Remotely logging audit rules.
Steve Grubb
sgrubb at redhat.com
Wed Nov 2 13:31:10 UTC 2005
On Tuesday 01 November 2005 18:31, Stephen J. Smoogen wrote:
> I got a development request to see how much work it would take to do.
> Our policy wags want to have all object audit events (or whatever the
> real term for that is...) to be sent both locally and remotely.
This is in the works for future versions of audit. We should have it some time
around the 1.2 or 1.3 release.
> My 5000 foot question is how would the best way to implement this be?
> For the current RHEL 4 I would probably need some sort of tail -f xxx
> | logger type script.
This could be very inefficient and create duplicate records. If you wait a
week or so, we should be at 1.1 which introduces audisp. This is the audit
event dispatcher. You will be able to replace it with anything you choose
since it's a config option. You could hack together a script to record those
remotely.
-Steve
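
A sketch of the kind of dispatcher replacement script the reply describes, added here as an example; it is not code from the message or from the audit project. It assumes the dispatcher hands the script one text-format audit record per line on stdin (the message does not describe audisp's input format), and the collector address, tag and function names are hypothetical.

```python
#!/usr/bin/env python3
"""Added example: relay audit records from stdin to a remote syslog collector."""
import re
import socket
import sys

# Assumption: each record is a text line starting "type=... msg=audit(ts:serial):".
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
FACILITY_AUTHPRIV = 10   # syslog facility 10 (security/authorization, private)
SEVERITY_INFO = 6
MAX_DATAGRAM = 1024      # RFC 3164 limit on total packet length

# Constructed sample records, for trying the functions offline.
SAMPLE = [
    "type=SYSCALL msg=audit(1130938270.123:4567): arch=40000003 syscall=5 success=yes\n",
    "this line is not an audit record\n",
    'type=PATH msg=audit(1130938270.123:4567): name="/etc/shadow"\n',
]

def parse_record(line):
    """Return (record_type, timestamp, serial), or None if not an audit record."""
    m = RECORD_RE.match(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def to_syslog(line, tag="audit-fwd"):
    """Wrap one record in a minimal BSD-syslog packet: <PRI>tag: message."""
    pri = FACILITY_AUTHPRIV * 8 + SEVERITY_INFO
    packet = "<%d>%s: %s" % (pri, tag, line.rstrip("\n"))
    # Long records are cut to the datagram limit; the local log keeps the full text.
    return packet.encode("utf-8", "replace")[:MAX_DATAGRAM]

def forward(stream, send):
    """Pass each audit record to send() once; return (sent, skipped) counts."""
    sent = skipped = 0
    for line in stream:
        if parse_record(line) is None:
            skipped += 1          # ignore anything that is not an audit record
            continue
        send(to_syslog(line))
        sent += 1
    return sent, skipped

def main():
    # Hypothetical collector address (TEST-NET-1); replace with the real log host.
    collector = ("192.0.2.10", 514)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    counts = forward(sys.stdin, lambda pkt: sock.sendto(pkt, collector))
    print("sent=%d skipped=%d" % counts, file=sys.stderr)

if __name__ == "__main__":
    main()
```

Because each record is read once from the dispatcher's stream, there is no log file to re-read after rotation, which is where a `tail -f` pipeline can emit duplicates. UDP syslog gives no delivery guarantee, so the remote copy supplements the local audit log rather than replacing it.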