Is there a guideline for what needs to be audited (perhaps in linux_audit.[hc])?

For instance, two simple cases are hopefully straightforward:

- a protected payload that turns out corrupt triggers a delete_state()
so needs to be audited
- a message so screwed up that not even the IKE SA can be found (or
created), so probably shouldn't be audited

but there's stuff that fits somewhere in the middle, for instance:

- a duplicate request triggering a re-transmit (I suspect telcos
would require an event record, but here?)
- a message with an IKE SA but still falls short (doesn't decode,
old msgid, fails protection check, duplicate fragment, ...)

Andrew
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev