Greetings. I'd like to try stopping auditd and having selinux audit messages go to rsyslog (and thus be captured over on log02). This way we can have epylog process those logs, and they can be remote so we have a remote copy of them. This may result in some noise, but I think we can improve the epylog selinux module and fix things, and it gives us another audit trail of things happening on the machines where selinux is enabled.

I think this should do it (in such a way we can easily back it out):

diff --git a/modules/audit/manifests/init.pp b/modules/audit/manifests/init.pp index 30f19c7..ced28a1 100644 --- a/modules/audit/manifests/init.pp +++ b/modules/audit/manifests/init.pp @@ -6,8 +6,8 @@ class audit::auditd { include audit::package service { auditd: - ensure => running, - enable => true, + ensure => stopped, + enable => false, require => Package['audit'] }

Thoughts? Downsides? Alternate plans?

kevin
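Review bot: the hunk only flips the `auditd` service to `ensure => stopped` / `enable => false`; there is no accompanying rsyslog change, so the stated goal (selinux audit messages reaching rsyslog and log02) is not actually established by this patch. Suggest pairing it with, or at least verifying on one selinux-enabled host before rolling out, that AVC records show up in the syslog stream once auditd is down and that the existing forwarding to log02 carries them. Back-out is indeed cheap, since `include audit::package` and the `require => Package['audit']` line are untouched and the service resource stays in place.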
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure