audit messages to syslog
Kevin Fenzi
kevin at scrye.com
Sat Oct 15 17:13:00 UTC 2011
On Thu, 13 Oct 2011 10:16:38 +0200
Jan-Frode Myklebust <janfrode at tanso.net> wrote:
> On Wed, Oct 12, 2011 at 01:09:28PM -0600, Kevin Fenzi wrote:
> > >
> > > > Thoughts? downsides? Alternate plans?
> > >
> > > Auditd supports both logging to syslog
> > > (ref: /etc/audisp/plugins.d/syslog.conf) and to remote audit
> > > servers through audispd-plugins
> > > (/etc/audisp/plugins.d/au-remote.conf).
> > >
> > > Would it not be better to use one of those?
> >
> > Perhaps? What does that get us? Ability to filter?
> >
>
> I was thinking more about keeping the logs to be able to do data
> mining on them using aureport/ausearch, and that auditd is a
> powerful facility that should be used more -- not less. By turning
> off auditd you probably have the same data in the syslogs, but it
> will be harder to read and report on.
>
> "aureport --avc" -- selinux denials
> "aureport -l --failed" -- failed logins
> "aureport --auth --failed" -- failed authentication attempts
Sure, true... but I was hoping to use our existing epylog setup to also
report on them and give us 2x daily reports on them. ;)
I suppose it could be made to operate on the audit files as well.
We would need to set up a new server/port/firewall rule however?
I didn't find any good/easy/simple doc on setting up a central audit
server. Do you know of any? Otherwise I can set one up here at home and
play around with it.
Dumping to syslog is pretty easy to try too however....
> > What do we want to filter out?
>
> Not filter out, rather filter in. F.ex add a watcher on /etc to log
> when anything changes there:
>
> echo "-w /etc/ -p wa -k infrakey" >> /etc/audit/audit.rules
>
> Send this to a central auditd-server (or syslog server), and fire off
> alerts/notices whenever "ausearch -k infrakey" finds something.
Sure. Could be very handy in some cases...
kevin
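As an added illustration of the two ideas in this exchange (a keyed watch on /etc that should raise a notice whenever `ausearch -k infrakey` finds something, and the `aureport -l --failed` view of failed logins), here is a small Python parser for raw auditd records. It is not part of the thread and not Fedora infrastructure code; the sample records are constructed for the example and carry only a subset of the fields a real /var/log/audit/audit.log line has. The point it makes that the prose does not: one audit event is several records (SYSCALL, CWD, PATH, ...) sharing the same `msg=audit(<time>:<serial>)` stamp, and the `-k` key sits only on the SYSCALL record, so a report has to join records by serial before it can say which file under /etc changed and which login (auid) did it.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the thread or from any real host).
# Event 4567 is what the "-w /etc/ -p wa -k infrakey" watch would produce when
# root (auid=1000, i.e. alice after su) writes /etc/hosts with vim.
# Event 4568 is an unrelated read with no key; 4569 is a failed ssh login.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1318530940.123:4567): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="infrakey"
type=CWD msg=audit(1318530940.123:4567):  cwd="/root"
type=PATH msg=audit(1318530940.123:4567): item=0 name="/etc/" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1318530940.123:4567): item=1 name="/etc/hosts" inode=131157 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1318530941.500:4568): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=2001 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1318530941.500:4568): item=0 name="/home/alice/notes" inode=262401 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00
type=USER_LOGIN msg=audit(1318530950.001:4569): pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
"""

# Every audit record starts with type=... msg=audit(<epoch>:<serial>): followed
# by space-separated key=value fields; values may be "double" or 'single' quoted.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_record(line):
    """Parse one audit record into its type, timestamp, serial and fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("body")):
        # Strip the surrounding quotes so name="/etc/hosts" becomes /etc/hosts.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        fields[key] = value
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def parse_events(text):
    """Group records into events keyed by serial, as ausearch/aureport do."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def find_keyed_events(text, key):
    """Return one alert per event whose SYSCALL record carries the given -k key.

    This is the programmatic equivalent of "ausearch -k <key>": the key is on the
    SYSCALL record, the touched file names are on the PATH records of the same
    event, and auid (the login uid) tells you who did it even after su/sudo.
    """
    alerts = []
    for serial, records in sorted(parse_events(text).items()):
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall["fields"].get("key") != key:
            continue
        f = syscall["fields"]
        paths = [r["fields"]["name"] for r in records
                 if r["type"] == "PATH" and "name" in r["fields"]]
        alerts.append({"serial": serial, "ts": syscall["ts"],
                       "auid": f.get("auid"), "uid": f.get("uid"),
                       "exe": f.get("exe"), "comm": f.get("comm"),
                       "success": f.get("success"), "paths": paths})
    return alerts


def count_failed_logins(text):
    """Count USER_LOGIN records with res=failed, the figure "aureport -l --failed" tallies."""
    total = 0
    for records in parse_events(text).values():
        for r in records:
            if r["type"] == "USER_LOGIN" and "res=failed" in r["fields"].get("msg", ""):
                total += 1
    return total


if __name__ == "__main__":
    for alert in find_keyed_events(SAMPLE_AUDIT_LOG, "infrakey"):
        print("infrakey hit: serial=%d auid=%s uid=%s exe=%s paths=%s"
              % (alert["serial"], alert["auid"], alert["uid"], alert["exe"],
                 ", ".join(alert["paths"])))
    print("failed logins:", count_failed_logins(SAMPLE_AUDIT_LOG))
```

On a real host the input would be the contents of /var/log/audit/audit.log, or the copy forwarded through the audisp syslog plugin (in that case the syslog prefix in front of `type=` has to be stripped first; that prefix is an assumption about the local syslog format, not something the thread specifies). The same grouping-by-serial is what makes the records useful for an epylog-style periodic report rather than a flat line-by-line grep.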