On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb <[email protected]> wrote: > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote: >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs <[email protected]> wrote: >> > So while I'm not advocating this is what should be done and I'm trying >> > to establish bounds to the scope of this feature, but would it be >> > reasonable to simply not log packets that were transiting this machine >> > without a local endpoint? >> >> I'm still waiting on more detailed requirements information from >> Steve, but based on what we've heard so far, it seems that ignoring >> forwarded traffic is a reasonable thing to do. > > OK, I have done teh analysis to see where things stand on this ...
... > At this point, I would say there is no purpose for xt_AUDIT.c based on Common > Criteria. It looks like its built in response to the > CONFIG_NETFILTER_XT_TARGET_AUDIT config option. So, it can be cleanly > deprecated. Based on some off-list discussions with Richard it would appear that there are several users of the NETFILTER_PKT record so I am in no hurry to deprecate it. Considering that there are no CC requirements on the record, I think we can focus on simply providing a basic record that satisfies the whims of the userspace tools without adding any pain to the kernel. I believe Richard is currently working on a proposal to do that, let's discuss it further in that thread. -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
