Re: [nf-next RFC 2/2] selftests: netfilter: Test nf_tables audit logging

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Fri, Sep 08, 2023 at 04:56:05PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Sep 08, 2023 at 02:22:29AM +0200, Phil Sutter wrote:
> > Perform ruleset modifications and compare the NETFILTER_CFG type
> > notifications emitted by auditd match expectations.
> > 
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > ---
> > Calling auditd means enabling audit logging in kernel for the remaining
> > uptime. So this test will slow down following ones or even cause
> > spurious failures due to unexpected kernel log entries, timeouts, etc.
> > 
> > Is there a way to test this in a less intrusive way? Maybe fence this
> > test so it does not run automatically (is it any good having it in
> > kernel then)?
> I think you could make a small libmnl program to listen to
> NETLINK_AUDIT events and filter only the logs you need from there. We
> already have a few programs like this in the selftest folder.

Turns out it is indeed possible to turn audit logging off again. I was
obviously misled from auditd not doing it (when killed at least).
Calling 'auditctl -e 0' inside the EXIT trap does the trick.
Implementing a custom audit listener tailored to our case is probably
still a good idea, but at least the biggest obstacle is gone IMO.

Thanks, Phil

[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux