On Tue, May 19, 2020 at 11:31 AM Richard Guy Briggs <rgb(a)redhat.com> wrote:
> Some table unregister actions seem to be initiated by the kernel to
> garbage collect unused tables that are not initiated by any userspace
> actions. It was found to be necessary to add the subject credentials to
> cover this case to reveal the source of these actions. A sample record:
>
> The tty, ses and exe fields have not been included since they are in the
> SYSCALL record and contain nothing useful in the non-user context.
>
> type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat family=bridge
> entries=0 op=unregister pid=153 uid=root auid=unset subj=system_u:system_r:kernel_t:s0
> comm=kworker/u4:2

Based on where things were left in the discussion on the previous
draft, I think it would be good if you could explain a bit why the uid
and auid fields are useful here.
--
paul moore
www.paul-moore.com
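
An added example, not part of the original thread or the kernel patch: a small parser that groups interpreted audit records by event and reports NETFILTER_CFG records that arrive without a SYSCALL record, the kernel-initiated case the quoted commit message describes. It assumes `ausearch -i` style lines like the sample record; the function names and the second (SYSCALL-accompanied) event are constructed for illustration.

```python
import re
from collections import defaultdict

# Interpreted record header, as in the sample: type=X msg=audit(<time>:<serial>) : k=v ...
HEADER = re.compile(r"type=(\S+) msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)")

def parse_record(line):
    """Return ((timestamp, serial), record_type, fields) or None if not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, rest = m.groups()
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return (stamp, int(serial)), rtype, fields

def orphaned_netfilter_cfg(lines):
    """NETFILTER_CFG records whose audit event has no SYSCALL record attached."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec[0]].append((rec[1], rec[2]))
    found = []
    for (stamp, serial), recs in sorted(events.items(), key=lambda e: e[0][1]):
        if any(rtype == "SYSCALL" for rtype, _ in recs):
            continue  # user-initiated: tty/ses/exe are in the SYSCALL record
        for rtype, f in recs:
            if rtype == "NETFILTER_CFG":
                keep = ("table", "family", "op", "pid", "subj", "comm")
                found.append({"serial": serial, **{k: f.get(k) for k in keep}})
    return found

SAMPLE = [
    # The sample record from the message, joined onto one line.
    "type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat "
    "family=bridge entries=0 op=unregister pid=153 uid=root auid=unset "
    "subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2",
    # Constructed event: a userspace change, so a SYSCALL record shares the event id.
    "type=NETFILTER_CFG msg=audit(2020-03-11 21:25:30.102:270) : table=filter "
    "family=ipv4 entries=4 op=register",
    "type=SYSCALL msg=audit(2020-03-11 21:25:30.102:270) : arch=x86_64 "
    "syscall=setsockopt success=yes exit=0 pid=1201 auid=root uid=root tty=pts0 "
    "ses=3 comm=iptables exe=/usr/sbin/xtables-legacy-multi "
    "subj=unconfined_u:unconfined_r:unconfined_t:s0",
]

if __name__ == "__main__":
    for hit in orphaned_netfilter_cfg(SAMPLE):
        print(hit)
```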