From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: audisp-prelude problems
Date: Thu, 4 Dec 2008 10:33:24 -0500
Message-ID: <200812041033.24734.sgrubb@redhat.com>
References: <57942.193.230.245.33.1228402674.squirrel@secure.myclar.ro>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <57942.193.230.245.33.1228402674.squirrel@secure.myclar.ro>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Loredan Stancu <loredan.stancu@myclar.ro>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 04 December 2008 09:57:54 Loredan Stancu wrote:
> Now I'll have to user =A0audisp-remote plugin to centralize events.

One further refinement to what I said yesterday about remote logging. You=
=20
probably want to set the local_port value to something < 1024 in the remo=
te=20
configuration files. Then in the aggregating auditd, set the tcp_client_p=
orts to=20
the same thing.

This is a security feature to prevent random user space apps from trying =
audit=20
log injection attacks. For experimenting or casual use you don't need to =
set=20
these up, but for production use you must.

If you use kerberos authentication, then you have even more protection. B=
ut=20
setting up kerberos for this is a little more than I want to explain.

-Steve