[Swan-dev] what needs to be [linux] audit logged?

Andrew Cagney andrew.cagney at gmail.com
Sun Jun 30 20:00:06 UTC 2019


Is there a guideline for what needs to be audited (perhaps in linux_audit.[hc])?

For instance, two simple cases are hopefully straightforward:

- a protected payload that turns out corrupt triggers a delete_state()
so needs to be audited
- a message so screwed up that not even the IKE SA can be found (or
created), so probably shouldn't be audited

but there's stuff that fits somewhere in the middle, for instance:

- a duplicate request triggering a re-transmit (I suspect telcos
would require an event record, but here?)
- a message that has an IKE SA but still falls short (doesn't decode,
old msgid, fails protection check, duplicate fragment, ...)

Andrew
