From: Paul Moore <paul.moore@hp.com>
To: casey@schaufler-ca.com
Cc: linux-audit@redhat.com
Subject: Re: Correct audit field for a netmask?
Date: Fri, 16 Nov 2007 19:14:41 -0500
Message-ID: <200711161914.41558.paul.moore@hp.com>
In-Reply-To: <671342.60721.qm@web36605.mail.mud.yahoo.com>

On Friday 16 November 2007 7:07:14 pm Casey Schaufler wrote:
> --- Paul Moore <paul.moore@hp.com> wrote:
> > On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> > > > Or is there some other field specifically for the netmask?
> > > >
> > > > addr=10.0.0.0 X=8
> > >
> > > This would probably be better so that extra parsing of the value is not
> > > needed. I'd suggest something short like "net" to save disk space.
> >
> > Okay, so for single addresses we should still go with "addr":
> >
> > addr=10.0.0.1
> >
> > ... but for networks we should go with "net":
> >
> > net=10.0.0.0/8
> >
> > ?
>
> Looks like a good approach to me. Alternatively you could replace
>
> addr=10.0.0.1
>
> with
>
> net=10.0.0.1/32
>
> or you could stick with addr and assume "/32" if a netmask is missing.
> I personally think your suggestion is the right way to go.

I figure might as well use an existing field when it makes sense. I've been
working on some other stuff today (strangely also audit related) so I haven't
had a chance to make the changes yet. If I don't see any complaints by the
time I sit down at my desk on Monday I'll fixup the existing patch and post
it here for comments.

> Or, if you want to do something truly horrible you could look at the
> Cisco CLI and see how they do it.

Now don't go giving me any ideas ;)

--
paul moore
linux security @ hp
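
As an added example (not part of the original message or of the audit code itself): a consumer-side reading of the two field forms discussed in this thread, with `addr=` carrying a single address and `net=` carrying address/prefix. The sample records, the `op` key and the function names are constructed for illustration; treating a bare `addr=` as a host-length prefix follows the alternative mentioned in the quoted text, and rejecting records that carry both fields is an assumption.

```python
import ipaddress

def parse_fields(record):
    """Split a space-separated key=value record into a dict."""
    fields = {}
    for token in record.split():
        key, sep, value = token.partition("=")
        if sep and key:
            fields[key] = value
    return fields

def record_network(fields):
    """Return the ip_network described by addr= or net=, or None."""
    if "addr" in fields and "net" in fields:
        # Assumption: a record names either a host or a network, not both.
        raise ValueError("record carries both addr= and net=")
    if "net" in fields:
        if "/" not in fields["net"]:
            raise ValueError("net= needs an explicit prefix length")
        # strict=True rejects host bits below the mask, e.g. 10.0.0.1/8
        return ipaddress.ip_network(fields["net"], strict=True)
    if "addr" in fields:
        # ip_address() rejects anything with a "/nn" suffix
        ip = ipaddress.ip_address(fields["addr"])
        # Single address: full-length prefix (/32 for IPv4, /128 for IPv6)
        return ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")
    return None

def within(record, watched):
    """True if the record's address or network lies inside `watched`."""
    net = record_network(parse_fields(record))
    scope = ipaddress.ip_network(watched)
    return (net is not None and net.version == scope.version
            and net.subnet_of(scope))

# Constructed sample records; not taken from real audit output.
SAMPLES = [
    "op=add addr=10.0.0.1",
    "op=add net=10.0.0.0/8",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", record_network(parse_fields(line)))
```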