Re: AUDIT_NETFILTER_PKT message format

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

I disagree !

Many people in the world would like to allow an software A to go to internet through OUTPUT TCP port 80 but disallow software B to go to the internet through this same OUTPUT TCP port 80. Don't you know about viruses on linux ? Viruses ALWAYS use HTTP/HTTPS ports to get payloads on internet and OUTPUT TCP port 443 COULD NOT be CLOSED for ALL SOFTWARE if you want to access internet services (via internet browsers for example).

And we cannot know every dangerous IP in the world. Even because there are new one every time in the world. There could be a not dangerous server that became dangerous one because it became a hacked server.

So it's an EXCELLENT idea to make Software socket/PID accessible from packet netfilter API. That could prevent some malware to access opened standard ports and give to the users a way to make better protection with closest control on which software ave right to get information from the internet.

BE USER FRIENDLY PLEASE !!!!

Best regards,

Patrick PIGNOL

Le 20/01/2017 à 21:37, Paul Moore a écrit :
On Fri, Jan 20, 2017 at 9:49 AM, Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote:
At this point I think it would be good to hear what requirements exist
for per-packet auditing.  Steve, are there any current Common Criteria
(or other) requirements that impact per-packet auditing?
I don't think you want to flood your logs. That is not helpful. It asks for the
ability to detect information flow. Typically you want to know source and
destination, protocol, where on the system its coming from or going to, pid if
possible and the subject information if available. I know that you can be
acting as a proxy and forwarding outside packets into a network. That is not
the typical case CC is concerned about. Its more about what the user is doing.
Determining the pid/subj of a packet is notoriously
difficult/impossible in netfilter so let's drop that; with proper
policy/rules you should be able to match proto/port with a given
process so this shouldn't be that critical.  The source/destination
addresses and proto/port (assuming IP) should be easy enough.

All right, now that we've got the "must" items down, are their any
"should" items we want?


--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux