Date: Thu, 11 Feb 2021 16:16:06 +0100
From: Phil Sutter
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, Paul Moore, sgrubb@redhat.com, omosnace@redhat.com, fw@strlen.de, twoerner@redhat.com, eparis@parisplace.org, tgraf@infradead.org
Subject: Re: [PATCH ghak124 v3] audit: log nftables configuration change events
Message-ID: <20210211151606.GX3158@orbyte.nwl.cc>
Hi,

On Thu, Jun 04, 2020 at 09:20:49AM -0400, Richard Guy Briggs wrote:
> iptables, ip6tables, arptables and ebtables table registration,
> replacement and unregistration configuration events are logged for the
> native (legacy) iptables setsockopt api, but not for the
> nftables netlink api which is used by the nft-variant of iptables in
> addition to nftables itself.
>
> Add calls to log the configuration actions in the nftables netlink api.

As discussed offline already, these audit notifications are pretty hefty
performance-wise. In an internal report, 300% restore time of a ruleset
containing 70k set elements is measured.

If I'm not mistaken, iptables emits a single audit log per table, ipset
doesn't support audit at all. So I wonder how much audit logging is
required at all (for certification or whatever reason). How much
granularity is desired?

I personally would notify once per transaction. This is easy and quick.
Once per table or chain should be acceptable, as well. At the very least,
we should not have to notify once per each element. This is the last
resort of fast ruleset adjustments. If we lose it, people are better off
with ipset IMHO.

Unlike nft monitor, auditd is not designed to be disabled "at will". So
turning it off for performance-critical workloads is not an option.

Cheers, Phil