Remote audit clients on RHEL 5.2
Steve Grubb
sgrubb at redhat.com
Thu Feb 12 17:43:03 UTC 2009
On Thursday 12 February 2009 12:01:33 pm Dan Gruhn wrote:
> I'm not much of a wiz at selinux, but I can tell that the audit_port_t type
> doesn't exist. I'm stuck here because:
>
> 1) I don;t know how to create new types in selinux
> 2) Even if I figured that out, I don't know how auditd would know to use
> that.
>
> I've looked at the auditd executable, it has types like this:
> -rwxr-x--- root root system_u:object_r:auditd_exec_t /sbin/auditd
>
> Could someone give me some pointers and/or point me to something I could
> read to get me going?
You need to be using the SE Linux policy from the 5.3 update. Before 5.3,
auditd never had a listening port and therefore selinux policy prior to it
wouldn't have setup that type. I also think SE Linux policy may default to
port 60 even though that port may not be guaranteed in the future.
Another thing that you should do on this is to setup the client's localport to
bind to a port below 1024 and then set the server's tcp_client_ports to check
that the ports are bound to that range as a security precaution.
-Steve
More information about the Linux-audit
mailing list