Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2890095pxb; Fri, 12 Feb 2021 04:13:49 -0800 (PST) X-Google-Smtp-Source: ABdhPJyEt06syF2dF3OqCIFmcon1y5ni1+yNlu81snXPBS47pGb5bTi2BLXFrDckyAizjP6eip9t X-Received: by 2002:a17:906:2743:: with SMTP id a3mr2767867ejd.378.1613132029658; Fri, 12 Feb 2021 04:13:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613132029; cv=none; d=google.com; s=arc-20160816; b=Q6g5AzlNV6S9qu8k3N2VX0AzeCwHAt7HbUUADIxlM9Fhipbb2yAl4iUnVnM1aPWtKg pb6mtJ/hEb16Oc9uBGeQl7eBttTjgYS1gCiAgaJVW9zb9wNr4F1invWHLBjCeoc8Ji+3 IAvt023XVh6euAbGBhwgjf/EuLTXMuCkbjEaeO5DYagO2o/I/sfyEwasHZg/19VgScof zXOWE03/j/VPtLVCOMxpsCFu/3xQ+kZv0bfdDcoYj3qMEuplUOPgqWZ8W0llVpcNxsmf iircvpN1j3BK/WshR5dzQz0s+GLFtRHaoi7gDpBDz16iqulWCcxXI4FnfPMw2alMG2TG zOkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:mail-followup-to:message-id:subject:cc:to :from:date; bh=PzkuXdufVB0H/gTuRlwR04uPhaZyfPh6bsFMVJklsfE=; b=JEurq9LgjwD2+YRXLy3bnq6VTuRSDWjkk1PzYD3Wm4Np3h1V3aBw0gpEUard2Olb9w 6IC21f4OgBM7kv5COMYzLIto1trvBp7edWyNAJARZy8Pd+9RKmhOmOKL4jp5MGX+OY4n A+DNW0t4doVkR8tGM7KmaaUdU7GqQ2uFFf78/mBc+JI5zUGuo5RTixvhR036SZdRPsjd L1pY9xOmeUYoNNgpNNwicdZE0k2kXbtsWMkQcAYH5lbKibO2oKzpiZTr3rFxyzppHUx8 /G+MPA7wJjJy+Hnvyxd704+z+pSv0CzaRT9FIkLUR9q20uVyKxkJgtTD5zBzMCU6Jp9y j4YA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x11si6685818edi.73.2021.02.12.04.13.25; Fri, 12 Feb 2021 04:13:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230353AbhBLMMA (ORCPT + 99 others); Fri, 12 Feb 2021 07:12:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36654 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229839AbhBLML4 (ORCPT ); Fri, 12 Feb 2021 07:11:56 -0500 Received: from orbyte.nwl.cc (orbyte.nwl.cc [IPv6:2001:41d0:e:133a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99880C061574; Fri, 12 Feb 2021 04:11:15 -0800 (PST) Received: from n0-1 by orbyte.nwl.cc with local (Exim 4.94) (envelope-from ) id 1lAXI0-00055e-7W; Fri, 12 Feb 2021 13:11:12 +0100 Date: Fri, 12 Feb 2021 13:11:12 +0100 From: Phil Sutter To: Steve Grubb Cc: Richard Guy Briggs , Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org, Paul Moore , Ondrej Mosnacek , fw@strlen.de, twoerner@redhat.com, Eric Paris , tgraf@infradead.org Subject: Re: [PATCH ghak124 v3] audit: log nftables configuration change events Message-ID: <20210212121112.GA3158@orbyte.nwl.cc> Mail-Followup-To: Phil Sutter , Steve Grubb , Richard Guy Briggs , Linux-Audit Mailing List , LKML , netfilter-devel@vger.kernel.org, Paul Moore , Ondrej Mosnacek , fw@strlen.de, twoerner@redhat.com, Eric Paris , tgraf@infradead.org References: <20210211151606.GX3158@orbyte.nwl.cc> <4087569.ejJDZkT8p0@x2> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4087569.ejJDZkT8p0@x2> Sender: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Thu, Feb 11, 2021 at 04:02:55PM -0500, Steve Grubb wrote: > On Thursday, February 11, 2021 11:29:34 AM EST Paul Moore wrote: > > > If I'm not mistaken, iptables emits a single audit log per table, ipset > > > doesn't support audit at all. So I wonder how much audit logging is > > > required at all (for certification or whatever reason). How much > > > granularity is desired? > > > > > I believe the netfilter auditing was mostly a nice-to-have bit of > > functionality to help add to the completeness of the audit logs, but I > > could very easily be mistaken. Richard put together those patches, he > > can probably provide the background/motivation for the effort. > > There are certifications which levy requirements on information flow control. > The firewall can decide if information should flow or be blocked. Information > flow decisions need to be auditable - which we have with the audit target. In nftables, this is realized via 'log level audit' statement. Functionality should by all means be identical to that of xtables' AUDIT target. > That then swings in requirements on the configuration of the information flow > policy. > > The requirements state a need to audit any management activity - meaning the > creation, modification, and/or deletion of a "firewall ruleset". Because it > talks constantly about a ruleset and then individual rules, I suspect only 1 > summary event is needed to say something happened, who did it, and the > outcome. This would be in line with how selinux is treated: we have 1 summary > event for loading/modifying/unloading selinux policy. So the central element are firewall rules for audit purposes and NETFILTER_CFG notifications merely serve asserting changes to those rules are noticed by the auditing system. Looking at xtables again, this seems coherent: Any change causes the whole table blob to be replaced (while others stay in place). So table replace/create is the most common place for a change notification. In nftables, the most common one is generation dump - all tables are treated as elements of the same ruleset, not individually like in xtables. Richard, assuming the above is correct, are you fine with reducing nftables auditing to a single notification per transaction then? I guess Florian sufficiently illustrated how this would be implemented. > Hope this helps... It does, thanks a lot for the information! Thanks, Phil