On 2017-01-30 10:13, Richard Guy Briggs wrote: > On 2017-01-30 15:53, Steve Grubb wrote: > > On Fri, 27 Jan 2017 08:11:06 -0500 > > Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: > > > Eliminate flipping in and out of message fields. > > > > > > https://github.com/linux-audit/audit-kernel/issues/11 > > > > Do you have sample events that shows how this changes the record > > format? I like to review how the event looks when a patch changes or > > adds a record. > > I used the format that was proposed. Here are several samples from > running this RFC patch through the RFC test script: > > ausearch --start 01/27/2017 -i -m netfilter_pkt > ---- > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.649:183) : action=ACCEPT hook=OUTPUT len=84 inif=? outif=lo mark=0xa044a1d4 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=icmp frag=255 trunc=-1 sport=65535 dport=65535 icmptype=echo icmpcode=0 > ---- > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.649:184) : action=ACCEPT hook=INPUT len=84 inif=lo outif=? mark=0xbadeac28 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=icmp frag=255 trunc=-1 sport=65535 dport=65535 icmptype=echo icmpcode=0 > ---- > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.652:185) : action=ACCEPT hook=INPUT len=104 inif=lo outif=? mark=0xb404724 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=ipv6-icmp frag=-1 trunc=-1 sport=65535 dport=65535 icmptype=unknown icmp type (128) icmpcode=0 > ---- > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.655:186) : action=ACCEPT hook=INPUT len=60 inif=lo outif=? mark=0xe2bd8098 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=29381 proto=tcp frag=255 trunc=-1 sport=51064 dport=42424 icmptype=unknown icmp type (255) icmpcode=255 > ---- > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.657:187) : action=ACCEPT hook=INPUT len=80 inif=lo outif=? mark=0xf80a9dd7 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=tcp frag=-1 trunc=-1 sport=38188 dport=42424 icmptype=unknown icmp type (255) icmpcode=255 > ---- > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.659:188) : action=ACCEPT hook=INPUT len=31 inif=lo outif=? mark=0xa6d8d4ac smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=46304 proto=udp frag=255 trunc=-1 sport=60095 dport=42424 icmptype=unknown icmp type (255) icmpcode=255 > ---- > type=NETFILTER_PKT msg=audit(01/27/2017 08:03:35.661:189) : action=ACCEPT hook=INPUT len=51 inif=lo outif=? mark=0x3f0d6054 smac=? dmac=? macproto=UNKNOWN trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=udp frag=-1 trunc=-1 sport=43818 dport=42424 icmptype=unknown icmp type (255) icmpcode=255 > ---- Here are the raw messages: ---- time->Fri Jan 27 08:03:35 2017 type=NETFILTER_PKT msg=audit(1485522215.649:183): action=0 hook=3 len=84 inif=? outif=lo mark=0xa044a1d4 smac=? dmac=? macproto=0xffff trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=1 frag=255 trunc=-1 sport=65535 dport=65535 icmptype=8 icmpcode=0 ---- time->Fri Jan 27 08:03:35 2017 type=NETFILTER_PKT msg=audit(1485522215.649:184): action=0 hook=1 len=84 inif=lo outif=? mark=0xbadeac28 smac=? dmac=? macproto=0xffff trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=26581 proto=1 frag=255 trunc=-1 sport=65535 dport=65535 icmptype=8 icmpcode=0 ---- time->Fri Jan 27 08:03:35 2017 type=NETFILTER_PKT msg=audit(1485522215.652:185): action=0 hook=1 len=104 inif=lo outif=? mark=0xb404724 smac=? dmac=? macproto=0xffff trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=58 frag=-1 trunc=-1 sport=65535 dport=65535 icmptype=128 icmpcode=0 ---- time->Fri Jan 27 08:03:35 2017 type=NETFILTER_PKT msg=audit(1485522215.655:186): action=0 hook=1 len=60 inif=lo outif=? mark=0xe2bd8098 smac=? dmac=? macproto=0xffff trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=29381 proto=6 frag=255 trunc=-1 sport=51064 dport=42424 icmptype=255 icmpcode=255 ---- time->Fri Jan 27 