Re: AUDIT_NETFILTER_PKT message format

Hi all, I just writen that because I read " Determining the pid/subj of a packet is notoriously difficult/impossible in netfilter so let's drop that; with proper policy/rules you should be able to match proto/port with a given process so this shouldn't be that critical. The source/destination addresses and proto/port (assuming IP) should be easy enough. " OK you explain me you talk about "Linux audit" sub-system. Cool I didn't read it like that ! (I'm waiting for netfilter-dev ml). Don't tell me that windows is better than linux on that point (see ZoneAlarm). I know ZoneAlarm is a Firewall. But if Linux could trace it from netfilter you should integrate it in your audit sub system. I think it should be good to have to know witch application ask for send/receive packet on witch protocol and on witch port and for witch IP target(from/to) at a given level of verbosity(debug) and how many time for a given time-unit (minute-hour). At this level content of packet is not really useful, I think wire-shark is better for that. Sorry for the noise but it still important for me as a user to can trace who have access to an from my computer.

Best regards, Patrick PIGNOL Le 21/01/2017 à 18:37, Paul Moore a écrit : >On Sat, Jan 21, 2017 at 6:27 AM, Patrick PIGNOL ><patrick.pignol(a)gmail.com> wrote: >>Hi all, >> >>I disagree ! >> >>Many people in the world would like to allow an software A to go to internet >>through OUTPUT TCP port 80 but disallow software B to go to the internet >>through this same OUTPUT TCP port 80. Don't you know about viruses on linux >>? Viruses ALWAYS use HTTP/HTTPS ports to get payloads on internet and OUTPUT >>TCP port 443 COULD NOT be CLOSED for ALL SOFTWARE if you want to access >>internet services (via internet browsers for example). >The Linux audit subsystem simply logs system events, it does not >enforce security policy. I suggest you investigate the different >Linux firewall tools and LSMs, e.g. SELinux, as they should help you >accomplish what you describe. >