AUDIT_NETFILTER_CFG event format

Richard Guy Briggs rgb at redhat.com
Thu Jan 19 14:50:46 UTC 2017


On 2017-01-19 08:45, Steve Grubb wrote:
> On Thursday, January 19, 2017 5:10:44 AM EST Richard Guy Briggs wrote:
> > On 2017-01-17 10:42, Richard Guy Briggs wrote:
> > > On 2017-01-17 09:07, Steve Grubb wrote:
> > > > Hello Richard,
> > > > 
> > > > While we're in the NETFILTER area, the CFG event is lacking some fields,
> > > > too. It's currently:
> > > > 
> > > > table,family,entries
> > > > 
> > > > it's missing everything about *who* sent it:
> > > > pid,uid,auid,ses,subj,exe,res
> > > > 
> > > > I'd suggest:
> > > > 
> > > > pid,uid,auid,ses,subj,table,family,entries,exe,res
> > > > 
> > > > to make it compatible with the majority of records.
> > > 
> > > Ok, I've created an issue to track this:
> > > 	https://github.com/linux-audit/audit-kernel/issues/35
> > 
> > And I've just closed it since the associated SYSCALL setsockopt record
> > lists all that information.
> 
> AUDIT_NETFILTER_CFG sometimes comes out of the kernel with no syscall record. 
> Try this, 
> 
> ausearch --start today -m netfilter_cfg | less
> 
> You should see at least one that has no syscall record. This begs the question 
> of why there is even a SYSCALL record? AUDIT_NETFILTER_CFG is not extra 
> information that is gathered to help explain what the syscall means. It's a 
> change to system configuration in its own right. It should not be attached to a 
> syscall record - especially if it's not consistent. It should be complete and 
> stand on its own.

On my rawhide test VM, they are all accompanied by SYSCALL setsockopt
records.  On my laptop running f24, they are all orphans.

Manually setting iptables rules on the laptop yields a standalone record
so I will assume this is a difference of kernels, and not exhibiting
dual behaviour on one kernel.  It might be a different kernel version,
or different kernel config.

I'll re-open this issue and add this information...

As to why, I wonder if the message ID is somehow getting re-used when it
should not be?  I don't have a SYSCALL rule to trigger the syscall
logging, so that's another clue...

> Thanks,
> -Steve
> 
> > > > Incidentally, I created a
> > > > chart that shows how each record type is alike and different from every
> > > > other record. You might call it a record grammar tree:
> > > > 
> > > > http://people.redhat.com/sgrubb/audit/record-fields.html
> > > > 
> > > > I'd like to align as many events as possible to pid,uid,auid section of
> > > > the graph.
> > > > 
> > > > -Steve
> > > 
> > > - RGB
> > 
> > - RGB
> > 
> > --
> > Richard Guy Briggs <rgb at redhat.com>
> > Kernel Security Engineering, Base Operating Systems, Red Hat
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635
> 
> 

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
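The thread turns on one observable fact: an AUDIT_NETFILTER_CFG record only tells you *who* changed the tables if a SYSCALL setsockopt record with the same event serial sits beside it, and on some kernels it arrives as an orphan. The script below is an added example (not code from the thread, the kernel, or the audit userspace) that groups raw audit records by their `msg=audit(ts:serial)` event ID, pairs each NETFILTER_CFG record with a SYSCALL record from the same event when one exists, and reports the pid/uid/auid/ses/subj/exe fields Steve asked for, or flags the record as an orphan. The two sample events are constructed for the example: the first has the companion SYSCALL record, the second does not. The record layout follows the standard `type=... msg=audit(...): key=value` audit format; `syscall=54` is setsockopt on x86_64.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input (not taken from the original thread). Event 456 has
# a SYSCALL setsockopt record beside NETFILTER_CFG; event 457 is an orphan.
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1484837446.123:456): table=filter family=2 entries=4
type=SYSCALL msg=audit(1484837446.123:456): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=7ffd0 items=0 ppid=1 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="iptables" exe="/usr/sbin/xtables-multi" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1484837500.001:457): table=nat family=2 entries=3
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value ...>
MSG_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values are either double-quoted (comm="iptables") or bare (subj=a:b:c)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The subject fields the thread wants every NETFILTER_CFG record to carry.
WHO_FIELDS = ('pid', 'uid', 'auid', 'ses', 'subj', 'exe')


def parse_record(line):
    """Parse one raw audit line into type, serial and a field dict; None if not a record."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'serial': int(m.group('serial')),
            'ts': m.group('ts'), 'fields': fields}


def group_events(text):
    """Group records by event serial: all records of one event share msg=audit(ts:serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    return events


def netfilter_cfg_events(text):
    """For every NETFILTER_CFG record return its own fields (table/family/entries),
    the WHO_FIELDS taken from a SYSCALL record in the same event, and an 'orphan'
    flag that is True when no SYSCALL record accompanies it (all WHO_FIELDS None)."""
    out = []
    for serial, recs in sorted(group_events(text).items()):
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        for r in recs:
            if r['type'] != 'NETFILTER_CFG':
                continue
            who = {k: (syscall['fields'].get(k) if syscall else None) for k in WHO_FIELDS}
            out.append({'serial': serial, 'orphan': syscall is None, **r['fields'], **who})
    return out


def orphan_serials(text):
    """Serials of NETFILTER_CFG records that carry no attribution at all."""
    return [e['serial'] for e in netfilter_cfg_events(text) if e['orphan']]


if __name__ == '__main__':
    # Read raw records from stdin when piped, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for e in netfilter_cfg_events(text):
        who = 'ORPHAN (no SYSCALL record)' if e['orphan'] else \
            ' '.join(f'{k}={e[k]}' for k in WHO_FIELDS)
        print(f"serial={e['serial']} table={e['table']} family={e['family']} "
              f"entries={e['entries']} {who}")
```

Feed it the raw output of the search from the thread, `ausearch --start today -m netfilter_cfg --raw | python3 netfilter_cfg_who.py`, and every line printed as ORPHAN is a table change the log cannot attribute to a process or login session, which is exactly the gap the proposed pid,uid,auid,ses,subj,table,family,entries,exe,res layout would close.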