[redhat-lspp] Re: RHEL5 Kernel with labeled networking

Linda Knippers linda.knippers at hp.com
Tue Oct 3 21:27:30 UTC 2006


Joshua Brindle wrote:
> Linda Knippers wrote:
> 
>> Joy Latten wrote:
>>
>>> On Tue, 2006-10-03 at 15:18 -0400, Joshua Brindle wrote:
>>>
>>>> Joy Latten wrote:
>>>>
>>>>>> Before network labeling is completed we still need some work
>>>>>> implementing how we plan to audit configuration changes in ipsec
>>>>>> labeling decisions.  I believe we agreed today that this auditing
>>>>>> must
>>>>>> be done in kernelspace since we do not have fine grained enough
>>>>>> controls
>>>>>> on netlink messages to allow for all of the auditing in userspace.
>>>>>
>>>>> I've talked to Klaus about what needs to be audited for ipsec and
>>>>> lspp compliance. I will begin work on a patch and get this out
>>>>> to the list as soon as I can. We will audit every time a policy is
>>>>> added/removed to/from the ipsec policy database.
>>>>
>>>> why not just auditallow all association setcontext?
>>>
>>>
>>> Dang! Why didn't I think of that! :-) Such a good idea. I will do a
>>> quick test and show Klaus and see if it all looks ok to him.
>>> Thanks!!!
>>
>>
>> If we go the auditallow route then we lose some audit record management
>> features, like the ability to enable/disable/search for these records,
>> don't we?  Do we care?
>
> enable and disable with a boolean
> 
> searching? surely you can search avc records..

I meant with the audit tools, so using auditctl to add/remove rules and
ausearch for looking for specific record types.

-- ljk
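The two halves of the trade-off discussed above, as an added example that is not code from this thread or from any SELinux or audit project: a boolean-gated `auditallow` on `association:setcontext` (Joshua's suggestion, toggled with setsebool rather than auditctl) produces AVC "granted" records in the audit log, and `ausearch -m AVC` can select that record type but not the permission or the granted/denied verdict, so Linda's "search for these records" ends up as a post-filter like the one below. The domain types `setkey_t` and `racoon_t`, the target type `ipsec_spd_t`, the boolean name `audit_ipsec_setcontext` and the sample log lines are all assumptions constructed for illustration.

```python
"""Find AVC 'granted' records produced by an auditallow rule on
association:setcontext, the records an auditallow-based approach
leaves in the audit log.  Added example; type names, boolean name and
log lines are constructed, not taken from the list or any policy."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# The policy side: auditallow gated by a boolean, so the records are
# switched on and off with setsebool instead of auditctl.  All type
# names here are assumed for the example.
POLICY_MODULE_TE = """\
policy_module(audit_ipsec_setcontext, 1.0)

gen_tunable(audit_ipsec_setcontext, true)

require {
    type setkey_t, racoon_t, ipsec_spd_t;
    class association setcontext;
}

tunable_policy(`audit_ipsec_setcontext', `
    auditallow { setkey_t racoon_t } ipsec_spd_t:association setcontext;
')
"""

# Constructed audit.log excerpt: two grants from the auditallow rule, one
# denial (audited regardless of auditallow), one grant for another
# permission, and a SYSCALL record the AVC parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1159912345.101:201): avc:  granted  { setcontext } for  pid=4321 comm="setkey" scontext=root:system_r:setkey_t:s0-s15:c0.c1023 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association
type=SYSCALL msg=audit(1159912345.101:201): arch=c000003e syscall=44 success=yes exit=0 items=0 pid=4321 comm="setkey" exe="/usr/sbin/setkey" subj=root:system_r:setkey_t:s0-s15:c0.c1023
type=AVC msg=audit(1159912346.202:202): avc:  denied  { setcontext } for  pid=4400 comm="setkey" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association
type=AVC msg=audit(1159912347.303:203): avc:  granted  { sendto } for  pid=4500 comm="ping" scontext=root:system_r:ping_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association
type=AVC msg=audit(1159912348.404:204): avc:  granted  { setcontext } for  pid=4600 comm="racoon" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0 tclass=association
"""

# One AVC record: timestamp/serial, verdict, permission set, key=value tail.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<tail>.*)$"
)
# key=value or key="quoted value" pairs in the tail.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcRecord:
    ts: str
    serial: int
    verdict: str
    perms: List[str]
    fields: Dict[str, str] = field(default_factory=dict)


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit.log line; None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = AvcRecord(m.group("ts"), int(m.group("serial")),
                    m.group("verdict"), m.group("perms").split())
    for key, value, inner in KV_RE.findall(m.group("tail")):
        rec.fields[key] = inner if value.startswith('"') else value
    return rec


def find_setcontext_grants(lines: Iterable[str], tclass: str = "association",
                           perm: str = "setcontext") -> List[AvcRecord]:
    """The auditallow output: granted records for one class/permission.
    Denials are excluded because they are audited with or without the rule."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec.verdict == "granted"
                and rec.fields.get("tclass") == tclass and perm in rec.perms):
            out.append(rec)
    return out


def type_of(context: str) -> str:
    """Type component of an SELinux context user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(records: Iterable[AvcRecord]) -> Dict[Tuple[str, str], int]:
    """Count grants per (source domain, target type) pair."""
    counts: Dict[Tuple[str, str], int] = {}
    for rec in records:
        key = (type_of(rec.fields.get("scontext", "")),
               type_of(rec.fields.get("tcontext", "")))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    grants = find_setcontext_grants(SAMPLE_AUDIT_LOG.splitlines())
    for r in grants:
        print(r.serial, r.fields["comm"], r.fields["scontext"], "->", r.fields["tcontext"])
    print(summarize(grants))
```

In practice the input would be `ausearch -m AVC --raw` (or the audit.log file itself) piped into this filter; with the boolean off the rule emits nothing, which is the enable/disable Joshua refers to, while auditctl rules and `ausearch -m` keying on a dedicated record type remain unavailable, which is Linda's point.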