Re: AUDIT_NETFILTER_PKT message format
On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote:
On 2017-02-10 17:39, Steve Grubb wrote:
> > The alternatives that I currently see are to drop packets for which
> > there is no local process ownership, or to leave the ownership fields
> > unset.>
> What ownership fields are we talking about?
The ones you want, auid, pid, ses. Perhaps I'm using the wrong
terminology. What technical term is there for the collection of subject
identifiers?
Subject attributes.
> > > I don't think audit should worry about spoofing.
Yes it can be done,
> > > but we should accurately record what was presented to the system.
> > > Other tools can be employed to watch for arp spoofing and source routed
> > > packets. Its a bigger problem than just the audit logs.
> >
> > I find this statement a bit surprising given we're trying to find out
> > who's doing what where.
>
> We're just recording what's presented to the system that meets the rules
> programmed in.
I don't quite understand. Are you saying only display the fields that
were specifically used in the netfilter rule to trigger the target that
records a packet?
No. I'm saying we shouldn't do any processing to figure out if we have a
spoofed or source routed packet. There are other tools that do that kind of
thing.
I don't think that's what you want and it isn't easy
to get without being more invasive in netfilter and swinging fields.
I'd record the MAC header since it is part of the packet that tells us
where it came from and where it's going.
Do we really need the MAC header for every event? I really don't think so.
-Steve