From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs <rgb@redhat.com>,
fw@strlen.de, LKML <linux-kernel@vger.kernel.org>,
netfilter-devel@vger.kernel.org, twoerner@redhat.com,
Eric Paris <eparis@parisplace.org>,
tgraf@infradead.org
Subject: Re: [PATCH ghak25 v6] audit: add subj creds to NETFILTER_CFG record to cover async unregister
Date: Wed, 20 May 2020 14:51:26 -0400
Message-ID: <17476338.hsbNre52Up@x2>
In-Reply-To: <CAHC9VhRERV9_kgpcn2LBptgXGY0BB4A9CHT+V4-HFMcNd9_Ncg@mail.gmail.com>
On Wednesday, May 20, 2020 2:40:45 PM EDT Paul Moore wrote:
> On Wed, May 20, 2020 at 12:55 PM Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2020-05-20 12:51, Richard Guy Briggs wrote:
> > > Some table unregister actions seem to be initiated by the kernel to
> > > garbage collect unused tables that are not initiated by any userspace
> > > actions. It was found to be necessary to add the subject credentials
> > > to cover this case to reveal the source of these actions. A sample
> > > record:
> > >
> > > The uid, auid, tty, ses and exe fields have not been included since they
> > > are in the SYSCALL record and contain nothing useful in the non-user
> > > context.
> > >
> > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
> > > family=bridge entries=0 op=unregister pid=153
> > > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
>
> FWIW, that record looks good.
It's severely broken
cat log.file
type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : table=nat
family=bridge entries=0 op=unregister pid=153
subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2
ausearch -if log.file --format text
At 19:33:40 12/31/1969 did-unknown
ausearch -if log.file --format csv
NODE,EVENT,DATE,TIME,SERIAL_NUM,EVENT_KIND,SESSION,SUBJ_PRIME,SUBJ_SEC,SUBJ_KIND,ACTION,RESULT,OBJ_PRIME,OBJ_SEC,OBJ_KIND,HOW
error normalizing NETFILTER_CFG
,NETFILTER_CFG,12/31/1969,19:33:40,0,,,,,,,,,,
This is unusable. This is why the bug was filed in the first place.
-Steve
> > > Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> >
> > Self-NACK. I forgot to remove cred and tty declarations.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
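As an added example (not part of this thread or the audit-userspace code), a small Python parser for the record quoted above; RAW is a constructed copy of the same event in auditd's on-disk form, msg=audit(epoch_seconds.millis:serial). The lenient_seconds() function is an assumption about how a raw-format reader would treat the interpreted timestamp, not ausearch's actual code: reading only the leading digits yields 2020 seconds after the epoch, which is 19:33:40 on 12/31/1969 in US Eastern time, matching the output shown above, and subject_coverage() shows which identity fields are absent from the record.

```python
import re
from datetime import datetime, timezone

# Constructed samples. INTERPRETED is the record quoted in the reply above
# (human-readable timestamp, the form `ausearch -i` prints); RAW is the same
# event as auditd writes it to disk: msg=audit(epoch_seconds.millis:serial).
INTERPRETED = ("type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : "
               "table=nat family=bridge entries=0 op=unregister pid=153 "
               "subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2")
RAW = ("type=NETFILTER_CFG msg=audit(1583961921.491:269): "
       "table=nat family=bridge entries=0 op=unregister pid=153 "
       "subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2")

HEADER = re.compile(r"^type=(\S+) msg=audit\(([^)]*)\)\s*:\s*(.*)$")
RAW_TS = re.compile(r"^(\d+)\.(\d{1,3}):(\d+)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields a normalizer could use to attribute the event to a subject.
SUBJECT_FIELDS = ("auid", "uid", "ses", "tty", "exe", "pid", "subj", "comm")

def parse_record(line):
    """Split one audit line into its type, timestamp text and key=value fields."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, body = m.groups()
    return {"type": rtype, "ts": ts,
            "fields": {k: v.strip('"') for k, v in FIELD.findall(body)}}

def raw_timestamp(ts):
    """Strict parse of the raw form; (epoch_seconds, serial) or None if not raw."""
    m = RAW_TS.match(ts)
    if m is None:
        return None
    secs, millis, serial = m.groups()
    return int(secs) + int(millis.ljust(3, "0")) / 1000.0, int(serial)

def lenient_seconds(ts):
    """Assumed strtoul-style read of leading digits (not ausearch's real code)."""
    m = re.match(r"\d+", ts)
    return int(m.group()) if m else 0

def utc_clock(secs):
    """Render epoch seconds as a UTC wall-clock string."""
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def subject_coverage(rec):
    """Report which subject-identity fields the record carries."""
    return {k: k in rec["fields"] for k in SUBJECT_FIELDS}
```

Running raw_timestamp() on the quoted record returns None, while the lenient read lands on 1970-01-01 00:33:40 UTC; the coverage check shows subj, pid and comm present but no auid or uid for the normalizer to use.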