On Thu, 13 Oct 2011 10:16:38 +0200 Jan-Frode Myklebust <janfrode@xxxxxxxxx> wrote:

> On Wed, Oct 12, 2011 at 01:09:28PM -0600, Kevin Fenzi wrote:
> >
> > > > Thoughts? downsides? Alternate plans?
> > >
> > > Auditd supports both logging to syslog
> > > (ref: /etc/audisp/plugins.d/syslog.conf) and to remote audit
> > > servers through audispd-plugins
> > > (/etc/audisp/plugins.d/au-remote.conf).
> > >
> > > Would it not be better to use one of those ?
> >
> > Perhaps? What does that get us? Ability to filter?
> >
>
> I was thinking more about keeping the logs to be able to do data
> mining on them using aureport/ausearch, and that auditd is a
> powerful facility that should be used more -- not less. By turning
> off auditd you probably have the same data in the syslogs, but it
> will be harder to read and report on.
>
> "aureport --avc" -- selinux denials
> "aureport -l --failed" -- failed logins
> "aureport --auth --failed" -- failed authentication attempts

Sure, true... but I was hoping to use our existing epylog setup to also
report on them and give us 2x daily reports on them. ;)

I suppose it could be made to operate on the audit files as well.

We would need to set up a new server/port/firewall rule however?

I didn't find any good/easy/simple doc on setting up a central audit
server. Do you know of any? Otherwise I can set one up here at home and
play around with it. Dumping to syslog is pretty easy to try too
however....

> > What do we want to filter out?
>
> Not filter out, rather filter in. F.ex add a watcher on /etc to log
> when anything changes there:
>
> echo "-w /etc/ -p wa -k infrakey" >> /etc/audit/audit.rules
>
> Send this to a central auditd-server (or syslog server), and fire off
> alerts/notices whenever "ausearch -k infrakey" finds something.

Sure. Could be very handy in some cases...

kevin
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
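The thread's proposal is a watch rule (`-w /etc/ -p wa -k infrakey`) plus a periodic `ausearch -k infrakey` whose hits feed a report. The script below is an added example, written for this page and not taken from the thread, the audit project or Fedora infrastructure; it does offline what that pipeline does on a live host: it pulls every event carrying `key="infrakey"` out of audit.log-style text, joins each SYSCALL record with its PATH records by event serial, and produces one digest line per event, the shape a 2x-daily epylog-style report would carry. The field names (auid, uid, exe, comm, success, key, name) are the ones auditd writes; the log records themselves are constructed for the example and cover three things a practitioner wants to see handled: an event with `key=(null)` that must be dropped, a rename with several PATH records, and a failed write attempt (`success=no`), which a `-p wa` watch records as well as successful ones.

```python
"""Offline equivalent of `ausearch -k KEY` over audit.log text (added example)."""
import re

# auid=4294967295 is (unsigned)-1: no login uid was ever set, i.e. the process
# did not descend from an interactive login (daemon, cron, boot-time service).
AUID_UNSET = 4294967295

# Constructed sample in the shape of /var/log/audit/audit.log (not real data).
# Event 301 carries key=(null): it matched no keyed rule and must be ignored.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1318495200.101:300): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0000 a1=241 a2=1b6 a3=0 items=2 ppid=2201 pid=2210 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vim" exe="/usr/bin/vim" key="infrakey"
type=CWD msg=audit(1318495200.101:300):  cwd="/root"
type=PATH msg=audit(1318495200.101:300): item=0 name="/etc/ssh/" inode=131 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1318495200.101:300): item=1 name="/etc/ssh/sshd_config" inode=4242 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1318495201.500:301): arch=c000003e syscall=2 success=yes exit=4 a0=7fff0000 a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1318495201.500:301): item=0 name="/etc/hostname" inode=77 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1318495260.010:302): arch=c000003e syscall=82 success=yes exit=0 a0=7fff0000 a1=7fff0100 a2=0 a3=0 items=4 ppid=3000 pid=3010 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="mv" exe="/usr/bin/mv" key="infrakey"
type=PATH msg=audit(1318495260.010:302): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1318495260.010:302): item=1 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1318495260.010:302): item=2 name="/etc/sudoers.tmp" inode=5050 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1318495260.010:302): item=3 name="/etc/sudoers" inode=5050 dev=fd:01 mode=0100440 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1318495300.000:303): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0000 a1=241 a2=1b6 a3=0 items=1 ppid=4000 pid=4010 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts2 ses=6 comm="sh" exe="/usr/bin/bash" key="infrakey"
type=PATH msg=audit(1318495300.000:303): item=0 name="/etc/shadow" inode=99 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00
"""

# type=<RECORD> msg=audit(<secs>.<msecs>:<serial>): <key=value fields>
_HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# key=value where value is "quoted", (null), or a bare token
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\(null\)|\S+)')


def parse_fields(body):
    """Turn 'a=1 b="x y" c=(null)' into a dict, stripping quotes from strings."""
    out = {}
    for k, v in _FIELD_RE.findall(body):
        if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
            v = v[1:-1]
        out[k] = v
    return out


def parse_audit_log(text):
    """Group records by event serial: {serial: {'time', 'syscall', 'paths'}}."""
    events = {}
    for line in text.splitlines():
        m = _HEADER_RE.match(line)
        if not m:
            continue  # blank or non-audit line
        rtype, secs, _msecs, serial, body = m.groups()
        ev = events.setdefault(int(serial), {'time': int(secs), 'syscall': None, 'paths': []})
        fields = parse_fields(body)
        if rtype == 'SYSCALL':
            ev['syscall'] = fields
        elif rtype == 'PATH':
            ev['paths'].append(fields.get('name'))
    return events


def events_for_key(text, key):
    """What `ausearch -k KEY` selects: events whose SYSCALL record has key="KEY"."""
    hits = []
    for serial, ev in sorted(parse_audit_log(text).items()):
        sc = ev['syscall']
        if sc is None or sc.get('key') != key:
            continue
        hits.append({
            'serial': serial,
            'time': ev['time'],
            'auid': int(sc['auid']),
            'uid': int(sc['uid']),
            'exe': sc.get('exe'),
            'comm': sc.get('comm'),
            'success': sc.get('success') == 'yes',
            # directory entries end in '/'; keep only the files that were touched
            'files': sorted({p for p in ev['paths'] if p and not p.endswith('/')}),
        })
    return hits


def report(text, key):
    """One digest line per event.  Attribution uses auid (the login uid, which
    survives su/sudo) rather than uid, which is 0 for every root-level edit."""
    lines = []
    for h in events_for_key(text, key):
        who = 'no-login' if h['auid'] == AUID_UNSET else f"auid={h['auid']}"
        status = 'ok' if h['success'] else 'FAILED'
        lines.append(f"{h['time']} {status:6} {who:12} {h['exe']} -> {', '.join(h['files'])}")
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_AUDIT_LOG, 'infrakey')))
```

Records forwarded through the audisp syslog plugin keep this same `type=... msg=audit(...)` text, so the same parser applies to a central syslog copy; only the syslog prefix in front of each line changes. Note that the rule in the thread is appended to audit.rules so that it is reloaded at boot; a rule added with `auditctl` alone does not survive a restart.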