> And here's a slightly cleaned up version.
>
> 5) Support for the AUDIT target has been added. AUDIT is a feature of
> the 2.6.39 kernel and iptables 1.4.10 that allows security auditing
> of access decisions.
>
> Note: This support note is the only documentation of this support
> currently available.
>
You may wish to expand on this a bit. This was submitted by Thomas Graf
<[email protected]> (the author of the AUDIT patch) on the netfilter-dev
list back in January:
This patch adds a new netfilter target which creates audit records for
packets traversing a certain chain. It can be used to record packets
which are rejected administratively as follows:
-N AUDIT_DROP
-A AUDIT_DROP -j AUDIT --type DROP
-A AUDIT_DROP -j DROP
A rule which would typically drop or reject a packet would then invoke
the new chain to record packets before dropping them.
-j AUDIT_DROP
The module is protocol independent and works for iptables, ip6tables and
ebtables.
The following information is logged:
- netfilter hook
- packet length
- incomming/outgoing interface
- MAC src/dst/proto for ethernet packets
- src/dst/protocol address for IPv4/IPv6
- src/dst port for TCP/UDP/UDPLITE
- icmp type/code
This is the man page for the iptables/AUDIT target:
AUDIT
This target allows to create audit records for packets hitting
the target. It can be used to record accepted, dropped, and rejected
packets. See auditd(8) for additional
details.
--type {accept|drop|reject}
Set type of audit record.
Example:
iptables -N AUDIT_DROP
iptables -A AUDIT_DROP -j AUDIT --type drop
iptables -A AUDIT_DROP -j DROP
And there is another explanation as to why AUDIT is needed: "AUDIT
exists because a very large number of gov't customers (Not just USA)
have special requirements about how 'relevant' information is gathered
and stored. They require centralization and standardization and require
pretty formal documentation describing it's operation. The gov't
certification authority has recently added a requirement that they be
able to log 'illegal attempted network connections' via the approved
audit facility. Thus, this patch."
So, pick and choose if you find anything from the above suitable. The
patch is pretty stable as it went through at least 3 revisions before it
was merged into the (now final) .39 kernel tree. If what I submit in the
next few days as suggestions (i.e. a patch with further additions to
this functionality), there will be even more revisions added to it.
The normal (audited) output as a result of AUDIT match looks like this:
(raw auditd logs)
type=NETFILTER_PKT msg=audit(1305830538.903:31222): action=1 hook=3
len=60 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.2.1.1 ipid=61024
proto=6 sport=33271 dport=22
type=NETFILTER_PKT msg=audit(1305830538.920:31223): action=1 hook=3
len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.2.1.1 ipid=61025
proto=6 sport=33271 dport=22
(aureport)
18165. 05/19/2011 19:42:18 31222 NETFILTER_PKT nfsnobody unset
18166. 05/19/2011 19:42:18 31223 NETFILTER_PKT nfsnobody unset
(ausearch)
time->Thu May 19 19:42:18 2011
type=NETFILTER_PKT msg=audit(1305830538.903:31222): action=1 hook=3
len=60 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.2.1.1 ipid=61024
proto=tcp sport=33271 dport=22
----
time->Thu May 19 19:42:18 2011
type=NETFILTER_PKT msg=audit(1305830538.920:31223): action=1 hook=3
len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.2.1.1 ipid=61025
proto=tcp sport=33271 dport=22
> b) In /etc/shorewall/policy's POLICY column, the policy (and
> default action, if any) may be followed by ':audit' to cause
> application of the policy to be audited.
>
> Only ACCEPT, DROP and REJECT policies may be audited.
>
> Example:
>
> #SOURCE DEST POLICY LOG
> # LEVEL
> net fw DROP:audit
>
> It is allowed to also specify a log level on audited policies
> resulting in both auditing and logging.
>
Perfect! I assume if log level is not specified, no logging is
performed, but auditing is still done, right?
> c) Three new builtin actions that may be used in the rules file,
> in macros and in other actions.
>
> AACCEPT - Audits and accepts the connection request
> ADROP - Audits and drops the connection request
> AREJECT - Audits and rejects
>
> A log level may be supplied with these actions to
> provide both auditing and logging.
>
> Example:
>
> AACCEPT:info loc net ...
>
On a second thought, if it isn't much of a trouble could you change this
to A_ACCEPT, A_DROP and A_REJECT as AACCEPT looks like a spelling error.
I know it was my suggestion, but as I see it now it doesn't look quite
right.
------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its
next-generation tools to help Windows* and Linux* C/C++ and Fortran
developers boost performance applications - including clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
