[PATCH] Add auditd listener and remote audit protocol

LC Bruzenak lenny at magitekltd.com
Tue Sep 29 19:14:05 UTC 2009


On Tue, 2009-09-29 at 14:51 -0400, Norman Mark St. Laurent wrote:
> Hi LCB,
> 
> I hope I answer you correctly...
> 
> I would look in your /etc/audisp/audisp-remote.conf file and note the 
> port you communicate on, as an alternate you can grab the port with 
> "lsof -i -nP" or "netstat -taupe".  Then you can use tcpdump to watch 
> the connections.
> 
> #tcpdump -i eth0 port 1001     -->  or whatever port you have set up to 
> send the remote data on and the correct nic.
> 
> Sounds like this could help you out.
> 
> Norman Mark St. Laurent
> Conceras | Chief Technology Officer and ISSE
> Phone:  703-965-4892
> Email:  mstlaurent at conceras.com
> Web:  http://www.conceras.com
> 
> Connect. Collaborate. Conceras.
> 
> 
> 
> LC Bruzenak wrote:
> > On Thu, 2008-08-14 at 19:31 -0500, LC Bruzenak wrote:
> >> On Thu, 2008-08-14 at 20:27 -0400, Steve Grubb wrote:
> >>> On Thursday 14 August 2008 20:22:24 LC Bruzenak wrote:
> >>>> I think you have a good point - this is the first cut and maybe
> >>>> later on institute a "replay daemon" or something which can send
> >>>> events on reconnect.
> >>>>
> >>> Note that all audispd plugins take their input from stdin. At the
> >>> worst, if you had the time hacks, you could
> >>>
> >>> ausearch --start <time> --end <time> --raw | /sbin/audisp-remote
> >>>
> >>> -Steve
> >>>
> >
> > Steve,
> >
> > I have been doing this but I really cannot tell if the audisp-remote
> > connection succeeds; it returns "0" either way.
> > Would there be an easy way to return a non-zero failure indicator?
> >
> > Thx,
> > LCB.
> >

Norman,

Thanks for the reply, but I wasn't quite clear enough.
The context of this is within a recovery script, so I'm concerned that I
can get the return value of the audisp-remote within the script to
decide if the recovery was successful or if it failed.

I don't think that was clear above; my apologies since the conversation
I referenced was > 1 year old.

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
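
As an added example (not code from the thread), the replay step from Steve's one-liner wrapped for use in a recovery script. It assumes ausearch and audisp-remote live in /sbin and that audisp-remote reports a failed connection through a non-zero exit status, which this thread says it does not yet do; the spool file, the function name and the return codes are this example's own conventions.

```sh
#!/bin/sh
# Replay audit records from a time window into audisp-remote and report a
# distinct status for each stage. Tool paths are assumed; override them via
# the environment. The spool file, function name and return codes are this
# example's own conventions, not anything from the audit package.
AUSEARCH=${AUSEARCH:-/sbin/ausearch}
AUDISP_REMOTE=${AUDISP_REMOTE:-/sbin/audisp-remote}

# replay_window START END
#   0: records sent    2: ausearch failed    3: audisp-remote failed
# The search output is spooled to a file rather than piped straight into
# audisp-remote so that the search status is not lost ($? after a pipeline
# is only the last command's) and so the records survive for a retry when
# the remote stage fails.
replay_window() {
    start=$1
    end=$2
    spool=$(mktemp) || return 2
    "$AUSEARCH" --start "$start" --end "$end" --raw > "$spool"
    search_rc=$?
    if [ "$search_rc" -ne 0 ]; then
        # ausearch exits non-zero on error, and also when nothing matched
        echo "replay: ausearch exited $search_rc for $start..$end" >&2
        rm -f "$spool"
        return 2
    fi
    "$AUDISP_REMOTE" < "$spool"
    remote_rc=$?
    if [ "$remote_rc" -ne 0 ]; then
        echo "replay: audisp-remote exited $remote_rc; spool kept in $spool" >&2
        return 3
    fi
    rm -f "$spool"
    return 0
}

# Usage: replay.sh START END   (same time syntax as ausearch --start/--end)
if [ "$#" -eq 2 ]; then
    replay_window "$1" "$2"
fi
```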
