audisp-prelude problems
Steve Grubb
sgrubb at redhat.com
Thu Dec 4 15:33:24 UTC 2008
On Thursday 04 December 2008 09:57:54 Loredan Stancu wrote:
> Now I'll have to user audisp-remote plugin to centralize events.
One further refinement to what I said yesterday about remote logging. You
probably want to set the local_port value to something < 1024 in the remote
configuration files. Then in the aggregating auditd, set the tcp_client_ports to
the same thing.
This is a security feature to prevent random user space apps from trying audit
log injection attacks. For experimenting or casual use you don't need to set
these up, but for production use you must.
If you use kerberos authentication, then you have even more protection. But
setting up kerberos for this is a little more than I want to explain.
-Steve
More information about the Linux-audit
mailing list