Re: [redhat-lspp] labeled ipsec auditing

On Mon, Oct 09, 2006 at 03:15:09PM -0400, Paul Moore wrote: > Going back to Joy's original mail I think it was the establishing or deleting of > an SA with SELinux context that we were concerned about (at least that is what I > was concerned about) as that could generate quite a bit of traffic. Based on > your comments above it looks like that is something we need to do. Here's what Joy wrote: > I am auditing when an ipsec policy is added and removed from the > Security Policy Database. Should I also add audit when an SA is > added and removed? If I understand it correctly, SAs can also be added and removed manually, and unless we forbid that admins do that, it would need to be audited.