Re: AUDIT_NETFILTER_PKT message format

2017-02-26 Thread Richard Guy Briggs
On 2017-02-13 19:24, Richard Guy Briggs wrote: > On 2017-02-13 18:50, Paul Moore wrote: > > On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs wrote: > > > useless? smac, dmac, macproto > > > > Probably useless in the majority of use cases. > > How do we deal with the

Re: AUDIT_NETFILTER_PKT message format

2017-02-17 Thread Paul Moore
On Thu, Feb 16, 2017 at 5:36 PM, Richard Guy Briggs wrote: > On 2017-02-15 19:32, Paul Moore wrote: >> On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs wrote: >> > On 2017-02-13 18:50, Paul Moore wrote: >> >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy

Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Richard Guy Briggs
On 2017-02-16 20:57, Paul Moore wrote: > [NOTE: I'll respond back to the other part of your email later but I'm > running out of time in the day and this was a quick but important > response] > > On Thu, Feb 16, 2017 at 5:36 PM, Richard Guy Briggs wrote: > > Steve has requested

Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Paul Moore
[NOTE: I'll respond back to the other part of your email later but I'm running out of time in the day and this was a quick but important response] On Thu, Feb 16, 2017 at 5:36 PM, Richard Guy Briggs wrote: > Steve has requested the subject attributes which prefixes 7 fields. I

Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Richard Guy Briggs
On 2017-02-14 16:06, Paul Moore wrote: > On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs wrote: > > On 2017-02-13 18:50, Paul Moore wrote: > >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs > >> wrote: > > ... > > >> > useless? smac, dmac,

Re: AUDIT_NETFILTER_PKT message format

2017-02-16 Thread Richard Guy Briggs
On 2017-02-14 16:31, Steve Grubb wrote: > On Monday, February 13, 2017 3:50:05 PM EST Richard Guy Briggs wrote: > > > > > > The alternatives that I currently see are to drop packets for which > > > > > > there is no local process ownership, or to leave the ownership > > > > > > fields unset. > > >

Re: AUDIT_NETFILTER_PKT message format

2017-02-15 Thread Paul Moore
On Mon, Feb 13, 2017 at 7:24 PM, Richard Guy Briggs wrote: > On 2017-02-13 18:50, Paul Moore wrote: >> On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs wrote: ... >> > helpful action, hook >> >> I haven't checked, but do we allow setting of an audit

Re: AUDIT_NETFILTER_PKT message format

2017-02-14 Thread Steve Grubb
On Monday, February 13, 2017 3:50:05 PM EST Richard Guy Briggs wrote: > > > > > The alternatives that I currently see are to drop packets for which > > > > > there is no local process ownership, or to leave the ownership > > > > > fields unset. > > > > > > > > What ownership fields are we talking

Re: AUDIT_NETFILTER_PKT message format

2017-02-13 Thread Richard Guy Briggs
On 2017-02-13 18:50, Paul Moore wrote: > On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs wrote: > > On 2017-02-13 12:57, Steve Grubb wrote: > >> On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote: > >> > On 2017-02-10 17:39, Steve Grubb wrote: > >> > > > The

Re: AUDIT_NETFILTER_PKT message format

2017-02-13 Thread Paul Moore
On Mon, Feb 13, 2017 at 3:50 PM, Richard Guy Briggs wrote: > On 2017-02-13 12:57, Steve Grubb wrote: >> On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote: >> > On 2017-02-10 17:39, Steve Grubb wrote: >> > > > The alternatives that I currently see are to drop

Re: AUDIT_NETFILTER_PKT message format

2017-02-13 Thread Richard Guy Briggs
On 2017-02-13 12:57, Steve Grubb wrote: > On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote: > > On 2017-02-10 17:39, Steve Grubb wrote: > > > > The alternatives that I currently see are to drop packets for which > > > > there is no local process ownership, or to leave the

Re: AUDIT_NETFILTER_PKT message format

2017-02-13 Thread Steve Grubb
On Friday, February 10, 2017 5:54:45 PM EST Richard Guy Briggs wrote: > On 2017-02-10 17:39, Steve Grubb wrote: > > > The alternatives that I currently see are to drop packets for which > > > there is no local process ownership, or to leave the ownership fields > > > unset.> > > > What ownership

Re: AUDIT_NETFILTER_PKT message format

2017-02-10 Thread Richard Guy Briggs
On 2017-02-10 17:39, Steve Grubb wrote: > On Thursday, February 9, 2017 8:12:47 PM EST Richard Guy Briggs wrote: > > On 2017-02-09 19:09, Steve Grubb wrote: > > > On Thursday, February 9, 2017 6:49:38 PM EST Richard Guy Briggs wrote: > > > > On 2017-02-08 18:09, Paul Moore wrote: > > > > > On Wed,

Re: AUDIT_NETFILTER_PKT message format

2017-02-10 Thread Steve Grubb
On Thursday, February 9, 2017 8:12:47 PM EST Richard Guy Briggs wrote: > On 2017-02-09 19:09, Steve Grubb wrote: > > On Thursday, February 9, 2017 6:49:38 PM EST Richard Guy Briggs wrote: > > > On 2017-02-08 18:09, Paul Moore wrote: > > > > On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb

Re: AUDIT_NETFILTER_PKT message format

2017-02-09 Thread Steve Grubb
On Thursday, February 9, 2017 6:49:38 PM EST Richard Guy Briggs wrote: > On 2017-02-08 18:09, Paul Moore wrote: > > On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb wrote: > > > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote: > > >> On Tue, Feb 7, 2017 at 3:52 PM,

Re: AUDIT_NETFILTER_PKT message format

2017-02-09 Thread Richard Guy Briggs
On 2017-02-08 18:09, Paul Moore wrote: > On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb wrote: > > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote: > >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs wrote: > >> > So while I'm not advocating

Re: AUDIT_NETFILTER_PKT message format

2017-02-09 Thread Paul Moore
On Thu, Feb 9, 2017 at 5:56 AM, Pablo Neira Ayuso wrote: > Hi Paul, > > On Wed, Feb 08, 2017 at 06:09:07PM -0500, Paul Moore wrote: >> On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb wrote: >> > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:

Re: AUDIT_NETFILTER_PKT message format

2017-02-09 Thread Pablo Neira Ayuso
Hi Paul, On Wed, Feb 08, 2017 at 06:09:07PM -0500, Paul Moore wrote: > On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb wrote: > > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote: > >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs wrote: > >> >

Re: AUDIT_NETFILTER_PKT message format

2017-02-08 Thread Paul Moore
On Wed, Feb 8, 2017 at 11:30 AM, Steve Grubb wrote: > On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote: >> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs wrote: >> > So while I'm not advocating this is what should be done and I'm trying >> >

Re: AUDIT_NETFILTER_PKT message format

2017-02-08 Thread Steve Grubb
On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote: > On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs wrote: > > So while I'm not advocating this is what should be done and I'm trying > > to establish bounds to the scope of this feature, but would it be > >

Re: AUDIT_NETFILTER_PKT message format

2017-02-07 Thread Paul Moore
On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs wrote: > So while I'm not advocating this is what should be done and I'm trying > to establish bounds to the scope of this feature, but would it be > reasonable to simply not log packets that were transiting this machine >

Re: AUDIT_NETFILTER_PKT message format

2017-02-07 Thread Richard Guy Briggs
On 2017-01-20 09:49, Steve Grubb wrote: > On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote: > > On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs > > wrote: > > > On 2017-01-18 07:32, Paul Moore wrote: > > >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs

Re: AUDIT_NETFILTER_PKT message format

2017-01-22 Thread Richard Guy Briggs
On 2017-01-21 20:12, Patrick PIGNOL wrote: > Hi all, > > I just wrote that because I read > > " > > Determining the pid/subj of a packet is notoriously > difficult/impossible in netfilter so let's drop that; with proper > policy/rules you should be able to match proto/port with a given >

Re: AUDIT_NETFILTER_PKT message format

2017-01-21 Thread Patrick PIGNOL
Hi all, I just wrote that because I read " Determining the pid/subj of a packet is notoriously difficult/impossible in netfilter so let's drop that; with proper policy/rules you should be able to match proto/port with a given process so this shouldn't be that critical. The source/destination

Re: AUDIT_NETFILTER_PKT message format

2017-01-21 Thread Paul Moore
On Sat, Jan 21, 2017 at 6:27 AM, Patrick PIGNOL wrote: > Hi all, > > I disagree! > > Many people in the world would like to allow a software A to go to the internet > through OUTPUT TCP port 80 but disallow software B to go to the internet > through this same OUTPUT TCP

Re: AUDIT_NETFILTER_PKT message format

2017-01-21 Thread Patrick PIGNOL
Hi all, I disagree! Many people in the world would like to allow a software A to go to the internet through OUTPUT TCP port 80 but disallow software B to go to the internet through this same OUTPUT TCP port 80. Don't you know about viruses on Linux? Viruses ALWAYS use HTTP/HTTPS ports to get

Re: AUDIT_NETFILTER_PKT message format

2017-01-20 Thread Paul Moore
On Fri, Jan 20, 2017 at 9:49 AM, Steve Grubb wrote: > On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote: >> At this point I think it would be good to hear what requirements exist >> for per-packet auditing. Steve, are there any current Common Criteria >> (or

Re: AUDIT_NETFILTER_PKT message format

2017-01-20 Thread Steve Grubb
On Wednesday, January 18, 2017 6:35:29 PM EST Paul Moore wrote: > On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs wrote: > > On 2017-01-18 07:32, Paul Moore wrote: > >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: > >> > On 2017-01-17 21:34,

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Paul Moore
On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs wrote: > On 2017-01-18 07:32, Paul Moore wrote: >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: >> > On 2017-01-17 21:34, Richard Guy Briggs wrote: >> >> On 2017-01-17 15:17, Paul Moore wrote:

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Richard Guy Briggs
On 2017-01-18 07:32, Paul Moore wrote: > On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: > > On 2017-01-17 21:34, Richard Guy Briggs wrote: > >> On 2017-01-17 15:17, Paul Moore wrote: > >> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs > >>

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Paul Moore
On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: > On 2017-01-17 21:34, Richard Guy Briggs wrote: >> On 2017-01-17 15:17, Paul Moore wrote: >> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs >> > wrote: >> > > On 2017-01-17 08:55, Steve Grubb

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 21:34, Richard Guy Briggs wrote: > On 2017-01-17 15:17, Paul Moore wrote: > > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs > > wrote: > > > On 2017-01-17 08:55, Steve Grubb wrote: > > >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote:

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 15:17, Paul Moore wrote: > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs wrote: > > On 2017-01-17 08:55, Steve Grubb wrote: > >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > ... > > >> > Ones that are not so straightforward: >

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Paul Moore
On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs wrote: > On 2017-01-17 08:55, Steve Grubb wrote: >> On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: ... >> > Ones that are not so straightforward: >> > - "secmark" depends on a kernel config setting, so

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Steve Grubb
On Tuesday, January 17, 2017 11:29:43 AM EST Richard Guy Briggs wrote: > On 2017-01-17 11:12, Richard Guy Briggs wrote: > > On 2017-01-17 08:55, Steve Grubb wrote: > > > On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > > > I'm just starting to look at the normalization of

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 11:12, Richard Guy Briggs wrote: > On 2017-01-17 08:55, Steve Grubb wrote: > > On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT > > > event messages and it is not quite as

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Richard Guy Briggs
On 2017-01-17 08:55, Steve Grubb wrote: > On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT > > event messages and it is not quite as straightforward as I had expected. > > > > It is being tracked here:

Re: AUDIT_NETFILTER_PKT message format

2017-01-17 Thread Steve Grubb
On Tuesday, January 17, 2017 12:25:51 AM EST Richard Guy Briggs wrote: > I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT > event messages and it is not quite as straightforward as I had expected. > > It is being tracked here: >

AUDIT_NETFILTER_PKT message format

2017-01-16 Thread Richard Guy Briggs
Hi, I'm just starting to look at the normalization of AUDIT_NETFILTER_PKT event messages and it is not quite as straightforward as I had expected. It is being tracked here: https://github.com/linux-audit/audit-kernel/issues/11 and refers to a previous posting from Mr. Dash Four from four
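The thread above is about normalizing the fields of a NETFILTER_PKT audit record: which fields are mandatory (action, hook, saddr/daddr, proto), which are of doubtful value (smac, dmac, macproto), which depend on kernel configuration (secmark), and the fact that a packet's pid/subj are generally not determinable in netfilter, so ownership fields are best left unset. The following is an added example of such a normalizer, written for this page; it is not code from the linux-audit project or from any of the posters. The sample record is constructed for the example, and the field order, the "?" placeholder for an absent interface, and the numeric hook and action encodings (NF_INET_* hook indices, xt_AUDIT accept/drop/reject) are assumptions, not taken from the thread.

```python
import ipaddress
import re

# Constructed sample record for this example (not from the thread or a real
# system): an ICMP echo request accepted at the LOCAL_IN hook, carrying the
# link-layer fields (smac/dmac/macproto) the thread considers dropping.
SAMPLE_RECORD = (
    "type=NETFILTER_PKT msg=audit(1484634351.091:239): action=0 hook=1 len=84 "
    "inif=eth0 outif=? mark=0x2 smac=52:54:00:12:34:56 dmac=52:54:00:65:43:21 "
    "macproto=0x0800 saddr=192.0.2.10 daddr=192.0.2.1 ipid=54321 proto=1 "
    "icmptype=8 icmpcode=0 secmark=42"
)

_HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Assumed numbering: NF_INET_* hook indices and xt_AUDIT action types.
HOOKS = {0: "PRE_ROUTING", 1: "LOCAL_IN", 2: "FORWARD", 3: "LOCAL_OUT", 4: "POST_ROUTING"}
ACTIONS = {0: "ACCEPT", 1: "DROP", 2: "REJECT"}
LINK_LAYER = ("smac", "dmac", "macproto")
REQUIRED = ("action", "hook", "saddr", "daddr", "proto")


def split_fields(line):
    """Return (timestamp, serial, {key: raw value}) for one NETFILTER_PKT line."""
    m = _HEADER_RE.match(line.strip())
    if not m or m.group("type") != "NETFILTER_PKT":
        raise ValueError("not a NETFILTER_PKT record")
    fields = {}
    for token in m.group("body").split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("malformed token %r" % token)
        if key in fields:
            raise ValueError("duplicate field %r" % key)
        fields[key] = value
    return float(m.group("ts")), int(m.group("serial")), fields


def normalize(line, keep_link_layer=False):
    """Normalize one record: typed values, symbolic hook/action, validated addresses."""
    ts, serial, f = split_fields(line)
    missing = [k for k in REQUIRED if k not in f]
    if missing:
        raise ValueError("missing required field(s): %s" % ", ".join(missing))
    out = {"ts": ts, "serial": serial}
    hook, action = int(f["hook"]), int(f["action"])
    out["hook"] = HOOKS.get(hook, "UNKNOWN(%d)" % hook)
    out["action"] = ACTIONS.get(action, "UNKNOWN(%d)" % action)
    out["proto"] = int(f["proto"])
    # ip_address() accepts IPv4 and IPv6 text and rejects anything else.
    out["saddr"] = str(ipaddress.ip_address(f["saddr"]))
    out["daddr"] = str(ipaddress.ip_address(f["daddr"]))
    # mark is optional and written in hex in the sample; base 0 accepts "0x...".
    out["mark"] = int(f["mark"], 0) if "mark" in f else 0
    # secmark depends on kernel configuration, so its absence is not an error.
    out["secmark"] = int(f["secmark"]) if "secmark" in f else None
    for k in ("sport", "dport", "icmptype", "icmpcode"):
        if k in f:
            out[k] = int(f[k])
    # A "?" stands for an absent interface in the sample; map it to None.
    out["inif"] = None if f.get("inif", "?") == "?" else f["inif"]
    out["outif"] = None if f.get("outif", "?") == "?" else f["outif"]
    # Ownership of a packet is not determinable in netfilter, so the
    # normalized record leaves pid/subj unset rather than inventing values.
    out["pid"] = None
    out["subj"] = None
    # Link-layer fields: validated when present, kept only on request.
    for k in ("smac", "dmac"):
        if k in f and not _MAC_RE.match(f[k]):
            raise ValueError("bad MAC in %s: %r" % (k, f[k]))
    if keep_link_layer:
        ll = {k: f[k] for k in LINK_LAYER if k in f}
        if "macproto" in ll:
            ll["macproto"] = int(ll["macproto"], 0)
        out["link_layer"] = ll
    return out


if __name__ == "__main__":
    from pprint import pprint
    pprint(normalize(SAMPLE_RECORD))
```

Rejecting a record that lacks one of the REQUIRED fields, rather than filling in defaults, is deliberate: a consumer such as a SIEM rule that keys on saddr/daddr/proto should see a parse failure rather than a silently incomplete event.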