On Thu, Jan 19, 2017 at 9:50 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2017-01-19 08:45, Steve Grubb wrote:
> > AUDIT_NETFILTER_CFG sometimes comes out of the kernel with no syscall record.
> > Try this,
> >
> > ausearch --start today -m netfilter_cfg | less
> >
> > You should see at least one that has no syscall record. This begs the question
> > of why there is even a SYSCALL record? AUDIT_NETFILTER_CFG is not extra
> > information that is gathered to help explain what the syscall means. It's a
> > change to system configuration in its own right. It should not be attached to a
> > syscall record - especially if it's not consistent. It should be complete and
> > stand on its own.
>
> On my rawhide test VM, they are all accompanied by SYSCALL setsockopt
> records. On my laptop running f24, they are all orphans.
>
> Manually setting iptables rules on the laptop yields a standalone record,
> so I will assume this is a difference of kernels, and not exhibiting
> dual behaviour on one kernel. It might be a different kernel version,
> or a different kernel config.
>
> I'll re-open this issue and add this information...
>
> As to why, I wonder if the message ID is somehow getting re-used when it
> should not be? I don't have a SYSCALL rule to trigger the syscall
> logging, so that's another clue...
Let's try to understand this problem ... something is triggering a
change, why aren't we seeing it?
--
paul moore
www.paul-moore.com
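As an added example (not code from the thread or from the audit project), the snippet below groups raw audit records by their audit(ts:serial) event identifier and reports which NETFILTER_CFG events carry a companion SYSCALL record and which are orphans, the inconsistency discussed above. The sample records are constructed and the field layout is the usual type=... msg=audit(...) form.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread). Event 456 carries a
# SYSCALL record; event 457 is an "orphan" NETFILTER_CFG with no SYSCALL line.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1484838600.123:456): arch=c000003e syscall=54 success=yes exit=0 comm="iptables" exe="/usr/sbin/xtables-multi"
type=NETFILTER_CFG msg=audit(1484838600.123:456): table=filter family=2 entries=12
type=NETFILTER_CFG msg=audit(1484838605.987:457): table=nat family=2 entries=6
type=SYSCALL msg=audit(1484838610.001:458): arch=c000003e syscall=59 success=yes exit=0 comm="bash" exe="/usr/bin/bash"
"""

# Every record starts with its type and the audit(<timestamp>:<serial>) event id.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')

def parse_records(text):
    """Yield (event_id, record_type, fields) for each well-formed record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # ignore malformed or unrelated lines
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('body')))
        yield (m.group('ts'), m.group('serial')), m.group('type'), fields

def group_events(text):
    """Group records into events keyed by (timestamp, serial), as ausearch does."""
    events = defaultdict(lambda: defaultdict(list))
    for event_id, rtype, fields in parse_records(text):
        events[event_id][rtype].append(fields)
    return events

def netfilter_cfg_summary(text):
    """One entry per NETFILTER_CFG event, noting whether a SYSCALL record accompanies it."""
    out = []
    for event_id, recs in sorted(group_events(text).items()):
        if 'NETFILTER_CFG' not in recs:
            continue
        syscalls = recs.get('SYSCALL', [])
        out.append({
            'event': f'{event_id[0]}:{event_id[1]}',
            'tables': [r.get('table') for r in recs['NETFILTER_CFG']],
            'has_syscall': bool(syscalls),
            'comm': syscalls[0].get('comm', '').strip('"') if syscalls else None,
        })
    return out

if __name__ == '__main__':
    for entry in netfilter_cfg_summary(SAMPLE_LOG):
        print(entry)
```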