Audit ipset changes?

Richard Guy Briggs rgb at redhat.com
Sat Feb 27 21:19:28 UTC 2021


On 2021-02-26 15:21, Andreas Hasenack wrote:
> Hi,

Hi Andreas,

> is there a way to audit ipset changes?
> 
> The closest I got was to log the specific "socket(AF_NETLINK, SOCK_RAW,
> NETLINK_NETFILTER)" call that ipset makes, but that obviously also triggers
> read-only operations like "ipset list", and any other app that opens such a
> socket.

Issue ghak124 (https://github.com/linux-audit/audit-kernel/issues/124)
introduced auditing for nftables modifications.  It turns out it was far
too verbose but may have listed these actions for the iptables-nft
variant.  That is about to be trimmed but should still catch any
changes for nftables.

What parameters do you wish to have logged?  At a quick look, I'm
guessing table doesn't make sense since a set could be used by any
registered table?  But the set name would, followed by protocol family,
number of items changed, and the operation name?

How much life does iptables have to it?  Given that this command can
change the configuration of iptables (and ipv6tables, ebtables,...) it
would seem this should be logged.

Steve?


- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
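The problem Andreas describes above (a syscall rule on socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) fires for "ipset list" and for every other netfilter client too) can be narrowed in post-processing until the kernel-side set auditing lands. The following is an added example, not code from this thread or from the audit project: it correlates the SYSCALL and PROCTITLE records of one audit event by serial number, decodes the hex-encoded proctitle to recover the command line, and labels each event as an ipset change, a read-only ipset call, or some other netfilter client. It assumes records produced by a rule of the form `auditctl -a always,exit -F arch=b64 -S socket -F a0=16 -F a2=12 -k netfilter-netlink` (AF_NETLINK=16, NETLINK_NETFILTER=12; the syscall number 41 is the x86_64 socket(2) number) and the sample records embedded in it are constructed, not real captures.

```python
"""Correlate audit SYSCALL/PROCTITLE records for socket(AF_NETLINK, *, NETLINK_NETFILTER)
and tell ipset changes apart from read-only ipset calls and from other netfilter clients.

Assumed input (example, not from the mailing-list thread): records written by a rule such as
  auditctl -a always,exit -F arch=b64 -S socket -F a0=16 -F a2=12 -k netfilter-netlink
"""
import re
from typing import Dict, List

AF_NETLINK = 16          # a0 of socket(2)
NETLINK_NETFILTER = 12   # a2 of socket(2); the protocol ipset and nft talk to
SYS_SOCKET_X86_64 = 41   # syscall number logged with arch=c000003e (x86_64)

# ipset subcommands (long and short forms from ipset(8)) that modify kernel state;
# anything else (list, test, save, ...) is read-only.
MUTATING = {"create", "n", "add", "a", "del", "d", "destroy", "x", "flush", "f",
            "rename", "e", "swap", "w", "restore", "r"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key/value pairs. Quoted values keep their quotes so that
    decode_proctitle() can tell a plain string (proctitle="ipset") from hex encoding."""
    return dict(FIELD_RE.findall(line))


def unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def decode_proctitle(raw: str) -> List[str]:
    """The kernel hex-encodes proctitle whenever it contains NULs (more than one argv element);
    a single-word command line is logged as a quoted string instead. Returns argv."""
    if raw.startswith('"'):
        return [unquote(raw)]
    return bytes.fromhex(raw).decode("utf-8", "replace").split("\0")


def is_netfilter_socket(sc: Dict[str, str]) -> bool:
    """True for a SYSCALL record of socket(AF_NETLINK, *, NETLINK_NETFILTER); a0..a3 are hex."""
    try:
        return (int(sc["syscall"]) == SYS_SOCKET_X86_64
                and int(sc["a0"], 16) == AF_NETLINK
                and int(sc["a2"], 16) == NETLINK_NETFILTER)
    except (KeyError, ValueError):
        return False


def classify(lines: List[str]) -> List[Dict[str, object]]:
    """Group records by event serial, keep netfilter socket() events and label each one."""
    events: Dict[str, Dict[str, Dict[str, str]]] = {}
    for line in lines:
        rec = parse_record(line)
        m = SERIAL_RE.search(rec.get("msg", ""))
        if m:
            events.setdefault(m.group(1), {})[rec.get("type", "?")] = rec

    results: List[Dict[str, object]] = []
    for serial, ev in events.items():
        sc = ev.get("SYSCALL")
        if not sc or not is_netfilter_socket(sc):
            continue  # e.g. NETLINK_ROUTE sockets opened by ip(8)
        argv = decode_proctitle(ev["PROCTITLE"]["proctitle"]) if "PROCTITLE" in ev else []
        comm = unquote(sc.get("comm", ""))
        # the first non-option word after the program name is the ipset subcommand
        subcmd = next((a for a in argv[1:] if not a.startswith("-")), None)
        if comm != "ipset":
            verdict = "other-netfilter-client"
        elif subcmd in MUTATING:
            verdict = "ipset-change"
        else:
            verdict = "ipset-readonly"
        results.append({"serial": serial, "auid": sc.get("auid"), "comm": comm,
                        "cmdline": " ".join(argv), "verdict": verdict})
    return results


# Constructed sample records (not real captures): x86_64 layout, event serials 101-105.
_COMMON = ('arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=c a3=0 items=0 '
           'ppid=900 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 key="netfilter-netlink"')
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1614460000.100:101): ' + _COMMON + ' pid=1001 comm="ipset" exe="/usr/sbin/ipset"',
    'type=PROCTITLE msg=audit(1614460000.100:101): proctitle=6970736574006c697374',
    'type=SYSCALL msg=audit(1614460000.200:102): ' + _COMMON + ' pid=1002 comm="ipset" exe="/usr/sbin/ipset"',
    'type=PROCTITLE msg=audit(1614460000.200:102): proctitle=69707365740061646400626c6f636b6c697374003139322e302e322e31',
    'type=SYSCALL msg=audit(1614460000.300:103): ' + _COMMON + ' pid=1003 comm="nft" exe="/usr/sbin/nft"',
    'type=PROCTITLE msg=audit(1614460000.300:103): proctitle=6e6674006c6973740072756c65736574',
    'type=SYSCALL msg=audit(1614460000.400:104): ' + _COMMON + ' pid=1004 comm="ipset" exe="/usr/sbin/ipset"',
    'type=PROCTITLE msg=audit(1614460000.400:104): proctitle=69707365740064656c00626c6f636b6c697374003139322e302e322e31',
    # NETLINK_ROUTE (a2=0) socket from ip(8): not a netfilter client, must be filtered out
    'type=SYSCALL msg=audit(1614460000.500:105): ' + _COMMON.replace("a2=c", "a2=0") + ' pid=1005 comm="ip" exe="/usr/sbin/ip"',
    'type=PROCTITLE msg=audit(1614460000.500:105): proctitle=697000726f757465',
]

if __name__ == "__main__":
    for r in classify(SAMPLE_LOG):
        print(f'{r["serial"]} auid={r["auid"]} {r["verdict"]:<22} {r["cmdline"]}')
```

Feeding it `ausearch -k netfilter-netlink --raw` output gives one labelled line per socket() event; only the `ipset-change` lines need to reach the alerting pipeline, and the decoded command line carries the set name and entry that the kernel-side record does not. The limitation is the one noted in the thread: this sees the intent in userspace argv, not what the kernel actually applied, so a client that is not the ipset binary still shows up only as `other-netfilter-client`.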