On Thu, Jan 19, 2017 at 9:50 AM, Richard Guy Briggs <[email protected]> wrote:
> On 2017-01-19 08:45, Steve Grubb wrote:
>> AUDIT_NETFILTER_CFG sometimes comes out of the kernel with no syscall record.
>> Try this,
>>
>> ausearch --start today -m netfilter_cfg | less
>>
>> You should see at least one that has no syscall record. This begs the question
>> of why there is even a SYSCALL record? AUDIT_NETFILTER_CFG is not extra
>> information that is gathered to help explain what the syscall means. It's a
>> change to system configuration in its own right. It should not be attached to a
>> syscall record - especially if it's not consistent. It should be complete and
>> stand on its own.
>
> On my rawhide test VM, they are all accompanied by SYSCALL setsockopt
> records. On my laptop running f24, they are all orphans.
>
> Manually setting iptables rules on the laptop yields a standalone record
> so I will assume this is a difference of kernels, and not exhibiting
> dual behaviour on one kernel. It might be a different kernel version,
> or different kernel config.
>
> I'll re-open this issue and add this information...
>
> As to why, I wonder if the message ID is somehow getting re-used when it
> should not be? I don't have a SYSCALL rule to trigger the syscall
> logging, so that's another clue...

Let's try to understand this problem ... something is triggering a change, why aren't we seeing it?

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
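The thread above is about NETFILTER_CFG audit events that sometimes arrive without an accompanying SYSCALL record in the same event. The following is an added example, not code from the thread or from the audit project: a small Python checker that groups raw audit.log lines by their event id (the `timestamp:serial` inside `msg=audit(...)`) and reports NETFILTER_CFG events that have no SYSCALL record, i.e. the "orphans" described by Steve and Richard. The sample log lines are constructed for this example; the record layout follows the raw (non-interpreted) audit format, and syscall 54 is setsockopt on x86_64.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit.log lines (not taken from the thread).
# Event 1001: NETFILTER_CFG accompanied by a SYSCALL (setsockopt) record.
# Event 1002: two NETFILTER_CFG records with no SYSCALL record (an orphan).
# Event 1003: an unrelated SYSCALL event with no NETFILTER_CFG record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1484839800.101:1001): arch=c000003e syscall=54 success=yes exit=0 comm="iptables" exe="/usr/sbin/iptables"
type=NETFILTER_CFG msg=audit(1484839800.101:1001): table=filter family=2 entries=12
type=NETFILTER_CFG msg=audit(1484839800.205:1002): table=nat family=2 entries=7
type=NETFILTER_CFG msg=audit(1484839800.205:1002): table=filter family=10 entries=3
type=SYSCALL msg=audit(1484839800.300:1003): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat"
"""

# One raw record: "type=<TYPE> msg=audit(<sec>.<ms>:<serial>): <key=value ...>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<eid>\d+\.\d+:\d+)\):\s*(?P<rest>.*)$'
)


def parse_fields(rest):
    """Split the trailing key=value text of a record into a dict.

    Quoted values keep their inner text; unknown tokens are ignored.
    """
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', rest):
        fields[key] = quoted if quoted else bare
    return fields


def group_events(text):
    """Group records by audit event id.

    Records of one event share the same timestamp:serial, which is how
    ausearch joins a NETFILTER_CFG record to its SYSCALL record.
    Returns {event_id: [(record_type, fields_dict), ...]} in input order.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            # Lines that do not look like raw audit records are skipped
            # rather than aborting the whole scan.
            continue
        events[m.group('eid')].append((m.group('type'), parse_fields(m.group('rest'))))
    return events


def find_orphan_netfilter_cfg(text):
    """Return event ids that carry NETFILTER_CFG but no SYSCALL record.

    These are the standalone records the thread is discussing; comparing
    this list against events that *do* have a SYSCALL record is the
    quickest way to see whether one kernel shows both behaviours.
    """
    orphans = []
    for eid, records in group_events(text).items():
        types = {rtype for rtype, _ in records}
        if 'NETFILTER_CFG' in types and 'SYSCALL' not in types:
            orphans.append(eid)
    return orphans


def describe_orphans(text):
    """Summarise each orphan as (event_id, [table names touched])."""
    events = group_events(text)
    return [
        (eid, [fields.get('table', '?') for rtype, fields in events[eid]
               if rtype == 'NETFILTER_CFG'])
        for eid in find_orphan_netfilter_cfg(text)
    ]


if __name__ == '__main__':
    # Usage: feed it raw records, e.g. the output of
    #   ausearch --start today -m netfilter_cfg --raw
    # or read /var/log/audit/audit.log directly.
    for eid, tables in describe_orphans(SAMPLE_AUDIT_LOG):
        print(f'orphan NETFILTER_CFG event {eid}: tables={tables}')
```

Running it on a real log needs the raw (`--raw`) rather than interpreted (`-i`) form of ausearch output, since the interpreted form rewrites the `msg=audit(...)` header into a human-readable timestamp and the event id is no longer matched by the regular expression as written.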
