Joshua Brindle wrote:
> Linda Knippers wrote:
>
>> Joy Latten wrote:
>>
>>> On Tue, 2006-10-03 at 15:18 -0400, Joshua Brindle wrote:
>>>
>>>> Joy Latten wrote:
>>>>
>>>>>> Before network labeling is completed we still need some work
>>>>>> implementing how we plan to audit configuration changes in ipsec
>>>>>> labeling decisions. I believe we agreed today that this auditing
>>>>>> must be done in kernelspace since we do not have fine grained enough
>>>>>> controls on netlink messages to allow for all of the auditing in
>>>>>> userspace.
>>>>>
>>>>> I've talked to Klaus about what needs to be audited for ipsec and
>>>>> lspp compliance. I will begin work on a patch and get this out
>>>>> to the list as soon as I can. We will audit every time a policy is
>>>>> added/removed to/from the ipsec policy database.
>>>>
>>>> why not just auditallow all association setcontext?
>>>
>>> Dang! Why didn't I think of that! :-) Such a good idea. I will do a
>>> quick test and show Klaus and see if it all looks ok to him.
>>> Thanks!!!
>>
>> If we go the auditallow route then we lose some audit record management
>> features, like the ability to enable/disable/search for these records,
>> don't we? Do we care?
>
> enable and disable with a boolean
>
> searching? surely you can search avc records..
I meant with the audit tools, so using auditctl to add/remove rules and ausearch for looking for specific record types.

-- ljk

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
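The auditallow approach discussed in the thread produces ordinary AVC "granted" records rather than a dedicated record type, which is the search limitation Linda raises: ausearch -m AVC returns every AVC record, so picking out association setcontext events means filtering on the tclass and permission fields. The following is an added Python example, not code from the thread; the audit lines are constructed, and the domains, contexts, pids and comm values in them are assumed.

```python
import re

# Constructed sample audit log (not from the thread). The two AVC "granted"
# lines are the shape of record an auditallow on association setcontext
# produces; the SYSCALL line and the file denial must be filtered out.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1159900000.101:201): avc: granted { setcontext } for pid=2345 comm="setkey" scontext=system_u:system_r:setkey_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s0-s15:c0.c1023 tclass=association
type=SYSCALL msg=audit(1159900000.101:201): arch=c000003e syscall=44 success=yes exit=0 pid=2345 comm="setkey"
type=AVC msg=audit(1159900000.205:202): avc: granted { setcontext } for pid=2346 comm="racoon" scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:object_r:ipsec_spd_t:s2:c3 tclass=association
type=AVC msg=audit(1159900000.300:203): avc: denied { read } for pid=1111 comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Matches the fixed prefix of an AVC record; the trailing key=value pairs are
# parsed separately because their set varies by object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<decision>granted|denied) +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def association_setcontext_events(log_text):
    """Return the AVC records (granted or denied) for the setcontext
    permission on the association class, one dict per record."""
    events = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue  # SYSCALL and other record types are not AVCs
        fields = dict(KV_RE.findall(m.group('rest')))
        perms = m.group('perms').split()
        if fields.get('tclass') != 'association' or 'setcontext' not in perms:
            continue  # AVC on some other class or permission
        events.append({
            'serial': int(m.group('serial')),
            'decision': m.group('decision'),
            'pid': int(fields['pid']),
            'comm': fields['comm'].strip('"'),
            'scontext': fields['scontext'],
            'tcontext': fields['tcontext'],
        })
    return events


def setcontext_counts_by_domain(events):
    """Count setcontext events per source domain type (third field of scontext),
    i.e. which domains are changing IPsec policy labels."""
    counts = {}
    for e in events:
        domain = e['scontext'].split(':')[2]
        counts[domain] = counts.get(domain, 0) + 1
    return counts
```

With these records in the log, a boolean wrapped around the auditallow rule turns the records on and off, but there is no auditctl rule to add or remove for them, which is the distinction Linda draws.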
