linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: audit nftables configuration events #124

Closed rgbriggs closed 3 years ago

rgbriggs commented 4 years ago

Currently, iptables, ip6tables, arptables and ebtables table registration/replacement/unregistration configuration information is logged for the native (legacy) iptables setsockopt api, but not for the nftables netlink api which is used by the nft-variant of iptables in addition to nftables itself.

Add calls to log the config actions in the nftables netlink api. It may require a new record type since the operations appear to be per rule rather than per table.

The likely candidate would be net/netfilter/nf_tables_api.c:nf_tables_commit().

See the previous issues for record format discussions and commits: https://github.com/linux-audit/audit-kernel/issues/25 https://github.com/linux-audit/audit-kernel/issues/35 https://github.com/linux-audit/audit-kernel/issues/43 https://github.com/linux-audit/audit-kernel/issues/44

rgbriggs commented 4 years ago

post v1: 2020-05-27 https://www.redhat.com/archives/linux-audit/2020-May/msg00093.html https://lkml.org/lkml/2020/5/27/768

post v2: 2020-05-28 https://www.redhat.com/archives/linux-audit/2020-May/msg00101.html https://lkml.org/lkml/2020/5/28/1689

post v3: https://www.redhat.com/archives/linux-audit/2020-June/msg00008.html https://lkml.org/lkml/2020/6/4/460

rgbriggs commented 4 years ago

2020-06-26: Bug report: https://lore.kernel.org/netfilter-devel/20200626102242.GA313925@mwanda/

2020-06-27: Fix: https://lore.kernel.org/netfilter-devel/3eda864fb69977252a061c8c3ccd2d8fcd1f3a9b.1593278952.git.rgb@redhat.com/ https://www.redhat.com/archives/linux-audit/2020-June/msg00135.html

rgbriggs commented 4 years ago

v3fix merged upstream: 142240398e50 ("audit: add gfp parameter to audit_log_nfcfg")

rgbriggs commented 3 years ago

This can be closed since it is upstream in v5.9-rc1:
8e6cf365e1d5 ("audit: log nftables configuration change events")
142240398e50 ("audit: add gfp parameter to audit_log_nfcfg")
68df2ed54487 ("audit: use the proper gfp flags in the audit_log_nfcfg() calls")

rgbriggs commented 3 years ago

2021-03-18 v1 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00109.html
2021-03-22 v2 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00149.html
2021-03-23 v3 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00152.html
2021-03-24 v4 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00157.html
2021-03-26 v5 update patch posted upstream https://listman.redhat.com/archives/linux-audit/2021-March/msg00159.html
2021-03-31 v5 merged upstream in nf-next bb4052e57b5b ("audit: log nftables configuration change events once per table")
2021-03-31 FW found UAF: nf-next fix e4d272948d25 pablo@netfilter.org ("netfilter: nf_tables: use-after-free")
2021-03-31 v5 merged upstream in nf-next forced update c520292f29b8 ("audit: log nftables configuration change events once per table")
2021-04-02 07:45 Dan Carpenter dadf33c9f6b5 ("netfilter: nftables: fix a warning message in nf_tables_commit_audit_collect()")
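Editor's added example, not code from this issue, the kernel, or the audit userspace tools: a consumer-side parser for the NETFILTER_CFG records that the RFE above produces, covering both the original per-operation records (v5.9, first comment) and the aggregated once-per-table records from the 2021 update (last comment). The field layout assumed here, `table=<name>[:<gen>] family=<nfproto> entries=<n> op=<op> pid=<pid> subj=<ctx> comm=<comm>`, is my reading of the merged commits listed in this thread, and the classification of `nft_*` ops as the netlink path and other ops as the legacy setsockopt path is likewise an assumption; the sample records are constructed, not captured. Verify against `ausearch -m NETFILTER_CFG` on the kernel you actually run before relying on the parser.

```python
"""Parse kernel audit NETFILTER_CFG records and flag firewall changes made by untrusted tools.

Added example; record layout and op naming are assumptions based on the commits
referenced in the issue, not copied from kernel source.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Netfilter protocol family numbers (NFPROTO_* in include/uapi/linux/netfilter.h).
NFPROTO_NAMES = {0: "unspec", 1: "inet", 2: "ipv4", 3: "arp", 5: "netdev", 7: "bridge", 10: "ipv6"}

# key=value pairs: the value is either a quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<seconds>.<millis>:<serial>)
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# Constructed sample audit records (not captured from a real system).
SAMPLE_LINES = [
    'type=NETFILTER_CFG msg=audit(1593000000.100:101): table=filter family=2 entries=1 op=nft_register_chain pid=1201 subj=unconfined comm="nft"',
    'type=NETFILTER_CFG msg=audit(1593000000.100:101): table=filter family=2 entries=1 op=nft_register_rule pid=1201 subj=unconfined comm="nft"',
    'type=NETFILTER_CFG msg=audit(1617200000.200:202): table=inet_fw:7 family=1 entries=4 op=nft_register_chain pid=2300 subj=unconfined comm="nft"',
    'type=NETFILTER_CFG msg=audit(1617200000.300:203): table=filter family=2 entries=12 op=replace pid=2400 subj=unconfined comm="iptables-legacy"',
    'type=NETFILTER_CFG msg=audit(1617200000.400:204): table=filter:8 family=2 entries=1 op=nft_unregister_rule pid=3100 subj=unconfined comm="python3"',
    'type=SYSCALL msg=audit(1617200000.400:204): arch=c000003e syscall=46 success=yes exit=84 pid=3100 comm="python3"',
]


@dataclass
class NfCfgEvent:
    timestamp: float
    serial: int
    table: str
    generation: Optional[int]  # only in the once-per-table format (table=<name>:<gen>); assumed layout
    family: str
    entries: int
    op: str
    source: str                # "nftables" for nft_* ops (netlink API), "legacy" otherwise (assumed)
    pid: Optional[int]
    comm: Optional[str]


def parse_netfilter_cfg(line: str) -> Optional[NfCfgEvent]:
    """Return an NfCfgEvent for a NETFILTER_CFG record, or None for any other record type."""
    if "type=NETFILTER_CFG" not in line:
        return None
    m = SERIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    table, generation = fields["table"], None
    name, sep, gen = table.rpartition(":")
    if sep and gen.isdigit():  # aggregated format appends the commit generation to the table name
        table, generation = name, int(gen)
    family_num = int(fields.get("family", 0))
    op = fields.get("op", "?")
    return NfCfgEvent(
        timestamp=float(m.group(1)),
        serial=int(m.group(2)),
        table=table,
        generation=generation,
        family=NFPROTO_NAMES.get(family_num, str(family_num)),
        entries=int(fields.get("entries", 0)),
        op=op,
        source="nftables" if op.startswith("nft_") else "legacy",
        pid=int(fields["pid"]) if "pid" in fields else None,
        comm=fields.get("comm"),
    )


def parse_log(lines: List[str]) -> List[NfCfgEvent]:
    """Keep only the NETFILTER_CFG records from a mixed audit log."""
    return [e for e in (parse_netfilter_cfg(l) for l in lines) if e is not None]


def unexpected_changes(lines: List[str], trusted_comms: Set[str]) -> List[NfCfgEvent]:
    """Firewall configuration changes whose originating comm is not on the allow-list."""
    return [e for e in parse_log(lines) if e.comm not in trusted_comms]


if __name__ == "__main__":
    for ev in unexpected_changes(SAMPLE_LINES, {"nft", "iptables-legacy", "firewalld"}):
        print(f"ALERT serial={ev.serial} {ev.source} {ev.op} table={ev.table} gen={ev.generation} "
              f"family={ev.family} entries={ev.entries} pid={ev.pid} comm={ev.comm}")
```

The allow-list on `comm` is deliberately weak (a process name is trivially spoofed); in practice pair it with the SYSCALL record sharing the same serial, which carries the executable path and uid, and treat any `nft_*` change outside a maintenance window as worth a look regardless of comm.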