Date:   Wed, 27 May 2020 09:53:31 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Linux-Audit Mailing List <linux-audit@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        netfilter-devel@...r.kernel.org
Cc:     Paul Moore <paul@...l-moore.com>, sgrubb@...hat.com,
        omosnace@...hat.com, fw@...len.de, twoerner@...hat.com,
        eparis@...isplace.org, tgraf@...radead.org,
        Richard Guy Briggs <rgb@...hat.com>
Subject: [PATCH ghak124 v1] audit: log nftables configuration change events

iptables, ip6tables, arptables and ebtables table registration,
replacement and unregistration configuration events are logged for the
native (legacy) iptables setsockopt api, but not for the
nftables netlink api which is used by the nft-variant of iptables in
addition to nftables itself.

Add calls to log the configuration actions in the nftables netlink api.

This uses the same NETFILTER_CFG record format.

For further information please see issue
https://github.com/linux-audit/audit-kernel/issues/124

Signed-off-by: Richard Guy Briggs <rgb@...hat.com>
---
This is an RFC patch.
Note: I have questions about the "entries" count.  Is there a more
appropriate or relevant item to report here?
Note: It might make sense to differentiate in the op= field that this
was a legacy call vs an nft call.  At the moment, legacy calls overlap
with nft table calls, which are similar calls.

 include/linux/audit.h         |  7 +++++++
 kernel/auditsc.c              | 12 +++++++++---
 net/netfilter/nf_tables_api.c | 14 ++++++++++++++
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 3fcd9ee49734..b10f54103a82 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -12,6 +12,7 @@
 #include <linux/sched.h>
 #include <linux/ptrace.h>
 #include <uapi/linux/audit.h>
+#include <uapi/linux/netfilter/nf_tables.h>
 
 #define AUDIT_INO_UNSET ((unsigned long)-1)
 #define AUDIT_DEV_UNSET ((dev_t)-1)
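Review bot: the new `#include <uapi/linux/netfilter/nf_tables.h>` in this hunk pulls the whole nf_tables uapi header into every file that includes linux/audit.h, solely so that the enum in the next hunk can alias NFT_MSG_* values. If audit_nfcfgop gets its own sequential members and the NFT_MSG_* to op translation lives in nf_tables_api.c, this include is not needed in the shared audit header; if the alias has to stay, a one-line comment saying why audit.h depends on a netfilter uapi header would help the next reader.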
@@ -98,6 +99,12 @@ enum audit_nfcfgop {
 	AUDIT_XT_OP_REGISTER,
 	AUDIT_XT_OP_REPLACE,
 	AUDIT_XT_OP_UNREGISTER,
+	AUDIT_XT_OP_CHAIN_REGISTER	= NFT_MSG_NEWCHAIN,
+	AUDIT_XT_OP_CHAIN_NOOP		= NFT_MSG_GETCHAIN,
+	AUDIT_XT_OP_CHAIN_UNREGISTER	= NFT_MSG_DELCHAIN,
+	AUDIT_XT_OP_RULE_REGISTER	= NFT_MSG_NEWRULE,
+	AUDIT_XT_OP_RULE_NOOP		= NFT_MSG_GETRULE,
+	AUDIT_XT_OP_RULE_UNREGISTER	= NFT_MSG_DELRULE,
 };
 
 extern int is_audit_feature_set(int which);
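Review bot: pinning the new enumerators to netlink message numbers (`AUDIT_XT_OP_CHAIN_REGISTER = NFT_MSG_NEWCHAIN`, ..., `AUDIT_XT_OP_RULE_UNREGISTER = NFT_MSG_DELRULE`) ties the audit op numbering to the nf_tables message numbering while the three legacy members above them keep their implicit 0/1/2 values. That only holds while no NFT_MSG_* value passed as an op collides with a legacy member or another alias, and it is the overlap the cover note already mentions: nf_tables_commit passes NFT_MSG_NEWTABLE and NFT_MSG_DELTABLE as the op, and neither is a named member of this enum. Giving the nft ops their own members and mapping NFT_MSG_* to them explicitly at the call site keeps the two value spaces independent. Separately, the `*_NOOP` members alias GETCHAIN/GETRULE, which are reads rather than configuration changes; unless something logs them they can be dropped.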
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 468a23390457..eedce8fa4067 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -136,9 +136,15 @@ struct audit_nfcfgop_tab {
 };
 
 static const struct audit_nfcfgop_tab audit_nfcfgs[] = {
-	{ AUDIT_XT_OP_REGISTER,		"register"	},
-	{ AUDIT_XT_OP_REPLACE,		"replace"	},
-	{ AUDIT_XT_OP_UNREGISTER,	"unregister"	},
+	{ AUDIT_XT_OP_REGISTER,		"register"		},
+	{ AUDIT_XT_OP_REPLACE,		"replace"		},
+	{ AUDIT_XT_OP_UNREGISTER,	"unregister"		},
+	{ AUDIT_XT_OP_CHAIN_REGISTER,	"register_chain"	},
+	{ AUDIT_XT_OP_CHAIN_NOOP,	"noop_chain"		},
+	{ AUDIT_XT_OP_CHAIN_UNREGISTER,	"unregister_chain"	},
+	{ AUDIT_XT_OP_RULE_REGISTER,	"register_rule"		},
+	{ AUDIT_XT_OP_RULE_NOOP,	"noop_rule"		},
+	{ AUDIT_XT_OP_RULE_UNREGISTER,	"unregister_rule"	},
 };
 
 static int audit_match_perm(struct audit_context *ctx, int mask)
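Review bot: the three legacy rows (`{ AUDIT_XT_OP_REGISTER, "register" }` and the two after it) are removed and re-added only to realign whitespace, which turns a six-line addition into a nine-line change with no functional difference; leaving them untouched keeps the diff to the new rows. The `noop_chain` and `noop_rule` rows describe GET requests, which nothing in this series logs, so they add op strings that can never appear in a record. If the lookup in audit_log_nfcfg indexes this array by op value, the row order must also line up exactly with the explicit enum values from the previous hunk; a comment or a BUILD_BUG_ON on ARRAY_SIZE(audit_nfcfgs) would guard against the two drifting apart.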
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4471393da6d8..c8dc954685f2 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -12,6 +12,7 @@
 #include <linux/netlink.h>
 #include <linux/vmalloc.h>
 #include <linux/rhashtable.h>
+#include <linux/audit.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nf_tables.h>
@@ -7344,6 +7345,19 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 	list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
 		switch (trans->msg_type) {
 		case NFT_MSG_NEWTABLE:
+		case NFT_MSG_DELTABLE:
+		case NFT_MSG_NEWCHAIN:
+		case NFT_MSG_DELCHAIN:
+		case NFT_MSG_NEWRULE:
+		case NFT_MSG_DELRULE:
+			audit_log_nfcfg(trans->ctx.table->name,
+					trans->ctx.family,
+					atomic_read(&trans->ctx.table->chains_ht.ht.nelems),
+					trans->msg_type);
+			break;
+		}
+		switch (trans->msg_type) {
+		case NFT_MSG_NEWTABLE:
 			if (nft_trans_table_update(trans)) {
 				if (!nft_trans_table_enable(trans)) {
 					nf_tables_table_disable(net,
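Review bot: the `entries=` argument, `atomic_read(&trans->ctx.table->chains_ht.ht.nelems)`, is the table's chain count for every message type, so a register_rule or unregister_rule record reports how many chains the table has rather than anything about the rule, and for DELTABLE it reports chains that are about to be freed; if no rule-level count is cheaply available here, logging the chain name for chain and rule events would carry more information than this number. Two further gaps in the first switch: NFT_MSG_NEWTABLE is also how a table flag update arrives (the `nft_trans_table_update(trans)` branch immediately below), yet it is logged with the same op as a fresh registration, and any other msg_type on the commit list (set, set element, object and flowtable transactions) falls through the switch unlogged, so a ruleset change made through those objects leaves no NETFILTER_CFG record. Finally, `trans->msg_type` is passed straight into audit_log_nfcfg as the op, so the NEWTABLE/DELTABLE cases depend on those message numbers coinciding with the legacy register/unregister values, which is the overlap the cover note raises; an explicit msg_type to audit_nfcfgop mapping in this function would remove that dependency.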
-- 
1.8.3.1
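As an added example, not part of this patch or of the kernel's own code: a small Python parser for NETFILTER_CFG audit records that recognises the op= strings this patch adds to audit_nfcfgs (register_chain, unregister_chain, register_rule, unregister_rule and the two noop variants) alongside the legacy xtables ops, and reduces a log excerpt to the configuration changes made per table. The field layout assumed for the record body (table=, family=, entries=, op=, pid=, comm=) and the sample lines are constructed for this example; the family numbers are the kernel's NFPROTO_* constants.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# NFPROTO_* values from uapi/linux/netfilter.h, which is what family= carries.
NFPROTO_NAMES = {0: "unspec", 1: "inet", 2: "ipv4", 3: "arp",
                 5: "netdev", 7: "bridge", 10: "ipv6"}

# op= strings from the patch's audit_nfcfgs table: three legacy xtables ops
# and the six nftables chain/rule ops the patch adds.
LEGACY_OPS = frozenset({"register", "replace", "unregister"})
NFT_OPS = frozenset({"register_chain", "noop_chain", "unregister_chain",
                     "register_rule", "noop_rule", "unregister_rule"})
# The noop variants map GET requests, i.e. reads; only these ops alter the ruleset.
CHANGE_OPS = (LEGACY_OPS | NFT_OPS) - {"noop_chain", "noop_rule"}

# Constructed sample records (assumed field layout, made-up values).
SAMPLE_LOG = """\
type=NETFILTER_CFG msg=audit(1590587611.123:201): table=filter family=2 entries=3 op=register pid=1201 comm="iptables"
type=NETFILTER_CFG msg=audit(1590587612.456:202): table=inet_fw family=1 entries=2 op=register_chain pid=1310 comm="nft"
type=NETFILTER_CFG msg=audit(1590587613.789:203): table=inet_fw family=1 entries=2 op=register_rule pid=1310 comm="nft"
type=NETFILTER_CFG msg=audit(1590587614.000:204): table=inet_fw family=1 entries=2 op=unregister_rule pid=1420 comm="nft"
type=SYSCALL msg=audit(1590587614.000:204): arch=c000003e syscall=46 success=yes exit=0
type=NETFILTER_CFG msg=audit(1590587615.500:205): table=inet_fw family=1 entries=1 op=unregister_chain pid=1420 comm="nft"
"""

_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_FIELD = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


@dataclass
class NetfilterCfg:
    timestamp: float
    serial: int
    table: str
    family: int
    entries: int
    op: str
    pid: int
    comm: str

    @property
    def family_name(self) -> str:
        return NFPROTO_NAMES.get(self.family, f"unknown({self.family})")


def parse_fields(body: str) -> Dict[str, str]:
    """Split an audit record body into key/value pairs, dropping quotes on values."""
    return {m.group("key"): m.group("val").strip('"') for m in _FIELD.finditer(body)}


def parse_records(text: str) -> List[NetfilterCfg]:
    """Return the NETFILTER_CFG records in text; other record types are skipped."""
    out: List[NetfilterCfg] = []
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m or m.group("type") != "NETFILTER_CFG":
            continue
        f = parse_fields(m.group("body"))
        out.append(NetfilterCfg(
            timestamp=float(m.group("ts")), serial=int(m.group("serial")),
            table=f["table"], family=int(f["family"]), entries=int(f["entries"]),
            op=f["op"], pid=int(f.get("pid", -1)), comm=f.get("comm", "")))
    return out


def is_nft_op(op: str) -> bool:
    """True for ops that only the nftables netlink path (this patch) emits."""
    return op in NFT_OPS


def config_changes_by_table(records: List[NetfilterCfg]) -> Dict[str, List[str]]:
    """Ordered list of ruleset-changing ops per table, ignoring noop (GET) records."""
    changes: Dict[str, List[str]] = {}
    for r in records:
        if r.op in CHANGE_OPS:
            changes.setdefault(r.table, []).append(r.op)
    return changes


def describe(r: NetfilterCfg) -> str:
    """One readable line per record, marking which API path produced it."""
    source = "nft" if is_nft_op(r.op) else "legacy"
    return (f"#{r.serial} {source:<6} {r.op:<16} table={r.table} "
            f"family={r.family_name} entries={r.entries} comm={r.comm} pid={r.pid}")


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for rec in recs:
        print(describe(rec))
    for table, ops in config_changes_by_table(recs).items():
        print(f"{table}: {' -> '.join(ops)}")
```

Because the patch reuses the legacy NETFILTER_CFG record type, a consumer that already matches on type=NETFILTER_CFG sees the new chain and rule events without any change; the op= suffix is the only thing that distinguishes the nftables path from a legacy setsockopt call, which is why the example classifies on that field.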
