>> The new AUDIT target logs the following elements of any traffic and is
>> protocol independent (so it could be used equally well in iptables and
>> ebtables):
>>
>> - netfilter hook
>> - packet length
>> - incoming/outgoing interface
>> - MAC src/dst/proto for ethernet packets
>> - src/dst/protocol address for IPv4/IPv6
>> - src/dst port for TCP/UDP/UDPLITE
>> - icmp type/code
>>
>> This data is available through the audit daemon (auditd) and is also
>> retrievable using standard audit tools (ausearch/aureport).
>>
>
> Aha - this sounds perfect for my needs (see question a day ago about
> logging all traffic using NFLOG for accounting purposes).

Yes, I saw that and since I am - as you also are - a subscriber to the netfilter-dev mailing list, I followed the AUDIT target development since it was first conceived by Thomas Graf and the patch first posted on that mailing list on 14 Jan 2011. That was followed by numerous improvements and finally integrated into the .39 kernel tree recently. I don't think the .39 kernel itself is stable enough, but I do think that the actual AUDIT target code is good enough to be included in a production environment, so I took it apart a couple of days ago and was finally able to integrate it into a more stable kernel (.35 is what I use here).

> I haven't come across AUDIT before though... Obviously apart from hitting
> google right away, where can I learn about the AUDIT target and find api
> info to build my own auditd daemon?

Since I've already done most of the work and have the patches needed to "enable" this functionality - at least on the .35 kernel - I can provide you with these plus instructions on how to integrate them into the kernel. After that kernel is recompiled and installed you have to do the same with iptables (as I already pointed out I am using the latest iptables - 1.4.10 - as basis). Once this is done you are ready to go, provided you have a decent-enough version of auditd/audispd up and running. All you have to do then is define your targets and check your auditd for any messages and wait until shorewall catches up and is able to implement this in the same way the (NF)LOG targets currently are.

As I already pointed out the AUDIT target is of great benefit to me as it enables me to centralise all system-related security events into one place (I also run a number of auditd daemons which are interlinked between various machines providing me with one place where all logs are stored and could be retrieved/viewed using ausearch/aureport).

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
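As an added example (not code from this post, from the xt_AUDIT patch or from Shorewall), the following POSIX shell script shows the shape of the "define your targets, then check auditd" step described above: the iptables rules one would load for the AUDIT target, the ausearch query that retrieves the resulting records, and a small parser that turns NETFILTER_PKT records into one-line summaries and counts them by action. It assumes an iptables with the AUDIT extension (`-j AUDIT --type accept|drop|reject`) and a kernel carrying xt_AUDIT; the three records are constructed samples laid out like the 2.6.39 xt_AUDIT output, not real captures, and the helper names `field`, `summarize`, `count_by_action` and `nth_record` are my own.

```shell
#!/bin/sh
# Added example, not code from the post or from the xt_AUDIT patch.
# Assumes: iptables with libxt_AUDIT (-j AUDIT --type accept|drop|reject),
# a kernel carrying xt_AUDIT, and auditd running. The records below are
# constructed samples in the 2.6.39 xt_AUDIT layout, not real captures.

# The rule set one would load: a user chain that audits, then drops.
# Printed rather than executed, so the script runs without root.
audit_rules() {
    cat <<'EOF'
iptables -N AUDIT_DROP
iptables -A AUDIT_DROP -j AUDIT --type drop
iptables -A AUDIT_DROP -j DROP
iptables -A INPUT -p tcp --dport 23 -j AUDIT_DROP
EOF
}

# How the records are pulled back out of the audit log (printed, not run).
audit_query() {
    printf '%s\n' 'ausearch -m NETFILTER_PKT --start today -i'
}

# Three constructed NETFILTER_PKT records, one per line: a dropped telnet
# attempt, an accepted outbound DNS query (no MAC header on LOCAL_OUT),
# and a dropped ICMP echo request.
SAMPLE_LOG='type=NETFILTER_PKT msg=audit(1300000000.123:4567): action=1 hook=1 len=60 inif=eth0 outif=? smac=00:11:22:33:44:55 dmac=66:77:88:99:aa:bb macproto=0x0800 saddr=192.0.2.10 daddr=192.0.2.1 ipid=4321 proto=6 sport=51234 dport=23
type=NETFILTER_PKT msg=audit(1300000000.124:4568): action=0 hook=3 len=73 inif=? outif=eth0 saddr=192.0.2.1 daddr=192.0.2.53 ipid=1 proto=17 sport=40000 dport=53
type=NETFILTER_PKT msg=audit(1300000000.125:4569): action=1 hook=1 len=84 inif=eth0 outif=? smac=00:11:22:33:44:66 dmac=66:77:88:99:aa:bb macproto=0x0800 saddr=192.0.2.20 daddr=192.0.2.1 ipid=7 proto=1 icmptype=8 icmpcode=0'

# field RECORD KEY: value of KEY=value in one record, empty if absent.
# The anchored sed pattern keeps "proto" from matching "macproto".
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# summarize RECORD: "<action> <hook> <proto> src[:sport] -> dst[:dport]".
# action and hook numbers follow xt_AUDIT's enum and the NF_INET_* hooks.
summarize() {
    case "$(field "$1" action)" in
        0) act=accept ;; 1) act=drop ;; 2) act=reject ;; *) act=unknown ;;
    esac
    case "$(field "$1" hook)" in
        0) hk=PRE_ROUTING ;; 1) hk=LOCAL_IN ;; 2) hk=FORWARD ;;
        3) hk=LOCAL_OUT ;; 4) hk=POST_ROUTING ;; *) hk=unknown ;;
    esac
    pr=$(field "$1" proto)
    case "$pr" in
        1) pr=icmp ;; 6) pr=tcp ;; 17) pr=udp ;; 136) pr=udplite ;;
    esac
    sp=$(field "$1" sport)
    if [ -n "$sp" ]; then
        printf '%s %s %s %s:%s -> %s:%s\n' "$act" "$hk" "$pr" \
            "$(field "$1" saddr)" "$sp" "$(field "$1" daddr)" "$(field "$1" dport)"
    else
        # ICMP and other port-less protocols carry no sport/dport fields.
        printf '%s %s %s %s -> %s\n' "$act" "$hk" "$pr" \
            "$(field "$1" saddr)" "$(field "$1" daddr)"
    fi
}

# count_by_action LOG N: records with action=N (0 accept, 1 drop, 2 reject).
count_by_action() {
    printf '%s\n' "$1" | grep -c " action=$2 "
}

# nth_record LOG N: the N-th record line of the log.
nth_record() {
    printf '%s\n' "$1" | sed -n "${2}p"
}

# Stand-alone run: print the rules, the query, and a summary of each record.
audit_rules
audit_query
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r rec; do summarize "$rec"; done
echo "dropped: $(count_by_action "$SAMPLE_LOG" 1)"
```

The rule layout (audit in a user chain, then the verdict) mirrors how the LOG and NFLOG targets are normally paired with DROP, which is also the form Shorewall would have to emit once it supports the target; the parser only depends on the key=value layout of the record, so a differently ordered record from a newer kernel still yields the same summary as long as the key names match.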
