On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> Anyway, I think I need to spend some time playing until that "aha!"
> moment comes. It feels a lot closer thanks to both of your responses
> and I really appreciate the time you've taken to read my emails and
> respond to them.
There are simple events which are one line and compound events which are
multiple lines - called records. The simple events tend to be hardwired and
not optional. For example, logins are hardwired; kernel config changes are
hardwired; authentication is hardwired.
The compound events tend to be related to audit rules (but not always). When
the rule triggers, the syscall triggering the recording travels around
different parts of the kernel. As it does so, there is code that observes and
records different attributes of what it's doing. It may record the path, the
socket, the command line, arguments of the syscall, etc. Then when the
syscall finishes, the different observations are lumped together with the same
serial number and output to the audit daemon.
The events originating from a rule can optionally have a key. This is to
allow grouping of multiple rules that meet the same requirement. Simple
events never have a key.
There are a couple of presentations here that may help understand the audit
system:
https://people.redhat.com/sgrubb/audit/
-Steve
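The distinction Steve describes above (one-line simple events versus multi-record compound events that share a serial number, with an optional key carried by the rule-generated SYSCALL record) is easy to see in code. The following is an added example, not code from the thread or from the audit project: a small parser that groups raw audit.log lines into events by the serial number inside `msg=audit(TIME:SERIAL)`, decodes the hex-encoded PROCTITLE record, and reports whether each event is simple or compound and which key, if any, it carries. The log lines are constructed for the example; the user, paths and serial numbers are invented.

```python
"""Group raw auditd records into events by serial number (added example)."""
import re

# Constructed sample (not real log data): one compound event (serial 4567)
# produced by a file-watch rule keyed "etc-shadow", then a simple, hardwired
# USER_LOGIN event (serial 4568) that carries no key at all.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1678397548.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d4c3a2b1a0 a2=80000 a3=0 items=1 ppid=1234 pid=5678 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="etc-shadow"
type=CWD msg=audit(1678397548.123:4567): cwd="/home/bruce"
type=PATH msg=audit(1678397548.123:4567): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1678397548.123:4567): proctitle=636174002F6574632F736861646F77
type=USER_LOGIN msg=audit(1678397560.000:4568): pid=900 uid=0 auid=1000 ses=4 subj=unconfined msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
"""

# Every record starts with "type=<TYPE> msg=audit(<seconds.millis>:<serial>):".
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<time>[0-9.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# Fields are name=value; values are bare, "double-quoted" or 'single-quoted'
# (the single-quoted form wraps the nested msg='...' of user-space records).
FIELD_RE = re.compile(r"""(\w+)=(?:'([^']*)'|"([^"]*)"|(\S*))""")


def parse_fields(body):
    """Turn a record body into a dict, stripping whichever quoting was used."""
    fields = {}
    for m in FIELD_RE.finditer(body):
        name, single, double, bare = m.groups()
        fields[name] = single if single is not None else double if double is not None else bare
    return fields


def parse_record(line):
    """Parse one audit.log line; return None for lines that are not records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group('body')
    fields = parse_fields(body)
    # User-space records nest their payload in msg='...'; lift those fields up
    # without clobbering outer ones of the same name.
    if 'msg' in fields and '=' in fields['msg']:
        for k, v in parse_fields(fields['msg']).items():
            fields.setdefault(k, v)
    # PROCTITLE is hex-encoded when the argv contains NULs or non-printables;
    # only decode when the raw value is unquoted hex of even length.
    hexval = re.search(r'proctitle=([0-9A-Fa-f]+)(?:\s|$)', body)
    if m.group('type') == 'PROCTITLE' and hexval and len(hexval.group(1)) % 2 == 0:
        raw = bytes.fromhex(hexval.group(1)).decode('utf-8', 'replace')
        fields['proctitle'] = raw.replace('\x00', ' ')  # argv separators are NUL bytes
    return {'type': m.group('type'), 'time': float(m.group('time')),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Collect records into events keyed by serial number, in first-seen order."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec['serial'], []).append(rec)
    return events


def summarize_event(records):
    """Classify an event as simple/compound and pull out key, comm and paths."""
    syscall = next((r for r in records if r['type'] == 'SYSCALL'), None)
    key = syscall['fields'].get('key') if syscall else None
    return {
        'serial': records[0]['serial'],
        'kind': 'compound' if len(records) > 1 else 'simple',
        'records': [r['type'] for r in records],
        # auditd writes key=(null) when the rule set no key; simple events have none.
        'key': None if key in (None, '(null)') else key,
        'comm': syscall['fields'].get('comm') if syscall else None,
        'paths': [r['fields']['name'] for r in records
                  if r['type'] == 'PATH' and 'name' in r['fields']],
        'proctitle': next((r['fields'].get('proctitle') for r in records
                           if r['type'] == 'PROCTITLE'), None),
    }


def summarize_log(text):
    """Summarize every event in a block of audit.log text."""
    return [summarize_event(recs) for recs in group_events(text.splitlines()).values()]


if __name__ == '__main__':
    for ev in summarize_log(SAMPLE_LOG):
        print(ev)
```

Grouping on the serial number rather than on record order is what makes this robust: records of one event are contiguous in audit.log, but once logs are merged or forwarded they may interleave, and the serial number is the only thing the kernel guarantees they share. The key lookup lives on the SYSCALL record because that is the record the rule attaches it to, which is why the hardwired USER_LOGIN event comes back with no key.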