
Re: Disabling selinux question



Steve Grubb <sgrubb redhat com> writes:

>> What else, besides selinux, is using auditd in Fedora right now or in
>> the immediate future? (Since we're a distribution we don't count
>> theoretical use cases I hope...)
>
> The audit logs are the collection point for all security relevant
> events from

That's a big problem with auditd: it supports only local logging, and
log files on compromised machines are worthless...  As 'auditd' "removes"
log messages like AVC errors from normal log sources, they are not visible
to syslog anymore.

Hence, it's better to disable auditd and read the raw data on the remote
syslog server.



Enrico

Attachment: pgp1Tt0IfA0Du.pgp
Description: PGP signature
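To make the point of the mail concrete, here is an added example (not code from Enrico, Steve, or the Fedora audit project) that shows what the raw AVC data in a local audit.log looks like and how it can be turned into syslog lines destined for a remote collector, so that a copy exists off-host. The sample audit records are constructed for this example; the hostname, the syslog facility (13, "log audit") and the UDP port 514 are assumptions, not settings taken from the thread.

```python
"""Parse SELinux AVC records from audit.log text and render them as syslog
lines so a remote syslog server can keep a copy that survives host compromise.
Added example; the sample records below are constructed, not real captures."""
import re
import socket
import time
from typing import Optional

# Constructed sample in the audit.log record format (AVC plus an unrelated SYSCALL line).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1135295841.173:22): avc:  denied  { read } for  pid=2012 comm="httpd" name="index.html" dev=hda3 ino=66482 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
type=SYSCALL msg=audit(1135295841.173:22): arch=40000003 syscall=5 success=no exit=-13 a0=9a1d4a8 a1=0 a2=1b6 a3=9a1d4a8 items=0 pid=2012 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1135295850.901:23): avc:  granted  { setenforce } for  pid=2100 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
"""

# Header of an AVC record: type, audit(timestamp:serial), verdict, permission set.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*?) \} for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values may be quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def parse_audit_log(text: str) -> list:
    """Extract every AVC record from audit.log text, skipping other record types."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def to_syslog(rec: dict, hostname: str = "localhost", facility: int = 13,
              severity: Optional[int] = None) -> str:
    """Render an AVC record as an RFC 3164 style line (PRI = facility*8 + severity).
    Facility 13 is the syslog "log audit" facility (an assumption for this example);
    denials map to warning (4), grants to informational (6) unless overridden."""
    if severity is None:
        severity = 4 if rec["verdict"] == "denied" else 6
    pri = facility * 8 + severity
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(rec["timestamp"]))
    body = " ".join(f"{k}={rec[k]}" for k in ("pid", "comm", "scontext", "tcontext", "tclass")
                    if k in rec)
    return (f"<{pri}>{stamp} {hostname} audit[{rec['serial']}]: "
            f"avc {rec['verdict']} {{ {' '.join(rec['perms'])} }} {body}")


def ship(lines: list, host: str, port: int = 514) -> int:
    """Send rendered lines over UDP to the remote syslog collector; returns the count sent.
    host/port are placeholders supplied by the caller."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode(), (host, port))
    return len(lines)


if __name__ == "__main__":
    # Offline demo: parse the constructed sample and print the syslog rendering.
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(to_syslog(rec, hostname="webhost"))
```

Whether or not auditd stays enabled, the property that matters for incident response is that the AVC records exist somewhere the compromised host cannot rewrite; the parser keeps the full context pair and permission set, which is what an investigator needs to reconstruct what the denied process was attempting.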

