On Thu, May 18, 2017 at 1:21 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
Generate audit NETFILTER_CFG records on ebtables table registration.
Previously this was only being done for all x_tables operations and ebtables
table replacement.
Audit only when there is an existing syscall audit rule, otherwise issue a
standalone record only on table modification rather than empty table creation.
Include subject attributes to the new standalone NETFILTER_CFGSOLO record using
audit_log_task().
Here is a sample accompanied record:
type=NETFILTER_CFG msg=audit(1494907217.558:5403): family=7 table=filter entries=0
and unaccompanied case:
type=UNKNOWN[1331] msg=audit(1494723394.832:111): auid=4294967295 uid=0 gid=0
ses=4294967295 subj=system_u:system_r:iptables_t:s0 pid=556
comm="ebtables-restor" exe="/usr/sbin/ebtables-restore" family=7
table=broute entries=1
See:
https://github.com/linux-audit/audit-kernel/issues/43
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
net/bridge/netfilter/ebtables.c | 26 ++++++++++++++++++++++++++
1 files changed, 26 insertions(+), 0 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 743f9e6..7499232 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1251,6 +1251,32 @@ struct ebt_table * ebt_register_table(struct net *net,
}
list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
mutex_unlock(&ebt_mutex);
+#ifdef CONFIG_AUDIT
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+
+ if(!audit_dummy_context()) {
+ ab = audit_log_start(current->audit_context, GFP_KERNEL,
+ AUDIT_NETFILTER_CFG);
+ if (ab) {
+ audit_log_format(ab, "family=%u table=%s
entries=%u",
+ AF_BRIDGE, repl->name,
+ repl->nentries);
+ audit_log_end(ab);
+ }
+ } else if(repl->nentries) {
+ ab = audit_log_start(NULL, GFP_KERNEL,
+ AUDIT_NETFILTER_CFGSOLO);
+ if (ab) {
+ audit_log_task(ab);
+ audit_log_format(ab, " family=%u table=%s
entries=%u",
+ AF_BRIDGE, repl->name,
+ repl->nentries);
+ audit_log_end(ab);
+ }
+ }
+ }
+#endif
Similar comments from patch 3/6 apply here, let's stick with a single
audit record type.
--
paul moore