Correct audit field for a netmask?
Steve Grubb
sgrubb at redhat.com
Fri Nov 16 16:10:55 UTC 2007
On Thursday 15 November 2007 16:12:53 Paul Moore wrote:
> I was wondering what was the correct way to send a netmask in an audit
> message?
That is a curious one. I don't think we've ever recorded a netmask since we
don't audit the routing tables. How does this net mask get used in a way that
needs to be audited. Just curious. :)
> Or is there some other field specifically for the netmask?
>
> addr=10.0.0.0 X=8
This would probably be better so that extra parsing of the value is not
needed. I'd suggest something short like "net" to save diskspace.
-Steve
More information about the Linux-audit
mailing list