On Monday, February 13, 2017 3:50:05 PM EST Richard Guy Briggs wrote:
> > > > The alternatives that I currently see are to drop
packets for which
> > > > there is no local process ownership, or to leave the ownership
> > > > fields unset.
> > >
> > > What ownership fields are we talking about?
> >
> > The ones you want, auid, pid, ses. Perhaps I'm using the wrong
> > terminology. What technical term is there for the collection of subject
> > identifiers?
>
> Subject attributes.
Ah ok, I'll try to remember to use that term...
Now that you know what I'm talking about, can you go back and answer the
questions I had about packet "ownership" (which is really packet subject
attributes)?
The format for subject attributes would be:
pid, uid, auid, ses, subj, comm, exe, ...then whatever else you want to add
This also goes for the netfilter_cfg events.
If we have that information, how to we include it in the
message format? And if we don't have it, do we ignore the packet, or do
we swing fields out, or do we set those fields to "unset" or do we use
an auxiliary record?
If you have this for the majority of events, I'd say leave it unset when you
don't. We really don't care about packets that simply transit through the
system. Also, I suppose it depends on what kind of packet it is. For example,
a icmp echo sent to the machine that is blocked is obviously not going to have
an owner. But one originating in the machine heading out should.
-Steve