AUDIT_NETFILTER_PKT message format
Patrick PIGNOL
patrick.pignol at gmail.com
Sat Jan 21 19:12:21 UTC 2017
Hi all,
I just writen that because I read
"
Determining the pid/subj of a packet is notoriously
difficult/impossible in netfilter so let's drop that; with proper
policy/rules you should be able to match proto/port with a given
process so this shouldn't be that critical. The source/destination
addresses and proto/port (assuming IP) should be easy enough.
"
OK you explain me you talk about "Linux audit" sub-system. Cool I didn't
read it like that ! (I'm waiting for netfilter-dev ml).
Don't tell me that windows is better than linux on that point (see
ZoneAlarm). I know ZoneAlarm is a Firewall. But if Linux could trace it
from netfilter you should integrate it in your audit sub system.
I think it should be good to have to know witch application ask for
send/receive packet on witch protocol and on witch port and for witch IP
target(from/to) at a given level of verbosity(debug) and how many time
for a given time-unit (minute-hour).
At this level content of packet is not really useful, I think wire-shark
is better for that.
Sorry for the noise but it still important for me as a user to can trace
who have access to an from my computer.
Best regards,
Patrick PIGNOL
Le 21/01/2017 à 18:37, Paul Moore a écrit :
> On Sat, Jan 21, 2017 at 6:27 AM, Patrick PIGNOL
> <patrick.pignol at gmail.com> wrote:
>> Hi all,
>>
>> I disagree !
>>
>> Many people in the world would like to allow an software A to go to internet
>> through OUTPUT TCP port 80 but disallow software B to go to the internet
>> through this same OUTPUT TCP port 80. Don't you know about viruses on linux
>> ? Viruses ALWAYS use HTTP/HTTPS ports to get payloads on internet and OUTPUT
>> TCP port 443 COULD NOT be CLOSED for ALL SOFTWARE if you want to access
>> internet services (via internet browsers for example).
> The Linux audit subsystem simply logs system events, it does not
> enforce security policy. I suggest you investigate the different
> Linux firewall tools and LSMs, e.g. SELinux, as they should help you
> accomplish what you describe.
>
More information about the Linux-audit
mailing list