From: Paul Moore
Date: Tue, 28 Apr 2020 18:15:22 -0400
Subject: Re: [PATCH ghak25 v4 1/3] audit: tidy and extend netfilter_cfg x_tables and ebtables logging
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, Eric Paris, ebiederm@xmission.com, tgraf@infradead.org
In-Reply-To: <97d8dabf45ee191bc4b51dea2ae27d34fd5ea40d.1587500467.git.rgb@redhat.com>

On Wed, Apr 22, 2020 at 5:40 PM Richard Guy Briggs wrote:
>
> NETFILTER_CFG record generation was inconsistent for x_tables and
> ebtables configuration changes. The call was needlessly messy and there
> were supporting records missing at times while they were produced when
> not requested. Simplify the logging call into a new audit_log_nfcfg
> call. Honour the audit_enabled setting while more consistently
> recording information including supporting records by tidying up dummy
> checks.
>
> Add an op= field that indicates the operation being performed (register
> or replace).
>
> Here is the enhanced sample record:
> type=NETFILTER_CFG msg=audit(1580905834.919:82970): table=filter family=2 entries=83 op=replace
>
> Generate audit NETFILTER_CFG records on ebtables table registration.
> Previously this was being done for x_tables registration and replacement
> operations and ebtables table replacement only.
>
> See: https://github.com/linux-audit/audit-kernel/issues/25
> See: https://github.com/linux-audit/audit-kernel/issues/35
> See: https://github.com/linux-audit/audit-kernel/issues/43
>
> Signed-off-by: Richard Guy Briggs
> ---
>  include/linux/audit.h           | 21 +++++++++++++++++++++
>  kernel/auditsc.c                | 24 ++++++++++++++++++++++++
>  net/bridge/netfilter/ebtables.c | 12 ++++--------
>  net/netfilter/x_tables.c        | 12 +++---------
>  4 files changed, 52 insertions(+), 17 deletions(-)

Merged into audit/next, thanks.

-- 
paul moore
www.paul-moore.com
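
The sample record quoted above can be consumed on the monitoring side as sketched here. This is an added example, not code from the patch or from the audit project; it assumes the space-separated key=value layout of that sample record, and the function names and all log lines except the quoted one are constructed for illustration.

```python
import re

# NFPROTO_* numbers from the kernel's uapi/linux/netfilter.h
NFPROTO = {2: "ipv4", 3: "arp", 7: "bridge", 10: "ipv6"}
HEADER = re.compile(r"^type=NETFILTER_CFG msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")

def parse_nfcfg(line):
    """Return a dict for one NETFILTER_CFG record, or None for any other line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    secs, serial, body = m.groups()
    fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
    try:
        family, entries = int(fields["family"]), int(fields["entries"])
        table = fields["table"]
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    return {
        "epoch": int(secs),
        "serial": int(serial),
        "table": table,
        "family": NFPROTO.get(family, str(family)),
        "entries": entries,
        # Records written before the op= field existed carry no operation.
        "op": fields.get("op", "unknown"),
    }

def shrinking_replacements(lines):
    """List replace operations that left a table with fewer entries than before."""
    last, hits = {}, []
    for rec in filter(None, map(parse_nfcfg, lines)):
        key = (rec["family"], rec["table"])
        prev = last.get(key)
        if rec["op"] == "replace" and prev is not None and rec["entries"] < prev:
            hits.append((rec["serial"], *key, prev, rec["entries"]))
        last[key] = rec["entries"]
    return hits

# Constructed sample input; only the second line is the record quoted in the mail.
SAMPLE = """\
type=NETFILTER_CFG msg=audit(1580905830.100:82960): table=filter family=7 entries=0 op=register
type=NETFILTER_CFG msg=audit(1580905834.919:82970): table=filter family=2 entries=83 op=replace
type=SYSCALL msg=audit(1580905834.919:82970): arch=c000003e syscall=54 success=yes
type=NETFILTER_CFG msg=audit(1580905900.250:82991): table=filter family=2 entries=4 op=replace
type=NETFILTER_CFG msg=audit(1580905901.000:82992): table=nat family=2 entries=5
"""

if __name__ == "__main__":
    for hit in shrinking_replacements(SAMPLE.splitlines()):
        print("serial=%d family=%s table=%s entries %d -> %d" % hit)
```

A sharp drop in `entries` on a replace is only a prompt to review the change; correlate it with the SYSCALL record sharing the same serial to see which process made it.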