On Fri, Jan 20, 2017 at 9:49 AM, Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
> On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote:
>> At this point I think it would be good to hear what requirements exist
>> for per-packet auditing. Steve, are there any current Common Criteria
>> (or other) requirements that impact per-packet auditing?
>
> I don't think you want to flood your logs. That is not helpful. It asks for the
> ability to detect information flow. Typically you want to know source and
> destination, protocol, where on the system it's coming from or going to, pid if
> possible and the subject information if available. I know that you can be
> acting as a proxy and forwarding outside packets into a network. That is not
> the typical case CC is concerned about. It's more about what the user is doing.

Determining the pid/subj of a packet is notoriously difficult/impossible in
netfilter so let's drop that; with proper policy/rules you should be able to
match proto/port with a given process so this shouldn't be that critical.

The source/destination addresses and proto/port (assuming IP) should be easy
enough.

All right, now that we've got the "must" items down, are there any "should"
items we want?

-- 
paul moore
www.paul-moore.com