audit messages to syslog

Kevin Fenzi kevin at scrye.com
Sat Oct 15 17:13:00 UTC 2011


On Thu, 13 Oct 2011 10:16:38 +0200
Jan-Frode Myklebust <janfrode at tanso.net> wrote:

> On Wed, Oct 12, 2011 at 01:09:28PM -0600, Kevin Fenzi wrote:
> > >
> > > > Thoughts? downsides? Alternate plans?
> > > 
> > > Auditd supports both logging to syslog
> > > (ref: /etc/audisp/plugins.d/syslog.conf) and to remote audit
> > > servers through audispd-plugins
> > > (/etc/audisp/plugins.d/au-remote.conf).
> > > 
> > > Would it not be better to use one of those ?
> > 
> > Perhaps? What does that get us? Ability to filter? 
> > 
> 
> I was thinking more about keeping the logs to be able to do data
> mining on them using aureport/ausearch, and that auditd is a
> powerful facility that should be used more -- not less. By turning
> off auditd you probably have the same data in the syslogs, but it
> will be harder to read and report on.
> 
> 	"aureport --avc"  -- selinux denials
> 	"aureport -l --failed" -- failed logins
> 	"aureport --auth --failed" -- failed authentication attempts

Sure, true... but I was hoping to use our existing epylog setup to also
report on them and give us 2x daily reports on them. ;)

I suppose it could be made to operate on the audit files as well. 

We would need to set up a new server/port/firewall rule however?
I didn't find any good/easy/simple doc on setting up a central audit
server. Do you know of any? Otherwise I can set one up here at home and
play around with it.

Dumping to syslog is pretty easy to try too however.... 

> > What do we want to filter out?
> 
> Not filter out, rather filter in. E.g. add a watcher on /etc to log
> when anything changes there:
> 
> 	echo "-w /etc/ -p wa -k infrakey" >> /etc/audit/audit.rules
> 
> Send this to a central auditd-server (or syslog server), and fire off
> alerts/notices whenever "ausearch -k infrakey" finds something. 

Sure. Could be very handy in some cases...

kevin
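The "filter in" workflow Jan-Frode sketches above (a keyed watch on /etc, then pulling the tagged records back out to alert on), as an added example that is not from the thread or from the Fedora infrastructure configuration. It assumes a stock auditd layout (rules in /etc/audit/audit.rules, records in /var/log/audit/audit.log); the log records below are constructed samples, simplified from the real record format, and the function name infrakey_events is my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Watches /etc for writes and
# attribute changes under a key, then reports the tagged events.

AUDIT_KEY="infrakey"

# 1. The watch rule quoted in the thread. Appending to the rules file makes it
#    persist across reboots; auditctl loads it immediately. Both lines are
#    commented out so this script runs unprivileged; uncomment on a real host.
#   echo "-w /etc/ -p wa -k $AUDIT_KEY" >> /etc/audit/audit.rules
#   auditctl -w /etc/ -p wa -k "$AUDIT_KEY"
#   auditctl -l                      # confirm the rule is loaded

# 2. On a live host the tagged records come back with:
#   ausearch -k "$AUDIT_KEY" -i

# 3. Offline equivalent over raw records, e.g. from a copied audit.log or from
#    lines forwarded by the audisp syslog plugin (the key=value body is the
#    same either way). Joins each keyed SYSCALL record to its PATH record by
#    the event serial and prints: serial, auid, command, path.
infrakey_events() {
    awk -v key="$AUDIT_KEY" '
        # "msg=audit(1318700000.123:4501):" -> "4501"
        function serial(line,   m) {
            m = line
            sub(/^.*msg=audit\([0-9.]+:/, "", m)
            sub(/\).*$/, "", m)
            return m
        }
        # value of name=... on the line, quotes stripped, "?" if absent
        function field(line, name,   m) {
            m = line
            if (!sub("^.*" name "=", "", m)) return "?"
            sub(/ .*$/, "", m)
            gsub(/"/, "", m)
            return m
        }
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            s = serial($0)
            auid[s] = field($0, "auid")
            comm[s] = field($0, "comm")
        }
        $1 == "type=PATH" {
            s = serial($0)
            if (s in auid)
                print s, "auid=" auid[s], "comm=" comm[s], "path=" field($0, "name")
        }'
}

# Constructed sample records (simplified audit.log format). Events 4501 and
# 4503 carry the key; 4502 is an unrelated failed-login record and must not
# be reported.
SAMPLE_LOG='type=SYSCALL msg=audit(1318700000.123:4501): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="infrakey"
type=PATH msg=audit(1318700000.123:4501): item=1 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1318700100.555:4502): pid=1300 uid=0 auid=4294967295 ses=4294967295 op=login acct="root" exe="/usr/sbin/sshd" addr=10.0.0.5 terminal=ssh res=failed
type=SYSCALL msg=audit(1318700200.777:4503): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=1200 pid=1210 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="infrakey"
type=PATH msg=audit(1318700200.777:4503): item=0 name="/etc/shadow" inode=132 dev=08:01 mode=0100000 ouid=0 ogid=0'

# Stand-alone run: feed the samples through the reporter. On a host this
# would be `infrakey_events < /var/log/audit/audit.log`, or the output piped
# to whatever sends the notice.
printf '%s\n' "$SAMPLE_LOG" | infrakey_events
```

Two things worth noting before wiring this into alerting: the auid is the login uid, so it still names the admin who became root with sudo, which is what you want in the notice; and if the syslog route is chosen (setting `active = yes` in /etc/audisp/plugins.d/syslog.conf), the same records land in the syslog stream alongside everything else, so keep the key on the rule so they can still be picked out there.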