On Fri, Sep 8, 2023 at 10:56 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Fri, Sep 08, 2023 at 02:22:29AM +0200, Phil Sutter wrote:
> > Perform ruleset modifications and compare the NETFILTER_CFG type
> > notifications emitted by auditd match expectations.
> >
> > Signed-off-by: Phil Sutter <phil@xxxxxx>
> > ---
> > Calling auditd means enabling audit logging in kernel for the remaining
> > uptime. So this test will slow down following ones or even cause
> > spurious failures due to unexpected kernel log entries, timeouts, etc.
> >
> > Is there a way to test this in a less intrusive way? Maybe fence this
> > test so it does not run automatically (is it any good having it in
> > kernel then)?
>
> I think you could make a small libmnl program to listen to
> NETLINK_AUDIT events and filter only the logs you need from there. We
> already have a few programs like this in the selftest folder.

Just a heads-up that the kernel sends the unicast netlink messages with
a bogus nlmsghdr::nlmsg_len field, see the comments in audit_log_end()
and kauditd_send_multicast_skb() for the details.

--
paul-moore.com
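The length quirk mentioned above is easy to get wrong in a small listener of the kind suggested in the thread: on the unicast (auditd) socket the kernel sets nlmsg_len to the payload length only, without NLMSG_HDRLEN, while the AUDIT_NLGRP_READLOG multicast copy carries the normal full length, so the generic NLMSG_PAYLOAD()/mnl_nlmsg_get_payload_len() helpers silently drop the last 16 bytes of every unicast record. The following C program is an added example, not code from this thread or from the kernel selftests: it shows the length fix-up, bounds it by the byte count recv() returned, and pulls key=value fields out of a NETFILTER_CFG record. The sample record is constructed here and its field names are illustrative; the program uses raw netlink headers rather than libmnl so it builds without the library, and the AUDIT_NETFILTER_CFG fallback value is the one from linux/audit.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Fallback for uapi headers that predate the constant (value from linux/audit.h). */
#ifndef AUDIT_NETFILTER_CFG
#define AUDIT_NETFILTER_CFG 1325
#endif

/* Constructed sample record text (illustrative field names, not a captured log). */
static const char SAMPLE_REC[] =
    "table=filter family=2 entries=1 op=nft_register_table pid=4242 comm=\"nft\"";

/* Length of the record text in one audit netlink message.
 * kernel/audit.c sets nlmsg_len differently per delivery path (see the
 * comments in audit_log_end() and kauditd_send_multicast_skb()):
 *   unicast (auditd socket): nlmsg_len = payload length, header not counted;
 *   multicast (AUDIT_NLGRP_READLOG): nlmsg_len = full message length.
 * 'recvd' is what recv() returned and bounds the result so a corrupt or
 * truncated message can never make the caller read past its buffer. */
size_t audit_payload_len(const struct nlmsghdr *nlh, size_t recvd, int from_multicast)
{
    size_t total = nlh->nlmsg_len;
    if (!from_multicast)
        total += NLMSG_HDRLEN;          /* undo the unicast quirk */
    if (total < NLMSG_HDRLEN || total > recvd)
        return 0;                       /* malformed or truncated */
    return total - NLMSG_HDRLEN;
}

/* Copy the text of a NETFILTER_CFG record into a NUL-terminated string
 * (caller frees); NULL for other record types or malformed messages. */
char *audit_nfcfg_record(const void *buf, size_t recvd, int from_multicast)
{
    const struct nlmsghdr *nlh = buf;
    if (recvd < NLMSG_HDRLEN || nlh->nlmsg_type != AUDIT_NETFILTER_CFG)
        return NULL;
    size_t len = audit_payload_len(nlh, recvd, from_multicast);
    if (len == 0)
        return NULL;
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memcpy(s, (const char *)nlh + NLMSG_HDRLEN, len);
    s[len] = '\0';
    return s;
}

/* Value of "key=" in a "k=v k=v ..." record (quotes stripped); NULL if absent. */
char *audit_field(const char *rec, const char *key)
{
    size_t klen = strlen(key);
    const char *p = rec;
    while ((p = strstr(p, key)) != NULL) {
        /* key must start the record or follow a space, and be followed by '=' */
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1, *end;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
            } else {
                end = strchr(v, ' ');
            }
            if (!end)
                end = v + strlen(v);
            size_t n = (size_t)(end - v);
            char *out = malloc(n + 1);
            if (!out)
                return NULL;
            memcpy(out, v, n);
            out[n] = '\0';
            return out;
        }
        p += klen;
    }
    return NULL;
}

/* Build what a unicast NETFILTER_CFG message looks like on the wire,
 * including the short nlmsg_len. Returns the number of bytes written. */
size_t build_sample_unicast(unsigned char *buf, size_t cap)
{
    size_t plen = strlen(SAMPLE_REC);
    if (cap < NLMSG_HDRLEN + plen)
        return 0;
    struct nlmsghdr nlh;
    memset(&nlh, 0, sizeof nlh);
    nlh.nlmsg_len = (uint32_t)plen;         /* unicast quirk: payload only */
    nlh.nlmsg_type = AUDIT_NETFILTER_CFG;
    memcpy(buf, &nlh, sizeof nlh);
    memcpy(buf + NLMSG_HDRLEN, SAMPLE_REC, plen);
    return NLMSG_HDRLEN + plen;
}

int main(void)
{
    unsigned char buf[256];
    size_t n = build_sample_unicast(buf, sizeof buf);
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    printf("naive NLMSG_PAYLOAD: %zu bytes, corrected: %zu bytes\n",
           (size_t)NLMSG_PAYLOAD(nlh, 0), audit_payload_len(nlh, n, 0));
    char *rec = audit_nfcfg_record(buf, n, 0);
    char *op = rec ? audit_field(rec, "op") : NULL;
    printf("record: %s\nop=%s\n", rec ? rec : "(none)", op ? op : "(none)");
    free(op);
    free(rec);
    return 0;
}
```

In a real listener the `from_multicast` flag comes from which socket the message arrived on; a program bound to AUDIT_NLGRP_READLOG passes 1 and gets the standard netlink length semantics, while a program that receives the unicast copy must pass 0 or it will truncate every record by a header's worth of bytes.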