audit messages to syslog
Jan-Frode Myklebust
janfrode at tanso.net
Thu Oct 13 08:16:38 UTC 2011
On Wed, Oct 12, 2011 at 01:09:28PM -0600, Kevin Fenzi wrote:
> >
> > > Thoughts? downsides? Alternate plans?
> >
> > Auditd supports both logging to syslog
> > (ref: /etc/audisp/plugins.d/syslog.conf) and to remote audit servers
> > through audispd-plugins (/etc/audisp/plugins.d/au-remote.conf).
> >
> > Would it not be better to use one of those ?
>
> Perhaps? What does that get us? Ability to filter?
>
I was thinking more about keeping the logs to be able to do data mining
on them using aureport/ausearch, and that auditd is a powerful
facility that should be used more -- not less. By turning off auditd you
probably have the same data in the syslogs, but it will be harder to
read and report on.
"aureport --avc" -- selinux denials
"aureport -l --failed" -- failed logins
"aureport --auth --failed" -- failed authentication attempts
> What do we want to filter out?
Not filter out, rather filter in. F.ex add a watcher on /etc to log when
anything changes there:
echo "-w /etc/ -p wa -k infrakey" >> /etc/audit/audit.rules
Send this to a central auditd-server (or syslog server), and fire off
alerts/notices whenever "ausearch -k infrakey" finds something.
-jf
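As an added illustration of the alerting step described above (the `-w /etc/ -p wa -k infrakey` watch and "fire off alerts whenever ausearch -k infrakey finds something"), here is a small Python monitor that is not part of the original thread: it parses audit.log records, groups them by event serial and reports the events tagged with the key. The audit log lines, inode numbers and timestamps are constructed sample data, not output from a real system.

```python
"""Group auditd records into events and alert on those tagged with the watch key."""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not real system output):
# one event hits the /etc watch rule, the other is an unrelated login record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1318493798.123:4567): arch=c000003e syscall=2 success=yes exit=3 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="infrakey"
type=CWD msg=audit(1318493798.123:4567): cwd="/root"
type=PATH msg=audit(1318493798.123:4567): item=0 name="/etc/" inode=1 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1318493798.123:4567): item=1 name="/etc/passwd" inode=2 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=USER_LOGIN msg=audit(1318493801.500:4568): pid=6000 uid=0 auid=1000 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

# Every record starts with type=... msg=audit(<timestamp>:<serial>): followed by key=value fields.
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Yield (type, ts, serial, fields) for each well-formed audit record line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip unparsable lines instead of crashing the monitor
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        yield m.group('type'), m.group('ts'), m.group('serial'), fields

def events_for_key(text, key):
    """Assemble records sharing a serial into events; keep those whose SYSCALL carries `key`."""
    events = defaultdict(lambda: {'ts': None, 'records': []})
    for rtype, ts, serial, fields in parse_records(text):
        events[serial]['ts'] = ts
        events[serial]['records'].append((rtype, fields))
    matched = {}
    for serial, ev in events.items():
        syscalls = [f for t, f in ev['records'] if t == 'SYSCALL' and f.get('key') == key]
        if syscalls:
            matched[serial] = (ev['ts'], syscalls[0], ev['records'])
    return matched

def alerts_for_key(text, key='infrakey'):
    """One alert per matching event: who (auid), which binary, which paths under the watch were touched."""
    alerts = []
    for serial, (ts, sc, records) in sorted(events_for_key(text, key).items()):
        # PARENT entries name the watched directory itself; the other PATH records name the files.
        paths = [f['name'] for t, f in records if t == 'PATH' and f.get('nametype') != 'PARENT']
        alerts.append({'serial': serial, 'ts': ts, 'auid': sc.get('auid'), 'exe': sc.get('exe'),
                       'success': sc.get('success'), 'paths': paths})
    return alerts

if __name__ == '__main__':
    for a in alerts_for_key(SAMPLE_AUDIT_LOG):
        print(f"ALERT {a['ts']} auid={a['auid']} exe={a['exe']} success={a['success']} paths={a['paths']}")
```

On a real host the same functions can be fed the output of `ausearch -k infrakey --raw` instead of the constructed sample.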