On Friday 04 January 2008 09:41:58 Enrico Scholz wrote:

> >> What else, besides selinux, is using auditd in Fedora right now or in
> >> the immediate future? (Since we're a distribution we don't count
> >> theoretical use cases I hope...)
> >
> > The audit logs are the collection point for all security relevant
> > events from
>
> that's a big problem with auditd: it supports only local logging and
> logfiles on compromised machines are worthless...

Sure, I agree. There is a plugin for ZOS systems in rawhide that does remote logging for the IBM RACF subsystem. I have also started a plugin that transfers audit events off the machine to a central audit daemon. It's slow going, but the pace of its development should pick up now.

> As 'auditd' "removes" log messages like AVC errors from normal log sources
> they are not visible for syslog anymore.

You can use the syslog plugin to wrap events back to syslog if you want them there as well. Enable it in /etc/audisp/plugins.d/syslog.conf

> Hence, it's better to disable auditd and read the raw data on the remote
> syslog server.

Maybe at this point yes, but it will be changing as the plugins are developed. If you do send events across via syslog, they won't be searchable unless you duplicate a lot of ausearch/aureport from scratch.

-Steve

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
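Steve's point that events forwarded over syslog are not searchable without reimplementing ausearch/aureport, as an added illustration that is not part of the original thread or of the audit project's code: a minimal parser that strips the syslog prefix, splits each audit record into fields and regroups records by their audit(timestamp:serial) event id, which is the core of what ausearch does on the central server. The sample syslog lines, hostnames and field values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape the audispd syslog plugin forwards:
# a syslog prefix, then the raw audit record. All values are made up.
SAMPLE_SYSLOG = """\
Jan  4 09:41:58 web1 audispd: node=web1 type=AVC msg=audit(1199461318.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Jan  4 09:41:58 web1 audispd: node=web1 type=SYSCALL msg=audit(1199461318.123:456): arch=c000003e syscall=2 success=no exit=-13 pid=2345 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="web-access"
Jan  4 09:42:10 web1 audispd: node=web1 type=USER_LOGIN msg=audit(1199461330.007:457): user pid=2400 uid=0 auid=500 msg='op=login acct="alice" exe="/usr/sbin/sshd" res=success'
"""

# Locate the audit record inside the syslog line and pull out the event id.
AUDIT_RE = re.compile(
    r"type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)")
# key=value pairs; values may be double- or single-quoted or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):
    """Return ((ts, serial), record dict) for one forwarded line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    rec = {"type": m.group("type")}
    for key, val in FIELD_RE.findall(body):
        rec[key] = val.strip("\"'")
    if rec["type"] == "AVC":  # keep the denied permission set, e.g. "read"
        perms = re.search(r"\{\s*([^}]*?)\s*\}", body)
        if perms:
            rec["perms"] = perms.group(1)
    inner = rec.get("msg")
    if inner:  # user-space records nest further fields inside msg='...'
        for key, val in FIELD_RE.findall(inner):
            rec.setdefault(key, val.strip("\"'"))
    return (m.group("ts"), m.group("serial")), rec

def group_events(text):
    """Group records that share one audit(ts:serial) id into an event."""
    events = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            events[parsed[0]].append(parsed[1])
    return events

def search(events, **criteria):
    """Event ids where every criterion matches some record of the event."""
    return sorted(eid for eid, recs in events.items()
                  if all(any(r.get(k) == v for r in recs)
                         for k, v in criteria.items()))
```

Grouping by event id is what lets a query such as search(events, type="AVC", comm="httpd") also return the SYSCALL record that carries the exe and audit key for the same denial.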