Hello,

On Sat, Feb 27, 2021 at 6:19 PM Richard Guy Briggs <r...@redhat.com> wrote:
> On 2021-02-26 15:21, Andreas Hasenack wrote:
> Issue ghak124 (https://github.com/linux-audit/audit-kernel/issues/124)
> introduced auditing for nftables modifications. It turns out it was far
> too verbose but may have listed these actions for the iptables-nft
> variant. That is about to be trimmed but should still catch any
> changes for nftables.
>
> What parameters do you wish to have logged? At a quick look, I'm
> guessing table doesn't make sense since a set could be used by any
> registered table? But the set name would, followed by protocol family,
> number of items changed, and the operation name?
>

I'm not sure if there are regulatory requirements about what has to be
logged in this case, but yeah, what caught my eye is that a firewall
rule can effectively be changed by just changing the ipset it
references, and that change didn't trigger a NETFILTER_CFG audit
message.

This is with iptables, not nftables. I don't know if it's handled
differently with nftables.

>
> How much life does iptables have to it? Given that this command can

You mean for how long will people still be using iptables? I'm not
sure, but I personally bet in a few more years.

> change the configuration of iptables (and ipv6tables, ebtables,...) it
> would seem this should be logged.
>

That was my thinking, but I thought about a log of its own, not part of
iptables.

To be honest I haven't checked yet what changes in NETFILTER_CFG with
nftables, if anything. I know custom rules catching setsockopt won't
catch nftables changes, but that's about it.
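The gap Andreas describes (an ipset change alters what a firewall rule matches, yet produces no NETFILTER_CFG record) is easiest to see against concrete audit records. The POSIX shell helper below is an added example, not code from the thread or from the audit project: it runs over constructed audit log lines containing one NETFILTER_CFG record from an iptables table change and the SYSCALL/EXECVE pair that an auditd execution watch on the ipset binary would emit for `ipset add blocklist 192.0.2.10`. The binary path `/usr/sbin/ipset`, the rule key `ipset-change`, the timestamps and the set name are all assumptions; the NETFILTER_CFG record uses the `table=... family=... entries=...` layout that x_tables logged at the time.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed audit records:
# one NETFILTER_CFG record from an iptables table change, the SYSCALL/EXECVE
# pair an auditd watch rule on the ipset binary would emit for
# "ipset add blocklist 192.0.2.10", and an unrelated "ls" execution as noise.
# The path /usr/sbin/ipset and the key "ipset-change" are assumptions.
SAMPLE_AUDIT_LOG='type=NETFILTER_CFG msg=audit(1614380000.100:200): table=filter family=2 entries=8
type=SYSCALL msg=audit(1614380010.200:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=0 comm="ipset" exe="/usr/sbin/ipset" key="ipset-change"
type=EXECVE msg=audit(1614380010.200:201): argc=4 a0="ipset" a1="add" a2="blocklist" a3="192.0.2.10"
type=SYSCALL msg=audit(1614380020.300:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1002 auid=1000 uid=0 comm="ls" exe="/usr/bin/ls" key=(null)'

# Number of NETFILTER_CFG records. These cover iptables/ip6tables/ebtables
# table replacements done through setsockopt, but (as the thread notes) an
# ipset change never produces one, so this count stays at 1 here.
count_netfilter_cfg() {
    printf '%s\n' "$1" | grep -c '^type=NETFILTER_CFG ' || true
}

# Number of ipset executions caught by an execution watch such as
#   auditctl -w /usr/sbin/ipset -p x -k ipset-change      (assumed rule/path)
# This is the only trace of the set change in the sample.
count_ipset_exec() {
    printf '%s\n' "$1" | grep -c '^type=SYSCALL .*exe="/usr/sbin/ipset"' || true
}

# Set-level operation (ipset subcommand and set name) recovered from the
# EXECVE record that shares the SYSCALL record's serial number, e.g.
# "add blocklist". The member (a3) is deliberately left out of the summary.
ipset_operations() {
    printf '%s\n' "$1" | sed -n 's/^type=EXECVE .*a0="ipset" a1="\([^"]*\)" a2="\([^"]*\)".*/\1 \2/p'
}

# Stand-alone run: show what each rule family recorded for the sample.
echo "NETFILTER_CFG records: $(count_netfilter_cfg "$SAMPLE_AUDIT_LOG")"
echo "ipset executions:      $(count_ipset_exec "$SAMPLE_AUDIT_LOG")"
echo "ipset set operations:"
ipset_operations "$SAMPLE_AUDIT_LOG"
```

The point of running the three functions side by side is that, until the kernel logs set modifications itself, the only way to see that `blocklist` changed is an execution watch on the ipset binary, and that watch records the command line rather than the resulting kernel state, so it misses changes made by any other nfnetlink client. Feed real `/var/log/audit/audit.log` content into the functions in place of `SAMPLE_AUDIT_LOG` to check which of the two rule families a given host actually has in place.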
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit