AUDIT_NETFILTER_PKT message format

Richard Guy Briggs rgb at redhat.com
Tue Jan 17 05:25:51 UTC 2017 

Hi,

I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT
event messages and it is not quite as straightforward as I had expected.

It is being tracked here:
	https://github.com/linux-audit/audit-kernel/issues/11
and refers to a previous posting from Mr. Dash Four from four years ago
to which there was no reply.

The example given in the tracker above for "frag=" is fairly
straightforward, but digging more, there are a number of others that are
not quite so obvious.

How many different combinations of fields is acceptable?  Can we create
new message types for each one, or is there a preferred way to indicate
which sub-type it is other than implicit from the arguments given?

Others that are straightforward:
- The first "truncated=" gets pulled in with "0".

- "mark=" gets pulled in with "0".

Ones that are not so straightforward:
- "secmark" depends on a kernel config setting, so should it always be
  present but "(none)" if that kernel feature is compiled out?

- ARPHRD_ETHER pulls in 3 fields, I would pull them all in and set them
  to "(none)" to indicate that type isn't present.

- audit_ip4() and audit_ip6 share "saddr=", "daddr=", proto=", but ip4
  adds "ipid=", which would be set to "(none)" for ip6.

- audit_proto() pulls in "truncated=" again, then either "sport=" and
  "dport=" OR "icmptype=" and "icmpcode=".

If all fields are pulled in, we end up adding 10 fields beyond a
standard well-formed packet, and 15 beyond a truncated packet.

Note: In the cases of "mark" and "secmark" both are unions.  In the case of
"mark", I don't see a problem since it isn't conditionally compiled out
and won't be mis-interpreted.  In the case of "secmark=", it could be
mis-interpreted as offload_fwd_mark if that field is even compiled in,
but that would be addressed in the compiler directive...


One last question: Does anyone have a test suite that can generate any
or all of these types of packets?


Thanks!


- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

More information about the Linux-audit mailing list