* Audit firewall changes in RHEL 8
@ 2020-12-05  0:45 Smith, Gary R
From: Smith, Gary R @ 2020-12-05  0:45 UTC (permalink / raw)
  To: Linux-Audit Mailing List

Good afternoon,

I have RHEL 7 systems set up to emit audit records when the firewall rules with iptables change. I do it with a single audit command:

-a always,exit -F arch=b64 -S setsockopt -F a2=0x40 -F key=IPTablesChange

And it works great. I get audit logs like this:

type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) : proctitle=iptables -D INPUT 2
type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=198995 comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter family=ipv4 entries=48

I want to do the same thing with RHEL 8 and nftables. I tried the same audit rule but nothing happens. I tried using firewall-cmd to change the rules. The rules changed, but no audit records. I fat fingered rules using nft but no audit record. I suspect that I’m not writing the audit rule correctly. I looked around to see if a2 needed to be something other than 0x040 (IPT_SO_SET_REPLACE) but I couldn’t find anything.

Any suggestions on how to do this in RHEL 8 would be appreciated.

Best regards,

Gary Smith

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Audit firewall changes in RHEL 8
From: Richard Guy Briggs @ 2020-12-07 15:28 UTC (permalink / raw)
  To: Smith, Gary R; +Cc: Linux-Audit Mailing List

On 2020-12-05 00:45, Smith, Gary R wrote:
> Good afternoon,
> 
> I have RHEL 7 systems set up to emit audit records when the firewall rules with iptables change. I do it with a single audit command:
> 
> -a always,exit -F arch=b64 -S setsockopt -F a2=0x40 -F key=IPTablesChange
> 
> And it works great. I get audit logs like this:
> 
> type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) : proctitle=iptables -D INPUT 2
> type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=198995 comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
> type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter family=ipv4 entries=48
> 
> I want to do the same thing with RHEL 8 and nftables. I tried the same audit rule but nothing happens. I tried using firewall-cmd to change the rules. The rules changed, but no audit records. I fat fingered rules using nft but no audit record. I suspect that I’m not writing the audit rule correctly.  I looked around to see if a2 needed to be something other than 0x040 (IPT_SO_SET_REPLACE) but I couldn’t find anything.

The hooks were missing for nftables and were the subject of the recent
upstream patches to address that, covered by issue:
	https://github.com/linux-audit/audit-kernel/issues/124

The patches in question went into:
2020-08-04  fd76a74d940a  Merge tag 'audit-pr-20200803' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
 2020-07-08  68df2ed54487  audit: use the proper gfp flags in the audit_log_nfcfg() calls
 2020-06-29  142240398e50  audit: add gfp parameter to audit_log_nfcfg
 2020-06-23  8e6cf365e1d5  audit: log nftables configuration change events

> Any suggestions on how to do this in RHEL 8 would be appreciated.

That is a distro-specific question that should be asked in the appropriate
vendor forum, but they are expected to be backported.

> Gary Smith

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

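As an added example (not part of either message above, and not code from the audit project), here is a small Python correlator for `ausearch -i` output that groups records by the event serial and reports firewall changes from both paths discussed in the thread: the xtables path, where the setsockopt SYSCALL record carries auid, key and the IPT_SO_SET_REPLACE argument (0x40 is IPT_BASE_CTL, which is why the rule filters on a2=0x40), and the nftables path, where nft speaks nfnetlink over a netlink socket rather than setsockopt, so the a2=0x40 rule never matches and the only kernel evidence is the NETFILTER_CFG record that a kernel carrying 8e6cf365e1d5 emits. The sample input embeds the three records quoted in Gary's post; the nftables record and the unrelated openat record are constructed, and the op= value and trailing fields of the nftables record are assumptions about the record layout, not copied from a real system.

```python
import re
from collections import defaultdict

# Record header as printed by `ausearch -i`. The serial after the last colon
# ties the PROCTITLE, SYSCALL and NETFILTER_CFG records of one event together.
RECORD_RE = re.compile(
    r"^type=(?P<type>[A-Z_]+) msg=audit\((?P<time>.+?):(?P<serial>\d+)\) : (?P<body>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# IPT_SO_SET_REPLACE == IPT_BASE_CTL == 64 (0x40). ausearch -i prints the
# name; raw logs print the hex value without the 0x prefix.
SETSOCKOPT_REPLACE = {"IPT_SO_SET_REPLACE", "0x40", "40"}

# Constructed sample. Records 1-3 are the iptables event quoted in the post.
# Record 4 is a constructed nftables change: no setsockopt SYSCALL record, only
# the NETFILTER_CFG record; its op= and trailing fields are an assumed layout.
# Record 5 is an unrelated constructed SYSCALL record that must be ignored.
SAMPLE = """\
type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) : proctitle=iptables -D INPUT 2
type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=198995 comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter family=ipv4 entries=48
type=NETFILTER_CFG msg=audit(12/07/2020 09:12:01.115:3340001) : table=filter family=inet entries=1 op=nft_register_rule pid=170211 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm=nft
type=SYSCALL msg=audit(12/07/2020 09:30:44.002:3340077) : arch=x86_64 syscall=openat success=yes exit=3 comm=cat exe=/usr/bin/cat key=etc-watch
"""


def parse_fields(body):
    """Split a 'k=v k2="v 2"' record body into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def group_events(text):
    """Group ausearch -i lines by event serial, merging the records' fields."""
    events = defaultdict(lambda: {"types": set(), "fields": {}, "time": None})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        ev = events[int(m["serial"])]
        ev["types"].add(m["type"])
        ev["time"] = m["time"]
        if m["type"] == "PROCTITLE":
            # The decoded command line contains spaces, so keep it whole.
            ev["fields"]["proctitle"] = m["body"].partition("proctitle=")[2]
        else:
            ev["fields"].update(parse_fields(m["body"]))
    return events


def firewall_changes(text):
    """Return one summary dict per event that changed netfilter configuration."""
    changes = []
    for serial, ev in sorted(group_events(text).items()):
        f = ev["fields"]
        if "NETFILTER_CFG" not in ev["types"]:
            continue  # not a firewall change, whatever else was audited
        if f.get("syscall") == "setsockopt" and f.get("a2") in SETSOCKOPT_REPLACE:
            backend = "xtables/setsockopt"
        elif f.get("op", "").startswith("nft_"):
            backend = "nftables/" + f["op"]
        else:
            backend = "unknown"
        changes.append({
            "serial": serial,
            "time": ev["time"],
            "backend": backend,
            "table": f.get("table"),
            "family": f.get("family"),
            "entries": int(f["entries"]) if "entries" in f else None,
            # Missing on a standalone NETFILTER_CFG record; reported as None
            # rather than guessed, so the gap in attribution stays visible.
            "auid": f.get("auid"),
            "key": f.get("key"),
            "comm": f.get("comm"),
            "proctitle": f.get("proctitle"),
        })
    return changes


if __name__ == "__main__":
    for c in firewall_changes(SAMPLE):
        print(f"{c['time']} serial={c['serial']} {c['backend']} table={c['table']} "
              f"family={c['family']} entries={c['entries']} auid={c['auid']} "
              f"comm={c['comm']} cmd={c['proctitle']!r}")
```

Whether a NETFILTER_CFG record stands alone or joins a SYSCALL record depends on whether a syscall rule matched the same call; a standalone record carries the process context the kernel logs (in the constructed record here, pid, subj and comm) but no key= or auid=, which the correlator reports as None instead of inventing an actor.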
