Handle repeated NETFILTER_CFG records
spbnick opened this issue · 0 comments
spbnick commented
Apparently NETFILTER_CFG records can also be repeated. E.g.:
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=filter family=2 entries=0
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=filter family=10 entries=0
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=raw family=2 entries=0
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=security family=2 entries=0
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=mangle family=2 entries=0
node=host.example.com type=SYSCALL msg=audit(1489088730.556:188169): arch=c000003e syscall=90 success=yes exit=0 a0=2448180 a1=1a4 a2=48c0 a3=10 items=1 ppid=30762 pid=32440 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2134 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=unconfined_u:unconfined_r:rpm_script_t:s0-s0:c0.c1023 key="perm_mod"
node=host.example.com type=CWD msg=audit(1489088730.556:188169): cwd="/"
node=host.example.com type=PATH msg=audit(1489088730.556:188169): item=0 name="/etc/ld.so.cache~" inode=134326391 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:ld_so_cache_t:s0 objtype=NORMAL
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=nat family=2 entries=0
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=raw family=10 entries=0
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=security family=10 entries=0
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=mangle family=10 entries=0
node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=nat family=10 entries=0
node=host.example.com type=SYSCALL msg=audit(1489088730.553:188168): arch=c000003e syscall=56 success=yes exit=32445 a0=6c020011 a1=7f4494265e70 a2=200 a3=7f449fdab440 items=0 ppid=1 pid=32377 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
Figure out how to handle them properly.
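One way to handle the situation in the log above, as an added example that is not part of the issue or the project's own code: group records by the `audit(timestamp:serial)` event id rather than by position, since records of event 188168 arrive interleaved with those of 188169, and store record types that can legitimately repeat within one event as a keyed collection instead of a single slot. The example assumes that `(table, family)` uniquely identifies a NETFILTER_CFG record within an event (PATH records are keyed by `item`, as they already are in practice); the sample lines are a trimmed, constructed copy of the sequence shown in the issue.

```python
import re

# Constructed sample: a trimmed copy of the record sequence in the issue,
# with NETFILTER_CFG records of event 188168 interleaved with the
# SYSCALL/CWD/PATH records of the later event 188169.
SAMPLE_LINES = [
    'node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=filter family=2 entries=0',
    'node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=filter family=10 entries=0',
    'node=host.example.com type=SYSCALL msg=audit(1489088730.556:188169): arch=c000003e syscall=90 success=yes exit=0 items=1 pid=32440 comm="ldconfig" exe="/usr/sbin/ldconfig" key="perm_mod"',
    'node=host.example.com type=CWD msg=audit(1489088730.556:188169): cwd="/"',
    'node=host.example.com type=PATH msg=audit(1489088730.556:188169): item=0 name="/etc/ld.so.cache~" inode=134326391',
    'node=host.example.com type=NETFILTER_CFG msg=audit(1489088730.553:188168): table=nat family=2 entries=0',
    'node=host.example.com type=SYSCALL msg=audit(1489088730.553:188168): arch=c000003e syscall=56 success=yes exit=32445 items=0 pid=32377 comm="libvirtd" exe="/usr/sbin/libvirtd" key=(null)',
]

# Record header: optional node, record type, and the audit(ts:serial) event id.
HEADER_RE = re.compile(
    r'^(?:node=(?P<node>\S+) )?type=(?P<type>\w+) '
    r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$'
)
# key=value pairs: double-quoted values (may contain spaces), (null), or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\(null\)|\S*)')

# Record types that may appear more than once in a single event, with the
# field(s) that distinguish the repeats. The NETFILTER_CFG key is an
# assumption made by this example, not something the audit format guarantees.
REPEATABLE = {
    "PATH": lambda f: f["item"],
    "NETFILTER_CFG": lambda f: (f["table"], f["family"]),
}


def parse_record(line):
    """Split one audit line into node, type, event id and a field dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {}
    for key, raw in FIELD_RE.findall(m.group("rest")):
        # Strip the quotes from quoted values; keep (null) and bare tokens as-is.
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return {
        "node": m.group("node"),
        "type": m.group("type"),
        "event_id": (m.group("ts"), m.group("serial")),
        "fields": fields,
    }


def group_events(lines):
    """Assemble records into events keyed by (timestamp, serial).

    Events are kept in order of first appearance. Repeatable record types are
    stored as {key: fields} under their type; any other type occupies a single
    slot. A second record for an already-occupied slot or key is recorded in
    the event's 'dupes' list so the caller can decide what to do with it
    instead of silently overwriting the earlier record.
    """
    events = {}
    for line in lines:
        rec = parse_record(line)
        ev = events.setdefault(rec["event_id"], {"records": {}, "dupes": []})
        records, rtype = ev["records"], rec["type"]
        if rtype in REPEATABLE:
            key = REPEATABLE[rtype](rec["fields"])
            bucket = records.setdefault(rtype, {})
            if key in bucket:
                ev["dupes"].append((rtype, key))
            bucket[key] = rec["fields"]
        else:
            if rtype in records:
                ev["dupes"].append((rtype, None))
            records[rtype] = rec["fields"]
    return events


def netfilter_tables(event):
    """Return the sorted (table, family) pairs configured in one event."""
    return sorted(event["records"].get("NETFILTER_CFG", {}))


if __name__ == "__main__":
    for event_id, event in group_events(SAMPLE_LINES).items():
        syscall = event["records"].get("SYSCALL", {})
        print(event_id, syscall.get("comm"), netfilter_tables(event), event["dupes"])
```

Because records of an earlier event can still arrive after a later event has started, an event cannot be considered complete just because a record with a higher serial has been seen; a consumer that flushes events positionally would emit the libvirtd event without its trailing NETFILTER_CFG records, which is exactly the ordering the issue's log shows.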