Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp912465ybm; Wed, 27 May 2020 11:00:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyHWOYNQumg0+gZgOQMdqXygRCho/rK2pkr5cCSQMBLSuY/9c9nqfETnCMAsQhMO1WQPiF8 X-Received: by 2002:a17:906:30ce:: with SMTP id b14mr5549217ejb.152.1590602400311; Wed, 27 May 2020 11:00:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590602400; cv=none; d=google.com; s=arc-20160816; b=IXXxJwEK3TKKyhKAyzgNI6O8B+HnHJe/AYmEP3mGbzH+2eqWeTcPfLQC0ajicnR/K1 HJ2JWr+mLaJSGbzJqZrqQqK2MAeX6tkK1GADuY3r7oOn4L+BYRttzrCuGhf9rW+JOziH ocWpCbLUsq6DN4TmILAgYDbF6Ho5jNfky8HqCfXH/+It0SQKjuUoe8ANGkFz+bm3g8rQ xdBrbuG8OXnZ3/vxYs8FTB49pvAumEI9UoQkdLb2PYKwPkrA/9+Ff+JTFqD4A+gmfu9j kNz7ybRU4NAQTdK2i5lpcC+EmAlOBDsVfb8KIyHsFpmqrVJEZ2opP2Hz2JvL+eyGZsCo KZyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=iDf5zmc1e1S6JUF2vessjVDEGmlryExcIRrBg0GxbAU=; b=iFT8FqWPKddzpmPlit8Wz0CWqRUA9u2+nNu1gSJury7Lb3i0Uf8sHQOdfLX6D6FLOq /NtiFvAI7nPCSWi1qpJLi2i4zerlh9t5erH4jjGh62yCxXYKbTi1lnTbf81DEQrjnba/ AUKYwwRw6JxN2tUd0fzYePpJ9tgLw7TFw4WzGpbmlut1LGOwf5bKoZDKYNuZL1lNKMKJ iZA14SYmSFwI0Vn7Ug2g2Du0LsHusOTZZN/aWMUU+aD80w43DXYxJzRPvX2q3xBKn+RE klLPL40hRrB19DJPivTM6pI2cO8JsD4g7EUWnnjXTwZ6IzRtOkcZV/EGNqVojlgou90l ifCg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="Mnt/Qec+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g1si2389693ejk.122.2020.05.27.10.59.36; Wed, 27 May 2020 11:00:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="Mnt/Qec+"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388862AbgE0NyX (ORCPT + 99 others); Wed, 27 May 2020 09:54:23 -0400 Received: from us-smtp-1.mimecast.com ([207.211.31.81]:24083 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2387581AbgE0NyW (ORCPT ); Wed, 27 May 2020 09:54:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1590587661; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc; bh=iDf5zmc1e1S6JUF2vessjVDEGmlryExcIRrBg0GxbAU=; b=Mnt/Qec+w4Ud09AQNtSocufi2lcCJMF0nodqTrGT5WYSXCj9VjlRUVgYrEKA8xc8Ak+CeY SKdFHNmLc1QYXae7dUFF+MBkrCFtnxYd8rcQQ5jRAxvCzVdPxifShlEFpHZADQTMq4W4lu 7iZGAZ2DE7HD9shONNdGx6bPEv6I0fI= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-331-ElORiSJoM6m2FkbCrnf4qw-1; Wed, 27 May 2020 09:54:04 -0400 X-MC-Unique: ElORiSJoM6m2FkbCrnf4qw-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1A045835B47; Wed, 27 May 2020 13:54:03 +0000 (UTC) Received: from madcap2.tricolour.ca (unknown [10.10.110.54]) by smtp.corp.redhat.com (Postfix) with ESMTP id 920CB1001268; Wed, 27 May 2020 13:53:54 +0000 (UTC) From: Richard Guy Briggs To: Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org Cc: Paul Moore , sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org, Richard Guy Briggs Subject: [PATCH ghak124 v1] audit: log nftables configuration change events Date: Wed, 27 May 2020 09:53:31 -0400 Message-Id: X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org iptables, ip6tables, arptables and ebtables table registration, replacement and unregistration configuration events are logged for the native (legacy) iptables setsockopt api, but not for the nftables netlink api which is