audisp-prelude problems

LC Bruzenak lenny at magitekltd.com
Wed Dec 3 16:38:45 UTC 2008


On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:

> 
> I know how to activate the audisp-plugin, what I asked is how can I use it.
> 
> What I need is an example of an application which can stay on the remote
> host, listen for incoming events sent by audisp-remote plugin and store
> these events in a regular file.

OK.
That's what the auditd does if the remote host is also SELinux.

So - next questions:

* Is the remote host not an SELinux machine? You'd need to emulate the
protocol on the receive side.

* If it is an SELinux machine (F9/F10/other?), do you want the
originating events in a different place than the default? Like separated
by sending host instead of lumped together with the other audit?

If the latter is the case, there are ways of doing this now depending on
your intent. 

Also, this is an area Steve has discussed as possibly being open for modification.
The auditd on the aggregating side may be able to separate data based on
other criteria per user feedback.

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com



