Add auditd rules

2026-05-16 10:50:09 +00:00 · 2026-05-07 21:54:00 +02:00 · 2026-05-07 21:54:00 +02:00 · f4dc8aa2c8
commit f4dc8aa2c8
parent 49626cb1c2
1 changed files with 10 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -41,6 +41,16 @@ path.
 *MSG_SPLICE_PAGES UDP support was added in 6.5, so 5.15 is below the
 bug's reach.

+## Auditd rule
+
+~~~
+sudo tee /etc/audit/rules.d/xfrm_netlink.rules >/dev/null <<'EOF'
+-a always,exit -F arch=b64 -S socket -F a0=16 -F a2=6 -k xfrm_netlink_socket
+-a always,exit -F arch=b32 -S socket -F a0=16 -F a2=6 -k xfrm_netlink_socket
+EOF
+sudo augenrules --load
+~~~
+
 ## Credits

 Hyunwoo Kim (imv4bel) and Kuan-Ting Chen reported, tested,