AUDIT_NETFILTER_PKT message format
Steve Grubb
sgrubb at redhat.com
Mon Feb 13 17:57:38 UTC 2017
On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote:
> On 2017-02-10 17:39, Steve Grubb wrote:
> > > The alternatives that I currently see are to drop packets for which
> > > there is no local process ownership, or to leave the ownership fields
> > > unset.
>
> > What ownership fields are we talking about?
>
> The ones you want, auid, pid, ses. Perhaps I'm using the wrong
> terminology. What technical term is there for the collection of subject
> identifiers?

Subject attributes.

> > > > I don't think audit should worry about spoofing. Yes it can be done,
> > > > but we should accurately record what was presented to the system.
> > > > Other tools can be employed to watch for arp spoofing and source routed
> > > > packets. It's a bigger problem than just the audit logs.
> > >
> > > I find this statement a bit surprising given we're trying to find out
> > > who's doing what where.
> >
> > We're just recording what's presented to the system that meets the rules
> > programmed in.
>
> I don't quite understand. Are you saying only display the fields that
> were specifically used in the netfilter rule to trigger the target that
> records a packet?

No. I'm saying we shouldn't do any processing to figure out if we have a
spoofed or source routed packet. There are other tools that do that kind of
thing.

> I don't think that's what you want and it isn't easy
> to get without being more invasive in netfilter and swinging fields.
> I'd record the MAC header since it is part of the packet that tells us
> where it came from and where it's going.

Do we really need the MAC header for every event? I really don't think so.

-Steve