AUDIT_NETFILTER_PKT message format
Paul Moore
paul at paul-moore.com
Fri Jan 20 20:37:12 UTC 2017
On Fri, Jan 20, 2017 at 9:49 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote:
>> At this point I think it would be good to hear what requirements exist
>> for per-packet auditing. Steve, are there any current Common Criteria
>> (or other) requirements that impact per-packet auditing?
>
> I don't think you want to flood your logs. That is not helpful. It asks for the
> ability to detect information flow. Typically you want to know source and
> destination, protocol, where on the system it's coming from or going to, pid if
> possible and the subject information if available. I know that you can be
> acting as a proxy and forwarding outside packets into a network. That is not
> the typical case CC is concerned about. It's more about what the user is doing.
Determining the pid/subj of a packet is notoriously
difficult/impossible in netfilter so let's drop that; with proper
policy/rules you should be able to match proto/port with a given
process so this shouldn't be that critical. The source/destination
addresses and proto/port (assuming IP) should be easy enough.
All right, now that we've got the "must" items down, are there any
"should" items we want?
--
paul moore
www.paul-moore.com
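An added illustration of the point above, not code from the thread or from the audit subsystem: the packet record carries only addresses, protocol and ports, so tying a packet to a process is done afterwards by matching (proto, dport) against the host's listening-socket table. The record layout, the field names and the socket table below are constructed for the example and are not the kernel's actual AUDIT_NETFILTER_PKT format.

```python
import re
from collections import namedtuple

# Constructed sample records (assumption: audit-style key=value lines carrying
# the thread's "must" fields; not the real kernel record layout).
SAMPLE_RECORDS = [
    'type=NETFILTER_PKT msg=audit(1484944632.123:10): saddr=10.0.0.5 daddr=10.0.0.9 proto=6 sport=51234 dport=22',
    'type=NETFILTER_PKT msg=audit(1484944633.456:11): saddr=10.0.0.5 daddr=10.0.0.9 proto=17 sport=40000 dport=53',
    'type=NETFILTER_PKT msg=audit(1484944634.789:12): saddr=10.0.0.7 daddr=10.0.0.9 proto=6 sport=33000 dport=4444',
]

# Constructed listening-socket table keyed by (ip proto number, local port),
# the kind of data "ss -lntup" reports (assumption: captured on the same host
# at about the same time as the records).
LISTENERS = {
    (6, 22): ("sshd", 812),
    (17, 53): ("unbound", 1040),
}

PROTO_NAMES = {6: "tcp", 17: "udp"}

Packet = namedtuple("Packet", "serial saddr daddr proto sport dport")
_KV = re.compile(r'(\w+)=([^\s]+)')
_SERIAL = re.compile(r'msg=audit\([\d.]+:(\d+)\)')


def parse_record(line):
    """Parse one record into a Packet; return None for other record types
    or when a required field (addresses, proto, ports) is missing."""
    fields = dict(_KV.findall(line))
    if fields.get("type") != "NETFILTER_PKT":
        return None
    serial = _SERIAL.search(line)
    try:
        return Packet(
            serial=int(serial.group(1)) if serial else None,
            saddr=fields["saddr"],
            daddr=fields["daddr"],
            proto=int(fields["proto"]),
            sport=int(fields["sport"]),
            dport=int(fields["dport"]),
        )
    except (KeyError, ValueError):
        return None


def attribute(pkt, listeners=LISTENERS):
    """Map an inbound packet to the local (comm, pid) listening on
    (proto, dport). Returns None when nothing listens there: the record
    itself has no pid/subj, so this is the only attribution available."""
    return listeners.get((pkt.proto, pkt.dport))


def summarize(lines, listeners=LISTENERS):
    """One (serial, flow string, owner) tuple per parseable record."""
    out = []
    for line in lines:
        pkt = parse_record(line)
        if pkt is None:
            continue
        proto = PROTO_NAMES.get(pkt.proto, str(pkt.proto))
        flow = f"{proto} {pkt.saddr}:{pkt.sport} -> {pkt.daddr}:{pkt.dport}"
        out.append((pkt.serial, flow, attribute(pkt, listeners)))
    return out


if __name__ == "__main__":
    for serial, flow, owner in summarize(SAMPLE_RECORDS):
        who = f"{owner[0]}[{owner[1]}]" if owner else "no listener"
        print(f"{serial}: {flow} ({who})")
```

The third constructed record lands on a port nobody listens on, so it stays unattributed; that is the case Paul describes, where the record alone cannot name a process and only a deliberate rule for the port (or an external socket snapshot) gives you one.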