From: Roberto Nibali <ratz@drugphish.ch>
To: chris@dubfire.net
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: Netfilter logging from the kernel
Date: Fri, 16 Jul 2004 00:10:05 +0200
Message-ID: <40F700BD.3090900@drugphish.ch>
In-Reply-To: <20040714132128.A30620@sphinx.mythic-beasts.com>

Hi,

> We're interested in locking down machines, in an attempt to
> limit what a hacker can do if he is able to break into them.

From your description I'd have to say two things:

o wrong mailing list
o wrong approach

Since this sounds very cocky, let's see if I maybe misunderstand something.

> All of these machines will have an iptables firewall in place,
> limiting the outbound traffic.
> 
> Thus, the first thing an attacker would do after breaking in
> would be to attempt to remove the firewall rules.

Not necessarily. You might as well just install a backdoor lkm which 
happily coexists with your fw rules but kind of hijacks certain hooks.

> While we cannot defend against this, assuming he has gained root
> access, we would at least like to make the machine tamper evident.

That's why you should log everything; for example to a remote syslog 
server, or you could deploy leveraged-security systems like

o selinux
o rsbac
o write some lsm tracing hooks

> Initially, we thought that we could modify the iptables binary to
> print out something to syslog every time a change to the rules
> is made - however, it would be easy enough for the attacker to
> copy over a virgin copy of iptables.

Assuming that an intruder will change your firewall rules is the least 
of your concerns, really.

> Thus, the logging code must be in the kernel, and not in the
> iptables binary.

Or you use the cryptoAPI and digitally sign your rules in the kernel, 
which would then be more on-topic for this list. Digsig is a project 
which has working code for signing user space apps, their concept could 
be adapted to kernel space as well.

> We would ideally like to see a log message sent to the
> syslog every time an iptables rule is added/modified/removed.

Check out do_ipt_get_ctl, ipt_register_* and follow the code from there.

> Does anyone know if there is anything in place right now that
> would allow this?

IIRC you can simply enable the DEBUG_IP_FIREWALL_USER switch in 
../linux/net/ipv4/netfilter/ip_tables.c and watch your kernlog grow.

Basically this is your file to look at, plus you need to check out a few 
functions in ../linux/include/linux/netfilter_ipv4/ip_tables.h

> If nothing exists, how difficult would it be to whip something
> like this up?

It's pretty straightforward once you've looked at the code.

> Could you point me to the right part of the code
> where I'd need to add my additional functionality.

I hope I did, however I also hope that you're not going to do this for 
your customers.

Best regards,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
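The signed-ruleset idea raised in the reply, reduced to a user-space demonstration (an added example, not code from the thread or from Digsig): an HMAC-SHA256 tag over a normalized iptables-save dump, so a later dump can be checked against the stored tag and the verdict forwarded to a remote log host. The dump text and the key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample in iptables-save format; hypothetical rules, not from the thread.
BASELINE_DUMP = """# Generated by iptables-save v1.2.11 on Fri Jul 16 00:10:05 2004
*filter
:INPUT DROP [120:9600]
:FORWARD DROP [0:0]
:OUTPUT DROP [33:2100]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 514 -j ACCEPT
COMMIT
# Completed on Fri Jul 16 00:10:05 2004
"""

# Trailing "[packets:bytes]" counters that iptables-save prints on chain policy lines.
COUNTER_RE = re.compile(r"\s\[\d+:\d+\]$")

def normalize_ruleset(dump: str) -> str:
    """Keep only the rule content: the timestamp comments and per-chain
    packet/byte counters change on every dump even when no rule was
    touched, so hashing them would flag every check as a change."""
    kept = []
    for line in dump.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):
            line = COUNTER_RE.sub("", line)
        kept.append(line)
    return "\n".join(kept) + "\n"

def sign_ruleset(dump: str, key: bytes) -> str:
    """HMAC-SHA256 tag (hex) over the normalized ruleset."""
    digest = hmac.new(key, normalize_ruleset(dump).encode(), hashlib.sha256)
    return digest.hexdigest()

def verify_ruleset(dump: str, key: bytes, expected_tag: str) -> bool:
    """Constant-time comparison of the current dump against the stored tag."""
    return hmac.compare_digest(sign_ruleset(dump, key), expected_tag)

def check_for_tampering(dump: str, key: bytes, expected_tag: str) -> str:
    """Syslog-style verdict line, suitable for shipping to a remote log server."""
    if verify_ruleset(dump, key, expected_tag):
        return "fwcheck: ruleset matches signed baseline"
    return "fwcheck: ALERT ruleset differs from signed baseline"
```

Counters and timestamps are stripped because iptables-save emits fresh ones on every run; as the reply notes, an intruder with root can disable a user-space check like this, which is why it argues for doing the signing in the kernel.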
