From: Paul Moore
Subject: Re: Correct audit field for a netmask?
Date: Fri, 16 Nov 2007 11:25:21 -0500
Message-ID: <200711161125.21373.paul.moore@hp.com>
References: <200711151612.53432.paul.moore@hp.com> <200711161110.56596.sgrubb@redhat.com>
In-Reply-To: <200711161110.56596.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com

On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> On Thursday 15 November 2007 16:12:53 Paul Moore wrote:
> > I was wondering what was the correct way to send a netmask in an audit
> > message?
>
> That is a curious one. I don't think we've ever recorded a netmask since we
> don't audit the routing tables. How does this net mask get used in a way
> that needs to be audited. Just curious. :)

It's not a routing table, but rather an IP selector/filter used to assign
static/fallback security labels to incoming traffic. There has been a lot of
discussion about this on the SELinux list over the summer and RFC patches
have been available for a week or two, the audit relevant patch is below
(once we get these issues resolved I'll respin the audit patch and send it
here for review):

 * http://marc.info/?l=linux-security-module&m=119514613623937&w=2

> > Or is there some other field specifically for the netmask?
> >
> >  addr=10.0.0.0 X=8
>
> This would probably be better so that extra parsing of the value is not
> needed. I'd suggest something short like "net" to save diskspace.

Okay, so for single addresses we should still go with "addr":

 addr=10.0.0.1

... but for networks we should go with "net":

 net=10.0.0.0/8

?

-- 
paul moore
linux security @ hp
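
Added example, not part of the original message or of any audit project code: a sketch of how a log consumer could read the two field forms floated at the end of the message above ("addr" for a single host, "net" with an address/prefix value) and test a peer address against the recorded selector. The record type, the msg text and the function names are constructed for illustration.

```python
import ipaddress
import shlex


def parse_fields(record):
    """Split an audit-style 'key=value key=value' record into a dict."""
    fields = {}
    for token in shlex.split(record):  # shlex keeps quoted values together
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def selector_from_fields(fields):
    """Return the network a record selects.

    'net' carries address/prefix in one value; 'addr' is a single host
    and becomes a /32 (IPv4) or /128 (IPv6) network.
    """
    if "net" in fields:
        # strict=True rejects values with host bits set, e.g. 10.0.0.1/8,
        # so a malformed selector is reported instead of silently masked.
        return ipaddress.ip_network(fields["net"], strict=True)
    if "addr" in fields:
        return ipaddress.ip_network(fields["addr"])
    raise KeyError("record has neither 'net' nor 'addr'")


def matches(record, peer):
    """True if the peer address falls inside the record's selector."""
    net = selector_from_fields(parse_fields(record))
    ip = ipaddress.ip_address(peer)
    return ip.version == net.version and ip in net


# Constructed sample records (type and msg are placeholders, not real
# audit record types).
SAMPLE_NET = 'type=EXAMPLE msg="static label added" net=10.0.0.0/8'
SAMPLE_ADDR = 'type=EXAMPLE msg="static label added" addr=10.0.0.1'

if __name__ == "__main__":
    for rec in (SAMPLE_NET, SAMPLE_ADDR):
        print(selector_from_fields(parse_fields(rec)),
              matches(rec, "10.20.30.40"))
```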