search

linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
Other
139 stars 37 forks source link

RFE: missing sport and dport from NETFILTER_PKT audit log #162

Open mvasi90 opened 4 months ago

mvasi90 commented 4 months ago

nft log level audit writes the messages into the audit buffer for reading with ausearch.

I want to use it instead of journalctl, but it is very limited. Only shows saddr,daddr and proto:

ausearch -i -m netfilter_pkt
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:52.819:576) : mark=0x0 saddr=<ip> daddr=<ip> proto=tcp 
----
type=NETFILTER_PKT msg=audit(06/20/2024 15:49:56.452:577) : mark=0x0 saddr=<ip> daddr=<ip> proto=tcp 
...

dpt and spt is needed. For the output packets the sid and gid is needed.

I can't believe I'm the only one who has this need. No one else has reported it?

pcmoore commented 4 months ago

No one else has reported it?

I don't believe so, but I could be wrong. If you are interested in this new functionality, patches are always welcome upstream.