labeled ipsec auditing
Steve Grubb
sgrubb at redhat.com
Thu Oct 5 22:04:55 UTC 2006
On Thursday 05 October 2006 17:23, Joy Latten wrote:
> I am auditing when an ipsec policy is added and removed from the
> Security Policy Database. Should I also add audit when an SA is
> added and removed?
What we need to capture is the changes to configuration that affect the
access decisions. Klaus may be a better person to judge SP vs SA.
> I looked at how Paul implemented netlabel auditing, but
> was wondering is there any specific info I should audit for
> labeled ipsec?
We need auid and subj of the process that loads the "rules". Is there any
security relevant data in the rules that you want to log to help get a better
idea of what is being inserted/deleted?
Thanks,
-Steve