Re: Correct audit field for a netmask?

On Friday 16 November 2007 11:10:55 am Steve Grubb wrote: > On Thursday 15 November 2007 16:12:53 Paul Moore wrote: > > I was wondering what was the correct way to send a netmask in an audit > > message? > > That is a curious one. I don't think we've ever recorded a netmask since we > don't audit the routing tables. How does this net mask get used in a way > that needs to be audited. Just curious. :) It's not a routing table, but rather an IP selector/filter used to assign static/fallback security labels to incoming traffic. There has been a lot of discussion about this on the SELinux list over the summer and RFC patches have been available for a week or two, the audit relevant patch is below (once we get these issues resolved I'll respin the audit patch and send it here for review): * http://marc.info/?l=linux-security-module&m=119514613623937&w=2 > > Or is there some other field specifically for the netmask? > > > >  addr=10.0.0.0 X=8 > > This would probably be better so that extra parsing of the value is not > needed. I'd suggest something short like "net" to save diskspace. Okay, so for single addresses we should still go with "addr": addr=10.0.0.1 ... but for networks we should go with "net": net=10.0.0.0/8 ?