Auditing nftables changes

Paul Moore paul at paul-moore.com
Fri Mar 10 16:04:37 UTC 2023


On Fri, Mar 10, 2023 at 9:36 AM Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> > Anyway, I think I need to spend some time playing until that "aha!"
> > moment comes. It feels a lot closer thanks to both of your responses
> > and I really appreciate the time you've taken to read my emails and
> > respond to them.
>
> There are simple events which are one line and compound events which are
> multiple lines - called records. The simple events tend to be hardwired and
> not optional. For example, logins are hardwired; kernel config changes are
> hardwired; authentication is hardwired.

Reading Steve's response I'm not sure we use the same terminology, or
perhaps we explain it a bit differently.  Regardless, here is a quick
definition that I stick to when discussing audit:

"audit record": An audit record is a single line in the audit log that
consists of a timestamp, record type (type=XXX), and a series of
fields which are dependent on the record type.  Here is an example of
a SYSCALL record:

 type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
  arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
  a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
  auid=root uid=root gid=root euid=root suid=root fsuid=root
  egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
  exe=/usr/lib/systemd/systemd
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

"audit event": An audit event consists of multiple audit records
grouped together by a single timestamp.  Single record audit events
are allowed and do exist.  There is no upper bound on the number of
records allowed in an audit event.  Here is an example of an audit
event consisting of PROCTITLE, SYSCALL, and BPF audit records:

 type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) :
  proctitle=(systemd)
 type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
  arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
  a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
  auid=root uid=root gid=root euid=root suid=root fsuid=root
  egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
  exe=/usr/lib/systemd/systemd
  subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
 type=BPF msg=audit(03/10/2023 10:59:00.797:563) :
  prog-id=172 op=LOAD

I hope that helps.

--
paul-moore.com
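The record/event distinction above is exactly what a log consumer has to reconstruct: records arrive one line at a time, and the `msg=audit(<timestamp>:<serial>)` key is the only thing tying the PROCTITLE, SYSCALL and BPF lines together into one event. The following Python is an added example, not code from this thread or from the audit project, that parses single-line records in both the `ausearch -i` interpreted form shown in the mail and the raw `audit.log` form, groups them into events by that key, and lets a detection script ask questions of whole events (for instance "which events carry a SYSCALL record for `bpf`?"). The sample log is constructed for the example: the first three records are the ones quoted above re-joined onto one line each, while the LOGIN record and the raw-format record (serial 565) are made up to exercise the single-record and raw-timestamp paths.

```python
import re
from collections import OrderedDict

# Constructed sample. Records 1-3 are the event quoted in the mail, one record per
# line as audit tools emit them; the LOGIN record and the raw-format record with
# serial 565 are invented for this example to show a single-record event and the
# raw "audit(<epoch>.<ms>:<serial>)" key used in /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) : proctitle=(systemd)
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=BPF msg=audit(03/10/2023 10:59:00.797:563) : prog-id=172 op=LOAD
type=LOGIN msg=audit(03/10/2023 11:02:15.001:564) : pid=2700 uid=root old-auid=unset auid=root tty=(none) old-ses=unset ses=11 res=yes
type=SYSCALL msg=audit(1678445940.797:565): arch=c000003e syscall=321 success=yes exit=13 a0=5 a1=7ffde0efc650 a2=80 a3=13 items=0 ppid=1 pid=2683 auid=0 uid=0 gid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key=(null)
"""

# One record: "type=<TYPE> msg=audit(<stamp>:<serial>)" followed by space-separated
# key=value fields. The non-greedy stamp lets interpreted timestamps that contain
# colons ("10:59:00.797") parse; the serial is always the last ":<digits>" before ")".
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<stamp>.+?):(?P<serial>\d+)\)\s*:?\s*(?P<body>.*)$"
)


def parse_record(line):
    """Parse one audit record line into a dict, or return None for non-record lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = OrderedDict()
    for token in m.group("body").split():
        key, sep, value = token.partition("=")
        if sep:  # skip stray tokens that are not key=value
            fields[key] = value
    return {
        "type": m.group("type"),
        "stamp": m.group("stamp"),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def group_events(log_text):
    """Group records into events keyed by (timestamp, serial), preserving log order."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        events.setdefault((rec["stamp"], rec["serial"]), []).append(rec)
    return [{"stamp": k[0], "serial": k[1], "records": v} for k, v in events.items()]


def record_types(event):
    """Record types that make up the event, in the order they appeared."""
    return [r["type"] for r in event["records"]]


def find_field(event, rec_type, key):
    """Value of `key` from the first record of type `rec_type` in the event, else None."""
    for r in event["records"]:
        if r["type"] == rec_type and key in r["fields"]:
            return r["fields"][key]
    return None


def events_with_syscall(events, name):
    """Events whose SYSCALL record names the given syscall (interpreted form)."""
    return [e for e in events if find_field(e, "SYSCALL", "syscall") == name]


if __name__ == "__main__":
    for ev in group_events(SAMPLE_LOG):
        print(ev["serial"], record_types(ev))
    for ev in events_with_syscall(group_events(SAMPLE_LOG), "bpf"):
        print("bpf event", ev["serial"], "comm=", find_field(ev, "SYSCALL", "comm"),
              "prog-id=", find_field(ev, "BPF", "prog-id"))
```

Grouping by the full `(stamp, serial)` pair rather than the serial alone matters on a long-lived host: the serial wraps, and the interpreted and raw timestamp forms are not comparable, so a consumer should pick one format (normally raw from the daemon, interpreted only from `ausearch -i`) and key on both parts.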
