Date: Thu, 1 Apr 2021 09:34:47 -0400
From: Richard Guy Briggs
To: Phil Sutter, Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, Paul Moore, Eric Paris, Steve Grubb, Florian Westphal, twoerner@redhat.com, tgraf@infradead.org, dan.carpenter@oracle.com, Jones Desougi
Subject: Re: [PATCH v5] audit: log nftables configuration change events once per table
Message-ID: <20210401133447.GB3141668@madcap2.tricolour.ca>
References: <28de34275f58b45fd4626a92ccae96b6d2b4e287.1616702731.git.rgb@redhat.com> <20210401132444.GX3158@orbyte.nwl.cc>
In-Reply-To: <20210401132444.GX3158@orbyte.nwl.cc>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2021-04-01 15:24, Phil Sutter wrote:
> On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> > Reduce logging of nftables events to a level similar to iptables.
> > Restore the table field to list the table, adding the generation.
> >
> > Indicate the op as the most significant operation in the event.
> >
> > A couple of sample events:
> >
> > type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> > type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> >
> > type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> > type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> > type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> >
> > The issue was originally documented in
> > https://github.com/linux-audit/audit-kernel/issues/124
> >
> > Signed-off-by: Richard Guy Briggs
>
> Tested this patch to make sure it eliminates the slowdown of
> iptables-nft when auditd is running. With this applied, neither
> iptables-nft-restore nor 'iptables-nft -F' show a significant
> difference in run-time between running or stopped auditd, at least for
> large rulesets. Individual calls suffer from added audit logging, but
> that's expected of course.
>
> Tested-by: Phil Sutter

Excellent, thanks Phil for helping nail this one down and confirming the fix.

> Thanks, Phil

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
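To make the record format described in the patch concrete for anyone ingesting these logs, here is an added example (not part of the mail or of the kernel patch) that parses the NETFILTER_CFG records quoted above, splits the restored table field into name and generation, and checks per audit serial that each table and family pair is logged once; it also accepts the raw ausearch timestamp form without the " : " separator.

```python
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
"""  # sample input: the six NETFILTER_CFG records quoted in the mail above (serials 143, 144)

MSG_RE = re.compile(r"msg=audit\((.+?):(\d+)\)")  # captures timestamp and serial

def _kv(text):
    # 'key=value' tokens; the lone ':' after msg=audit(...) has no '=' and is dropped
    return {k: v for k, eq, v in (t.partition("=") for t in text.split()) if eq}

def parse_record(line):
    """Parse one record; return None unless it is NETFILTER_CFG. 'name:gen' is split."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = _kv(line[:m.start()] + " " + line[m.end():])
    if rec.get("type") != "NETFILTER_CFG":
        return None
    rec["serial"] = int(m.group(2))
    name, _, gen = rec["table"].partition(":")
    rec["table"], rec["generation"] = name, int(gen) if gen else None
    rec["entries"] = int(rec.get("entries", 0))
    return rec

def summarize(log_text):
    """Group records by audit serial (one audited syscall) and check the
    'once per table' property: no table+family pair repeats inside one event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    summary = {}
    for serial, recs in sorted(events.items()):
        keys = [(r["table"], r["family"]) for r in recs]
        summary[serial] = {
            "ops": sorted({r["op"] for r in recs}),
            "generations": sorted({r["generation"] for r in recs}),
            "entries": {r["family"]: r["entries"] for r in recs},
            "once_per_table": len(keys) == len(set(keys)),
        }
    return summary
```

Summing the per-family entries of serial 144 gives the 225 chains firewalld registered in that one sendmsg call, which is the volume that used to be logged as individual records.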