Date: Thu, 1 Apr 2021 15:24:44 +0200
From: Phil Sutter
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, Paul Moore, Eric Paris, Steve Grubb, Florian Westphal, twoerner@redhat.com, tgraf@infradead.org, dan.carpenter@oracle.com, Jones Desougi
Subject: Re: [PATCH v5] audit: log nftables configuration change events once per table
Message-ID: <20210401132444.GX3158@orbyte.nwl.cc>
References: <28de34275f58b45fd4626a92ccae96b6d2b4e287.1616702731.git.rgb@redhat.com>
In-Reply-To: <28de34275f58b45fd4626a92ccae96b6d2b4e287.1616702731.git.rgb@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.
>
> A couple of sample events:
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
> type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
> type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
>
> The issue was originally documented in
> https://github.com/linux-audit/audit-kernel/issues/124
>
> Signed-off-by: Richard Guy Briggs

Tested this patch to make sure it eliminates the slowdown of iptables-nft
when auditd is running. With this applied, neither iptables-nft-restore nor
'iptables-nft -F' shows a significant difference in run-time between running
or stopped auditd, at least for large rulesets. Individual calls suffer from
added audit logging, but that's expected of course.

Tested-by: Phil Sutter

Thanks, Phil
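As an added example (not part of the patch or of this thread), a small Python consumer for the once-per-table NETFILTER_CFG records quoted above: it assumes `ausearch -i` style output as shown, splits the table field into name and generation, groups records by audit serial (one transaction emits one record per table and family) and flags ruleset changes made by a process other than the expected firewall manager. The sample records are constructed; the comm=nft record with pid 4242 is invented for the alert case.

```python
import re
from collections import defaultdict

# Constructed sample records (ausearch -i style) in the once-per-table format; the pid-4242 "nft" record is made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 pid=367 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:31:02.117:151) : table=filter:9 family=inet entries=1 op=nft_unregister_table pid=4242 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm=nft
"""

# One record: "type=T msg=audit(<timestamp>:<serial>) : key=value key=value ..."
AUDIT_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[^)]*):(?P<serial>\d+)\) : (?P<fields>.*)$")

def parse_netfilter_cfg(text):
    """Return one dict per NETFILTER_CFG record; table=name:generation is split in two."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m or m.group("type") != "NETFILTER_CFG":
            continue
        kv = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
        name, gen = kv["table"].rsplit(":", 1)  # "firewalld:2" -> ("firewalld", "2")
        records.append({"serial": int(m.group("serial")), "timestamp": m.group("ts"),
                        "table": name, "generation": int(gen), "family": kv["family"],
                        "entries": int(kv["entries"]), "op": kv["op"], "pid": int(kv["pid"]),
                        "comm": kv.get("comm", "?"), "subj": kv.get("subj", "?")})
    return records

def summarize_by_event(records):
    """Group by audit serial: one transaction emits one record per table and family."""
    summary = defaultdict(lambda: {"ops": set(), "families": set(), "entries": 0, "tables": set()})
    for r in records:
        s = summary[r["serial"]]
        s["ops"].add(r["op"])
        s["families"].add(r["family"])
        s["entries"] += r["entries"]
        s["tables"].add((r["table"], r["generation"]))
    return dict(summary)

def unexpected_changes(records, allowed_comms=("firewalld",)):
    """Ruleset changes made by any process other than the expected firewall manager."""
    return [r for r in records if r["comm"] not in allowed_comms]

if __name__ == "__main__":
    recs = parse_netfilter_cfg(SAMPLE_AUDIT_LOG)
    for r in unexpected_changes(recs):
        print("ALERT: %(op)s on %(table)s:%(generation)d by %(comm)s (pid %(pid)d, subj %(subj)s)" % r)
```

Raw audit.log lines (numeric timestamps, no space before the colon after the parenthesis) need the separator in AUDIT_RE adjusted; the field parsing is otherwise the same.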