Correct audit field for a netmask?
Casey Schaufler
casey at schaufler-ca.com
Sat Nov 17 00:07:14 UTC 2007
--- Paul Moore <paul.moore at hp.com> wrote:
> On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> > On Thursday 15 November 2007 16:12:53 Paul Moore wrote:
> > > I was wondering what was the correct way to send a netmask in an audit
> > > message?
> >
> > That is a curious one. I don't think we've ever recorded a netmask since we
> > don't audit the routing tables. How does this net mask get used in a way
> > that needs to be audited. Just curious. :)
>
> It's not a routing table, but rather an IP selector/filter used to assign
> static/fallback security labels to incoming traffic. There has been a lot of
>
> discussion about this on the SELinux list over the summer and RFC patches
> have been available for a week or two, the audit relevant patch is below
> (once we get these issues resolved I'll respin the audit patch and send it
> here for review):
>
> * http://marc.info/?l=linux-security-module&m=119514613623937&w=2
>
> > > Or is there some other field specifically for the netmask?
> > >
> > > addr=10.0.0.0 X=8
> >
> > This would probably be better so that extra parsing of the value is not
> > needed. I'd suggest something short like "net" to save diskspace.
>
> Okay, so for single addresses we should still go with "addr":
>
> addr=10.0.0.1
>
> ... but for networks we should go with "net":
>
> net=10.0.0.0/8
>
> ?
Looks like a good appoach to me. Alternatively you could replace
addr=10.0.0.1
with
net=10.0.0.1/32
or you could stick with addr and assume "/32" if a netmask is missing.
I personally thing your suggestion is the right way to go.
Or, if you want to do something truely horrible you could look at the
Cisco CLI and see how they do it.
Casey Schaufler
casey at schaufler-ca.com
More information about the Linux-audit
mailing list