From a0d760bef462ddb9581ddcf62b533b16fab08fad Mon Sep 17 00:00:00 2001
From: ashwat287
Date: Fri, 19 Sep 2025 21:08:26 +0000
Subject: [PATCH] guestagent: start iptables audit watcher when auditing already enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes a logic gap where, if auditing was already enabled at startup, the code only set worthCheckingIPTables=true and did not launch setWorthCheckingIPTablesRoutine. Without the routine the flag never changes (never set false after idle, never toggled by NETFILTER_CFG events), so the cached a.latestIPTables path is never used and behavior differs from the “auditing just enabled” case. Change: - After confirming auditing is (or becomes) enabled, always set worthCheckingIPTables=true for the initial scan and always start setWorthCheckingIPTablesRoutine. - Leave the non‑auditing fallback path unchanged. This makes flag state transitions consistent regardless of initial auditStatus.Enabled.
Signed-off-by: ashwat287
---
 pkg/guestagent/guestagent_linux.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/pkg/guestagent/guestagent_linux.go b/pkg/guestagent/guestagent_linux.go
index 5b199131f56..e2ca83f3427 100644
--- a/pkg/guestagent/guestagent_linux.go
+++ b/pkg/guestagent/guestagent_linux.go
@@ -67,11 +67,11 @@ func New(ctx context.Context, newTicker func() (<-chan time.Time, func()), iptab
 			return nil, err
 		}
 	}
-
-		go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle)
-	} else {
-		a.worthCheckingIPTables = true
 	}
+
+	a.worthCheckingIPTables = true // allow initial iptables scan
+	go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle)
+
 	logrus.Infof("Auditing enabled (%d)", auditStatus.Enabled)
 	return startGuestAgentRoutines(ctx, a, true), nil
 }
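Review bot: The goroutine launched on the added `go a.setWorthCheckingIPTablesRoutine(auditClient, iptablesIdle)` line now runs on every successful path through `New`, yet nothing ties its lifetime to the `ctx` that `New` receives and no `Close` of `auditClient` appears in the hunk, so the multicast audit receiver has no way to stop when the agent it serves is torn down (the routine's body is outside this hunk; if it already honours a stop signal, disregard). Since `startGuestAgentRoutines(ctx, a, true)` on the next line already carries the context, the watcher could take it as well, `go a.setWorthCheckingIPTablesRoutine(ctx, auditClient, iptablesIdle)`, and return from its receive loop once `ctx.Done()` fires, closing the client on the way out. In the branch where `auditStatus.Enabled` was already non-zero the agent now depends on NETFILTER_CFG records arriving under an audit configuration it did not set (backlog and rate limits belong to whoever enabled auditing), so dropped records would quietly leave the flag false after the idle window; a warning log in that branch, e.g. `logrus.Warn("audit was already enabled; netfilter events depend on the existing audit limits")`, would make that dependency visible to operators. `New` begins before the start of this hunk.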
@@ -111,7 +111,8 @@ type agent struct {
 // when no NETFILTER_CFG audit message was received for the iptablesIdle time.
 func (a *agent) setWorthCheckingIPTablesRoutine(auditClient *libaudit.AuditClient, iptablesIdle time.Duration) {
 	logrus.Info("setWorthCheckingIPTablesRoutine(): monitoring netfilter audit events")
-	var latestTrue time.Time
+	// Initialize to now so the first sleeper loop does not immediately mark it false.
+	latestTrue := time.Now()
 	go func() {
 		for {
 			time.Sleep(iptablesIdle)
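Review bot: The comment added above `latestTrue := time.Now()` promises that the first sleeper pass will not mark the flag false, but the loop sleeps `iptablesIdle` before doing anything, so if it then compares the time elapsed since `latestTrue` against `iptablesIdle` (that check is past the end of the hunk — confirm against it) the elapsed value is already at least `iptablesIdle` on the first pass and the flag is still cleared unless a NETFILTER_CFG event arrived in the meantime; the change only turns a huge elapsed value into one just over the window. If the intent is to keep the startup scan window open for a full idle period, the first iteration needs to be skipped or the comparison made against a deadline set after the sleep; if the current behaviour is acceptable, reword the comment to `// Start from now so the idle check measures time since startup rather than since the zero time.` The function continues beyond the last line of this hunk.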