On Mon, Oct 16, 2017 at 6:06 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Monday, October 16, 2017 5:35:55 PM EDT Paul Moore wrote:
> On Fri, Oct 13, 2017 at 3:58 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > Log information about programs connecting and disconnecting to the audit
> > netlink multicast socket. This is needed so that during investigations a
> > security officer can tell who or what had access to the audit trail. This
> > helps to meet the FAU_SAR.2 requirement for Common Criteria. Sample
> > event:
> >
> > type=UNKNOWN[1332] msg=audit(1507924331.540:3): pid=1 uid=0
> > auid=4294967295 tty=(none) ses=4294967295 subj=kernel comm="systemd"
> > exe="/usr/lib/systemd/systemd" nlnk-grp=1 op=connect res=1
> >
> > Signed-off-by: sgrubb <sgrubb(a)redhat.com>
> > ---
> >
> > include/uapi/linux/audit.h | 1 +
> > kernel/audit.c | 48 ++++++++++++++++++++++++++++++++++++++++++----
> > 2 files changed, 45 insertions(+), 4 deletions(-)
>
> Since I think this is going to involve a respin, I just want to
> mention again "sgrubb" vs "Steve Grubb". More comments inline
...
>
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index 0714a66f0e0c..892e63d9f2c1 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -112,6 +112,7 @@
> >
> > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature
> > changes */ #define AUDIT_REPLACE 1329 /* Replace auditd if
> > this packet unanswerd */ #define AUDIT_KERN_MODULE 1330 /*
> > Kernel Module events */
> >
> > +#define AUDIT_EVENT_LISTENER 1332 /* Task joined multicast read
> > socket */
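Review bot: the new define jumps from AUDIT_KERN_MODULE 1330 in the context lines straight to 1332 with nothing in the hunk or the commit message saying why 1331 is skipped; since the gap is deliberate (1331 belongs to AUDIT_FANOTIFY, queued in another tree), put that next to the define, e.g. `/* 1331 is AUDIT_FANOTIFY */`, or in the commit message, so the next reader does not take it for a typo or a free slot. Also, the comment `Task joined multicast read socket` covers only the connect case, whereas the commit message says both connecting and disconnecting are logged (`op=connect` in the sample); `Task joined/left the audit multicast read socket` would describe the record's two ops.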
>
> What Richard said. Basically AUDIT_EVENT_LISTENER should be 1331 or
> have a *really* good explanation as to why it needs to be 1332.
Because 1331 is already assigned and in
https://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs.git/log/?h=for_next as commit
de8cd83e91bc3ee212b3e6ec6e4283af9e4ab269.
If you want me to assign 1331 which is already assigned to AUDIT_FANOTIFY in
the user space piece, then it will make your testing...not look right. So, how
do you want it?
As I said above, I wanted a *really* good explanation, which you
provided. In the future it's helpful to add a note about things like
this, it saves us all from being annoyed.
I need to think about when this should get merged, but considering we
are at -rc5 right now and this is a new feature with no test (at
least not that I'm seeing on the list, or on GH) it is likely that
this patch will get held until after the upcoming merge window so the
merge conflict will not be a practical issue.
(HINT: in case you haven't been paying attention to audit kernel
development lately, you should work on a test for the audit-testsuite
which tests this new functionality.)
--
paul moore
www.paul-moore.com
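As an added example of consuming the new record type from the defender's side (my code, not part of the patch or of this thread): a small parser for the key=value audit record format shown in the commit message, which pulls out the AUDIT_EVENT_LISTENER (1332) records and reports which executables connected to or left the audit netlink multicast group, flagging any not on an allowlist. This is the kind of check FAU_SAR.2 ("who had access to the audit trail") asks for. The first sample line is the record quoted in the patch description; the remaining lines, the paths and PIDs in them, and the `op=disconnect` value are constructed assumptions (the commit message says disconnects are logged but shows only a connect).

```python
import re
from collections import defaultdict

# Event number introduced by the patch; a userspace without the matching
# name table prints it as UNKNOWN[1332], as in the commit message.
AUDIT_EVENT_LISTENER = 1332

# Constructed sample log. Line 1 is the record from the patch description;
# lines 2-4 are made up to exercise the code. "op=disconnect" is an
# assumption: the commit message says disconnects are logged but shows
# only a connect record.
SAMPLE_LOG = """\
type=UNKNOWN[1332] msg=audit(1507924331.540:3): pid=1 uid=0 auid=4294967295 tty=(none) ses=4294967295 subj=kernel comm="systemd" exe="/usr/lib/systemd/systemd" nlnk-grp=1 op=connect res=1
type=UNKNOWN[1332] msg=audit(1507924400.100:7): pid=842 uid=0 auid=1000 tty=pts0 ses=2 subj=kernel comm="logtail" exe="/home/alice/logtail" nlnk-grp=1 op=connect res=1
type=UNKNOWN[1332] msg=audit(1507924455.217:9): pid=842 uid=0 auid=1000 tty=pts0 ses=2 subj=kernel comm="logtail" exe="/home/alice/logtail" nlnk-grp=1 op=disconnect res=1
type=SYSCALL msg=audit(1507924460.000:10): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/usr/bin/ls"
"""

# type=NAME or type=UNKNOWN[<number>] at the start of a record
TYPE_RE = re.compile(r'^type=(?:UNKNOWN\[(\d+)\]|([A-Z_0-9]+))')
# msg=audit(<seconds.millis>:<serial>):
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')
# key=value pairs; values are either a double-quoted string (with escapes)
# or a run of non-space characters such as 0, (none) or 4294967295.
FIELD_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Parse one audit record into a dict, or return None if it is not one."""
    m = TYPE_RE.match(line)
    if not m:
        return None
    rec = {"type_num": int(m.group(1)) if m.group(1) else None,
           "type_name": m.group(2)}
    m = MSG_RE.search(line)
    if m:
        rec["time"] = float(m.group(1))
        rec["serial"] = int(m.group(2))
    for key, val in FIELD_RE.findall(line):
        if key in ("type", "msg"):
            continue  # already handled above
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def listener_events(log_text):
    """Return the parsed AUDIT_EVENT_LISTENER records, in log order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type_num"] == AUDIT_EVENT_LISTENER:
            out.append(rec)
    return out


def summarize(events):
    """Count connect/disconnect operations per executable."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in events:
        counts[rec.get("exe", "?")][rec.get("op", "?")] += 1
    return {exe: dict(ops) for exe, ops in counts.items()}


def unexpected_listeners(events, allowlist):
    """Successful connects by executables not on the allowlist, as (exe, auid, pid)."""
    hits = set()
    for rec in events:
        if (rec.get("op") == "connect" and rec.get("res") == "1"
                and rec.get("exe") not in allowlist):
            hits.add((rec["exe"], rec.get("auid"), rec.get("pid")))
    return sorted(hits)


if __name__ == "__main__":
    evs = listener_events(SAMPLE_LOG)
    for exe, ops in summarize(evs).items():
        print(f"{exe}: {ops}")
    allowed = {"/usr/lib/systemd/systemd"}  # constructed allowlist
    for exe, auid, pid in unexpected_listeners(evs, allowed):
        print(f"unexpected audit listener: exe={exe} auid={auid} pid={pid}")
```

Only successful connects (`res=1`) are flagged, so a denied attempt shows up in the per-executable counts but not in the allowlist report; if the latter is what matters for an investigation, drop the `res` condition. The field names (`exe`, `auid`, `pid`, `op`, `res`, `nlnk-grp`) are exactly those in the sample record.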