Auditing nftables changes

Steve Grubb sgrubb at redhat.com
Fri Mar 10 14:36:00 UTC 2023


On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> Anyway, I think I need to spend some time playing until that "aha!"
> moment comes. It feels a lot closer thanks to both of your responses
> and I really appreciate the time you've taken to read my emails and
> respond to them.

There are simple events which are one line and compound events which are 
multiple lines - called records. The simple events tend to be hardwired and 
not optional. For example, logins are hardwired; kernel config changes are 
hardwired; authentication is hardwired.

The compound events tend to be related to audit rules (but not always). When 
the rule triggers, the syscall triggering the recording travels around 
different parts of the kernel. As it does so, there is code that observes and 
records different attributes of what it's doing. It may record the path, the 
socket, the command line, arguments of the syscall, etc. Then when the 
syscall finishes, the different observations are lumped together with the same 
serial number and output to the audit daemon.

The events originating from a rule can optionally have a key. This is to 
allow grouping of multiple rules that meet the same requirement. Simple 
events never have a key.

There are a couple of presentations here that may help understand the audit 
system:
https://people.redhat.com/sgrubb/audit/

-Steve
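The distinction drawn above between one-line simple events and multi-record compound events joined by a serial number, as an added example that is not part of the original thread or of the audit project's own code: a small parser that groups audit.log records by the serial in `msg=audit(ts:serial)` and pulls out the rule key. The sample records are constructed, not real captures.

```python
import re

# Constructed sample records in audit.log layout (not captured from a real system).
# Serial 1234 carries two records from a rule keyed "nft-change"; serial 1235 is a
# simple one-line USER_LOGIN event, which never has a key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1678459200.123:1234): arch=c000003e syscall=46 success=yes exit=0 items=0 ppid=1 pid=4321 auid=1000 uid=0 comm="nft" exe="/usr/sbin/nft" key="nft-change"
type=PROCTITLE msg=audit(1678459200.123:1234): proctitle=6E6674006164640072756C65
type=USER_LOGIN msg=audit(1678459300.456:1235): pid=4400 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

# Every record starts with its type and the (timestamp:serial) pair that ties it to an event.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# Rule key as written by auditd; SYSCALL records from keyless rules show key=(null).
KEY_RE = re.compile(r'\bkey="?([^"\s]+)"?')


def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and the remaining fields."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    return {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"]), "body": m["body"]}


def group_events(log_text):
    """Group records by serial number, the way the kernel lumps a syscall's observations together."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {"ts": rec["ts"], "records": [], "key": None})
        ev["records"].append(rec)
        k = KEY_RE.search(rec["body"])
        if k and k.group(1) != "(null)":
            ev["key"] = k.group(1)
    return events


def classify(event):
    """A compound event is made of several records; a simple event is a single line."""
    return "compound" if len(event["records"]) > 1 else "simple"


if __name__ == "__main__":
    for serial, ev in sorted(group_events(SAMPLE_LOG).items()):
        types = ",".join(r["type"] for r in ev["records"])
        print(f"{serial}: {classify(ev)} key={ev['key']} [{types}]")
```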