[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Disabling selinux question



On Friday 04 January 2008 09:41:58 Enrico Scholz wrote:
> >> What else, besides selinux, is using auditd in Fedora right now or in
> >> the immediate future? (Since we're a distribution we don't count
> >> theoretical use cases I hope...)
> >
> > The audit logs are the collection point for all security relevant
> > events from
>
> that's a big problem with auditd: it supports only local logging and
> logfiles on compromised machines are worthless...

Sure, I agree. There is a plugin for ZOS systems in rawhide that does remote 
logging for the IBM RACF subsystem. I have also started a plugin that 
transfers audit events off the machine to a central audit daemon. Its slow 
going, but the pace of its development should pick up now.


> As 'auditd' "removes" log messages like AVC errors from normal log sources
> they are not visible for syslog anymore.

You can use the syslog plugin to wrap events back to syslog if you want them 
there as well. Enable it in /etc/audisp/plugins.d/syslog.conf


> Hence, it's better to disable auditd and read the raw data on the remote
> syslog server.

Maybe at this point yes, but it will be changing as the plugins are developed. 
If you do send events across via syslog, they won't be searchable unless you 
duplicate a lot of ausearch/aureport from scratch.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]