[PATCH 4/5] audit: add netlink multicast group for log read

Richard Guy Briggs rgb at redhat.com
Wed Mar 12 15:25:34 UTC 2014 

On 14/03/12, Steve Grubb wrote:
> On Wednesday, March 12, 2014 09:18:14 AM Eric Paris wrote:
> > On Wed, 2014-03-12 at 08:55 -0400, Steve Grubb wrote:
> > > On Wednesday, February 19, 2014 01:08:22 PM Richard Guy Briggs wrote:
> > > > Add a netlink multicast socket with one group to kaudit for
> > > > "best-effort"
> > > > delivery to read-only userspace clients such as systemd, in addition to
> > > > the
> > > > existing bidirectional unicast auditd userspace client.
> > > 
> > > One question...we do have to have the ability to separate of secadm_r and
> > > sysadm_r. By allowing this we will leak to a sysadmin that he is being
> > > audited by the security officer. In a lot of cases, they are one in the
> > > same person. But for others, they are not. I have a feeling this will
> > > cause problems for MLS systems.

At first I had no idea what you were talking about but Eric's reply
helps to understand the context.

> > A good question.  But easily solved in policy.  Don't give
> > CAP_AUDIT_READ to sysadm_t if you don't want sysadm_t to be able to read
> > from the multicast socket.

This seems like an easy one.

> That also means that we probably want an audit event for any successful and 
> unsuccessful attempts to connect for _reading_ audit events.

That could easily be added to the new custom netlink bind function.

> -Steve
> 
> > As to what others who read from the journal I guess we can just make
> > sure it is a config option whether to collect or not.  Most everyone
> > would want to collect, but some configs might obviously not.

This would be easy to add as a "feature", I'm guessing...

> > I'll roll around in the back of my head the ability for auditctl to
> > disable the multicasting, but CAP_AUDIT_READ takes care of that a whole
> > lot more nicely...

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

More information about the Linux-audit mailing list