public inbox for linux-audit@redhat.com
* Diskless workstation audit advice
@ 2014-05-26 20:39 Burn Alting
  2014-05-27 15:24 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Burn Alting @ 2014-05-26 20:39 UTC (permalink / raw)
  To: linux-audit

Hi All,

I have some diskless workstations upon which I wish to collect audit.
Once a workstation is running, I periodically transmit audit in
compressed batches of enriched audit (i.e. "ausearch -i" output is
sent).

My question is:
To collect AND transmit audit until the last possible moment, is the
logical place to perform the last collection and transmission operation
within the 'stop' function of /etc/init.d/auditd ?

The enrichment (calling ausearch -i) rules out syslog.

Thanks in advance

Burn


* Re: Diskless workstation audit advice
  2014-05-26 20:39 Diskless workstation audit advice Burn Alting
@ 2014-05-27 15:24 ` Steve Grubb
  2014-05-27 21:09   ` Burn Alting
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2014-05-27 15:24 UTC (permalink / raw)
  To: burn; +Cc: linux-audit

On Tuesday, May 27, 2014 06:39:36 AM Burn Alting wrote:
> My question is:
> To collect AND transmit audit until the last possible moment, is the
> logical place to perform the last collection and transmission operation
> within the 'stop' function of /etc/init.d/auditd ?
> 
> The enrichment (calling ausearch -i) rules out syslog.

For sysVinit systems, yes.

-Steve

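The arrangement Steve confirms above, a final collect-and-ship step run from the sysVinit stop action, written out as an added example; it is not code from this thread or from the audit project. It assumes the log files are read through ausearch's --input-logs, that the installed audit release supports ausearch --checkpoint (otherwise the whole log is re-sent), that /var/spool/audit-ship is the local spool, and that a site-specific transport command (SHIP_CMD, here the hypothetical /usr/local/sbin/ship-audit-batch) accepts one batch file path. The function is meant to be called from stop() after killproc has returned, so auditd has flushed its last records but the log files, on tmpfs on a diskless host, still exist.

```shell
#!/bin/sh
# Added example, not from the thread or the audit project: a final collect-and-ship
# hook for the 'stop' action of a sysVinit /etc/init.d/auditd on a diskless host.
# Assumptions: ausearch supports --checkpoint, the spool path below, and SHIP_CMD
# (a hypothetical transport that takes one batch file path).

SPOOL_DIR=${SPOOL_DIR:-/var/spool/audit-ship}
CHECKPOINT=${CHECKPOINT:-$SPOOL_DIR/ausearch.checkpoint}
AUSEARCH=${AUSEARCH:-ausearch}                  # overridable so the logic can be exercised without auditd
COMPRESS=${COMPRESS:-gzip -c}                    # filter used to compress a batch
SHIP_CMD=${SHIP_CMD:-/usr/local/sbin/ship-audit-batch}   # hypothetical site transport

# Enrich every record not yet shipped (ausearch -i) and write one compressed batch.
# Prints the batch path on success; returns 1 when there is nothing new to send.
make_final_batch() {
    mkdir -p "$SPOOL_DIR" || return 2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$SPOOL_DIR/audit-$stamp-$$.gz"
    # --input-logs reads the files named in auditd.conf; --checkpoint skips records
    # already reported by an earlier run and then stores the new position. ausearch
    # exits 1 and prints "<no matches>" on stderr when nothing is new, so stderr is
    # silenced here and the empty-output check below decides.
    "$AUSEARCH" -i --input-logs --checkpoint "$CHECKPOINT" > "$out.raw" 2>/dev/null || :
    if [ ! -s "$out.raw" ]; then
        rm -f "$out.raw"
        return 1
    fi
    $COMPRESS < "$out.raw" > "$out" || { rm -f "$out" "$out.raw"; return 2; }
    rm -f "$out.raw"
    printf '%s\n' "$out"
}

# To be called from stop() after 'killproc auditd' has returned: the daemon has
# flushed its buffers, but the log files (tmpfs on a diskless host) still exist.
# Nothing new is not an error at shutdown. A transport failure is reported and
# returned as 1 so stop() can log it without aborting the shutdown sequence.
final_collect_and_ship() {
    batch=$(make_final_batch) || return 0
    $SHIP_CMD "$batch" || { echo "auditd stop: shipping $batch failed" >&2; return 1; }
}
```

In the init script this goes right after killproc in stop(), before the lock file is removed, and its return value should be logged rather than folded into the script's own exit status. Anything the kernel emits after auditd has exited is no longer written to the audit log and so is not picked up by this step.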

* Re: Diskless workstation audit advice
  2014-05-27 15:24 ` Steve Grubb
@ 2014-05-27 21:09   ` Burn Alting
  0 siblings, 0 replies; 3+ messages in thread
From: Burn Alting @ 2014-05-27 21:09 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Thanks Steve.

On Tue, 2014-05-27 at 11:24 -0400, Steve Grubb wrote:
> On Tuesday, May 27, 2014 06:39:36 AM Burn Alting wrote:
> > My question is:
> > To collect AND transmit audit until the last possible moment, is the
> > logical place to perform the last collection and transmission operation
> > within the 'stop' function of /etc/init.d/auditd ?
> > 
> > The enrichment (calling ausearch -i) rules out syslog.
> 
> For sysVinit systems, yes.
> 
> -Steve

