Hello,

I just wanted to drop a line to mention a new plugin that I've created for the audit event dispatcher that can pick off AVCs and format a message for the prelude IDS system via IDMEF. This is available in audit-1.6.6.tar.gz. This is in the latest audit package on rawhide. To test it, you have to put SELinux in permissive mode for now since we don't have policy around it yet.

I have started a prelude HOWTO here: http://people.redhat.com/sgrubb/audit/prelude.txt

This plugin + prelude will allow an admin to watch a whole roomful of computers if they are configured to send events to a common prelude manager. The plugin also detects and sends IDMEF events for apps that terminate abnormally (gcc stack overflow/glibc FORTIFY_SOURCE/plain old segfault), logins, MAX failed logins reached, MAX concurrent sessions reached, and AVCs.

I am open to feedback on the message as this is proof of concept right now. I will be enhancing the plugin to detect more events and give better information.

Thanks,
-Steve
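As an added illustration (not code from the plugin or the audit package), the sketch below sorts raw audit records into the event classes the message lists, keyed on the standard audit record types. The class labels, the alert dictionary layout and the sample records are assumptions made for this example; the plugin's actual IDMEF output is not shown on this page.

```python
import re
# Audit record types for the event classes named in the announcement.
# The labels are this example's wording, not the plugin's IDMEF text.
CLASSES = {
    "AVC": "SELinux AVC denial",
    "ANOM_ABEND": "abnormal program termination",
    "USER_LOGIN": "login",
    "ANOM_LOGIN_FAILURES": "max failed logins reached",
    "ANOM_LOGIN_SESSIONS": "max concurrent sessions reached",
}
HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")

def parse_record(line):
    # Split one record into its type, event serial and key=value fields.
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return {"type": rtype, "serial": int(serial), "fields": fields, "body": body}

def classify(lines):
    # Return one alert dict per record whose type is in CLASSES.
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] not in CLASSES:
            continue  # malformed line, or a record type we do not alert on
        f = rec["fields"]
        alert = {"serial": rec["serial"], "class": CLASSES[rec["type"]], "comm": f.get("comm")}
        if rec["type"] == "AVC":
            perms = re.search(r"\{ ([^}]*) \}", rec["body"])
            alert["detail"] = {"perms": perms.group(1).split() if perms else [],
                               "scontext": f.get("scontext"), "tcontext": f.get("tcontext")}
        elif rec["type"] == "ANOM_ABEND":
            alert["detail"] = {"signal": f.get("sig")}
        elif rec["type"] == "USER_LOGIN":
            alert["detail"] = {"acct": f.get("acct"), "result": f.get("res")}
        alerts.append(alert)
    return alerts

# Constructed sample records (not captured from a real system).
SAMPLE = """
type=AVC msg=audit(1200000000.123:101): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev=dm-0 ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=ANOM_ABEND msg=audit(1200000001.456:102): auid=500 uid=500 gid=500 pid=3456 comm="a.out" sig=11
type=SYSCALL msg=audit(1200000002.000:103): arch=c000003e syscall=2 success=yes exit=3 pid=3500 comm="cat"
type=USER_LOGIN msg=audit(1200000003.789:104): pid=4000 uid=0 auid=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
""".strip().splitlines()
```

Calling `classify(SAMPLE)` yields three alerts; the `SYSCALL` record is skipped because its type is not one of the listed classes.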