On 2023-03-10 11:04, Paul Moore wrote:
On Fri, Mar 10, 2023 at 9:36 AM Steve Grubb <sgrubb(a)redhat.com>
wrote:
> On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> > Anyway, I think I need to spend some time playing until that "aha!"
> > moment comes. It feels a lot closer thanks to both of your responses
> > and I really appreciate the time you've taken to read my emails and
> > respond to them.
>
> There are simple events which are one line and compound events which are
> multiple lines - called records. The simple events tend to be hardwired and
> not optional. For example, logins are hardwired; kernel config changes are
> hardwired; authentication is hardwired.
Reading Steve's response I'm not sure we use the same terminology, or
perhaps we explain it a bit differently. Regardless, here is a quick
definition that I stick to when discussing audit:
"audit record": An audit record is a single line in the audit log that
consists of a timestamp, record type (type=XXX), and a series of
fields which are dependent on the record type. Here is an example of
a SYSCALL record:
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
auid=root uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
exe=/usr/lib/systemd/systemd
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"audit event": An audit event consists of multiple audit records
grouped together by a single timestamp. Single record audit events
are allowed and do exist. There is no upper bound on the number of
records allowed in an audit event. Here is an example of an audit
event consisting of PROCTITLE, SYSCALL, and BPF audit records:
type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) :
proctitle=(systemd)
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
auid=root uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
exe=/usr/lib/systemd/systemd
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=BPF msg=audit(03/10/2023 10:59:00.797:563) :
prog-id=172 op=LOAD
An "audit event", which is a collection of audit records with the same
timestamp and serial number, corresponds to *one* event of interest to the
audit subsystem, either due to internal rules or added audit rules that,
when triggered, record audit information into a set of records that are
all related to give a larger picture of the circumstances of that event.
Configuration changes, being audit rules added, or firewall rules
changes, are hardwired.
I hope that helps.
--
paul-moore.com
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
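The record/event distinction described in this thread, as an added example that is not code from the thread or from the audit project: it parses `ausearch -i` style lines, groups records into events by the (timestamp, serial) pair in `msg=audit(...)`, and pulls the related fields together. The sample log is constructed (the three-record event from the thread plus a made-up single-record CONFIG_CHANGE event); record types and field names follow the thread, everything else is assumed.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass

# Constructed sample in `ausearch -i` style, one record per line.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) : proctitle=(systemd)
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd exe=/usr/lib/systemd/systemd subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=BPF msg=audit(03/10/2023 10:59:00.797:563) : prog-id=172 op=LOAD
type=CONFIG_CHANGE msg=audit(03/10/2023 11:02:17.120:570) : auid=root ses=10 op=add_rule key=(null) list=exit res=yes
"""

# type=XXX, then msg=audit(<timestamp>:<serial>), then the type-specific fields.
RECORD_RE = re.compile(r"^type=(?P<rtype>\S+) msg=audit\((?P<stamp>[^)]*)\) : ?(?P<body>.*)$")


@dataclass
class Record:
    rtype: str       # record type, e.g. SYSCALL
    timestamp: str   # interpreted timestamp as printed by ausearch -i
    serial: int      # event serial number; shared by all records of one event
    fields: dict     # key=value fields, dependent on the record type


def parse_record(line):
    """Parse one audit record (one log line) into its type, event id and fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    # The interpreted timestamp contains a space, so split off the serial from the right.
    timestamp, serial = m.group("stamp").rsplit(":", 1)
    fields = {}
    for token in m.group("body").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return Record(m.group("rtype"), timestamp, int(serial), fields)


def group_events(text):
    """Group records into events keyed by (timestamp, serial), in log order."""
    events = OrderedDict()
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault((rec.timestamp, rec.serial), []).append(rec)
    return events


def describe_event(records):
    """Combine the records of one event into a single picture of what happened."""
    by_type = {r.rtype: r.fields for r in records}
    syscall = by_type.get("SYSCALL", {})
    return {"serial": records[0].serial, "types": [r.rtype for r in records],
            "comm": syscall.get("comm"), "syscall": syscall.get("syscall"),
            "prog_id": by_type.get("BPF", {}).get("prog-id")}
```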