lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210318183703.GL3141668@madcap2.tricolour.ca>
Date:   Thu, 18 Mar 2021 14:37:03 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Phil Sutter <phil@....cc>,
        Linux-Audit Mailing List <linux-audit@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        netfilter-devel@...r.kernel.org, Paul Moore <paul@...l-moore.com>,
        Eric Paris <eparis@...isplace.org>,
        Steve Grubb <sgrubb@...hat.com>,
        Florian Westphal <fw@...len.de>, twoerner@...hat.com,
        tgraf@...radead.org, dan.carpenter@...cle.com,
        Jones Desougi <jones.desougi+netfilter@...il.com>
Subject: Re: [PATCH] audit: log nftables configuration change events once per
 table

On 2021-03-18 17:30, Phil Sutter wrote:
> Hi,
> 
> On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> > Reduce logging of nftables events to a level similar to iptables.
> > Restore the table field to list the table, adding the generation.
> 
> This looks much better, a few remarks below:
> 
> [...]
> > +static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
> > +	/* NFT_MSG_NEWTABLE	*/	AUDIT_NFT_OP_TABLE_REGISTER,
> > +	/* NFT_MSG_GETTABLE	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_DELTABLE	*/	AUDIT_NFT_OP_TABLE_UNREGISTER,
> > +	/* NFT_MSG_NEWCHAIN	*/	AUDIT_NFT_OP_CHAIN_REGISTER,
> > +	/* NFT_MSG_GETCHAIN	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_DELCHAIN	*/	AUDIT_NFT_OP_CHAIN_UNREGISTER,
> > +	/* NFT_MSG_NEWRULE	*/	AUDIT_NFT_OP_RULE_REGISTER,
> > +	/* NFT_MSG_GETRULE	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_DELRULE	*/	AUDIT_NFT_OP_RULE_UNREGISTER,
> > +	/* NFT_MSG_NEWSET	*/	AUDIT_NFT_OP_SET_REGISTER,
> > +	/* NFT_MSG_GETSET	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_DELSET	*/	AUDIT_NFT_OP_SET_UNREGISTER,
> > +	/* NFT_MSG_NEWSETELEM	*/	AUDIT_NFT_OP_SETELEM_REGISTER,
> > +	/* NFT_MSG_GETSETELEM	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_DELSETELEM	*/	AUDIT_NFT_OP_SETELEM_UNREGISTER,
> > +	/* NFT_MSG_NEWGEN	*/	AUDIT_NFT_OP_GEN_REGISTER,
> > +	/* NFT_MSG_GETGEN	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_TRACE	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_NEWOBJ	*/	AUDIT_NFT_OP_OBJ_REGISTER,
> > +	/* NFT_MSG_GETOBJ	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_DELOBJ	*/	AUDIT_NFT_OP_OBJ_UNREGISTER,
> > +	/* NFT_MSG_GETOBJ_RESET	*/	AUDIT_NFT_OP_OBJ_RESET,
> > +	/* NFT_MSG_NEWFLOWTABLE	*/	AUDIT_NFT_OP_FLOWTABLE_REGISTER,
> > +	/* NFT_MSG_GETFLOWTABLE	*/	AUDIT_NFT_OP_INVALID,
> > +	/* NFT_MSG_DELFLOWTABLE	*/	AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
> > +	/* NFT_MSG_MAX		*/	AUDIT_NFT_OP_INVALID,
> > +};
> 
> NFT_MSG_MAX is itself not a valid message, it serves merely as an upper
> bound for arrays, loops or sanity checks. You will never see it in
> trans->msg_type.
> 
> Since enum nf_tables_msg_types contains consecutive values from 0 to
> NFT_MSG_MAX, you could write the above more explicitly:
> 
> | static const u8 nft2audit_op[NFT_MSG_MAX] = {
> | 	[NFT_MSG_NEWTABLE]	= AUDIT_NFT_OP_TABLE_REGISTER,
> | 	[NFT_MSG_GETTABLE]	= AUDIT_NFT_OP_INVALID,
> | 	[NFT_MSG_DELTABLE]	= AUDIT_NFT_OP_TABLE_UNREGISTER,
> (And so forth.)
> 
> Not a must, but it clarifies the 1:1 mapping between index and said
> enum. Sadly, AUDIT_NFT_OP_INVALID is non-zero. Otherwise one could skip
> all uninteresting ones.

Yes, ok, I prefer your suggested way of listing them.

Yeah, the fact the values for op= already have a precedent in xtables
limits us.

> [...]
> > @@ -6278,12 +6219,11 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
> >  			    filter->type != NFT_OBJECT_UNSPEC &&
> >  			    obj->ops->type->type != filter->type)
> >  				goto cont;
> > -
> >  			if (reset) {
> >  				char *buf = kasprintf(GFP_ATOMIC,
> > -						      "%s:%llu;?:0",
> > +						      "%s:%u",
> >  						      table->name,
> > -						      table->handle);
> > +						      net->nft.base_seq);
> >  
> >  				audit_log_nfcfg(buf,
> >  						family,
> 
> Why did you leave the object-related logs in place? They should reappear
> at commit time just like chains and sets for instance, no?

There are other paths that can trigger these messages that don't go
through nf_tables_commit() that affect the configuration data.  The
counters are considered config data for auditing purposes and the act of
resetting them is audittable.  And the only time we want to emit a
record is when they are being reset.

> Thanks, Phil

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