From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Moore <pmoore@redhat.com>
Subject: Re: [PATCH 2/2] audit: log binding and unbinding to netlink multicast
	socket
Date: Fri, 24 Jul 2015 18:58:42 -0400
Message-ID: <3104753.orA6D5XYvi@sifl>
References: <8611875.W95Jo5o7mj@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <8611875.W95Jo5o7mj@x2>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, July 23, 2015 04:45:19 PM Steve Grubb wrote:
> Log information about programs connecting and disconnecting to the audit
> netlink multicast socket. This is needed so that during investigations a
> security officer can tell who or what had access to the audit trail. This
> helps to meet the FAU_SAR.2 requirement for Common Criteria.
> 
> Signed-off-by: Steve Grubb <sgrubb@redhat.com>
> ---
>  include/uapi/linux/audit.h |  1 +
>  kernel/audit.c             | 30 ++++++++++++++++++++++++++++--
>  2 files changed, 29 insertions(+), 2 deletions(-)

...

> diff --git a/kernel/audit.c b/kernel/audit.c
> index 29fb38b..3253f1b 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -1135,13 +1135,36 @@ void audit_log_task_simple(struct audit_buffer *ab,
> struct task_struct *tsk) }
>  EXPORT_SYMBOL(audit_log_task_simple);
> 
> +static void audit_log_bind(int group, const char *op, int err)
> +{

Hmmm, how about a name tweak to indicate multicast?  How about 
audit_log_multicast_bind()?

> +	struct audit_buffer *ab;
> +
> +	ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER);
> +	if (!ab)
> +		return;
> +
> +	audit_log_task_simple(ab, current);
> +	audit_log_format(ab, " nlnk-grp=%d", group);
> +	audit_log_format(ab, " op=%s", op);
> +	audit_log_format(ab, " res=%d", !err);
> +	audit_log_end(ab);

Any reason we can't do this with one audit_log_format() call?

	audit_log_format(ab, "nlnk-grp=%d op=%s res=%d", group, op, !err);

-- 
paul moore
security @ redhat