Re: AUDIT_NETFILTER_PKT message format
Hi all,
I just writen that because I read
"
Determining the pid/subj of a packet is notoriously
difficult/impossible in netfilter so let's drop that; with proper
policy/rules you should be able to match proto/port with a given
process so this shouldn't be that critical. The source/destination
addresses and proto/port (assuming IP) should be easy enough.
"
OK you explain me you talk about "Linux audit" sub-system. Cool I didn't
read it like that ! (I'm waiting for netfilter-dev ml).
Don't tell me that windows is better than linux on that point (see
ZoneAlarm). I know ZoneAlarm is a Firewall. But if Linux could trace it
from netfilter you should integrate it in your audit sub system.
I think it should be good to have to know witch application ask for
send/receive packet on witch protocol and on witch port and for witch IP
target(from/to) at a given level of verbosity(debug) and how many time
for a given time-unit (minute-hour).
At this level content of packet is not really useful, I think wire-shark
is better for that.
Sorry for the noise but it still important for me as a user to can trace
who have access to an from my computer.
Best regards,
Patrick PIGNOL
Le 21/01/2017 à 18:37, Paul Moore a écrit :
On Sat, Jan 21, 2017 at 6:27 AM, Patrick PIGNOL
<patrick.pignol(a)gmail.com> wrote:
> Hi all,
>
> I disagree !
>
> Many people in the world would like to allow an software A to go to internet
> through OUTPUT TCP port 80 but disallow software B to go to the internet
> through this same OUTPUT TCP port 80. Don't you know about viruses on linux
> ? Viruses ALWAYS use HTTP/HTTPS ports to get payloads on internet and OUTPUT
> TCP port 443 COULD NOT be CLOSED for ALL SOFTWARE if you want to access
> internet services (via internet browsers for example).
The Linux audit subsystem simply logs system events, it does not
enforce security policy. I suggest you investigate the different
Linux firewall tools and LSMs, e.g. SELinux, as they should help you
accomplish what you describe.