linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

RFE: Add "who" fields to AUDIT_NETFILTER_CFG records #35

Closed rgbriggs closed 3 years ago

rgbriggs commented 7 years ago

From: https://www.redhat.com/archives/linux-audit/2017-January/msg00077.html

AUDIT_NETFILTER_CFG records currently list: table,family,entries

What is missing is everything about who sent it: pid,uid,auid,ses,subj,exe,res

To make it compatible with the majority of records, suggested format is: pid,uid,auid,ses,subj,table,family,entries,exe,res

rgbriggs commented 7 years ago

The associated SYSCALL record for setsockopt includes: ppid=561 pid=2864 auid=root uid=root ... ses=1 ... subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ... exe=/usr/sbin/xtables-multi ... success=yes

This appears to meet the requirements already. In addition, the PROCTITLE record gives the entire configuration command.

rgbriggs commented 7 years ago

Steve Grubb reports that unaccompanied records exist.

Further checking with multiple machines with "ausearch -i -m netfilter_cfg | less" produces all accompanied records on a rawhide VM while an f24 laptop produces all unaccompanied records.

This is inconsistent. It is a system configuration change record that should stand on its own unrelated to a SYSCALL record (though the PROCTITLE record appears at least somewhat useful to record the command that triggered it, but is unreliable).
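One way to make the accompanied/unaccompanied check described above repeatable, as an added example that is not code from the issue or the kernel: group raw audit records by event id (the timestamp:serial in msg=audit(...)) and report every NETFILTER_CFG record with no SYSCALL record in the same event, pulling the "who" fields from SYSCALL where one exists. The log lines below are constructed sample records, not output from the machines mentioned.

```python
import re
from collections import defaultdict

# Every raw audit record starts with:
#   type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value ...>
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The "who" fields the issue says NETFILTER_CFG lacks; taken from SYSCALL when present
WHO_FIELDS = ("pid", "uid", "auid", "ses", "subj", "exe", "success")

def parse_event_groups(lines):
    """Group raw audit records by event id, returning {event_id: {type: fields}}."""
    events = defaultdict(dict)
    for line in lines:
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # not a raw audit record (blank, '----', etc.)
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[f"{ts}:{serial}"][rtype] = fields
    return events

def audit_netfilter_cfg(lines):
    """Return (accompanied, unaccompanied).

    accompanied:   event id -> table/family/entries merged with the SYSCALL who-fields
    unaccompanied: event ids whose NETFILTER_CFG record has no SYSCALL record at all
    """
    accompanied, unaccompanied = {}, []
    for eid, records in parse_event_groups(lines).items():
        cfg = records.get("NETFILTER_CFG")
        if cfg is None:
            continue
        sc = records.get("SYSCALL")
        if sc is None:
            unaccompanied.append(eid)
            continue
        accompanied[eid] = {**cfg, **{k: sc.get(k) for k in WHO_FIELDS}}
    return accompanied, unaccompanied

# Constructed sample: event 1001 carries SYSCALL/PROCTITLE, event 1002 stands alone.
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1485900000.100:1001): table=filter family=2 entries=6
type=SYSCALL msg=audit(1485900000.100:1001): arch=c000003e syscall=54 success=yes exit=0 ppid=561 pid=2864 auid=0 uid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm="xtables-multi" exe="/usr/sbin/xtables-multi" key=(null)
type=PROCTITLE msg=audit(1485900000.100:1001): proctitle=69707461626C6573002D41
type=NETFILTER_CFG msg=audit(1485900100.200:1002): table=nat family=2 entries=5
""".splitlines()

if __name__ == "__main__":
    acc, unacc = audit_netfilter_cfg(SAMPLE_LOG)
    print("accompanied:", acc)
    print("unaccompanied (no SYSCALL record):", unacc)
```

On a real system feed it `ausearch --raw -m netfilter_cfg` output instead of SAMPLE_LOG; records are grouped by event id, so interleaved events from other processes are handled correctly.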

rgbriggs commented 7 years ago

From https://www.redhat.com/archives/linux-audit/2017-February/msg00087.html: pid, uid, auid, ses, subj, comm, exe, table, family, entries

rgbriggs commented 7 years ago

Recommend exposing audit_log_task() to add this information where necessary and possibly adding syscall information to round out the picture, creating a new standalone record NETFILTER_CFGSOLO calling audit_log_start() passing in a NULL context to make it an unaccompanied record to log system configuration changes when a syscall rule does not exist to capture the event.

rgbriggs commented 7 years ago

Posted RFC patchset upstream:

- https://www.redhat.com/archives/linux-audit/2017-May/msg00034.html
- http://marc.info/?l=netfilter-devel&m=149512814901358&w=2
- http://marc.info/?l=netfilter-devel&m=149512820601374&w=2
- http://marc.info/?l=netfilter-devel&m=149512821101377&w=2
- http://marc.info/?l=netfilter-devel&m=149512823001388&w=2

rgbriggs commented 7 years ago

Better but slower netfilter-devel archive link: http://www.spinics.net/lists/netfilter-devel/msg47986.html

pcmoore commented 7 years ago

@stevegrubb made a similar request for NETFILTER_CFG in #58 (closed as a duplicate):

This event should be a simple record with the following fields: pid, uid, auid, tty, session, context, comm, exe (in this order) + old value + new value if applicable.

rgbriggs commented 3 years ago

This can be closed since it is upstream in v5.8-rc1:

- c4dad0a ("audit: tidy and extend netfilter_cfg x_tables")
- a45d885 ("netfilter: add audit table unregister actions")
- db9ff6e ("audit: make symbol 'audit_nfcfgs' static")
- 9d44a12 ("audit: add subj creds to NETFILTER_CFG record to")

Note: the userspace parser didn't make it into audit-3.0 (patches were on the mailing list months ago; a PR has since been issued).