Correct audit field for a netmask?

Paul Moore paul.moore at hp.com
Sat Nov 17 00:14:41 UTC 2007


On Friday 16 November 2007 7:07:14 pm Casey Schaufler wrote:
> --- Paul Moore <paul.moore at hp.com> wrote:
> > On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> > > > Or is there some other field specifically for the netmask?
> > > >
> > > >  addr=10.0.0.0 X=8
> > >
> > > This would probably be better so that extra parsing of the value is not
> > > needed. I'd suggest something short like "net" to save disk space.
> >
> > Okay, so for single addresses we should still go with "addr":
> >
> >  addr=10.0.0.1
> >
> > ... but for networks we should go with "net":
> >
> >  net=10.0.0.0/8
> >
> > ?
>
> Looks like a good approach to me. Alternatively you could replace
>
>    addr=10.0.0.1
>
> with
>
>    net=10.0.0.1/32
>
> or you could stick with addr and assume "/32" if a netmask is missing.
> I personally think your suggestion is the right way to go.

I figure might as well use an existing field when it makes sense.  I've been 
working on some other stuff today (strangely also audit related) so I haven't 
had a chance to make the changes yet.  If I don't see any complaints by the 
time I sit down at my desk on Monday I'll fixup the existing patch and post 
it here for comments.

> Or, if you want to do something truly horrible you could look at the
> Cisco CLI and see how they do it.

Now don't go giving me any ideas ;)

-- 
paul moore
linux security @ hp
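
A consumer-side sketch of the convention discussed in this thread, added here as an example and not taken from the patch or the audit tools: it reads `addr=` as a single host and `net=` as a prefix, and rejects values that mix the two. The record lines, the `EXAMPLE` record type and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample records; only the addr=/net= fields follow the thread.
SAMPLE_RECORDS = [
    "type=EXAMPLE msg=audit(0.000:1): addr=10.0.0.1",
    "type=EXAMPLE msg=audit(0.000:2): net=10.0.0.0/8",
    "type=EXAMPLE msg=audit(0.000:3): net=10.0.0.1/8",  # host bits set
]

# Match whole keys only, so a field such as "saddr=" is not mistaken for addr=.
_FIELD = re.compile(r"(?<!\S)(addr|net)=(\S+)")


def extract_networks(record):
    """Return [(field, ip_network)] for every addr=/net= field in a record.

    addr= must be a bare host address and is widened to /32 (or /128).
    net= must carry an explicit prefix with no host bits set.
    Raises ValueError when a value does not fit its field.
    """
    found = []
    for key, value in _FIELD.findall(record):
        if key == "addr":
            if "/" in value:
                raise ValueError(f"addr= carries a prefix: {value}")
            # A bare address parses as a single-host network.
            found.append((key, ipaddress.ip_network(value)))
        else:
            if "/" not in value:
                raise ValueError(f"net= lacks a prefix: {value}")
            # strict=True rejects values like 10.0.0.1/8.
            found.append((key, ipaddress.ip_network(value, strict=True)))
    return found


def record_covers(record, target):
    """True if any addr=/net= field in the record includes the target IP."""
    ip = ipaddress.ip_address(target)
    return any(
        net.version == ip.version and ip in net
        for _, net in extract_networks(record)
    )
```
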



