On 05/19/2011 12:18 PM, Tom Eastep wrote:

> Here are the release notes for what I have working at this point. I'm
> distributing them for comment before sending out the code.

And here's a slightly cleaned up version.

5)  Support for the AUDIT target has been added. AUDIT is a feature of
    the 2.6.39 kernel and iptables 1.4.10 that allows security auditing
    of access decisions.

    Note: This support note is the only documentation of this support
    currently available.

    The support involves the following:

    a)  A new "AUDIT Target" capability is added and is required for
        auditing support. To use AUDIT support with a capabilities
        file, that file must be generated using this or a later
        release.

        Use 'shorewall show capabilities' after installing this release
        to see if your kernel/iptables support the AUDIT target.

    b)  In /etc/shorewall/policy's POLICY column, the policy (and
        default action, if any) may be followed by ':audit' to cause
        application of the policy to be audited.

        Only ACCEPT, DROP and REJECT policies may be audited.

        Example:

        #SOURCE DEST    POLICY          LOG
        #                               LEVEL
        net     fw      DROP:audit

        It is also allowed to specify a log level on audited policies,
        resulting in both auditing and logging.

    c)  Three new builtin actions have been added that may be used in the
        rules file, in macros and in other actions.

        AACCEPT - Audits and accepts the connection request
        ADROP   - Audits and drops the connection request
        AREJECT - Audits and rejects

        A log level may be supplied with these actions to
        provide both auditing and logging.

        Example:

        AACCEPT:info    loc     net     ...

    d)  The BLACKLIST_DISPOSITION, MACLIST_DISPOSITION and
        TCP_FLAGS_DISPOSITION options may be set as follows:

        BLACKLIST_DISPOSITION         ADROP or AREJECT
        MACLIST_DISPOSITION           ADROP
                                      AREJECT, unless
                                               MACLIST_TABLE=mangle
        TCP_FLAGS_DISPOSITION         ADROP or AREJECT

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
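Added example (not part of Tom's mail and not Shorewall's own parser): a small Python checker for the syntax items b) and c) describe, i.e. the ':audit' suffix on the POLICY column (appended after the default action, if one is given) and the AACCEPT/ADROP/AREJECT actions with an optional log level. The allowed combinations are taken from the notes; the function names, the treatment of '-' as an empty LOG LEVEL column, and the sample policy lines are assumptions constructed for this example.

```python
"""Checker for the ':audit' POLICY suffix and the AACCEPT/ADROP/AREJECT
actions described in the release notes above.

Added example, not Shorewall's own parser. The allowed combinations come
from the notes; the helper names, the treatment of '-' as an empty column
and the sample lines are assumptions/constructed here."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AUDITABLE_POLICIES = {"ACCEPT", "DROP", "REJECT"}   # per the notes, item b)
AUDIT_ACTIONS = {"AACCEPT", "ADROP", "AREJECT"}     # builtin actions, item c)


@dataclass
class PolicyEntry:
    source: str
    dest: str
    policy: str
    default_action: Optional[str]
    audit: bool
    log_level: Optional[str]


def parse_policy_line(line: str) -> Optional[PolicyEntry]:
    """Parse one /etc/shorewall/policy line.

    Returns None for blank and comment lines, raises ValueError when the
    POLICY column violates the rules in the notes."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"too few columns: {line!r}")
    source, dest, column = fields[:3]
    # assumption: '-' is Shorewall's placeholder for an empty column
    log_level = fields[3] if len(fields) > 3 and fields[3] != "-" else None

    parts = column.split(":")
    audit = parts[-1].lower() == "audit"   # ':audit' is always the final element
    if audit:
        parts = parts[:-1]
    if not parts or not parts[0] or len(parts) > 2:
        raise ValueError(f"malformed POLICY column: {column!r}")
    policy = parts[0].upper()
    default_action = parts[1] if len(parts) == 2 else None
    if audit and policy not in AUDITABLE_POLICIES:
        raise ValueError(
            f"{policy} may not be audited; only ACCEPT, DROP and REJECT may be")
    return PolicyEntry(source, dest, policy, default_action, audit, log_level)


def parse_rule_action(action: str) -> Tuple[str, bool, Optional[str]]:
    """Split a rules-file ACTION such as 'AACCEPT:info' into
    (action name, audited?, log level)."""
    name, _, level = action.partition(":")
    name = name.upper()
    return name, name in AUDIT_ACTIONS, (level or None)


def check_policy_file(text: str) -> Tuple[List[PolicyEntry], List[str]]:
    """Parse a whole policy file; returns (valid entries, error messages)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_policy_line(raw)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


# Constructed sample file: the DROP:audit line is the one from the notes,
# the CONTINUE:audit line is deliberately invalid.
SAMPLE_POLICY = """\
#SOURCE DEST    POLICY          LOG
#                               LEVEL
net     fw      DROP:audit
loc     net     ACCEPT:audit    info
net     all     DROP:Drop:audit
loc     fw      CONTINUE:audit
"""

if __name__ == "__main__":
    entries, errors = check_policy_file(SAMPLE_POLICY)
    for e in entries:
        print(e)
    for err in errors:
        print("ERROR", err)
```

Running the block on the constructed sample accepts the three auditable lines (including the one that carries a default action before ':audit') and reports the CONTINUE:audit line as an error, which is the constraint item b) states.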


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
