On Tue, 2011-10-11 at 13:56 -0600, Kevin Fenzi wrote:
> Greetings.
>
> I'd like to try stopping auditd and having selinux audit messages go to
> rsyslog (and thus be captured over on log02). This way we can have
> epylog process those logs, they can be remote so we can have a remote
> copy of them.
>
> This may result in some noise, but I think we can improve the epylog
> selinux module and fix things, and it gives us another audit trail of
> things happening on the machines where selinux is enabled.
>
> I think this should do it (in such a way we can easily back it out):
>
> diff --git a/modules/audit/manifests/init.pp b/modules/audit/manifests/init.pp
> index 30f19c7..ced28a1 100644
> --- a/modules/audit/manifests/init.pp
> +++ b/modules/audit/manifests/init.pp
> @@ -6,8 +6,8 @@ class audit::auditd {
> include audit::package
>
> service { auditd:
> - ensure => running,
> - enable => true,
> + ensure => stopped,
> + enable => false,
> require => Package['audit']
> }
>
> Thoughts? downsides? Alternate plans?

Downsides: it is A LOT of traffic. We should keep a close eye on how much noise it generates.

-sv
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
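Review bot: the hunk flips `ensure`/`enable` on the auditd service but adds no comment in the manifest recording why auditd is deliberately kept stopped (so audit records fall through to rsyslog for epylog and log02) or that the change is meant to be easy to back out, so a later reader of `init.pp` may simply "fix" it back to `running`/`true`; suggest a one-line comment above `service { auditd:` stating the intent. Note also that the class is still named `audit::auditd` and still does `include audit::package` with `require => Package['audit']`, so the package keeps being installed while its service is held off, which is fine for reverting but worth saying in that comment.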
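Seth's point about volume is easy to measure once the records are landing in syslog. As an added example that is not code from this thread, from epylog or from Fedora infrastructure, here is a small Python parser that picks kernel AVC lines out of syslog text and counts denials per host and per source type, target type, class and permission set, so the noisiest rules stand out; the sample log lines are constructed to look like what the kernel prints when auditd is not running.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from any real host). With auditd
# stopped, the kernel's AVC records reach rsyslog via the kernel log, prefixed
# with the usual syslog timestamp, hostname and "kernel:" tag.
SAMPLE_LOG = """\
Oct 11 14:02:11 app01 kernel: type=1400 audit(1318363331.412:5120): avc:  denied  { read } for  pid=2134 comm="httpd" name="index.html" dev=dm-0 ino=393219 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Oct 11 14:02:12 app01 kernel: type=1400 audit(1318363332.002:5121): avc:  denied  { read } for  pid=2134 comm="httpd" name="style.css" dev=dm-0 ino=393220 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Oct 11 14:02:15 app01 kernel: type=1400 audit(1318363335.719:5122): avc:  denied  { name_connect } for  pid=2134 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
Oct 11 14:02:15 db01 kernel: type=1300 audit(1318363335.720:77): arch=c000003e syscall=42 success=no exit=-13
Oct 11 14:02:16 app01 sshd[3001]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

# type=1400 is the AVC record type; everything after "for" is key=value pairs.
AVC_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC line, or None if it is not an AVC."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec.update(m.groupdict())            # syslog header wins on any key clash
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    return rec


def summarize(lines):
    """Count denials by (host, source type, target type, tclass, perms).
    Returns (Counter, number of lines that were not AVC denials)."""
    counts, other = Counter(), 0
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            other += 1
            continue
        key = (rec["host"], rec["scontext"].split(":")[2],
               rec["tcontext"].split(":")[2], rec["tclass"], rec["perms"])
        counts[key] += 1
    return counts, other


if __name__ == "__main__":
    totals, skipped = summarize(SAMPLE_LOG.splitlines())
    for key, n in totals.most_common():
        print(n, *key)
    print("non-denial lines:", skipped)
```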