AUDIT_NETFILTER_PKT message format

Richard Guy Briggs rgb at redhat.com
Wed Jan 18 02:34:29 UTC 2017


On 2017-01-17 15:17, Paul Moore wrote:
> On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > On 2017-01-17 08:55, Steve Grubb wrote:
> >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:
> 
> ...
> 
> >> > Ones that are not so straightforward:
> >> > - "secmark" depends on a kernel config setting, so should it always be
> >> >   present but "(none)" if that kernel feature is compiled out?
> >>
> >> If this is selinux related, I'd treat it the same way that we do subj
> >> everywhere else.
> >
> > Ok.
> 
> To be clear, a packet's secmark should be recorded via a dedicated
> field, e.g. "secmark", and not use the "subj" field (it isn't a
> subject label in the traditional sense).

I think Steve was talking about if, when or where to include that field,
not what its label is.

> paul moore

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635



