From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paul Moore <paul.moore@hp.com>
Subject: Re: Correct audit field for a netmask?
Date: Fri, 16 Nov 2007 19:14:41 -0500
Message-ID: <200711161914.41558.paul.moore@hp.com>
References: <671342.60721.qm@web36605.mail.mud.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <671342.60721.qm@web36605.mail.mud.yahoo.com>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: casey@schaufler-ca.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 16 November 2007 7:07:14 pm Casey Schaufler wrote:
> --- Paul Moore <paul.moore@hp.com> wrote:
> > On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> > > > Or is there some other field specifically for the netmask?
> > > >
> > > > =A0addr=3D10.0.0.0 X=3D8
> > >
> > > This would probably be better so that extra parsing of the value is=
 not
> > > needed. I'd suggest something short like "net" to save diskspace.
> >
> > Okay, so for single addresses we should still go with "addr":
> >
> >  addr=3D10.0.0.1
> >
> > ... but for networks we should go with "net":
> >
> >  net=3D10.0.0.0/8
> >
> > ?
>
> Looks like a good appoach to me. Alternatively you could replace
>
>    addr=3D10.0.0.1
>
> with
>
>    net=3D10.0.0.1/32
>
> or you could stick with addr and assume "/32" if a netmask is missing.
> I personally thing your suggestion is the right way to go.

I figure might as well use an existing field when it makes sense.  I've b=
een=20
working on some other stuff today (strangely also audit related) so I hav=
en't=20
had a chance to make the changes yet.  If I don't see any complaints by t=
he=20
time I sit down at my desk on Monday I'll fixup the existing patch and po=
st=20
it here for comments.

> Or, if you want to do something truely horrible you could look at the
> Cisco CLI and see how they do it.

Now don't go giving me any ideas ;)

--=20
paul moore
linux security @ hp