From: Paul Moore
Date: Thu, 16 Jan 2020 14:07:27 -0500
Subject: Re: [PATCH ghak25 v2 0/9] Address NETFILTER_CFG issues
To: Pablo Neira Ayuso
Cc: Richard Guy Briggs, Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, Eric Paris, ebiederm@xmission.com, tgraf@infradead.org
References: <20200116150518.gfmzixoqagmk77rw@salvia>
In-Reply-To: <20200116150518.gfmzixoqagmk77rw@salvia>
List-ID: linux-kernel@vger.kernel.org

On Thu, Jan 16, 2020 at 10:05 AM Pablo Neira Ayuso wrote:
> On Mon, Jan 06, 2020 at 01:54:01PM -0500, Richard Guy Briggs wrote:
> > There were questions about the presence and cause of unsolicited syscall events
> > in the logs containing NETFILTER_CFG records and sometimes unaccompanied
> > NETFILTER_CFG records.
> >
> > During testing at least the following list of events trigger NETFILTER_CFG
> > records and the syscalls related (there may be more events that will trigger
> > this message type):
> > init_module, finit_module: modprobe
> > setsockopt: iptables-restore, ip6tables-restore, ebtables-restore
> > unshare: (h?)ostnamed
> > clone: libvirtd
> >
> > The syscall events unsolicited by any audit rule were found to be caused by a
> > missing !audit_dummy_context() check before creating a NETFILTER_CFG
> > record and issuing the record immediately rather than saving the
> > information to create the record at syscall exit.
> > Check !audit_dummy_context() before creating the NETFILTER_CFG record.
> >
> > The vast majority of unaccompanied records are caused by the Fedora default
> > rule: "-a never,task" and the occasional early startup one is, I believe, caused
> > by the iptables filter table module hard linked into the kernel rather than a
> > loadable module. The !audit_dummy_context() check above should avoid them.
> >
> > A couple of other factors should help eliminate unaccompanied records,
> > which include commit cb74ed278f80 ("audit: always enable syscall
> > auditing when supported and audit is enabled"), which makes sure that
> > when audit is enabled, so automatically is syscall auditing, and ghak66,
> > which addressed initializing audit before PID 1.
> >
> > Ebtables module initialization to register tables doesn't generate records
> > because it was never hooked into audit. Recommend adding audit hooks to log
> > this.
> >
> > Table unregistration was never logged, which is now covered.
> >
> > Seemingly duplicate records are not actually exact duplicates; they are caused
> > by netfilter table initialization in different network namespaces from the same
> > syscall. Recommend adding the network namespace ID (proc inode and dev)
> > to the record to make this obvious (address later with ghak79 after nsid
> > patches).
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/25
> > See: https://github.com/linux-audit/audit-kernel/issues/35
> > See: https://github.com/linux-audit/audit-kernel/issues/43
> > See: https://github.com/linux-audit/audit-kernel/issues/44
>
> What tree is this batch targeted to?

I believe Richard was targeting this for the audit tree.

-- 
paul moore
www.paul-moore.com
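The cover letter quoted above separates NETFILTER_CFG records that arrive with their SYSCALL record from "unaccompanied" ones, and explains that seemingly duplicate records within one syscall come from table initialization in several network namespaces. The script below is an added example for triaging an existing audit.log against those two symptoms; it is not part of the patch series and not code posted by any participant. Records are grouped by the audit serial number in `msg=audit(ts:serial)`, which is how the audit subsystem ties records of one event together. The log lines are constructed samples in the pre-series NETFILTER_CFG layout (`table=`, `family=`, `entries=`), and the helper names (`find_unaccompanied`, `find_repeated`) are my own.

```python
import re
from collections import defaultdict

# Constructed sample excerpt of an audit.log, not a real capture.
# Serial 101: NETFILTER_CFG accompanied by its SYSCALL record (normal case).
# Serial 102: NETFILTER_CFG with no SYSCALL record at all (the "unaccompanied" case).
# Serial 103: one syscall producing two identical-looking NETFILTER_CFG records
#             (the "seemingly duplicate" case, one per network namespace).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1579201657.915:101): arch=c000003e syscall=54 success=yes exit=0 comm="iptables-restor" exe="/usr/sbin/xtables-nft-multi"
type=NETFILTER_CFG msg=audit(1579201657.915:101): table=filter family=2 entries=4
type=NETFILTER_CFG msg=audit(1579201657.915:102): table=filter family=10 entries=0
type=NETFILTER_CFG msg=audit(1579201658.001:103): table=nat family=2 entries=0
type=SYSCALL msg=audit(1579201658.001:103): arch=c000003e syscall=54 success=yes exit=0 comm="ip6tables-resto" exe="/usr/sbin/xtables-nft-multi"
type=NETFILTER_CFG msg=audit(1579201658.001:103): table=nat family=2 entries=0
"""

# One audit record: "type=<TYPE> msg=audit(<ts>:<serial>): <key=value ...>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm=, exe=) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(log_text):
    """Return a list of (type, serial, fields) tuples; non-matching lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        records.append((m.group('type'), int(m.group('serial')), fields))
    return records


def group_by_event(records):
    """Group records by serial: the set of record types seen and the NETFILTER_CFG fields."""
    events = defaultdict(lambda: {'types': set(), 'nfcfg': []})
    for rtype, serial, fields in records:
        ev = events[serial]
        ev['types'].add(rtype)
        if rtype == 'NETFILTER_CFG':
            ev['nfcfg'].append(fields)
    return events


def find_unaccompanied(log_text):
    """Serials that carry a NETFILTER_CFG record but no SYSCALL record."""
    events = group_by_event(parse_records(log_text))
    return sorted(s for s, ev in events.items()
                  if ev['nfcfg'] and 'SYSCALL' not in ev['types'])


def find_repeated(log_text):
    """Serials where the same (table, family) pair is logged more than once.

    Without a namespace id in the record these look like exact duplicates;
    per the cover letter they are table registrations in different network
    namespaces triggered by the same syscall.
    """
    events = group_by_event(parse_records(log_text))
    repeated = {}
    for serial, ev in events.items():
        counts = defaultdict(int)
        for f in ev['nfcfg']:
            counts[(f.get('table'), f.get('family'))] += 1
        dups = {key: n for key, n in counts.items() if n > 1}
        if dups:
            repeated[serial] = dups
    return repeated


if __name__ == '__main__':
    print('unaccompanied NETFILTER_CFG serials:', find_unaccompanied(SAMPLE_LOG))
    print('repeated (table, family) per serial:', find_repeated(SAMPLE_LOG))
```

Run it against a real `/var/log/audit/audit.log` by reading the file into `find_unaccompanied` and `find_repeated`; a steady stream of unaccompanied serials on a host with the `-a never,task` rule is the exact symptom the series addresses, while repeated pairs under one serial should be read as one syscall touching several network namespaces rather than as a logging bug.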