From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: [PATCH 0/2] audit: log binding and unbinding to netlink multicast
	socket
Date: Wed, 30 Nov 2016 14:23:51 -0500
Message-ID: <30846979.mIhR5Z33f8@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from x2.localnet (vpn-58-29.rdu2.redhat.com [10.10.58.29])
	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id uAUJQq11005554
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO)
	for <linux-audit@redhat.com>; Wed, 30 Nov 2016 14:26:53 -0500
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

I am resurrecting this old patch. Its been cleaned up by adding a simple task 
logging function which should, in the future, serve almost all kernel logging 
needs. The cleaned up bind and unbind functions call it to create the preamble 
and then finish with specific data items for bind/unbinding.

In essence, this patch logs connecting and disconnecting to the audit netlink 
multicast socket. This is needed so that during investigations a security 
officer can tell who or what had access to the audit trail. This helps to meet 
the FAU_SAR.2 SFR for Common Criteria.

Sample output:
type=UNKNOWN[1330] audit(1480532106.644:2): pid=1 uid=0 auid=4294967295 
tty=(none) ses=4294967295 subj=kernel comm="systemd" exe="/usr/lib/systemd/
systemd" nlnk-grp=1 op=connect res=1

Signed-off-by: Steve Grubb <sgrubb@redhat.com>

---