* Correct audit field for a netmask?
@ 2007-11-15 21:12 Paul Moore
From: Paul Moore @ 2007-11-15 21:12 UTC (permalink / raw)
To: linux-audit
Hello,
I was wondering what was the correct way to send a netmask in an audit
message? Can I simply add it to the end of the 'addr' field:
addr=10.0.0.0/8
Or is there some other field specifically for the netmask?
addr=10.0.0.0 X=8
--
paul moore
linux security @ hp
* Re: Correct audit field for a netmask?
From: Steve Grubb @ 2007-11-16 16:10 UTC (permalink / raw)
To: linux-audit
On Thursday 15 November 2007 16:12:53 Paul Moore wrote:
> I was wondering what was the correct way to send a netmask in an audit
> message?
That is a curious one. I don't think we've ever recorded a netmask since we
don't audit the routing tables. How does this net mask get used in a way that
needs to be audited. Just curious. :)
> Or is there some other field specifically for the netmask?
>
> addr=10.0.0.0 X=8
This would probably be better so that extra parsing of the value is not
needed. I'd suggest something short like "net" to save diskspace.
-Steve
* Re: Correct audit field for a netmask?
From: Paul Moore @ 2007-11-16 16:25 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> On Thursday 15 November 2007 16:12:53 Paul Moore wrote:
> > I was wondering what was the correct way to send a netmask in an audit
> > message?
>
> That is a curious one. I don't think we've ever recorded a netmask since we
> don't audit the routing tables. How does this net mask get used in a way
> that needs to be audited. Just curious. :)
It's not a routing table, but rather an IP selector/filter used to assign
static/fallback security labels to incoming traffic. There has been a lot of
discussion about this on the SELinux list over the summer and RFC patches
have been available for a week or two, the audit relevant patch is below
(once we get these issues resolved I'll respin the audit patch and send it
here for review):
* http://marc.info/?l=linux-security-module&m=119514613623937&w=2
> > Or is there some other field specifically for the netmask?
> >
> > addr=10.0.0.0 X=8
>
> This would probably be better so that extra parsing of the value is not
> needed. I'd suggest something short like "net" to save diskspace.
Okay, so for single addresses we should still go with "addr":
addr=10.0.0.1
... but for networks we should go with "net":
net=10.0.0.0/8
?
--
paul moore
linux security @ hp
* Re: Correct audit field for a netmask?
From: Casey Schaufler @ 2007-11-17 0:07 UTC (permalink / raw)
To: Paul Moore, Steve Grubb; +Cc: linux-audit
--- Paul Moore <paul.moore@hp.com> wrote:
> On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> > On Thursday 15 November 2007 16:12:53 Paul Moore wrote:
> > > I was wondering what was the correct way to send a netmask in an audit
> > > message?
> >
> > That is a curious one. I don't think we've ever recorded a netmask since we
> > don't audit the routing tables. How does this net mask get used in a way
> > that needs to be audited. Just curious. :)
>
> It's not a routing table, but rather an IP selector/filter used to assign
> static/fallback security labels to incoming traffic. There has been a lot of
>
> discussion about this on the SELinux list over the summer and RFC patches
> have been available for a week or two, the audit relevant patch is below
> (once we get these issues resolved I'll respin the audit patch and send it
> here for review):
>
> * http://marc.info/?l=linux-security-module&m=119514613623937&w=2
>
> > > Or is there some other field specifically for the netmask?
> > >
> > > addr=10.0.0.0 X=8
> >
> > This would probably be better so that extra parsing of the value is not
> > needed. I'd suggest something short like "net" to save diskspace.
>
> Okay, so for single addresses we should still go with "addr":
>
> addr=10.0.0.1
>
> ... but for networks we should go with "net":
>
> net=10.0.0.0/8
>
> ?
Looks like a good approach to me. Alternatively you could replace
addr=10.0.0.1
with
net=10.0.0.1/32
or you could stick with addr and assume "/32" if a netmask is missing.
I personally think your suggestion is the right way to go.
Or, if you want to do something truly horrible you could look at the
Cisco CLI and see how they do it.
Casey Schaufler
casey@schaufler-ca.com
* Re: Correct audit field for a netmask?
From: Paul Moore @ 2007-11-17 0:14 UTC (permalink / raw)
To: casey; +Cc: linux-audit
On Friday 16 November 2007 7:07:14 pm Casey Schaufler wrote:
> --- Paul Moore <paul.moore@hp.com> wrote:
> > On Friday 16 November 2007 11:10:55 am Steve Grubb wrote:
> > > > Or is there some other field specifically for the netmask?
> > > >
> > > > addr=10.0.0.0 X=8
> > >
> > > This would probably be better so that extra parsing of the value is not
> > > needed. I'd suggest something short like "net" to save diskspace.
> >
> > Okay, so for single addresses we should still go with "addr":
> >
> > addr=10.0.0.1
> >
> > ... but for networks we should go with "net":
> >
> > net=10.0.0.0/8
> >
> > ?
>
> Looks like a good approach to me. Alternatively you could replace
>
> addr=10.0.0.1
>
> with
>
> net=10.0.0.1/32
>
> or you could stick with addr and assume "/32" if a netmask is missing.
> I personally think your suggestion is the right way to go.
I figure might as well use an existing field when it makes sense. I've been
working on some other stuff today (strangely also audit related) so I haven't
had a chance to make the changes yet. If I don't see any complaints by the
time I sit down at my desk on Monday I'll fixup the existing patch and post
it here for comments.
> Or, if you want to do something truly horrible you could look at the
> Cisco CLI and see how they do it.
Now don't go giving me any ideas ;)
--
paul moore
linux security @ hp
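The two field forms the thread settles on, "addr=" for a single host and "net=" with a /N prefix for a network, read back out of audit-style key=value records by a small parser. This is an added example, not code from the thread or from the kernel patch; the record lines and the EXAMPLE record type are constructed, and a bare addr is treated as /32 in the way Casey mentions, while a mask tacked onto addr (the first form Paul asked about) is rejected rather than guessed at.

```python
import ipaddress

# Constructed records in the key=value layout audit messages use; the record
# type EXAMPLE and the values are made up for illustration.
SAMPLE_RECORDS = [
    "type=EXAMPLE msg=audit(1195160000.000:42): auid=0 addr=10.0.0.1 res=1",
    "type=EXAMPLE msg=audit(1195160001.000:43): auid=0 net=10.0.0.0/8 res=1",
    "type=EXAMPLE msg=audit(1195160002.000:44): auid=0 net=10.0.0.0 res=1",     # net without /N
    "type=EXAMPLE msg=audit(1195160003.000:45): auid=0 net=10.0.0.0/33 res=1",  # prefix out of range
    "type=EXAMPLE msg=audit(1195160004.000:46): auid=0 addr=10.0.0.0/8 res=1",  # mask inside addr
]


def parse_fields(record):
    """Split a record into key -> value on whitespace; the first '=' separates
    key from value, so msg=audit(...): keeps its trailing colon intact."""
    fields = {}
    for token in record.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def selector_from_fields(fields):
    """Return the IPv4 network a record's selector covers, or None when the
    record has neither field or carries one in an unexpected form.
    net= must be address/prefix; addr= must be a bare host (read as /32)."""
    if "net" in fields:
        value = fields["net"]
        if "/" not in value:
            return None  # no prefix on net: do not assume one
        try:
            return ipaddress.IPv4Network(value, strict=False)
        except ValueError:
            return None  # bad address, or prefix outside 0..32
    if "addr" in fields:
        value = fields["addr"]
        if "/" in value:
            return None  # the ambiguous form the thread decided against
        try:
            return ipaddress.IPv4Network(value + "/32")
        except ValueError:
            return None
    return None


def selector_covers(record, ip):
    """True if the record's selector (host or network) matches ip."""
    net = selector_from_fields(parse_fields(record))
    return net is not None and ipaddress.IPv4Address(ip) in net
```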