used by the nft-variant of iptables in addition to nftables itself. Add calls to log the configuration actions in the nftables netlink api. This uses the same NETFILTER_CFG record format. For further information please see issue https://github.com/linux-audit/audit-kernel/issues/124 Signed-off-by: Richard Guy Briggs --- This is an RFC patch. Note: I have questions about the "entries" count. Is there a more appropriate or relevant item to report here? Note: It might make sense to differentiate in the op= field that this was a legacy call vs an nft call. At the moment, legacy calls overlap with nft table calls, which are similar calls. include/linux/audit.h | 7 +++++++ kernel/auditsc.c | 12 +++++++++--- net/netfilter/nf_tables_api.c | 14 ++++++++++++++ 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 3fcd9ee49734..b10f54103a82 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -12,6 +12,7 @@ #include #include #include +#include #define AUDIT_INO_UNSET ((unsigned long)-1) #define AUDIT_DEV_UNSET ((dev_t)-1) @@ -98,6 +99,12 @@ enum audit_nfcfgop { AUDIT_XT_OP_REGISTER, AUDIT_XT_OP_REPLACE, AUDIT_XT_OP_UNREGISTER, + AUDIT_XT_OP_CHAIN_REGISTER = NFT_MSG_NEWCHAIN, + AUDIT_XT_OP_CHAIN_NOOP = NFT_MSG_GETCHAIN, + AUDIT_XT_OP_CHAIN_UNREGISTER = NFT_MSG_DELCHAIN, + AUDIT_XT_OP_RULE_REGISTER = NFT_MSG_NEWRULE, + AUDIT_XT_OP_RULE_NOOP = NFT_MSG_GETRULE, + AUDIT_XT_OP_RULE_UNREGISTER = NFT_MSG_DELRULE, }; extern int is_audit_feature_set(int which); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 468a23390457..eedce8fa4067 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -136,9 +136,15 @@ struct audit_nfcfgop_tab { }; static const struct audit_nfcfgop_tab audit_nfcfgs[] = { - { AUDIT_XT_OP_REGISTER, "register" }, - { AUDIT_XT_OP_REPLACE, "replace" }, - { AUDIT_XT_OP_UNREGISTER, "unregister" }, + { AUDIT_XT_OP_REGISTER, "register" }, + { AUDIT_XT_OP_REPLACE, "replace" }, + { AUDIT_XT_OP_UNREGISTER, "unregister" }, + { AUDIT_XT_OP_CHAIN_REGISTER, "register_chain" }, + { AUDIT_XT_OP_CHAIN_NOOP, "noop_chain" }, + { AUDIT_XT_OP_CHAIN_UNREGISTER, "unregister_chain" }, + { AUDIT_XT_OP_RULE_REGISTER, "register_rule" }, + { AUDIT_XT_OP_RULE_NOOP, "noop_rule" }, + { AUDIT_XT_OP_RULE_UNREGISTER, "unregister_rule" }, }; static int audit_match_perm(struct audit_context *ctx, int mask) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 4471393da6d8..c8dc954685f2 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -12,6 +12,7 @@ #include #include #include +#include #include #include #include @@ -7344,6 +7345,19 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { switch (trans->msg_type) { case NFT_MSG_NEWTABLE: + case NFT_MSG_DELTABLE: + case NFT_MSG_NEWCHAIN: + case NFT_MSG_DELCHAIN: + case NFT_MSG_NEWRULE: + case NFT_MSG_DELRULE: + audit_log_nfcfg(trans->ctx.table->name, + trans->ctx.family, + atomic_read(&trans->ctx.table->chains_ht.ht.nelems), + trans->msg_type); + break; + } + switch (trans->msg_type) { + case NFT_MSG_NEWTABLE: if (nft_trans_table_update(trans)) { if (!nft_trans_table_enable(trans)) { nf_tables_table_disable(net, -- 1.8.3.1