Correct audit field for a netmask?
Paul Moore
paul.moore at hp.com
Fri Nov 16 16:25:21 UTC 2007
On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> On Thursday 15 November 2007 16:12:53 Paul Moore wrote:
> > I was wondering what was the correct way to send a netmask in an audit
> > message?
>
> That is a curious one. I don't think we've ever recorded a netmask since we
> don't audit the routing tables. How does this netmask get used in a way
> that needs to be audited? Just curious. :)
It's not a routing table, but rather an IP selector/filter used to assign
static/fallback security labels to incoming traffic. There has been a lot of
discussion about this on the SELinux list over the summer, and RFC patches
have been available for a week or two; the audit-relevant patch is below
(once we get these issues resolved I'll respin the audit patch and send it
here for review):
* http://marc.info/?l=linux-security-module&m=119514613623937&w=2
> > Or is there some other field specifically for the netmask?
> >
> > addr=10.0.0.0 X=8
>
> This would probably be better so that extra parsing of the value is not
> needed. I'd suggest something short like "net" to save diskspace.
Okay, so for single addresses we should still go with "addr":
addr=10.0.0.1
... but for networks we should go with "net":
net=10.0.0.0/8
?
--
paul moore
linux security @ hp
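The two encodings proposed in the thread (a bare host in "addr", a CIDR network in "net") only save the consumer extra parsing if the consumer actually validates the value it gets. The following is an added example, not code from the thread, from the kernel or from the audit userspace; it shows how a log consumer would parse constructed records in the key=value layout of Linux audit messages, turn either field into a network object, reject a malformed "net" value (host bits set, or an out-of-range prefix) instead of silently matching the wrong range, and check whether a packet address falls inside the selector. The record type EXAMPLE_SELECTOR, the timestamps and the "label" field are placeholders invented for the sample records.

```python
import ipaddress
import re
from typing import Dict, Optional, Union

# Constructed sample records in the key=value layout of Linux audit messages.
# Only the "addr" and "net" field names come from the thread; the record type
# EXAMPLE_SELECTOR, the timestamps and the "label" field are placeholders.
SAMPLE_RECORDS = [
    "type=EXAMPLE_SELECTOR msg=audit(1195230000.100:41): addr=10.0.0.1 label=example_label",
    "type=EXAMPLE_SELECTOR msg=audit(1195230000.101:42): net=10.0.0.0/8 label=example_label",
    # host bits set inside the prefix: must be rejected, not silently accepted
    "type=EXAMPLE_SELECTOR msg=audit(1195230000.102:43): net=10.0.0.1/8 label=example_label",
    # prefix length out of range for IPv4: must be rejected
    "type=EXAMPLE_SELECTOR msg=audit(1195230000.103:44): net=10.0.0.0/33 label=example_label",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_fields(record: str) -> Dict[str, str]:
    """Split an audit record into its key=value fields (first occurrence wins)."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(record):
        fields.setdefault(key, value)
    return fields


def parse_selector(fields: Dict[str, str]) -> Optional[Network]:
    """Return the network a record's selector covers, or None if it has none.

    "addr" carries a single host and becomes a /32 (or /128 for IPv6).
    "net" carries address/prefix; strict=True makes ipaddress raise
    ValueError for a prefix with host bits set (10.0.0.1/8) and for an
    out-of-range prefix (/33), so a malformed record cannot widen or
    narrow a match unnoticed.
    """
    if "net" in fields:
        return ipaddress.ip_network(fields["net"], strict=True)
    if "addr" in fields:
        host = ipaddress.ip_address(fields["addr"])
        return ipaddress.ip_network(f"{host}/{host.max_prefixlen}", strict=True)
    return None


def selector_matches(fields: Dict[str, str], ip: str) -> bool:
    """True if the packet address falls inside the record's selector.

    A v4 address never matches a v6 selector (and vice versa); ipaddress
    handles that comparison and returns False.
    """
    selector = parse_selector(fields)
    return selector is not None and ipaddress.ip_address(ip) in selector


def classify_record(record: str) -> Dict[str, Optional[str]]:
    """Parse one record and report the selector in CIDR form or a validation error."""
    fields = parse_fields(record)
    try:
        selector = parse_selector(fields)
    except ValueError as exc:
        return {"type": fields.get("type"), "selector": None, "error": str(exc)}
    return {
        "type": fields.get("type"),
        "selector": str(selector) if selector is not None else None,
        "error": None,
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
```

The first two records yield 10.0.0.1/32 and 10.0.0.0/8; the last two come back with an error instead of a selector. Storing the host as a /32 means a single comparison path serves both field forms, which is the point of keeping them as two distinct fields rather than overloading "addr".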