On 2017-01-19 08:45, Steve Grubb wrote:
> On Thursday, January 19, 2017 5:10:44 AM EST Richard Guy Briggs wrote:
> > On 2017-01-17 10:42, Richard Guy Briggs wrote:
> > > On 2017-01-17 09:07, Steve Grubb wrote:
> > > > Hello Richard,
> > > >
> > > > While we're in the NETFILTER area, the CFG event is lacking some fields,
> > > > too. It's currently:
> > > >
> > > > table,family,entries
> > > >
> > > > It's missing everything about *who* sent it:
> > > > pid,uid,auid,ses,subj,exe,res
> > > >
> > > > I'd suggest:
> > > >
> > > > pid,uid,auid,ses,subj,table,family,entries,exe,res
> > > >
> > > > to make it compatible with the majority of records.
> > >
> > > Ok, I've created an issue to track this:
> > >
> > > https://github.com/linux-audit/audit-kernel/issues/35
> >
> > And I've just closed it since the associated SYSCALL setsockopt record
> > lists all that information.
>
> AUDIT_NETFILTER_CFG sometimes comes out of the kernel with no syscall record.
> Try this,
>
> ausearch --start today -m netfilter_cfg | less
>
> You should see at least one that has no syscall record. This begs the question
> of why there is even a SYSCALL record? AUDIT_NETFILTER_CFG is not extra
> information that is gathered to help explain what the syscall means. It's a
> change to system configuration in its own right. It should not be attached to a
> syscall record - especially if it's not consistent. It should be complete and
> stand on its own.
On my rawhide test VM, they are all accompanied by SYSCALL setsockopt
records. On my laptop running f24, they are all orphans.
Manually setting iptables rules on the laptop yields a standalone record
so I will assume this is a difference of kernels, and not exhibiting
dual behaviour on one kernel. It might be a different kernel version,
or different kernel config.
I'll re-open this issue and add this information...
As to why, I wonder if the message ID is somehow getting re-used when it
should not be? I don't have a SYSCALL rule to trigger the syscall
logging, so that's another clue...
> Thanks,
> -Steve
>
> > > > Incidentally, I created a
> > > > chart that shows how each record type is alike and different from every
> > > > other record. You might call it a record grammar tree:
> > > >
> > > > http://people.redhat.com/sgrubb/audit/record-fields.html
> > > >
> > > > I'd like to align as many events as possible to pid,uid,auid section of
> > > > the graph.
> > > >
> > > > -Steve
> > >
> > > - RGB
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb(a)redhat.com>
> > Kernel Security Engineering, Base Operating Systems, Red Hat
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
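Steve's ausearch check above relies on reading the output by eye. As an added example that is not code from the thread or from the audit project, the following Python groups raw audit.log records by their audit(timestamp:serial) event id, reports NETFILTER_CFG events that arrive with no SYSCALL record, and lists which of the proposed who-fields an event still lacks; the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not a real capture): event 1001 pairs a
# NETFILTER_CFG record with its SYSCALL setsockopt record; event 1002 is an orphan.
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1484838000.123:1001): table=filter family=2 entries=12
type=SYSCALL msg=audit(1484838000.123:1001): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=7ffcd0a1b2c0 items=0 ppid=1 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="iptables" exe="/usr/sbin/xtables-multi" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1484838060.456:1002): table=nat family=2 entries=5
"""

# Every audit record starts with type=<TYPE> msg=audit(<timestamp>:<serial>):
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
# The "who" fields proposed in the thread for NETFILTER_CFG.
SUBJECT_FIELDS = ("pid", "uid", "auid", "ses", "subj", "exe", "res")

def parse_record(line):
    """Split one raw record into (type, serial, {field: value}); None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
    return rtype, int(serial), fields

def group_events(lines):
    """Group records by serial; all records of one event share timestamp:serial."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec[1]].append(rec)
    return events

def find_orphan_netfilter_cfg(lines):
    """Serials of NETFILTER_CFG events that carry no SYSCALL record at all."""
    orphans = []
    for serial, recs in sorted(group_events(lines).items()):
        types = {rtype for rtype, _, _ in recs}
        if "NETFILTER_CFG" in types and "SYSCALL" not in types:
            orphans.append(serial)
    return orphans

def missing_subject_fields(lines, serial):
    """SUBJECT_FIELDS no record of the event supplies; SYSCALL has success=, not res=."""
    present = set()
    for _, _, fields in group_events(lines)[serial]:
        present.update(fields)
    return [f for f in SUBJECT_FIELDS if f not in present]
```

Run it against a real /var/log/audit/audit.log (or `ausearch --raw` output) to count how many NETFILTER_CFG events on a given kernel carry no subject information at all.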