On Fri, Mar 10, 2023 at 9:36 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Thursday, March 9, 2023 5:52:28 PM EST Bruce Elrick wrote:
> > Anyway, I think I need to spend some time playing until that "aha!"
> > moment comes. It feels a lot closer thanks to both of your responses
> > and I really appreciate the time you've taken to read my emails and
> > respond to them.
> There are simple events which are one line and compound events which are
> multiple lines - called records. The simple events tend to be hardwired and
> not optional. For example, logins are hardwired; kernel config changes are
> hardwired; authentication is hardwired.
Reading Steve's response I'm not sure we use the same terminology, or
perhaps we explain it a bit differently. Regardless, here is a quick
definition that I stick to when discussing audit:
"audit record": An audit record is a single line in the audit log that
consists of a timestamp, record type (type=XXX), and a series of
fields which are dependent on the record type. Here is an example of
a SYSCALL record:
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
auid=root uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
exe=/usr/lib/systemd/systemd
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"audit event": An audit event consists of multiple audit records
grouped together by a single timestamp. Single record audit events
are allowed and do exist. There is no upper bound on the number of
records allowed in an audit event. Here is an example of an audit
event consisting of PROCTITLE, SYSCALL, and BPF audit records:
type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) :
proctitle=(systemd)
type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) :
arch=x86_64 syscall=bpf success=yes exit=12 a0=BPF_PROG_LOAD
a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 ppid=1 pid=2683
auid=root uid=root gid=root euid=root suid=root fsuid=root
egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd
exe=/usr/lib/systemd/systemd
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=BPF msg=audit(03/10/2023 10:59:00.797:563) :
prog-id=172 op=LOAD
I hope that helps.
--
paul-moore.com
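To make the record/event distinction above concrete, here is an added example (not code from the thread, the audit project, or Paul's tools) that parses audit log lines into records and groups them into events by the audit(<timestamp>:<serial>) identifier. The sample input re-joins the PROCTITLE/SYSCALL/BPF records quoted above onto single lines, as they appear in a real log, and adds one constructed single-record event in raw (epoch) timestamp format to show that both the interpreted and raw forms parse and that one-record events are valid.

```python
import re
from collections import OrderedDict

# One audit record per line: "type=<T> msg=audit(<timestamp>:<serial>)<sep>:" followed
# by whitespace-separated key=value fields. The separator tolerates both the raw form
# "audit(1678463940.797:563):" and the ausearch -i form "audit(03/10/2023 ...:563) :".
RECORD_RE = re.compile(r"^type=(\S+)\s+msg=audit\(([^)]+)\)\s*:\s*(.*)$")


def parse_record(line):
    """Return ((timestamp, serial), record_type, fields) for one record line, or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ident, rest = m.groups()
    # The identifier is "<timestamp>:<serial>". Interpreted timestamps contain
    # colons themselves, so split on the last colon only.
    timestamp, serial = ident.rsplit(":", 1)
    fields = {}
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return (timestamp, int(serial)), rtype, fields


def group_events(lines):
    """Group records into events keyed by (timestamp, serial), in first-seen order."""
    events = OrderedDict()
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue  # blank or non-record line
        event_id, rtype, fields = parsed
        events.setdefault(event_id, []).append((rtype, fields))
    return events


def summarize(events):
    """Map each event's serial number to the ordered list of record types it contains."""
    return {eid[1]: [rtype for rtype, _ in recs] for eid, recs in events.items()}


# Sample input: the three records quoted in the thread, re-joined onto single lines,
# plus one constructed raw-format single-record event (serial 564) for contrast.
SAMPLE_LOG = [
    "type=PROCTITLE msg=audit(03/10/2023 10:59:00.797:563) : proctitle=(systemd)",
    "type=SYSCALL msg=audit(03/10/2023 10:59:00.797:563) : arch=x86_64 syscall=bpf "
    "success=yes exit=12 a0=BPF_PROG_LOAD a1=0x7ffde0efc650 a2=0x80 a3=0x13 items=0 "
    "ppid=1 pid=2683 auid=root uid=root gid=root euid=root suid=root fsuid=root "
    "egid=root sgid=root fsgid=root tty=(none) ses=10 comm=systemd "
    "exe=/usr/lib/systemd/systemd "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)",
    "type=BPF msg=audit(03/10/2023 10:59:00.797:563) : prog-id=172 op=LOAD",
    "",
    # constructed: raw timestamp, one-record event
    "type=BPF msg=audit(1678463960.120:564): prog-id=172 op=UNLOAD",
]


if __name__ == "__main__":
    for event_id, records in group_events(SAMPLE_LOG).items():
        print(f"event {event_id}: {len(records)} record(s)")
        for rtype, fields in records:
            print(f"  {rtype}: {fields}")
```

Grouping on the full (timestamp, serial) pair rather than the serial alone matters because the serial counter restarts when the kernel or the audit subsystem is reset, so two events with the same serial can occur across a reboot. Correlating by that identifier is also what lets a detection rule pull the SYSCALL record's subject fields (auid, exe, subj) together with the BPF record's prog-id for the same event.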