Hi, is there a way to audit ipset changes?
The closest I got was to log the specific "socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)" call that ipset makes, but that obviously also triggers read-only operations like "ipset list", and any other app that opens suck a socket.
-- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit