Audit firewall changes in RHEL 8

Smith, Gary R Gary.Smith at pnnl.gov
Sat Dec 5 00:45:39 UTC 2020


Good afternoon,

I have RHEL 7 systems set up to emit audit records when the firewall rules with iptables change. I do it with a single audit command:

-a always,exit -F arch=b64 -S setsockopt -F a2=0x40 -F key=IPTablesChange

And it works great. I get audit logs like this:

type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) : proctitle=iptables -D INPUT 2
type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=198995 comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter family=ipv4 entries=48

I want to do the same thing with RHEL 8 and nftables. I tried the same audit rule but nothing happens. I tried using firewall-cmd to change the rules. The rules changed, but no audit records. I fat-fingered rules using nft but no audit record. I suspect that I’m not writing the audit rule correctly. I looked around to see if a2 needed to be something other than 0x040 (IPT_SO_SET_REPLACE) but I couldn’t find anything.

Any suggestions on how to do this in RHEL 8 would be appreciated.

Best regards,

Gary Smith
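Editor's note and worked example, not part of Gary's message or of any reply on the list. The setsockopt rule fires for legacy iptables because xtables-multi pushes the whole table into the kernel with one IPT_SO_SET_REPLACE setsockopt call. nft, and firewalld's nftables backend through libnftables, do not use setsockopt at all: they send nfnetlink messages on an AF_NETLINK socket with sendto/sendmsg, so a rule keyed on `-S setsockopt` never matches no matter what a2 is set to. The script below groups `ausearch -i` style records into events and reports which path a ruleset change took. The first event is the one quoted in the message above; the second is a constructed approximation of an nft invocation, and its field values (syscall=sendto, the SOCKADDR record with nlnk-fam=12, which is NETLINK_NETFILTER, the key name NFTablesChange) are assumptions, not captured output.

```python
"""Group ausearch -i records into events and classify how a firewall change reached the kernel."""
import re

NETLINK_NETFILTER = 12  # nlnk-fam value for NETLINK_NETFILTER, from <linux/netlink.h>

# Constructed sample. Records for serial 3334178 are the iptables event quoted in
# the message; records for serial 3334190 are an ASSUMED shape for an nft call
# (nft submits its ruleset over an AF_NETLINK socket with sendto/sendmsg, so no
# setsockopt record exists for it). Verify field names against a real ausearch -i.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) : proctitle=iptables -D INPUT 2
type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=198995 comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter family=ipv4 entries=48
type=PROCTITLE msg=audit(12/04/2020 11:07:12.101:3334190) : proctitle=nft add rule inet filter input tcp dport 22 accept
type=SOCKADDR msg=audit(12/04/2020 11:07:12.101:3334190) : saddr={ saddr_fam=netlink nlnk-fam=12 nlnk-pid=0 }
type=SYSCALL msg=audit(12/04/2020 11:07:12.101:3334190) : arch=x86_64 syscall=sendto success=yes exit=384 a0=0x3 a1=0x55d0c0 a2=0x180 a3=0x0 items=0 ppid=154754 pid=160901 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=198995 comm=nft exe=/usr/sbin/nft key=NFTablesChange
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$')
FIELD_RE = re.compile(r'([\w-]+)=(\{[^}]*\}|\S+)')


def parse_fields(text):
    """Split 'k=v k2={ a=b c=d }' into a dict; brace-delimited values are kept whole."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(text)}


def group_events(log_text):
    """Group records by the event serial (the ':NNN' inside msg=audit(...))."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skips '----' separators and blank lines
        rtype, stamp, serial, body = m.groups()
        # proctitle contains spaces, so take the whole remainder of the line for it
        fields = {'proctitle': body.split('=', 1)[1]} if rtype == 'PROCTITLE' else parse_fields(body)
        events.setdefault(serial, []).append({'type': rtype, 'time': stamp, 'fields': fields})
    return events


def original_rule_matches(event):
    """Emulate '-S setsockopt -F a2=0x40': would that rule have fired for this event?"""
    for r in event:
        f = r['fields']
        if (r['type'] == 'SYSCALL' and f.get('syscall') == 'setsockopt'
                and f.get('a2') in ('0x40', 'IPT_SO_SET_REPLACE')):
            return True
    return False


def classify(event):
    """Label how a ruleset change reached the kernel, or None if this is not such an event."""
    syscall = next((r['fields'] for r in event if r['type'] == 'SYSCALL'), None)
    if syscall is None:
        return None
    if original_rule_matches(event):
        return 'iptables-legacy setsockopt'
    if syscall.get('syscall') in ('sendto', 'sendmsg'):
        for r in event:
            if r['type'] != 'SOCKADDR':
                continue
            saddr = parse_fields(r['fields'].get('saddr', '').strip('{} '))
            if saddr.get('saddr_fam') == 'netlink' and saddr.get('nlnk-fam') == str(NETLINK_NETFILTER):
                return 'nftables netlink (NETLINK_NETFILTER)'
    return None


if __name__ == '__main__':
    for serial, event in group_events(SAMPLE_LOG).items():
        title = next((r['fields']['proctitle'] for r in event if r['type'] == 'PROCTITLE'), '?')
        print(f"{serial}: {classify(event)!s:40} setsockopt rule fires: "
              f"{original_rule_matches(event)}  {title}")
```

Two practical consequences follow. A syscall rule that does catch nft has to name the syscalls it really uses, for example `-a always,exit -F arch=b64 -S sendto,sendmsg -F exe=/usr/sbin/nft -F key=NFTablesChange` (or the coarser path watch `-w /usr/sbin/nft -p x`); either one sees the nft binary but not firewalld, which holds its own netlink socket in a long-running daemon, so firewall-cmd changes need a rule aimed at the firewalld process or its D-Bus entry point. And before settling on a rule, run one nft change on the target host and check with `ausearch -i` whether the kernel attaches a NETFILTER_CFG record to it; where it does, that record type is a simpler thing to key a search on than the syscall.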


