audisp-prelude problems

Loredan Stancu loredan.stancu at myclar.ro
Thu Dec 4 15:38:53 UTC 2008


On the same topic, I saw that the audisp-remote plugin can send events remotely
using a secure connection (transport = ssl in the audisp-remote.conf file).

When using tcp as the transport method, events arrive at the aggregation
auditd, but when using ssl no events arrive.

How can I use a secure connection to transmit events?


> On Thursday 04 December 2008 09:57:54 Loredan Stancu wrote:
>> Now I'll have to use the audisp-remote plugin to centralize events.
>
> One further refinement to what I said yesterday about remote logging. You
> probably want to set the local_port value to something < 1024 in the remote
> configuration files. Then in the aggregating auditd, set the
> tcp_client_ports to the same thing.
>
> This is a security feature to prevent random user space apps from trying
> audit log injection attacks. For experimenting or casual use you don't need
> to set these up, but for production use you must.
>
> If you use kerberos authentication, then you have even more protection. But
> setting up kerberos for this is a little more than I want to explain.
>
> -Steve
>
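
The following is an added example, not part of the original thread: a small shell check that the local_port / tcp_client_ports pairing described in the quoted reply is actually in place. The two key names come from the message; the file locations, the sample values and the helper names conf_get and check_ports are assumptions made for illustration.

```shell
#!/bin/sh
# conf_get FILE KEY: print the value of "KEY = value" (last match), skipping comments.
conf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        tolower(key) == tolower(k) { val = $2; gsub(/[ \t\r]/, "", val) }
        END { print val }' "$1"
}

# check_ports REMOTE_CONF AUDITD_CONF: return 0 only if the sender binds a fixed
# privileged source port and the aggregator accepts nothing but privileged ports.
check_ports() {
    lp=$(conf_get "$1" local_port)
    range=$(conf_get "$2" tcp_client_ports)
    case "$lp" in
        ''|*[!0-9]*) echo "local_port is not a fixed port: '$lp'"; return 1 ;;
    esac
    [ "$lp" -lt 1024 ] || { echo "local_port $lp is not privileged"; return 1; }
    case "$range" in
        ''|*[!0-9-]*) echo "tcp_client_ports unset or malformed: '$range'"; return 1 ;;
    esac
    lo=${range%%-*}; hi=${range##*-}    # a single value gives lo == hi
    [ -n "$lo" ] && [ -n "$hi" ] || { echo "tcp_client_ports malformed: '$range'"; return 1; }
    [ "$hi" -lt 1024 ] || { echo "aggregator accepts unprivileged ports ($range)"; return 1; }
    [ "$lp" -ge "$lo" ] && [ "$lp" -le "$hi" ] || {
        echo "local_port $lp is outside tcp_client_ports $range"; return 1; }
    echo "ok: local_port $lp within privileged range $range"
}

# Constructed sample configs (values are illustrative, not from the thread).
d=$(mktemp -d)
printf 'remote_server = 192.0.2.10\nport = 60\nlocal_port = 60\ntransport = tcp\n' \
    > "$d/audisp-remote.conf"
printf 'tcp_listen_port = 60\ntcp_client_ports = 1-1023\n' > "$d/auditd.conf"
check_ports "$d/audisp-remote.conf" "$d/auditd.conf" || true
```

Run it on a copy of the sender's audisp-remote.conf and the aggregator's auditd.conf; a non-zero return means an unprivileged process could still connect from an accepted source port.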