08:03:35 2017 type=NETFILTER_PKT msg=audit(1485522215.657:187): action=0 hook=1 len=80 inif=lo outif=? mark=0xf80a9dd7 smac=? dmac=? macproto=0xffff trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=6 frag=-1 trunc=-1 sport=38188 dport=42424 icmptype=255 icmpcode=255 ---- time->Fri Jan 27 08:03:35 2017 type=NETFILTER_PKT msg=audit(1485522215.659:188): action=0 hook=1 len=31 inif=lo outif=? mark=0xa6d8d4ac smac=? dmac=? macproto=0xffff trunc=-1 saddr=127.0.0.1 daddr=127.0.0.1 ipid=46304 proto=17 frag=255 trunc=-1 sport=60095 dport=42424 icmptype=255 icmpcode=255 ---- time->Fri Jan 27 08:03:35 2017 type=NETFILTER_PKT msg=audit(1485522215.661:189): action=0 hook=1 len=51 inif=lo outif=? mark=0x3f0d6054 smac=? dmac=? macproto=0xffff trunc=-1 saddr=::1 daddr=::1 ipid=-1 proto=17 frag=-1 trunc=-1 sport=43818 dport=42424 icmptype=255 icmpcode=255 ---- > > -Steve > > > > > > > Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> > > > --- > > > net/netfilter/xt_AUDIT.c | 92 > > > +++++++++++++++++++++++++++++++++------------- 1 files changed, 66 > > > insertions(+), 26 deletions(-) > > > > > > diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c > > > index 4973cbd..8089ec2 100644 > > > --- a/net/netfilter/xt_AUDIT.c > > > +++ b/net/netfilter/xt_AUDIT.c > > > @@ -31,24 +31,41 @@ MODULE_ALIAS("ip6t_AUDIT"); > > > MODULE_ALIAS("ebt_AUDIT"); > > > MODULE_ALIAS("arpt_AUDIT"); > > > > > > +struct nfpkt_par { > > > + int ipv; > > > + int iptrunc; > > > + const void *saddr; > > > + const void *daddr; > > > + u16 ipid; > > > + u8 proto; > > > + u8 frag; > > > + int ptrunc; > > > + u16 sport; > > > + u16 dport; > > > + u8 icmpt; > > > + u8 icmpc; > > > +}; > > > + > > > static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb, > > > - unsigned int proto, unsigned int offset) > > > + unsigned int proto, unsigned int offset, > > > struct nfpkt_par *apar) { > > > switch (proto) { > > > case IPPROTO_TCP: > > > case IPPROTO_UDP: > > > - case IPPROTO_UDPLITE: { > > > + case IPPROTO_UDPLITE: > > > + case IPPROTO_DCCP: > > > + case IPPROTO_SCTP: { > > > const __be16 *pptr; > > > __be16 _ports[2]; > > > > > > pptr = skb_header_pointer(skb, offset, > > > sizeof(_ports), _ports); if (pptr == NULL) { > > > - audit_log_format(ab, " truncated=1"); > > > + apar->ptrunc = 1; > > > return; > > > } > > > + apar->sport = ntohs(pptr[0]); > > > + apar->dport = ntohs(pptr[1]); > > > > > > - audit_log_format(ab, " sport=%hu dport=%hu", > > > - ntohs(pptr[0]), ntohs(pptr[1])); > > > } > > > break; > > > > > > @@ -59,41 +76,43 @@ static void audit_proto(struct audit_buffer *ab, > > > struct sk_buff *skb, > > > iptr = skb_header_pointer(skb, offset, sizeof(_ih), > > > &_ih); if (iptr == NULL) { > > > - audit_log_format(ab, " truncated=1"); > > > + apar->ptrunc = 1; > > > return; > > > } > > > - > > > - audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu", > > > - iptr[0], iptr[1]); > > > + apar->icmpt = iptr[0]; > > > + apar->icmpc = iptr[1]; > > > > > > } > > > break; > > > } > > > } > > > > > > -static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb) > > > +static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb, > > > struct nfpkt_par *apar) { > > > struct iphdr _iph; > > > const struct iphdr *ih; > > > > > > + apar->ipv = 4; > > > ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); > > > if (!ih) { > > > - audit_log_format(ab, " truncated=1"); > > > + apar->iptrunc = 1; > > > return; > > > } > > > > > > - audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu > > > proto=%hhu", > > > - &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol); > > > + apar->saddr = &ih->saddr; > > > + apar->daddr = &ih->daddr; > > > + apar->ipid = ntohs(ih->id); > > > + apar->proto = ih->protocol; > > > > > > if (ntohs(ih->frag_off) & IP_OFFSET) { > > > - audit_log_format(ab, " frag=1"); > > > + apar->frag = 1; > > > return; > > > } > > > > > > - audit_proto(ab, skb, ih->protocol, ih->ihl * 4); > > > + audit_proto(ab, skb, ih->protocol, ih->ihl * 4, apar); > > > } > > > > > > -static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb) > > > +static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb, > > > struct nfpkt_par *apar) { > > > struct ipv6hdr _ip6h; > > > const struct ipv6hdr *ih; > > > @@ -101,9 +120,10 @@ static void audit_ip6(struct audit_buffer *ab, > > > struct sk_buff *skb) __be16 frag_off; > > > int offset; > > > > > > + apar->ipv = 6; > > > ih = skb_header_pointer(skb, skb_network_offset(skb), > > > sizeof(_ip6h), &_ip6h); if (!ih) { > > > - audit_log_format(ab, " truncated=1"); > > > + apar->iptrunc = 1; > > > return; > > > } > > > > > > @@ -111,11 +131,12 @@ static void audit_ip6(struct audit_buffer *ab, > > > struct sk_buff *skb) offset = ipv6_skip_exthdr(skb, > > > skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off); > > > > > > - audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu", > > > - &ih->saddr, &ih->daddr, nexthdr); > > > + apar->saddr = &ih->saddr; > > > + apar->daddr = &ih->daddr; > > > + apar->proto = nexthdr; > > > > > > if (offset) > > > - audit_proto(ab, skb, nexthdr, offset); > > > + audit_proto(ab, skb, nexthdr, offset, apar); > > > } > > > > > > static unsigned int > > > @@ -123,6 +144,9 @@ audit_tg(struct sk_buff *skb, const struct > > > xt_action_param *par) { > > > const struct xt_audit_info *info = par->targinfo; > > > struct audit_buffer *ab; > > > + struct nfpkt_par apar = { > > > + -1, -1, NULL, NULL, -1, -1, -1, -1, -1, -1, -1, -1 > > > + }; > > > > > > if (audit_enabled == 0) > > > goto errout; > > > @@ -136,8 +160,7 @@ audit_tg(struct sk_buff *skb, const struct > > > xt_action_param *par) par->in ? par->in->name : "?", > > > par->out ? par->out->name : "?"); > > > > > > - if (skb->mark) > > > - audit_log_format(ab, " mark=%#x", skb->mark); > > > + audit_log_format(ab, " mark=%#x", skb->mark ?: -1); > > > > > > if (skb->dev && skb->dev->type == ARPHRD_ETHER) { > > > audit_log_format(ab, " smac=%pM dmac=%pM > > > macproto=0x%04x", @@ -147,25 +170,42 @@ audit_tg(struct sk_buff *skb, > > > const struct xt_action_param *par) if (par->family == NFPROTO_BRIDGE) > > > { switch (eth_hdr(skb)->h_proto) { > > > case htons(ETH_P_IP): > > > - audit_ip4(ab, skb); > > > + audit_ip4(ab, skb, &apar); > > > break; > > > > > > case htons(ETH_P_IPV6): > > > - audit_ip6(ab, skb); > > > + audit_ip6(ab, skb, &apar); > > > break; > > > } > > > } > > > + } else { > > > + audit_log_format(ab, " smac=? dmac=? > > > macproto=0xffff"); } > > > > > > switch (par->family) { > > > case NFPROTO_IPV4: > > > - audit_ip4(ab, skb); > > > + audit_ip4(ab, skb, &apar); > > > break; > > > > > > case NFPROTO_IPV6: > > > - audit_ip6(ab, skb); > > > + audit_ip6(ab, skb, &apar); > > > + break; > > > + } > > > + > > > + switch (apar.ipv) { > > > + case 4: > > > + audit_log_format(ab, " trunc=%d saddr=%pI4 > > > daddr=%pI4 ipid=%hu proto=%hhu frag=%d", > > > + apar.iptrunc, apar.saddr, apar.daddr, > > > apar.ipid, apar.proto, apar.frag); > > > + break; > > > + case 6: > > > + audit_log_format(ab, " trunc=%d saddr=%pI6c > > > daddr=%pI6c ipid=-1 proto=%hhu frag=-1", > > > + apar.iptrunc, apar.saddr, apar.daddr, > > > apar.proto); break; > > > + default: > > > + audit_log_format(ab, " trunc=-1 saddr=? daddr=? > > > ipid=-1 proto=-1 frag=-1"); } > > > + audit_log_format(ab, " trunc=%d sport=%hu dport=%hu > > > icmptype=%hhu icmpcode=%hhu", > > > + apar.ptrunc, apar.sport, apar.dport, apar.icmpt, > > > apar.icmpc); > > > #ifdef CONFIG_NETWORK_SECMARK > > > if (skb->secmark) > > > > - RGB > > -- > Richard Guy Briggs <rgb@xxxxxxxxxx> > Kernel Security Engineering, Base Operating Systems, Red Hat > Remote, Ottawa, Canada > Voice: +1.647.777.2635, Internal: (81) 32635 - RGB -- Richard Guy Briggs <rgb@xxxxxxxxxx> Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
