On 2021-02-26 15:21, Andreas Hasenack wrote:
> Hi,

Hi Andreas,

> is there a way to audit ipset changes?
> The closest I got was to log the specific "socket(AF_NETLINK, SOCK_RAW,
> NETLINK_NETFILTER)" call that ipset makes, but that obviously also triggers
> read-only operations like "ipset list", and any other app that opens such a
> socket.
Issue ghak124 (https://github.com/linux-audit/audit-kernel/issues/124)
introduced auditing for nftables modifications. It turns out it was far
too verbose but may have listed these actions for the iptables-nft
variant. That is about to be trimmed but should still catch any
changes for nftables.
What parameters do you wish to have logged? At a quick look, I'm
guessing table doesn't make sense since a set could be used by any
registered table? But the set name would, followed by protocol family,
number of items changed, and the operation name?
How much life does iptables have to it? Given that this command can
change the configuration of iptables (and ip6tables, ebtables,...) it
would seem this should be logged.
Steve?
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
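As an added illustration of the detection approach Andreas describes (not code from this thread), the Python below filters audit SYSCALL records for socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) and reports which programs opened such a socket; it also makes his limitation visible, since a read-only "ipset list" and a modifying "ipset add" produce identical records and only comm/exe can be reported. The sample log lines and the rule key "ipset-netlink" are constructed, and the syscall number assumes x86_64.

```python
import re
from collections import Counter

# Values as they appear in audit SYSCALL records (hex, no 0x prefix), x86_64:
# socket(2) is syscall 41; AF_NETLINK=16 (0x10), SOCK_RAW=3, NETLINK_NETFILTER=12 (0xc).
SOCKET_SYSCALL_NR = "41"
AF_NETLINK = 0x10
SOCK_RAW = 0x3
NETLINK_NETFILTER = 0xC
SOCK_TYPE_MASK = 0xF  # drop SOCK_CLOEXEC / SOCK_NONBLOCK flags from the type argument

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a field -> value dict (surrounding quotes removed)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_nf_netlink_socket(rec):
    """True if the record is socket(AF_NETLINK, SOCK_RAW[|flags], NETLINK_NETFILTER)."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != SOCKET_SYSCALL_NR:
        return False
    try:
        a0, a1, a2 = (int(rec[k], 16) for k in ("a0", "a1", "a2"))
    except (KeyError, ValueError):
        return False
    return a0 == AF_NETLINK and (a1 & SOCK_TYPE_MASK) == SOCK_RAW and a2 == NETLINK_NETFILTER

def summarize(lines):
    """Count matching records per (comm, exe). Note: the record cannot tell an
    'ipset list' apart from an 'ipset add'; both open the same socket."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if is_nf_netlink_socket(rec):
            hits[(rec.get("comm", "?"), rec.get("exe", "?"))] += 1
    return hits

# Constructed sample records (not real audit output); a1=80003 is SOCK_RAW|SOCK_CLOEXEC.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1614354000.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=80003 a2=c a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="ipset" exe="/usr/sbin/ipset" key="ipset-netlink"
type=SYSCALL msg=audit(1614354001.202:202): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=80003 a2=c a3=0 items=0 ppid=1200 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="ipset" exe="/usr/sbin/ipset" key="ipset-netlink"
type=SYSCALL msg=audit(1614354002.303:203): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=3 a2=c a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="conntrack" exe="/usr/sbin/conntrack" key="ipset-netlink"
type=SYSCALL msg=audit(1614354003.404:204): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1200 pid=1300 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="ipset-netlink"
"""

if __name__ == "__main__":
    for (comm, exe), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{n:3d}  {comm:<12} {exe}")
```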