On 05/19/2011 03:21 PM, Mr Dash Four wrote:
>
>> And here's a slightly cleaned up version.
>>
>> 5) Support for the AUDIT target has been added. AUDIT is a feature of
>> the 2.6.39 kernel and iptables 1.4.10 that allows security auditing
>> of access decisions.
>>
>> Note: This support note is the only documentation of this support
>> currently available.
>>
> You may wish to expand on this a bit. This was submitted by Thomas Graf
> <[email protected]> (the author of the AUDIT patch) on the netfilter-dev
> list back in January:

Thanks -- I'll use some of this information when I write an Audit article
for the web site.

>> b) In /etc/shorewall/policy's POLICY column, the policy (and
>> default action, if any) may be followed by ':audit' to cause
>> application of the policy to be audited.
>>
>> Only ACCEPT, DROP and REJECT policies may be audited.
>>
>> Example:
>>
>> #SOURCE   DEST   POLICY       LOG
>> #                             LEVEL
>> net       fw     DROP:audit
>>
>> It is allowed to also specify a log level on audited policies
>> resulting in both auditing and logging.
>>
> Perfect! I assume if log level is not specified, no logging is
> performed, but auditing is still done, right?

Sure: Logging is still totally optional (as is auditing).

>
>> c) Three new builtin actions that may be used in the rules file,
>> in macros and in other actions.
>>
>> AACCEPT - Audits and accepts the connection request
>> ADROP   - Audits and drops the connection request
>> AREJECT - Audits and rejects
>>
>> A log level may be supplied with these actions to
>> provide both auditing and logging.
>>
>> Example:
>>
>> AACCEPT:info   loc   net   ...
>>
> On a second thought, if it isn't much of a trouble could you change this
> to A_ACCEPT, A_DROP and A_REJECT as AACCEPT looks like a spelling error.
> I know it was my suggestion, but as I see it now it doesn't look quite
> right.

Yes, I wasn't particularly excited about the names either. They are easy
to change at this point (one of the reasons for sending skeletal
documentation with the initial release).

Thanks,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
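An added illustration, not part of the thread and not Shorewall's own compiler code: a small POSIX shell function that expands a policy or rule action written in the syntax quoted above (`DROP:audit`, `AACCEPT:info`, a separate LOG LEVEL column) into the iptables rules it corresponds to. It assumes auditing is emitted as the xt_AUDIT target (`-j AUDIT --type accept|drop|reject`) ahead of the terminating target, logging as a LOG rule ahead of both, and uses a hypothetical chain name and Shorewall's default `Shorewall:chain:disposition:` log prefix; default actions in the POLICY column are not handled.

```shell
# audit_rules CHAIN SPEC [LEVEL]
#   CHAIN  chain the policy/rule lands in (hypothetical, e.g. net2fw)
#   SPEC   policy or action as written: DROP, DROP:audit, AACCEPT, AACCEPT:info
#   LEVEL  optional LOG LEVEL column value (policy file only)
# Prints one iptables command per line; returns 1 for non-auditable targets.
audit_rules() {
    chain=$1
    spec=$2
    level=${3:-}
    base=${spec%%:*}          # part before the colon: DROP, AACCEPT, ...
    suffix=${spec#"$base"}    # ":audit", ":info" or ""
    suffix=${suffix#:}
    audit=no
    # The audited builtin actions are the plain targets plus auditing.
    case $base in
        AACCEPT) base=ACCEPT; audit=yes ;;
        ADROP)   base=DROP;   audit=yes ;;
        AREJECT) base=REJECT; audit=yes ;;
    esac
    # A ":audit" suffix turns auditing on; any other suffix is a log level.
    case $suffix in
        audit) audit=yes ;;
        '')    ;;
        *)     level=$suffix ;;
    esac
    # Only ACCEPT, DROP and REJECT may be audited.
    case $base in
        ACCEPT|DROP|REJECT) ;;
        *) echo "audit_rules: $base cannot be audited" >&2; return 1 ;;
    esac
    if [ -n "$level" ]; then
        # Logging is independent of auditing: a LOG rule ahead of the target.
        printf 'iptables -A %s -j LOG --log-level %s --log-prefix "Shorewall:%s:%s:"\n' \
            "$chain" "$level" "$chain" "$base"
    fi
    if [ "$audit" = yes ]; then
        # xt_AUDIT is non-terminating, so it goes ahead of the real target.
        printf 'iptables -A %s -j AUDIT --type %s\n' \
            "$chain" "$(printf '%s' "$base" | tr 'A-Z' 'a-z')"
    fi
    printf 'iptables -A %s -j %s\n' "$chain" "$base"
}

# Constructed inputs mirroring the examples in the thread:
audit_rules net2fw  DROP:audit          # policy, audit only
audit_rules net2fw  DROP:audit info     # policy, audit and log
audit_rules loc2net AACCEPT:info        # rule action, audit and log
```

The resulting audit records can be reviewed with `ausearch -m NETFILTER_PKT`, which is how a defender confirms that an audited policy is actually firing.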
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
