AUDIT_NETFILTER_CFG event format

Paul Moore paul at paul-moore.com
Thu Jan 19 22:54:36 UTC 2017


On Thu, Jan 19, 2017 at 9:50 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2017-01-19 08:45, Steve Grubb wrote:
>> AUDIT_NETFILTER_CFG sometimes comes out of the kernel with no syscall record.
>> Try this,
>>
>> ausearch --start today -m netfilter_cfg | less
>>
>> You should see at least one that has no syscall record. This begs the question
>> of why there is even a SYSCALL record? AUDIT_NETFILTER_CFG is not extra
>> information that is gathered to help explain what the syscall means. It's a
>> change to system configuration in its own right. It should not be attached to a
>> syscall record - especially if it's not consistent. It should be complete and
>> stand on its own.
>
> On my rawhide test VM, they are all accompanied by SYSCALL setsockopt
> records.  On my laptop running f24, they are all orphans.
>
> Manually setting iptables rules on the laptop yields a standalone record
> so I will assume this is a difference of kernels, and not exhibiting
> dual behaviour on one kernel.  It might be a different kernel version,
> or different kernel config.
>
> I'll re-open this issue and add this information...
>
> As to why, I wonder if the message ID is somehow getting re-used when it
> should not be?  I don't have a SYSCALL rule to trigger the syscall
> logging, so that's another clue...

Let's try to understand this problem ... something is triggering a
change, why aren't we seeing it?

-- 
paul moore
www.paul-moore.com
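An added check for the behaviour discussed above (not code from the thread or the audit project): it groups raw audit records by their event id, the (timestamp:serial) pair inside msg=audit(...), and reports NETFILTER_CFG events that arrive with no SYSCALL record. It expects raw-format lines (audit.log or ausearch --raw); the sample records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in raw audit.log format, not real captures.
# Event 101 carries a SYSCALL record (setsockopt is syscall 54 on x86_64);
# event 102 is an orphan NETFILTER_CFG record of the kind the thread describes.
SAMPLE = """\
type=SYSCALL msg=audit(1484862876.101:101): arch=c000003e syscall=54 success=yes exit=0 a0=3 a1=0 a2=40 a3=0 items=0 ppid=1 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="iptables" exe="/usr/sbin/xtables-multi" key=(null)
type=NETFILTER_CFG msg=audit(1484862876.101:101): table=filter family=2 entries=4
----
type=NETFILTER_CFG msg=audit(1484862876.205:102): table=nat family=2 entries=5
"""

# type=<TYPE> msg=audit(<ts>:<serial>): <fields>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)


def parse_records(text):
    """Group records by audit event id (timestamp, serial)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip separators and anything that is not an audit record
        events[(m['ts'], m['serial'])].append((m['type'], m['body']))
    return events


def orphan_netfilter_cfg(text):
    """Return (event id, NETFILTER_CFG fields) for events lacking a SYSCALL record."""
    orphans = []
    for key, recs in parse_records(text).items():
        types = {rtype for rtype, _ in recs}
        if 'NETFILTER_CFG' in types and 'SYSCALL' not in types:
            body = next(b for rtype, b in recs if rtype == 'NETFILTER_CFG')
            orphans.append((key, body))
    return sorted(orphans)


if __name__ == '__main__':
    for (ts, serial), body in orphan_netfilter_cfg(SAMPLE):
        print(f'orphan NETFILTER_CFG event {ts}:{serial}: {body}')
```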
