These clarifications have really helped. I will definitely check out
your presentations, Richard.
Thank you again to both of you for your patient explanations. They are
much appreciated.
Have a good weekend!
Bruce
On Fri, Mar 10, 2023 at 1:38 PM Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 2023-03-10 11:04, Paul Moore wrote:
> On Fri, Mar 10, 2023 at 9:36 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
> > On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> > > Anyway, I think I need to spend some time playing until that "aha!"
> > > moment comes. It feels a lot closer thanks to both of your responses
> > > and I really appreciate the time you've taken to read my emails and
> > > respond to them.
> >
> > There are simple events which are one line and compound events which are
> > multiple lines - called records. The simple events tend to be hardwired and
> > not optional. For example, logins are hardwired; kernel config changes are
> > hardwired; authentication is hardwired.
>
> Reading Steve's response I'm not sure we use the same terminology, or
> perhaps we explain it a bit differently. Regardless, here is a quick
> definition that I stick to when discussing audit:
>
> "audit record": An audit record is a single line in the audit log that
> consists of a timestamp, record type (type=XXX), and a series of
> fields which are dependent on the record type. Here is an example of
> a SYSCALL record:
>
> type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
> arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
> a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
> auid=root uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
> exe=/usr/lib/systemd/systemd
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
> "audit event": An audit event consists of multiple audit records
> grouped together by a single timestamp. Single record audit events
> are allowed and do exist. There is no upper bound on the number of
> records allowed in an audit event. Here is an example of an audit
> event consisting of PROCTITLE, SYSCALL, and BPF audit records:
>
> type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) :
> proctitle=(systemd)
> type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
> arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
> a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
> auid=root uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
> exe=/usr/lib/systemd/systemd
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=BPF msg=audit(03/10/2023 10:59:00.797:563) :
> prog-id=172 op=LOAD
An "audit event", which is a collection of audit records with the same
timestamp and serial number, corresponds to *one* event of interest to the
audit subsystem, either due to internal rules or added audit rules that,
when triggered, record audit information into a set of records that are
all related to give a larger picture of the circumstances of that event.
Configuration changes, such as audit rules being added or firewall rules
being changed, are hardwired.
> I hope that helps.
>
> --
> paul-moore.com
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
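Added example, not code from the thread: a small Python parser that applies the definitions given above, splitting ausearch-style lines into records and grouping them into events by their shared timestamp and serial number. The log text is constructed: the first three lines are the PROCTITLE/SYSCALL/BPF event quoted in the thread, the fourth is a made-up single-record event with a different serial so the grouping is visible.

```python
import re

# Constructed sample log: the PROCTITLE/SYSCALL/BPF event quoted in the thread
# (ausearch -i style output), followed by a constructed single-record event with
# a different serial number so that the grouping is visible.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) : proctitle=(systemd)
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=BPF msg=audit(03/10/2023 10:59:00.797:563) : prog-id=172 op=LOAD
type=CONFIG_CHANGE msg=audit(03/10/2023 10:59:03.210:564) : op=add_rule key=(null) list=exit res=yes
"""

# One audit record: "type=XXX msg=audit(<timestamp>:<serial>) : k=v k=v ..."
RECORD_RE = re.compile(r"^type=(\S+)\s+msg=audit\((.+?):(\d+)\)\s*:\s*(.*)$")


def parse_record(line):
    """Split one log line into (type, timestamp, serial, fields), or None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, rest = m.groups()
    fields = {}
    for token in rest.split():  # record fields have no embedded spaces in this format
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return rtype, stamp, int(serial), fields


def group_events(text):
    """Group records into events keyed by (timestamp, serial), preserving log order.

    Records that share a timestamp and serial number belong to one event, as the
    thread explains; a single-record event is simply a key with a one-entry list.
    """
    events = {}  # insertion-ordered on Python 3.7+
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip blank or non-record lines rather than guessing
        rtype, stamp, serial, fields = rec
        events.setdefault((stamp, serial), []).append((rtype, fields))
    return events


def summarize(events):
    """Return [(serial, [record types...])] so the shape of each event is easy to read."""
    return [(serial, [t for t, _ in recs]) for (_, serial), recs in events.items()]
```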