* AUDIT_NETFILTER_CFG event format

From: Steve Grubb
Date: 2017-01-17 14:07 UTC
To: Linux-Audit Mailing List

Hello Richard,

While we're in the NETFILTER area, the CFG event is lacking some fields, too. It's currently:

    table,family,entries

It's missing everything about *who* sent it:

    pid,uid,auid,ses,subj,exe,res

I'd suggest:

    pid,uid,auid,ses,subj,table,family,entries,exe,res

to make it compatible with the majority of records.

Incidentally, I created a chart that shows how each record type is alike and different from every other record. You might call it a record grammar tree:

http://people.redhat.com/sgrubb/audit/record-fields.html

I'd like to align as many events as possible to the pid,uid,auid section of the graph.

-Steve
* Re: AUDIT_NETFILTER_CFG event format

From: Paul Moore
Date: 2017-01-17 14:24 UTC
To: Steve Grubb; Cc: Linux-Audit Mailing List

On Tue, Jan 17, 2017 at 9:07 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> Incidentally, I created a chart that shows how each record type is alike
> and different from every other record. You might call it a record grammar
> tree:
>
> http://people.redhat.com/sgrubb/audit/record-fields.html

This seems like something that should live in the documentation repo.

* https://github.com/linux-audit/audit-documentation

--
paul moore
www.paul-moore.com
* Re: AUDIT_NETFILTER_CFG event format

From: Steve Grubb
Date: 2017-01-17 14:43 UTC
To: Paul Moore; Cc: Linux-Audit Mailing List

On Tuesday, January 17, 2017 9:24:46 AM EST Paul Moore wrote:
> On Tue, Jan 17, 2017 at 9:07 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > Incidentally, I created a chart that shows how each record type is alike
> > and different from every other record. You might call it a record grammar
> > tree:
> >
> > http://people.redhat.com/sgrubb/audit/record-fields.html
>
> This seems like something that should live in the documentation repo.
>
> * https://github.com/linux-audit/audit-documentation

It's got a lot of JavaScript in it. It's probably not suitable for a text-based system. I'll be starting a blog real soon now to teach people how to create this and other audit reports and visualizations. It's literally 6 lines of code to create this.

-Steve
* Re: AUDIT_NETFILTER_CFG event format

From: Paul Moore
Date: 2017-01-17 14:47 UTC
To: Steve Grubb; Cc: Linux-Audit Mailing List

On Tue, Jan 17, 2017 at 9:43 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Tuesday, January 17, 2017 9:24:46 AM EST Paul Moore wrote:
>> On Tue, Jan 17, 2017 at 9:07 AM, Steve Grubb <sgrubb@redhat.com> wrote:
>> > Incidentally, I created a chart that shows how each record type is alike
>> > and different from every other record. You might call it a record grammar
>> > tree:
>> >
>> > http://people.redhat.com/sgrubb/audit/record-fields.html
>>
>> This seems like something that should live in the documentation repo.
>>
>> * https://github.com/linux-audit/audit-documentation
>
> It's got a lot of JavaScript in it. It's probably not suitable for a
> text-based system.

? We have images and such in the repository, and if you've got a script to generate the chart the script would be a good candidate for the repo.

Example:

https://github.com/linux-audit/audit-documentation/blob/master/wiki_assets/spec-audit_state_diagram/audit-state-diagram.png

> I'll be starting a blog real soon now to teach people how to create
> this and other audit reports and visualizations. It's literally 6 lines
> of code to create this.

Not to dissuade you from blogging, but we also have the wiki which might be a good spot for this too.

https://github.com/linux-audit/audit-documentation/wiki

--
paul moore
security @ redhat
* Re: AUDIT_NETFILTER_CFG event format

From: Richard Guy Briggs
Date: 2017-01-17 15:42 UTC
To: Steve Grubb; Cc: Linux-Audit Mailing List

On 2017-01-17 09:07, Steve Grubb wrote:
> Hello Richard,
>
> While we're in the NETFILTER area, the CFG event is lacking some fields, too.
> It's currently:
>
>     table,family,entries
>
> It's missing everything about *who* sent it:
>
>     pid,uid,auid,ses,subj,exe,res
>
> I'd suggest:
>
>     pid,uid,auid,ses,subj,table,family,entries,exe,res
>
> to make it compatible with the majority of records.

Ok, I've created an issue to track this:

https://github.com/linux-audit/audit-kernel/issues/35

> Incidentally, I created a chart that shows how each record type is alike
> and different from every other record. You might call it a record grammar
> tree:
>
> http://people.redhat.com/sgrubb/audit/record-fields.html
>
> I'd like to align as many events as possible to the pid,uid,auid section
> of the graph.
>
> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: AUDIT_NETFILTER_CFG event format

From: Richard Guy Briggs
Date: 2017-01-19 10:10 UTC
To: Steve Grubb; Cc: Linux-Audit Mailing List

On 2017-01-17 10:42, Richard Guy Briggs wrote:
> On 2017-01-17 09:07, Steve Grubb wrote:
> > While we're in the NETFILTER area, the CFG event is lacking some fields, too.
> > It's currently:
> >
> >     table,family,entries
> >
> > It's missing everything about *who* sent it:
> >
> >     pid,uid,auid,ses,subj,exe,res
> >
> > I'd suggest:
> >
> >     pid,uid,auid,ses,subj,table,family,entries,exe,res
> >
> > to make it compatible with the majority of records.
>
> Ok, I've created an issue to track this:
> https://github.com/linux-audit/audit-kernel/issues/35

And I've just closed it since the associated SYSCALL setsockopt record lists all that information.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: AUDIT_NETFILTER_CFG event format

From: Steve Grubb
Date: 2017-01-19 13:45 UTC
To: Richard Guy Briggs; Cc: Linux-Audit Mailing List

On Thursday, January 19, 2017 5:10:44 AM EST Richard Guy Briggs wrote:
> On 2017-01-17 10:42, Richard Guy Briggs wrote:
> > On 2017-01-17 09:07, Steve Grubb wrote:
> > > While we're in the NETFILTER area, the CFG event is lacking some fields,
> > > too. It's currently:
> > >
> > >     table,family,entries
> > >
> > > It's missing everything about *who* sent it:
> > >
> > >     pid,uid,auid,ses,subj,exe,res
> > >
> > > I'd suggest:
> > >
> > >     pid,uid,auid,ses,subj,table,family,entries,exe,res
> > >
> > > to make it compatible with the majority of records.
> >
> > Ok, I've created an issue to track this:
> > https://github.com/linux-audit/audit-kernel/issues/35
>
> And I've just closed it since the associated SYSCALL setsockopt record
> lists all that information.

AUDIT_NETFILTER_CFG sometimes comes out of the kernel with no syscall record. Try this:

    ausearch --start today -m netfilter_cfg | less

You should see at least one that has no syscall record. This begs the question of why there is even a SYSCALL record? AUDIT_NETFILTER_CFG is not extra information that is gathered to help explain what the syscall means. It's a change to system configuration in its own right. It should not be attached to a syscall record - especially if it's not consistent. It should be complete and stand on its own.

Thanks,
-Steve
* Re: AUDIT_NETFILTER_CFG event format

From: Richard Guy Briggs
Date: 2017-01-19 14:50 UTC
To: Steve Grubb; Cc: Linux-Audit Mailing List

On 2017-01-19 08:45, Steve Grubb wrote:
> On Thursday, January 19, 2017 5:10:44 AM EST Richard Guy Briggs wrote:
> > On 2017-01-17 10:42, Richard Guy Briggs wrote:
> > > Ok, I've created an issue to track this:
> > > https://github.com/linux-audit/audit-kernel/issues/35
> >
> > And I've just closed it since the associated SYSCALL setsockopt record
> > lists all that information.
>
> AUDIT_NETFILTER_CFG sometimes comes out of the kernel with no syscall record.
> Try this:
>
>     ausearch --start today -m netfilter_cfg | less
>
> You should see at least one that has no syscall record. This begs the question
> of why there is even a SYSCALL record? AUDIT_NETFILTER_CFG is not extra
> information that is gathered to help explain what the syscall means. It's a
> change to system configuration in its own right. It should not be attached to a
> syscall record - especially if it's not consistent. It should be complete and
> stand on its own.

On my rawhide test VM, they are all accompanied by SYSCALL setsockopt records. On my laptop running f24, they are all orphans.

Manually setting iptables rules on the laptop yields a standalone record, so I will assume this is a difference of kernels, and not exhibiting dual behaviour on one kernel. It might be a different kernel version, or a different kernel config.

I'll re-open this issue and add this information...

As to why, I wonder if the message ID is somehow getting re-used when it should not be? I don't have a SYSCALL rule to trigger the syscall logging, so that's another clue...

> Thanks,
> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
* Re: AUDIT_NETFILTER_CFG event format

From: Paul Moore
Date: 2017-01-19 22:54 UTC
To: Richard Guy Briggs; Cc: Linux-Audit Mailing List

On Thu, Jan 19, 2017 at 9:50 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-01-19 08:45, Steve Grubb wrote:
>> AUDIT_NETFILTER_CFG sometimes comes out of the kernel with no syscall record.
>> Try this:
>>
>>     ausearch --start today -m netfilter_cfg | less
>>
>> You should see at least one that has no syscall record. This begs the question
>> of why there is even a SYSCALL record? AUDIT_NETFILTER_CFG is not extra
>> information that is gathered to help explain what the syscall means. It's a
>> change to system configuration in its own right. It should not be attached to a
>> syscall record - especially if it's not consistent. It should be complete and
>> stand on its own.
>
> On my rawhide test VM, they are all accompanied by SYSCALL setsockopt
> records. On my laptop running f24, they are all orphans.
>
> Manually setting iptables rules on the laptop yields a standalone record,
> so I will assume this is a difference of kernels, and not exhibiting
> dual behaviour on one kernel. It might be a different kernel version,
> or a different kernel config.
>
> I'll re-open this issue and add this information...
>
> As to why, I wonder if the message ID is somehow getting re-used when it
> should not be? I don't have a SYSCALL rule to trigger the syscall
> logging, so that's another clue...

Let's try to understand this problem ... something is triggering a change, why aren't we seeing it?

--
paul moore
www.paul-moore.com
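The practical consequence of the thread above is that a NETFILTER_CFG record only tells you *who* changed the firewall if a SYSCALL record with the same event serial happens to be present, and the two posters saw different kernels behave differently. The script below is an added example (written for this page, not code from the linux-audit project or from anyone in the thread) that groups raw audit records by the serial in msg=audit(timestamp:serial), pulls the pid/uid/auid/ses/subj/exe fields Steve asks for out of the SYSCALL record when there is one, and flags the "orphan" NETFILTER_CFG events that cannot be attributed to a caller. The three log lines in SAMPLE_LOG are constructed for the example; they follow the audit.log line layout, with family=2 meaning AF_INET and syscall=54 being setsockopt on x86_64, and the field values (pids, paths, SELinux context) are invented.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in audit.log / "ausearch -r" line format (not real data).
# Serial 1001 carries the SYSCALL record that identifies the caller; serial
# 1002 is an orphan NETFILTER_CFG record with no SYSCALL record in its event.
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1484661234.567:1001): table=filter family=2 entries=5
type=SYSCALL msg=audit(1484661234.567:1001): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=7ffd1234abcd items=0 ppid=2100 pid=2101 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="iptables" exe="/usr/sbin/xtables-multi" subj=unconfined_u:unconfined_r:iptables_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(1484661300.123:1002): table=nat family=2 entries=3
"""

# "type=X msg=audit(timestamp:serial): body"; records sharing a serial belong
# to one event. Remote-logged records may carry an optional "node=" prefix.
RECORD_RE = re.compile(
    r'^(?:node=\S+ )?type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$'
)
# key=value pairs; a value is either a "quoted string" or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The subject fields requested for NETFILTER_CFG itself; today they live only
# in the SYSCALL record of the same event, when that record is present.
WHO_FIELDS = ("pid", "uid", "auid", "ses", "subj", "exe")


def parse_audit_log(text):
    """Group raw audit records by event serial -> list of (type, fields)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skips ausearch separators ("----", "time->") and blanks
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
        events[m.group("serial")].append((m.group("type"), fields))
    return events


def summarize_netfilter_cfg(text):
    """One summary per NETFILTER_CFG record: the table/family/entries it
    carries, the caller taken from the event's SYSCALL record if there is
    one, and orphan=True when no SYSCALL record shares the serial."""
    out = []
    for serial, records in parse_audit_log(text).items():
        cfgs = [f for t, f in records if t == "NETFILTER_CFG"]
        if not cfgs:
            continue
        syscalls = [f for t, f in records if t == "SYSCALL"]
        who = {k: syscalls[0].get(k) for k in WHO_FIELDS} if syscalls else {}
        for cfg in cfgs:
            out.append({
                "serial": serial,
                "table": cfg.get("table"),
                "family": cfg.get("family"),
                "entries": cfg.get("entries"),
                "orphan": not syscalls,
                "who": who,
            })
    return out


def orphan_serials(text):
    """Serials of NETFILTER_CFG events that cannot be attributed to a caller."""
    return [s["serial"] for s in summarize_netfilter_cfg(text) if s["orphan"]]


if __name__ == "__main__":
    # Usage: ausearch --start today -m netfilter_cfg -r > nf.log
    #        python3 nf_orphans.py nf.log      (no argument: the sample above)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for s in summarize_netfilter_cfg(data):
        tag = "ORPHAN " if s["orphan"] else ""
        print(f'{tag}serial={s["serial"]} table={s["table"]} family={s["family"]} '
              f'entries={s["entries"]} who={s["who"]}')
```

Feed it the raw (-r) output of the ausearch command from the thread and the ORPHAN lines are exactly the configuration changes for which the log answers "what" but not "who"; on a kernel that emits the SYSCALL record for every change the list should be empty, which is the quickest way to tell which of the two behaviours described above a given kernel exhibits.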