[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210318183703.GL3141668@madcap2.tricolour.ca>
Date: Thu, 18 Mar 2021 14:37:03 -0400
From: Richard Guy Briggs <rgb@...hat.com>
To: Phil Sutter <phil@....cc>,
Linux-Audit Mailing List <linux-audit@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
netfilter-devel@...r.kernel.org, Paul Moore <paul@...l-moore.com>,
Eric Paris <eparis@...isplace.org>,
Steve Grubb <sgrubb@...hat.com>,
Florian Westphal <fw@...len.de>, twoerner@...hat.com,
tgraf@...radead.org, dan.carpenter@...cle.com,
Jones Desougi <jones.desougi+netfilter@...il.com>
Subject: Re: [PATCH] audit: log nftables configuration change events once per
table
On 2021-03-18 17:30, Phil Sutter wrote:
> Hi,
>
> On Thu, Mar 18, 2021 at 11:39:52AM -0400, Richard Guy Briggs wrote:
> > Reduce logging of nftables events to a level similar to iptables.
> > Restore the table field to list the table, adding the generation.
>
> This looks much better, a few remarks below:
>
> [...]
> > +static const u8 nft2audit_op[] = { // enum nf_tables_msg_types
> > + /* NFT_MSG_NEWTABLE */ AUDIT_NFT_OP_TABLE_REGISTER,
> > + /* NFT_MSG_GETTABLE */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELTABLE */ AUDIT_NFT_OP_TABLE_UNREGISTER,
> > + /* NFT_MSG_NEWCHAIN */ AUDIT_NFT_OP_CHAIN_REGISTER,
> > + /* NFT_MSG_GETCHAIN */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELCHAIN */ AUDIT_NFT_OP_CHAIN_UNREGISTER,
> > + /* NFT_MSG_NEWRULE */ AUDIT_NFT_OP_RULE_REGISTER,
> > + /* NFT_MSG_GETRULE */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELRULE */ AUDIT_NFT_OP_RULE_UNREGISTER,
> > + /* NFT_MSG_NEWSET */ AUDIT_NFT_OP_SET_REGISTER,
> > + /* NFT_MSG_GETSET */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELSET */ AUDIT_NFT_OP_SET_UNREGISTER,
> > + /* NFT_MSG_NEWSETELEM */ AUDIT_NFT_OP_SETELEM_REGISTER,
> > + /* NFT_MSG_GETSETELEM */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELSETELEM */ AUDIT_NFT_OP_SETELEM_UNREGISTER,
> > + /* NFT_MSG_NEWGEN */ AUDIT_NFT_OP_GEN_REGISTER,
> > + /* NFT_MSG_GETGEN */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_TRACE */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_NEWOBJ */ AUDIT_NFT_OP_OBJ_REGISTER,
> > + /* NFT_MSG_GETOBJ */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELOBJ */ AUDIT_NFT_OP_OBJ_UNREGISTER,
> > + /* NFT_MSG_GETOBJ_RESET */ AUDIT_NFT_OP_OBJ_RESET,
> > + /* NFT_MSG_NEWFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_REGISTER,
> > + /* NFT_MSG_GETFLOWTABLE */ AUDIT_NFT_OP_INVALID,
> > + /* NFT_MSG_DELFLOWTABLE */ AUDIT_NFT_OP_FLOWTABLE_UNREGISTER,
> > + /* NFT_MSG_MAX */ AUDIT_NFT_OP_INVALID,
> > +};
>
> NFT_MSG_MAX is itself not a valid message, it serves merely as an upper
> bound for arrays, loops or sanity checks. You will never see it in
> trans->msg_type.
>
> Since enum nf_tables_msg_types contains consecutive values from 0 to
> NFT_MSG_MAX, you could write the above more explicitly:
>
> | static const u8 nft2audit_op[NFT_MSG_MAX] = {
> | [NFT_MSG_NEWTABLE] = AUDIT_NFT_OP_TABLE_REGISTER,
> | [NFT_MSG_GETTABLE] = AUDIT_NFT_OP_INVALID,
> | [NFT_MSG_DELTABLE] = AUDIT_NFT_OP_TABLE_UNREGISTER,
> (And so forth.)
>
> Not a must, but it clarifies the 1:1 mapping between index and said
> enum. Sadly, AUDIT_NFT_OP_INVALID is non-zero. Otherwise one could skip
> all uninteresting ones.
Yes, ok, I prefer your suggested way of listing them.
Yeah, the fact the values for op= already have a precedent in xtables
limits us.
> [...]
> > @@ -6278,12 +6219,11 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb)
> > filter->type != NFT_OBJECT_UNSPEC &&
> > obj->ops->type->type != filter->type)
> > goto cont;
> > -
> > if (reset) {
> > char *buf = kasprintf(GFP_ATOMIC,
> > - "%s:%llu;?:0",
> > + "%s:%u",
> > table->name,
> > - table->handle);
> > + net->nft.base_seq);
> >
> > audit_log_nfcfg(buf,
> > family,
>
> Why did you leave the object-related logs in place? They should reappear
> at commit time just like chains and sets for instance, no?
There are other paths that can trigger these messages that don't go
through nf_tables_commit() that affect the configuration data. The
counters are considered config data for auditing purposes and the act of
resetting them is audittable. And the only time we want to emit a
record is when they are being reset.
> Thanks, Phil
- RGB
--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
Powered by blists - more mailing lists