Closed pcmoore closed 3 years ago
Upstream patch posting:
See previous patch and discussion: https://www.redhat.com/archives/linux-audit/2014-October/msg00052.html and audit_log_task_info discussion: https://www.redhat.com/archives/linux-audit/2014-October/msg00054.html
Provide an RFE wiki page: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Multicast-Socket-Join-Part
Provide userspace support: https://github.com/linux-audit/audit-userspace/pull/114 Provide test case: https://github.com/linux-audit/audit-testsuite/pull/93
posted v6: https://www.redhat.com/archives/linux-audit/2020-February/msg00060.html https://lkml.org/lkml/2020/2/18/1077 This patchset was posted slightly prematurely and depends on ghak120.
posted v7: https://www.redhat.com/archives/linux-audit/2020-March/msg00046.html https://lkml.org/lkml/2020/3/17/1100
The test script was updated to test for the setsockopt to drop mcast membership to generate aux records. There is an accompanying userspace patch to add support for the EVENT_LISTENER record type.
userspace to parse yaasao for EVENT_LISTENER https://www.redhat.com/archives/linux-audit/2020-May/msg00064.html https://www.redhat.com/archives/linux-audit/2020-May/msg00065.html
This can be closed since it is upstream in v5.7-rc1 9d2161bed4e3 ("audit: log audit netlink multicast bind and unbind"). There is still an outstanding pull request with a nolib alternate for the test case: https://github.com/linux-audit/audit-testsuite/pull/93#issuecomment-642728858 Note: the userspace parser didn't make it into audit-3.0 (patches were on the mailing list months ago, a PR has since been issued)
Log information about programs connecting and disconnecting to the audit netlink multicast socket. This is needed so that during investigations a security officer can tell who or what had access to the audit trail. This helps to meet the FAU_SAR.2 requirement for Common Criteria.
This issue will require the addition of a new test in the audit-testsuite as well as a new RFE page in the audit kernel wiki.
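The investigative use case described in the issue body (a security officer establishing who or what had access to the audit trail) is what the EVENT_LISTENER record is for. Below is an added example, not code from the issue, from the audit-kernel project or from the userspace parser it references, that reads audit-style `key=value` records, pulls out the EVENT_LISTENER ones and reports which processes joined or left the audit netlink multicast group and which were still joined at the end of the log. The log lines are constructed for the example, and the record-specific keys (`nl-mcgrp`, `op`, `res`) are assumptions about the record layout rather than something the issue states.

```python
import re
from collections import OrderedDict

# Constructed sample log (not from the page). The subject fields (pid, uid,
# auid, comm, exe) follow the usual audit layout; nl-mcgrp / op / res are
# ASSUMED names for the multicast-group, operation and result fields.
SAMPLE_LOG = """\
type=EVENT_LISTENER msg=audit(1584457200.123:1001): pid=2341 uid=0 auid=1000 tty=pts0 ses=3 subj=unconfined comm="audisp-remote" exe="/usr/sbin/audisp-remote" nl-mcgrp=1 op=connect res=1
type=SYSCALL msg=audit(1584457200.124:1002): arch=c000003e syscall=54 success=yes exit=0 ...
type=EVENT_LISTENER msg=audit(1584457201.500:1003): pid=2399 uid=1000 auid=1000 tty=pts1 ses=4 subj=unconfined comm="python3" exe="/usr/bin/python3.8" nl-mcgrp=1 op=connect res=1
type=EVENT_LISTENER msg=audit(1584457210.042:1010): pid=2450 uid=1001 auid=1001 tty=pts2 ses=5 subj=unconfined comm="nc" exe="/usr/bin/nc" nl-mcgrp=1 op=connect res=0
type=EVENT_LISTENER msg=audit(1584457290.001:1050): pid=2399 uid=1000 auid=1000 tty=pts1 ses=4 subj=unconfined comm="python3" exe="/usr/bin/python3.8" nl-mcgrp=1 op=disconnect res=1
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
# msg=audit(<seconds>.<millis>:<serial>): header carried by every record
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):?')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)
    and add numeric 'timestamp' and 'serial' keys from the msg header."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    m = MSG_RE.fullmatch(fields.get("msg", ""))
    if m:
        fields["timestamp"] = float(f"{m.group(1)}.{m.group(2)}")
        fields["serial"] = int(m.group(3))
    return fields


def listener_events(log_text):
    """Return only the EVENT_LISTENER records, ordered by time then serial.
    A record with res != 1 is kept (it is still evidence of an attempt) but
    flagged so that it is not counted as access to the audit trail."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "EVENT_LISTENER":
            continue
        rec["failed"] = rec.get("res") != "1"
        events.append(rec)
    events.sort(key=lambda r: (r.get("timestamp", 0.0), r.get("serial", 0)))
    return events


def access_report(log_text):
    """Map (pid, comm) -> list of (op, timestamp, group, failed) so an auditor
    can see who joined or left which multicast group, and when."""
    report = OrderedDict()
    for rec in listener_events(log_text):
        key = (int(rec["pid"]), rec.get("comm", "?"))
        report.setdefault(key, []).append(
            (rec["op"], rec["timestamp"], int(rec["nl-mcgrp"]), rec["failed"])
        )
    return report


def still_connected(log_text):
    """(pid, group) pairs that successfully joined a multicast group and had
    not left it by the end of the log, i.e. live readers of the audit trail."""
    members = set()
    for rec in listener_events(log_text):
        if rec["failed"]:
            continue
        key = (int(rec["pid"]), int(rec["nl-mcgrp"]))
        if rec["op"] == "connect":
            members.add(key)
        elif rec["op"] == "disconnect":
            members.discard(key)
    return members


if __name__ == "__main__":
    for (pid, comm), ops in access_report(SAMPLE_LOG).items():
        for op, ts, group, failed in ops:
            status = "FAILED" if failed else "ok"
            print(f"{ts:.3f} pid={pid} comm={comm} group={group} {op} {status}")
    print("still connected:", sorted(still_connected(SAMPLE_LOG)))
```

Running it prints one line per join/leave attempt and then the set of processes that were still subscribed when the log ends; on a real system the input would be the relevant slice of the audit log, and a failed `res=0` attempt by an unexpected program is usually the line worth following up, since it shows something tried to read the audit stream without the privilege to do so.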