On Wed, 05 Dec 2007 14:45:12 EST, Paul Moore said:
> Hello all,
>
> I'm looking at RFC4303 at some of the auditing requirements and one of the
> gaps between what the specification requires and what we currently provide
> involves the SA's sequence number and the IPv6 flow ID. According to the list
> of existing audit fields[1] there doesn't appear to be any fields which are a
> good match. With that in mind I'd like to propose two new fields:
>
> * seqno - sequence number
> * flowid - flow id
>
> Any comments, objections, suggestions?

I see a note from Sep 12 or so from Joy Latten that was talking about adding support for rfcs430[1-3] - are you two collaborating or working at cross purposes? Are any other fields/calls needed to complete the set? (Feel free to just handwave a "Somebody should add XYZ in 2.6.N+3" if warranted)

Other than that, the RFC looks sane, and has a rfc2119-SHOULD for those fields, so it certainly sounds like a good idea. Besides, I *know* that if we don't, at some point I'm going to be doing forensics or debugging, and cursing the fact that not all my sensors reported flowid to cross-correlate on :)

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit