[PATCH 4/5] audit: add netlink multicast group for log read

Steve Grubb sgrubb at redhat.com
Wed Mar 12 13:35:46 UTC 2014


On Wednesday, March 12, 2014 09:18:14 AM Eric Paris wrote:
> On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
> > On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
> > > Add a netlink multicast socket with one group to kaudit for
> > > "best-effort"
> > > delivery to read-only userspace clients such as systemd, in addition to
> > > the
> > > existing bidirectional unicast auditd userspace client.
> > 
> > One question...we do have to have the ability to separate of secadm_r and
> > sysadm_r. By allowing this we will leak to a sysadmin that he is being
> > audited by the security officer. In a lot of cases, they are one in the
> > same person. But for others, they are not. I have a feeling this will
> > cause problems for MLS systems.
> 
> A good question.  But easily solved in policy.  Don't give
> CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read
> from the multicast socket.

That also means that we probably want an audit event for any successful and 
unsuccessful attempts to connect for _reading_ audit events.

-Steve

> As to what others who read from the journal I guess we can just make
> sure it is a config option whether to collect or not.  Most everyone
> would want to collect, but some configs might obviously not.
>
> I'll roll around in the back of my head the ability for auditctl to
> disable the multicasting, but CAP_AUDIT_READ takes care of that a whole
> lot more nicely...




More information about the Linux-audit mailing list