On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote:
> On 2017-02-10 17:39, Steve Grubb wrote:
> > > The alternatives that I currently see are to drop packets for which
> > > there is no local process ownership, or to leave the ownership fields
> > > unset.
> >
> > What ownership fields are we talking about?
>
> The ones you want, auid, pid, ses. Perhaps I'm using the wrong
> terminology. What technical term is there for the collection of subject
> identifiers?

Subject attributes.

> > > > I don't think audit should worry about spoofing. Yes it can be done,
> > > > but we should accurately record what was presented to the system.
> > > > Other tools can be employed to watch for arp spoofing and source routed
> > > > packets. It's a bigger problem than just the audit logs.
> > >
> > > I find this statement a bit surprising given we're trying to find out
> > > who's doing what where.
> >
> > We're just recording what's presented to the system that meets the rules
> > programmed in.
>
> I don't quite understand. Are you saying only display the fields that
> were specifically used in the netfilter rule to trigger the target that
> records a packet?

No. I'm saying we shouldn't do any processing to figure out if we have a
spoofed or source routed packet. There are other tools that do that kind
of thing.

> I don't think that's what you want and it isn't easy
> to get without being more invasive in netfilter and swinging fields.
> I'd record the MAC header since it is part of the packet that tells us
> where it came from and where it's going.

Do we really need the MAC header for every event? I really don't think so.

-Steve

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html