On 2020-12-05 00:45, Smith, Gary R wrote:
> Good afternoon,
>
> I have RHEL 7 systems set up to emit audit records when the firewall rules
> with iptables change. I do it with a single audit command:
>
> -a always,exit -F arch=b64 -S setsockopt -F a2=0x40 -F key=IPTablesChange
>
> And it works great. I get audit logs like this:
>
> type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) :
> proctitle=iptables -D INPUT 2
> type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64
> syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE
> a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0
> ses=198995 comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
> type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter
> family=ipv4 entries=48
>
> I want to do the same thing with RHEL 8 and nftables. I tried the same audit
> rule but nothing happens. I tried using firewall-cmd to change the rules. The
> rules changed, but no audit records. I fat-fingered rules using nft but no
> audit record. I suspect that I'm not writing the audit rule correctly. I
> looked around to see if a2 needed to be something other than 0x040
> (IPT_SO_SET_REPLACE) but I couldn't find anything.
The hooks were missing for nftables and were the subject of the recent upstream patches to address that, covered by issue:
	https://github.com/linux-audit/audit-kernel/issues/124

The patches in question went into:
	2020-08-04 fd76a74d940a Merge tag 'audit-pr-20200803' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
	2020-07-08 68df2ed54487 audit: use the proper gfp flags in the audit_log_nfcfg() calls
	2020-06-29 142240398e50 audit: add gfp parameter to audit_log_nfcfg
	2020-06-23 8e6cf365e1d5 audit: log nftables configuration change events

> Any suggestions on how to do this in RHEL 8 would be appreciated.

That is a distro-specific question that should be asked in the appropriate vendor forum, but they are expected to be backported.

> Gary Smith

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
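Added example, not part of the thread above and not code from the audit project. The reason the poster's rule is silent on RHEL 8 is that the setsockopt() filter only ever matches the legacy iptables path: nft speaks nfnetlink, so its changes enter the kernel through sendmsg() on a netlink socket, and on a kernel carrying the patches Richard lists they surface as NETFILTER_CFG records tied to that syscall. Whichever tool made the change, the record worth collecting is therefore NETFILTER_CFG, and the script below correlates it with the SYSCALL and PROCTITLE records that share its serial so the report says who changed which table. The input is a constructed `ausearch -i` style sample: the first event is the iptables record from the post, the second is an assumed nftables event whose field set (table/family/entries/op) and op string follow the upstream patches but were not captured from a real system, and the third is unrelated noise.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -i` (interpreted) format; not captured from a
# real host. Event 3334178 is the iptables record from the post. Event 4000001
# is an ASSUMED nftables event: the SYSCALL is sendmsg() (nft uses netlink), and
# the NETFILTER_CFG field set and op= value are modelled on the upstream patches.
# Event 4000002 is unrelated noise that must be ignored.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(12/04/2020 11:04:58.840:3334178) : proctitle=iptables -D INPUT 2
type=SYSCALL msg=audit(12/04/2020 11:04:58.840:3334178) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x4 a1=ip a2=IPT_SO_SET_REPLACE a3=0x1009ca0 items=0 ppid=154754 pid=160855 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=198995 comm=iptables exe=/usr/sbin/xtables-multi key=IPtablesChange
type=NETFILTER_CFG msg=audit(12/04/2020 11:04:58.840:3334178) : table=filter family=ipv4 entries=48
type=PROCTITLE msg=audit(12/05/2020 09:12:03.101:4000001) : proctitle=nft add rule inet filter input tcp dport 22 accept
type=SYSCALL msg=audit(12/05/2020 09:12:03.101:4000001) : arch=x86_64 syscall=sendmsg success=yes exit=212 a0=0x3 a1=0x7ffd1c2a3b40 a2=0x0 a3=0x0 items=0 ppid=2001 pid=2042 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=7 comm=nft exe=/usr/sbin/nft key=nftChange
type=NETFILTER_CFG msg=audit(12/05/2020 09:12:03.101:4000001) : table=filter family=inet entries=1 op=nft_register_rule
type=SYSCALL msg=audit(12/05/2020 09:12:40.000:4000002) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x5 a2=0x0 a3=0x0 items=1 ppid=2001 pid=2050 auid=DrEvil uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=7 comm=cat exe=/usr/bin/cat key=unrelated
"""

# type=<TYPE> msg=audit(<timestamp>:<serial>) : <key=value ...>
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\(([^)]*)\) : (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_fields(rec_type, body):
    """Turn the key=value tail of one record into a dict."""
    if rec_type == "PROCTITLE":
        # proctitle is a free-form command line with spaces; keep it whole.
        return {"proctitle": body.partition("proctitle=")[2]}
    return dict(KV_RE.findall(body))


def parse_events(log_text):
    """Group records by audit serial: {serial: {"time": str, "records": {type: fields}}}."""
    events = defaultdict(lambda: {"time": None, "records": {}})
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue  # continuation or junk line
        rec_type, stamp, body = m.groups()
        time_str, serial = stamp.rsplit(":", 1)  # timestamp itself contains colons
        ev = events[serial]
        ev["time"] = time_str
        ev["records"][rec_type] = parse_fields(rec_type, body)
    return events


def setsockopt_rule_hit(sc):
    """Would the poster's rule (-S setsockopt -F a2=0x40) have fired for this SYSCALL record?
    Interpreted logs show a2=IPT_SO_SET_REPLACE; raw logs show the hex value."""
    return sc.get("syscall") == "setsockopt" and sc.get("a2") in ("IPT_SO_SET_REPLACE", "0x40", "40")


def firewall_changes(log_text):
    """One summary per event that carries a NETFILTER_CFG record, oldest serial first."""
    out = []
    for serial, ev in sorted(parse_events(log_text).items(), key=lambda kv: int(kv[0])):
        cfg = ev["records"].get("NETFILTER_CFG")
        if cfg is None:
            continue  # not a firewall configuration change
        sc = ev["records"].get("SYSCALL", {})
        pt = ev["records"].get("PROCTITLE", {})
        out.append({
            "serial": serial,
            "time": ev["time"],
            "auid": sc.get("auid"),
            "exe": sc.get("exe"),
            "syscall": sc.get("syscall"),
            "proctitle": pt.get("proctitle"),
            "table": cfg.get("table"),
            "family": cfg.get("family"),
            "entries": int(cfg["entries"]) if "entries" in cfg else None,
            "op": cfg.get("op"),  # absent on the legacy iptables record in the post
            "setsockopt_rule_hit": setsockopt_rule_hit(sc),
        })
    return out


if __name__ == "__main__":
    for c in firewall_changes(SAMPLE_LOG):
        print(f'{c["time"]} serial={c["serial"]} auid={c["auid"]} exe={c["exe"]} '
              f'via={c["syscall"]} table={c["table"]} family={c["family"]} '
              f'entries={c["entries"]} op={c["op"]} old_rule_hit={c["setsockopt_rule_hit"]} '
              f'cmd={c["proctitle"]!r}')
```

Run it against `ausearch -i -m NETFILTER_CFG` output (NETFILTER_CFG records arrive with their sibling SYSCALL and PROCTITLE records) and the `setsockopt_rule_hit` column makes the gap visible: the iptables event is caught by the old rule, the nft event is not, yet both carry a NETFILTER_CFG record. Whether that record appears for nft at all depends on the running kernel carrying the commits above, which is exactly the backport question the thread leaves with the distro.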