Disabling selinux question

Steve Grubb sgrubb at redhat.com
Fri Jan 4 15:00:14 UTC 2008


On Friday 04 January 2008 09:41:58 Enrico Scholz wrote:
> >> What else, besides selinux, is using auditd in Fedora right now or in
> >> the immediate future? (Since we're a distribution we don't count
> >> theoretical use cases I hope...)
> >
> > The audit logs are the collection point for all security relevant
> > events from
>
> that's a big problem with auditd: it supports only local logging and
> logfiles on compromised machines are worthless...

Sure, I agree. There is a plugin for ZOS systems in rawhide that does remote 
logging for the IBM RACF subsystem. I have also started a plugin that 
transfers audit events off the machine to a central audit daemon. It's slow 
going, but the pace of its development should pick up now.


> As 'auditd' "removes" log messages like AVC errors from normal log sources
> they are not visible for syslog anymore.

You can use the syslog plugin to wrap events back to syslog if you want them 
there as well. Enable it in /etc/audisp/plugins.d/syslog.conf


> Hence, it's better to disable auditd and read the raw data on the remote
> syslog server.

Maybe at this point yes, but it will be changing as the plugins are developed. 
If you do send events across via syslog, they won't be searchable unless you 
duplicate a lot of ausearch/aureport from scratch.

-Steve
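
The point above about syslog-forwarded events not being searchable, as an added example that is not part of the original message or of the audit project's code: a minimal Python sketch of the correlation ausearch performs, grouping records by their `audit(timestamp:serial)` ID and matching on fields. The sample lines, the `audispd:` syslog tag, and the function names `parse_events` and `search` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a central syslog file (not captured from a real host).
SAMPLE = [
    'Jan  4 15:00:14 web1 audispd: type=AVC msg=audit(1199458814.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Jan  4 15:00:14 web1 audispd: type=SYSCALL msg=audit(1199458814.123:456): arch=40000003 syscall=5 success=no exit=-13 pid=2345 uid=48 comm="httpd" exe="/usr/sbin/httpd"',
    'Jan  4 15:00:20 web1 audispd: type=AVC msg=audit(1199458820.500:457): avc:  denied  { write } for  pid=3001 comm="named" name="named.pid" scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'Jan  4 15:00:21 web1 sshd[3001]: Failed password for root from 192.0.2.10',
]

# Record header: type, then the event ID "audit(<epoch>.<ms>:<serial>)".
HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
# key=value pairs; values are either double-quoted or run to the next space.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(lines):
    """Group audit records by event ID; non-audit syslog lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = HEADER.search(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        record = {k: v.strip('"') for k, v in FIELD.findall(body)}
        record["type"] = rtype
        events[f"{ts}:{serial}"].append(record)
    return dict(events)

def search(events, **criteria):
    """Return IDs of events where every criterion matches some record.

    Criteria may be satisfied by different records of the same event,
    e.g. type from the AVC record and exe from its SYSCALL record.
    """
    return [
        eid for eid, records in sorted(events.items())
        if all(any(r.get(k) == v for r in records) for k, v in criteria.items())
    ]

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for eid in search(evs, type="AVC", exe="/usr/sbin/httpd"):
        print(eid, [r["type"] for r in evs[eid]])
```
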



