From ad050763cc2c7e38de41b317809e63a1cba3be3e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 21 May 2011 17:22:19 -0700 Subject: [PATCH] Documentation update 2 for AUDIT support Signed-off-by: Tom Eastep --- docs/Audit.xml | 240 +++++++++++++++++++++++++++++++++++ docs/Documentation_Index.xml | 17 +-- 2 files changed, 249 insertions(+), 8 deletions(-) create mode 100644 docs/Audit.xml diff --git a/docs/Audit.xml b/docs/Audit.xml new file mode 100644 index 000000000..5efad0655 --- /dev/null +++ b/docs/Audit.xml @@ -0,0 +1,240 @@ + + +
+ + + + AUDIT Target Support + + + + Tom + + Eastep + + + + + + + 2011 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Background + + In early 2011, Thomas Graf submitted a set of patches to the + Netfilter development list that implemented an AUDIT rule target. This is + from the initial submittal: + +
+ This patch adds a new netfilter target which creates audit records + for packets traversing a certain chain. It can be used to record packets + which are rejected administraively as follows: + + + -N AUDIT_DROP + + -A AUDIT_DROP -j AUDIT --type DROP + + -A AUDIT_DROP -j DROP + + + A rule which would typically drop or reject a packet would then + invoke the new chain to record packets before dropping them. + + + -j AUDIT_DROP + + + The module is protocol independant and works for iptables, + ip6tables and ebtables. + + + + netfilter hook + + + + packet length + + + + incoming/outgoing interface + + + + MAC src/dst/proto for ethernet packets + + + + src/dst/protocol address for IPv4/IPv6 + + + + + + + + src/dst port for TCP/UDP/UDPLITE + + + + icmp type/code + + +
+ + Additionally, Thomas released a daemon (auditd) that write the audit + information to a log file. + + In a later post, the following additional information was + posted: + +
+ AUDIT exists because a very large number of gov't customers (Not + just USA) have special requirements about how 'relevant' information is + gathered and stored. They require centralization and standardization and + require pretty formal documentation describing it's operation. The gov't + certification authority has recently added a requirement that they be + able to log 'illegal attempted network connections' via the approved + audit facility. Thus, this patch. +
+ + The AUDIT target was included in Linux kernel 2.6.39. +
+ +
+ Shorewall Support + + Shorewall support for the AUDIT target was added in 4.4.20. + + The support involves the following: + + + + A new "AUDIT Target" capability is added and is required for + auditing support. To use AUDIT support with a capabilities file, that + file must be generated using this or a later release. + + Use 'shorewall show capabilities' after installing this release + to see if your kernel/iptables support the AUDIT target. + + + + In /etc/shorewall/policy's POLICY column, the policy (and + default action, if any) may be followed by ':audit' to cause + application of the policy to be audited. Only ACCEPT, DROP and REJECT + policies may be audited. + + Example: + + #SOURCE DEST POLICY LOG +# LEVEL +net fw DROP:audit + + It is allowed to also specify a log level on audited policies + resulting in both auditing and logging. + + + + Three new builtin targets that may be used in the rules file, + in macros and in other actions. + + + + A_ACCEPT - Audits and accepts the connection request + + + + A_DROP - Audits and drops the connection request + + + + A_REJECT - Audits and rejects + + + + A log level may be supplied with these actions to provide both + auditing and logging. + + Example: + + #ACTION SOURCE DEST PROTO +A_ACCEPT:info loc net ... + + + + The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION, + SMURF_DISPOSITION and TCP_FLAGS_DISPOSITION options may be set as + follows: + + + + + + BLACKLIST_DISPOSITION + + A_DROP or A_REJECT + + + + MACLIST_DISPOSITION + + A_DROP, A_REJECT unless MACLIST_TABLE=mangle + + + + SMURF_DISPOSITION + This option was added in Shorewall 4.4.20 + + + A_DROP + + + + TCP_FLAGS_DISPOSITION + + A_DROP or A_REJECT + + + + + + + + An 'audit' option has been added to the /etc/shorewall/blacklist + file which causes the packets matching the entryto be audited. 'audit' + may not be specified together with 'accept'. + + + + The builtin actions (dropBroadcast, rejNonSyn, etc.) 
now support + an 'audit' parameter which causes all ACCEPT, DROP and REJECTs + performed by the action to be audited. This allows creation of audited + versions of the Shorewall-provided default actions (action.Drop and + action.Reject). + + + The builtin actions are those actions listed in the output of + shorewall show actions whose names begin with a + lower-case letter. + + + +
+
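Review bot: the MACLIST_DISPOSITION row in the disposition table reads "A_DROP, A_REJECT unless MACLIST_TABLE=mangle", which a reader can parse as the mangle restriction applying to both values; since it is the REJECT target that is unavailable outside the filter table, reword to "A_DROP, or A_REJECT unless MACLIST_TABLE=mangle" so the caveat is clearly attached to A_REJECT only. Two smaller items in the same section: the blacklist bullet has "entryto" for "entry to", and "a daemon (auditd) that write the audit information" should read "writes"; that sentence would also benefit from a reference to where the daemon was released, since auditd is also the name of the standard Linux Audit userspace daemon and the wording as written could be read as attributing that daemon to this patch set. The quoted submittal text contains "administraively", "independant" and "it's operation"; as quoted material these are better left as-is or marked [sic] than silently corrected. Finally, in the quoted list of recorded fields there appears to be an empty item between "src/dst/protocol address for IPv4/IPv6" and "src/dst port for TCP/UDP/UDPLITE"; confirm whether a listitem was left blank there.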
diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index c8e2126d1..e5c154ba1 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -55,7 +55,7 @@ - + 6to4 and 6in4 Tunnels Linux-vserver @@ -63,7 +63,7 @@ - 6to4 and 6in4 Tunnels + Accounting Limiting Connection Rates @@ -73,7 +73,7 @@ - Accounting + Actions Logging @@ -82,7 +82,8 @@ - Actions + Aliased + (virtual) Interfaces (e.g., eth0:0) Macros @@ -90,8 +91,8 @@ - Aliased - (virtual) Interfaces (e.g., eth0:0) + Anatomy of + Shorewall MAC Verification @@ -102,8 +103,8 @@ - Anatomy of - Shorewall + AUDIT Target + support Man Pages
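Review bot: the new index entry is titled "AUDIT Target support" while the article title added in docs/Audit.xml by this same patch is "AUDIT Target Support"; make the capitalization match so the index and the page heading agree. The other changes in these hunks only move existing rows down one slot to make room for the new entry, which is the expected churn for this table layout, but it does mean the ordering has to be re-checked by hand: the entry lands after "Anatomy of Shorewall", which is correct for a case-insensitive sort but would be wrong for a byte-order sort, so it is worth stating the intended ordering in the commit message if the index is meant to be maintained alphabetically.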