On Wed, May 24, 2017 at 2:09 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2017-05-24 19:36, Pablo Neira Ayuso wrote:
> > On Thu, May 18, 2017 at 01:21:49PM -0400, Richard Guy Briggs wrote:
> > > There were syscall events unsolicited by any audit rule caused by a missing
> > > !audit_dummy_context() check before creating an
> > > iptables/ip6tables/arptables/ebtables NETFILTER_CFG record. Check
> > > !audit_dummy_context() before creating the NETFILTER_CFG record.
> > >
> > > The vast majority of observed unaccompanied records are caused by the fedora
> > > default rule: "-a never,task" and the occasional early startup one is I believe
> > > caused by the iptables filter table module hard linked into the kernel rather
> > > than a loadable module. The !audit_dummy_context() check above should avoid
> > > them. Audit only when there is an existing syscall audit rule, otherwise issue
> > > a standalone record only on table modification rather than empty table
> > > creation.
> > >
> > > Add subject attributes to the new standalone NETFILTER_CFGSOLO record using
> > > a newly exported audit_log_task().
> >
> > This new NETFILTER_CFGSOLO looks like audit infra is missing some way
> > to export a revision / context to userspace? It's duplicating quite a
> > bit of the code from what I can see in this patch.
>
> Interesting you brought that up. I did another revision that stores
> this information in a struct audit_context and greatly simplifies the
> code in netfilter and re-uses code in audit itself, which may be a
> better way to go, but that idea needed to settle a bit more before
> seeing peer review.
>
> I'm also having doubts about two record types.

Richard and I had a discussion about this a week (or two?) ago and I'm
currently of the opinion that two record types are a mistake. I agree
that we need to add the audit_dummy_context() check but the other
changes in this patch I'm less excited about.
--
paul moore
www.paul-moore.com