[Swan-dev] what needs to be [linux] audit logged?

Paul Wouters paul at nohats.ca
Tue Jul 2 16:13:11 UTC 2019

On Sun, 30 Jun 2019, Andrew Cagney wrote:

> Is there a guideline for what needs to be audited (perhaps in linux_audit.[hc]).


But even that is not the entire story. And some of it is wide open to

Success and failure need to be logged for starting IKE and IPsec SAs.
Success is also logged for a destroy operation of an IKE SA and IPsec SA.

Success is logged with an operation (op=) start and result (res=success).
Failure is logged with an operation start and result failure.
Destroy is logged with operation destroy and result success.

Note these are different from the kernel audit logs, which in itself is
producing audit logs for each inbound and outbound IPsec SA.

> For instance, two simple cases are hopefully straight forward:
> - a protected payload that turns out corrupt triggers a delete_state()
> so needs to be audited

Any failure in negotiation of an IKE SA requires an audit log entry.

It's more complicated in IKEv2 because sometimes we have/get two states
and sometimes one. Sometimes we create the IPsec state before we have
an established IKE SA, so we don't really start ipsec. I'm currently
doing this as best I can but for instance for a failed IPsec SA we
currently (wrongly) also fail the IKE SA.

> - a message so screwed up that not even the IKE SA can be found (or
> created), so probably shouldn't be audited

Yeah we don't log those. That would be a bad DDoS.

> but there's stuff that fits somewhere in the middle, for instance:
> - a duplicate request triggering an re-transmit (I suspect a telco's
> would require an event record, but here?)

Retransmits in partial negotiations are not logged. Only the ultimate
failure resulting in a delete of IKE state is logged.

> - a message with an IKE SA but but still falls short (doesn't decode,
> old msgid, fails protection check, duplicate fragment, ...)

Most of the examples here are ephemeral failures that are not logged.
Only when we decide an IKE SA negotiation is lost, do we log it. So
duplicate packets don't generate an audit log. Neither do wrong msgids
or protection check failures because those do not lead to a final
failure of the IKE SA - we would drop those packets waiting for a real
IKE packet instead.

Audit logs are not syslogs. They are strictly limited to start/fail and
stop messages for each IKE/IPsec SA.
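As an added illustration of the start/fail/destroy convention described in this message (this is example code written for this archive page, not libreswan's own linux_audit code or its verified output): a small consumer that parses Linux-audit-style key=value records and reduces them to the three events that matter for an SA lifecycle. The op=start, op=destroy and res=success fields follow the message above; the record type names CRYPTO_IKE_SA / CRYPTO_IPSEC_SA, the conn-name and direction fields, the failure token res=failed and the sample lines themselves are constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample records in Linux audit key=value style. Only op= and
# res= values come from the message above; record types and other field
# names are assumptions made for this example, not verified libreswan output.
SAMPLE_AUDIT_LINES = [
    'type=CRYPTO_IKE_SA msg=audit(1562084001.001:101): pid=1234 uid=0 op=start '
    'direction=initiator conn-name="west-east" ike-version=2 res=success',
    'type=CRYPTO_IPSEC_SA msg=audit(1562084001.002:102): pid=1234 uid=0 op=start '
    'direction=initiator conn-name="west-east" res=success',
    'type=CRYPTO_IKE_SA msg=audit(1562084010.003:103): pid=1234 uid=0 op=start '
    'direction=responder conn-name="north-south" ike-version=2 res=failed',
    'type=CRYPTO_IPSEC_SA msg=audit(1562084100.004:104): pid=1234 uid=0 op=destroy '
    'conn-name="west-east" res=success',
    'type=CRYPTO_IKE_SA msg=audit(1562084100.005:105): pid=1234 uid=0 op=destroy '
    'conn-name="west-east" res=success',
    'type=CRYPTO_IKE_SA msg=audit(1562084200.006:106): pid=1234 uid=0 op=start '
    'direction=initiator conn-name="east-far" ike-version=2 res=success',
]

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')

# audit record type -> SA kind (assumed type names, see lead-in)
SA_TYPES = {"CRYPTO_IKE_SA": "ike", "CRYPTO_IPSEC_SA": "ipsec"}


def parse_record(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(rec):
    """Map a parsed record to one of the lifecycle events the message describes.

    Returns None for record types that are not IKE/IPsec SA events, and
    '<sa>-unexpected' for op/res combinations the convention does not produce.
    """
    sa = SA_TYPES.get(rec.get("type"))
    if sa is None:
        return None
    op, res = rec.get("op"), rec.get("res")
    if op == "start" and res == "success":
        return f"{sa}-start-ok"
    if op == "start":
        return f"{sa}-start-fail"   # any non-success result on start is a failed negotiation
    if op == "destroy" and res == "success":
        return f"{sa}-destroy"
    return f"{sa}-unexpected"


def summarize(lines):
    """Count lifecycle events per SA kind across a batch of audit lines."""
    counts = Counter()
    for line in lines:
        kind = classify(parse_record(line))
        if kind is not None:
            counts[kind] += 1
    return counts


def failed_negotiations(lines):
    """(conn-name, direction) for every IKE SA whose start was audited as a failure."""
    found = []
    for line in lines:
        rec = parse_record(line)
        if classify(rec) == "ike-start-fail":
            found.append((rec.get("conn-name"), rec.get("direction")))
    return found


def open_ike_sas(lines):
    """Connections whose IKE SA started successfully and has no matching destroy.

    Keyed on conn-name for simplicity; a production version would key on a
    per-state identifier so that several SAs of one connection do not collide.
    """
    live = set()
    for line in lines:
        rec = parse_record(line)
        kind = classify(rec)
        if kind == "ike-start-ok":
            live.add(rec.get("conn-name"))
        elif kind == "ike-destroy":
            live.discard(rec.get("conn-name"))
    return sorted(live)


if __name__ == "__main__":
    for event, n in sorted(summarize(SAMPLE_AUDIT_LINES).items()):
        print(f"{event:18s} {n}")
    print("failed:", failed_negotiations(SAMPLE_AUDIT_LINES))
    print("still open:", open_ike_sas(SAMPLE_AUDIT_LINES))
```

The point the reducer makes is the one the message makes: the audit stream carries exactly one start (success or failure) and one destroy per SA, so a start without a later destroy is a live SA and a start with a non-success result is the one record a lost negotiation leaves behind. Retransmits, bad msgids and protection-check failures never appear here, so anyone expecting per-packet detail needs the kernel's own per-SA records or syslog, not this stream.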
