On Wed, Oct 12, 2011 at 01:09:28PM -0600, Kevin Fenzi wrote:
> >
> > > Thoughts? downsides? Alternate plans?
> >
> > Auditd supports both logging to syslog
> > (ref: /etc/audisp/plugins.d/syslog.conf) and to remote audit servers
> > through audispd-plugins (/etc/audisp/plugins.d/au-remote.conf).
> >
> > Would it not be better to use one of those ?
>
> Perhaps? What does that get us? Ability to filter?
>

I was thinking more about keeping the logs to be able to do data mining on
them using aureport/ausearch, and that auditd is a powerful facility that
should be used more -- not less.

By turning off auditd you probably have the same data in the syslogs, but it
will be harder to read and report on.

  "aureport --avc"           -- selinux denials
  "aureport -l --failed"     -- failed logins
  "aureport --auth --failed" -- failed authentication attempts

> What do we want to filter out?

Not filter out, rather filter in. F.ex. add a watcher on /etc to log when
anything changes there:

  echo "-w /etc/ -p wa -k infrakey" >> /etc/audit/audit.rules

Send this to a central auditd-server (or syslog server), and fire off
alerts/notices whenever "ausearch -k infrakey" finds something.

-jf

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
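The alerting step sketched in the message above ("fire off alerts/notices whenever ausearch -k infrakey finds something") can be reproduced with a small script on a central log host, as an added example that is not part of the thread. It parses raw audit.log records the way ausearch does: records sharing one msg=audit(timestamp:serial) are one event, the SYSCALL record carries the actor (auid, uid, exe) and the rule key, and the PATH records name the files touched. Events whose key matches the watch rule are turned into one alert line each. The log lines are constructed sample data in the standard auditd format, not records from Fedora infrastructure; the key name "infrakey" and the watched paths are taken from the rule in the message.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit.log lines (not from the page): two events keyed by the
# rule "-w /etc/ -p wa -k infrakey" and one unrelated event with another key that
# must be ignored. Field sets are trimmed but follow the real record layout.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1318440000.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=241 a2=1b6 a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="vim" exe="/usr/bin/vim" key="infrakey"
type=CWD msg=audit(1318440000.123:4567): cwd="/root"
type=PATH msg=audit(1318440000.123:4567): item=0 name="/etc/" inode=100 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1318440000.123:4567): item=1 name="/etc/sudoers" inode=101 dev=fd:00 mode=0100440 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1318440050.500:4570): arch=c000003e syscall=2 success=yes exit=4 a0=7fff0 a1=0 a2=0 a3=0 items=1 ppid=1300 pid=1301 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="otherkey"
type=PATH msg=audit(1318440050.500:4570): item=0 name="/var/log/cron" inode=200 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1318440090.001:4580): arch=c000003e syscall=82 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=4 ppid=1400 pid=1401 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=6 comm="mv" exe="/usr/bin/mv" key="infrakey"
type=PATH msg=audit(1318440090.001:4580): item=0 name="/etc/" inode=100 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1318440090.001:4580): item=1 name="/etc/ssh/" inode=102 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1318440090.001:4580): item=2 name="/etc/ssh/sshd_config.new" inode=103 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1318440090.001:4580): item=3 name="/etc/ssh/sshd_config" inode=103 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

# key=value tokens; values are either double-quoted strings or bare words.
# (Real auditd hex-encodes names containing unprintable bytes without quotes;
# those come through as bare words here and are not decoded.)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch seconds>.<millis>:<serial>): identifies the event a record belongs to.
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\):')

UNSET_AUID = "4294967295"  # -1 as unsigned: no login session (daemon, boot-time)


def parse_record(line):
    """Turn one audit.log line into a dict of fields plus _ts and _serial."""
    m = MSG_RE.search(line)
    if not m:
        return None  # not an audit record
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def group_events(log_text):
    """Group records by serial number, as ausearch does, preserving file order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def find_key_events(log_text, key="infrakey"):
    """Return the events whose SYSCALL record carries the given rule key.

    Equivalent in spirit to `ausearch -k <key>`: one entry per event, with the
    actor from the SYSCALL record and the non-PARENT PATH entries it touched.
    """
    hits = []
    for serial, recs in sorted(group_events(log_text).items()):
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        paths = [(r["name"], r.get("nametype", "?")) for r in recs
                 if r.get("type") == "PATH" and r.get("nametype") != "PARENT"]
        hits.append({
            "serial": serial,
            "time": syscall["_ts"],
            "auid": syscall.get("auid"),
            "uid": syscall.get("uid"),
            "exe": syscall.get("exe"),
            "comm": syscall.get("comm"),
            "success": syscall.get("success"),
            "paths": paths,
        })
    return hits


def format_alert(hit):
    """One human-readable alert line per keyed event, suitable for mail or a pager."""
    who = f"auid={hit['auid']} uid={hit['uid']}"
    if hit["auid"] == UNSET_AUID:
        who += " (no login session)"
    files = ", ".join(f"{name} [{nt}]" for name, nt in hit["paths"]) or "(no path record)"
    ts = datetime.fromtimestamp(hit["time"], tz=timezone.utc).isoformat()
    return (f"{ts} serial={hit['serial']} {who} exe={hit['exe']} "
            f"comm={hit['comm']} success={hit['success']}: {files}")


if __name__ == "__main__":
    for hit in find_key_events(SAMPLE_AUDIT_LOG, "infrakey"):
        print(format_alert(hit))
```

In practice the script would read the log shipped by the au-remote plugin (or the syslog copy) instead of the embedded sample, and the keyed events would be forwarded to whatever notices the infrastructure team uses. Grouping by serial matters: a rename of a config file shows up as one event with a DELETE and a CREATE path record, and reporting on single lines would lose that relationship.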