On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
> On 2017-02-13 18:50, Paul Moore wrote:
> > On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
...
> > > useless? smac, dmac, macproto
> >
> > Probably useless in the majority of use cases.
>
> How do we deal with the minority of cases where it could be quite useful?

First you need to show me why I should care about this, in other
words, why *must* you have the fields in the audit record.

> > > helpful secmark (I forgot to change it from "obj" to "secmark" in my patch).
> >
> > We may also want to log the peer label if we are going to log the secmark.
>
> Ok, noted.

Please note well the "*if*" portion in the above statement. I'm not
overly convinced that either field is all that useful in the majority
of cases.
--
paul moore
www.paul-moore.com