Auditing nftables changes

Richard Guy Briggs rgb at redhat.com
Fri Mar 10 20:37:56 UTC 2023


On 2023-03-10 11:04, Paul Moore wrote:
> On Fri, Mar 10, 2023 at 9:36 AM Steve Grubb <sgrubb at redhat.com> wrote:
> > On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> > > Anyway, I think I need to spend some time playing until that "aha!"
> > > moment comes. It feels a lot closer thanks to both of your responses
> > > and I really appreciate the time you've taken to read my emails and
> > > respond to them.
> >
> > There are simple events which are one line and compound events which are
> > multiple lines - called records. The simple events tend to be hardwired and
> > not optional. For example, logins are hardwired; kernel config changes are
> > hardwired; authentication is hardwired.
> 
> Reading Steve's response I'm not sure we use the same terminology, or
> perhaps we explain it a bit differently.  Regardless, here is a quick
> definition that I stick to when discussing audit:
> 
> "audit record": An audit record is a single line in the audit log that
> consists of a timestamp, record type (type=XXX), and a series of
> fields which are dependent on the record type.  Here is an example of
> a SYSCALL record:
> 
>  type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
>   arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
>   a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
>   auid=root uid=root gid=root euid=root suid=root fsuid=root
>   egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
>   exe=/usr/lib/systemd/systemd
>   subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> "audit event": An audit event consists of multiple audit records
> grouped together by a single timestamp.  Single record audit events
> are allowed and do exist.  There is no upper bound on the number of
> records allowed in an audit event.  Here is an example of an audit
> event consisting of PROCTITLE, SYSCALL, and BPF audit records:
> 
>  type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) :
>   proctitle=(systemd)
>  type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
>   arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
>   a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
>   auid=root uid=root gid=root euid=root suid=root fsuid=root
>   egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
>   exe=/usr/lib/systemd/systemd
>   subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>  type=BPF msg=audit(03/10/2023 10:59:00.797:563) :
>   prog-id=172 op=LOAD

An "audit event", which is a collection of audit records with the same
timestamp and serial number, corresponds to *one* event of interest to the
audit subsystem, either due to internal rules or added audit rules that,
when triggered, record audit information into a set of records that are
all related to give a larger picture of the circumstances of that event.
Configuration changes, be they audit rules added or firewall rule
changes, are hardwired.

> I hope that helps.
> 
> --
> paul-moore.com
> 

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
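The record/event distinction Paul spells out above, as an added example that is not part of this thread and not audit userspace code: a small Python parser that splits each audit line into its type, timestamp, serial number and key=value fields, then groups records into events by the (timestamp, serial) pair, which is exactly the grouping Richard describes. The sample log is constructed: event 563 is the three records quoted in the thread re-joined onto one line each in the interpreted layout that `ausearch -i` prints, and the CONFIG_CHANGE record is made up to stand in for the hardwired configuration-change record mentioned in the reply. The parser also accepts the raw `msg=audit(<epoch>.<ms>:<serial>):` layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log (added example, not output captured from a system).
# Event 563 is the three records quoted in the thread, one record per line;
# the CONFIG_CHANGE record (serial 570) is invented for illustration.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) : proctitle=(systemd)
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=BPF msg=audit(03/10/2023 10:59:00.797:563) : prog-id=172 op=LOAD
type=CONFIG_CHANGE msg=audit(03/10/2023 11:02:14.120:570) : auid=root ses=10 op=add_rule key=(null) list=exit res=yes
"""

# Every record starts with type=<TYPE> msg=audit(<timestamp>:<serial>).
# The timestamp is "MM/DD/YYYY HH:MM:SS.mmm" in interpreted output and
# "<epoch>.<ms>" in raw output; [^)]+ accepts both, and the trailing
# :<digits>) picks off the serial number that ties records into one event.
_HEADER = re.compile(r"^type=(\S+)\s+msg=audit\(([^)]+):(\d+)\)\s*:?\s*(.*)$")
_FIELD = re.compile(r"(\S+?)=(\S*)")

EventKey = Tuple[str, int]


def parse_record(line: str) -> dict:
    """Split one audit record line into type, timestamp, serial and fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, ts, serial, rest = m.groups()
    # Remaining text is key=value pairs separated by spaces. Values that
    # themselves contain spaces (some interpreted proctitle/cmd values)
    # would need quote-aware splitting; the constructed sample has none.
    fields = dict(_FIELD.findall(rest))
    return {"type": rtype, "time": ts, "serial": int(serial), "fields": fields}


def group_events(log_text: str) -> Dict[EventKey, List[dict]]:
    """Group records into events: all records sharing (timestamp, serial)."""
    events: Dict[EventKey, List[dict]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec["time"], rec["serial"])
        events.setdefault(key, []).append(rec)
    return events


def events_with_record_type(events: Dict[EventKey, List[dict]], rtype: str) -> List[EventKey]:
    """Keys of the events that contain at least one record of the given type."""
    return [k for k, recs in events.items() if any(r["type"] == rtype for r in recs)]


if __name__ == "__main__":
    grouped = group_events(SAMPLE_LOG)
    for (ts, serial), recs in grouped.items():
        print(f"event {serial} at {ts}: {[r['type'] for r in recs]}")
    print("events carrying a CONFIG_CHANGE record:",
          events_with_record_type(grouped, "CONFIG_CHANGE"))
```

Grouping on the (timestamp, serial) pair rather than the timestamp alone matters because two unrelated events can share a millisecond; the serial is what makes the key unique, and it is also why a detection rule that wants the process context for a BPF or CONFIG_CHANGE record must look in the sibling SYSCALL and PROCTITLE records of the same event rather than in the record itself.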