excluding auditd events

Steve Grubb sgrubb at redhat.com
Thu May 26 14:16:13 UTC 2011


On Thursday, May 26, 2011 10:07:57 AM Mr Dash Four wrote:
> >  For ultimate protection, we suggest remote logging to a box that has 
> > restricted access.
> 
> That is certainly a possibility (but then again the box needs to be 
> "secure"), though since I am not very familiar with the audit daemon 
> I'll just ask - is the connection between the 2 daemons (on the secure 
> box as well as the daemon sending the logs) encrypted so as to prevent 
> tampering en route (man-in-the-middle etc. attacks)?

Sort of. We have Kerberos support, but it's not enabled at the moment. The reason 
is that the Kerberos libraries were in /usr/lib64, which is a big problem if the audit 
system started before the NFS components (and it does). I think the Kerberos libraries 
might have been moved so we could potentially turn that on sometime soon - but I have 
not been updating or testing the code. If you build your own packages, you can turn it 
on now.

-Steve



