From: Richard Guy Briggs <rgb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Steve Grubb <sgrubb@redhat.com>,
Linux-Audit Mailing List <linux-audit@redhat.com>,
Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>,
Thomas Graf <tgraf@infradead.org>
Subject: Re: AUDIT_NETFILTER_PKT message format
Date: Thu, 16 Feb 2017 17:41:51 -0500
Message-ID: <20170216224151.GN21519@madcap2.tricolour.ca>
In-Reply-To: <CAHC9VhQfwgcc4KquQm3TtNm-GLS+4YpoF6NkoZ8wzVopAn4Now@mail.gmail.com>
On 2017-02-14 16:06, Paul Moore wrote:
> On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-02-13 18:50, Paul Moore wrote:
> >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
>
> ...
>
> >> > useless? smac, dmac, macproto
> >>
> >> Probably useless in the majority of use cases.
> >
> > How do we deal with the minority of cases where it could be quite useful?
>
> First you need to show me why I should care about this, in other
> words, why *must* you have the fields in the audit record.
Well, as I've just argued in my other reply, the only fields that are a
*must* are the subject attributes and the nfmark.
You've jettisoned the ports while keeping the addresses, which puzzles
me other than for expediency.
MAC, IP and ports can all be spoofed, each layer easier as you get
higher, but it is all potentially useful information.
> >> > helpful secmark (I forgot to change it from "obj" to "secmark" in my patch).
> >>
> >> We may also want to log the peer label if we are going to log the secmark.
> >
> > Ok, noted.
>
> Please note well the "*if*" portion in the above statement. I'm not
> overly convinced that either field is all that useful in the majority
> of cases.
Thank you for that reminder to link the two.
> paul moore
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635