From mboxrd@z Thu Jan  1 00:00:00 1970
From: Klaus Weidner <klaus@atsec.com>
Subject: Re: [redhat-lspp] labeled ipsec auditing
Date: Mon, 9 Oct 2006 14:30:01 -0500
Message-ID: <20061009193001.GB28519@w-m-p.com>
References: <200610052123.k95LN0S9017784@faith.austin.ibm.com>
	<45258410.60302@hp.com> <20061009190949.GA28519@w-m-p.com>
	<452A9FBD.5060300@hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k99JUGB7018066
	for <linux-audit@redhat.com>; Mon, 9 Oct 2006 15:30:16 -0400
Received: from mail.atsec.com (mail.atsec.com [195.30.252.105])
	by mx1.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k99JUDfp007947
	for <linux-audit@redhat.com>; Mon, 9 Oct 2006 15:30:14 -0400
Content-Disposition: inline
In-Reply-To: <452A9FBD.5060300@hp.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Paul Moore <paul.moore@hp.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, Oct 09, 2006 at 03:15:09PM -0400, Paul Moore wrote:
> Going back to Joy's original mail I think it was the establishing or deleting of
> an SA with SELinux context that we were concerned about (at least that is what I
> was concerned about) as that could generate quite a bit of traffic.  Based on
> your comments above it looks like that is something we need to do.

Here's what Joy wrote: 

> I am auditing when an ipsec policy is added and removed from the
> Security Policy Database. Should I also add audit when an SA is
> added and removed? 

If I understand it correctly, SAs can also be added and removed manually,
and unless we forbid that admins do that, it would need to be audited.

If the SPD completely determines the rules for ipsec related to MLS, it
would not be necessary to audit the individual additions and deletions,
but I'm not convinced that's the case. Does modifying the SPD
automatically tear down any currently active SAs that do not match the
updated policy?

As always, keep in mind that the system only needs to be capable of
auditing these events, not that these events always need to be
generating. It's fine to keep the audit events off by default.

-Klaus