Re: audit messages to syslog

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Oct 12, 2011 at 01:09:28PM -0600, Kevin Fenzi wrote:
> >
> > > Thoughts? downsides? Alternate plans?
> > 
> > Auditd supports both logging to syslog
> > (ref: /etc/audisp/plugins.d/syslog.conf) and to remote audit servers
> > trough audispd-plugins (/etc/audisp/plugins.d/au-remote.conf).
> > 
> > Would it not be better to use one of those ?
> 
> Perhaps? What does that get us? Ability to filter? 
> 

I was thinking more about keeping the logs to be able to do data mining
on them using aureport/ausearch, and that auditd is a powerfull 
facility that should be used more -- not less. By turning off auditd you
probably have the same data in the syslogs, but it will be harder to
read and report on.

	"aureport --avc"  -- selinux denials
	"aureport -l --failed" -- failed logins
	"aureport --auth --failed" -- failed authentication attempts

> What do we want to filter out?

Not filter out, rather filter in. F.ex add a watcher on /etc to log when
anything changes there:

	echo "-w /etc/ -p wa -k infrakey" >> /etc/audit/audit.rules

Send this to a central auditd-server (or syslog server), and fire off
alerts/notices whenever "ausearch -k infrakey" finds something. 


  -jf
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure


[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux