From: Steve Grubb
To: Mr Dash Four
Cc: linux-audit@redhat.com
Subject: Re: excluding auditd events
Date: Thu, 26 May 2011 10:16:13 -0400

On Thursday, May 26, 2011 10:07:57 AM Mr Dash Four wrote:
> > For ultimate protection, we suggest remote logging to a box that has
> > restricted access.
>
> That is certainly a possibility (but then again the box needs to be
> "secure"), though since I am not very familiar with the audit daemon
> I'll just ask - is the connection between the 2 daemons (on the secure
> box as well as the daemon sending the logs) encrypted so to prevent
> tampering in-route (man in the middle etc attacks)?

Sort of. We have Kerberos support, but it's not enabled at the moment. The
reason being is that the Kerberos libraries were in /usr/lib64, which is a big
problem if the audit system started before the nfs components (and it does). I
think the Kerberos libraries might have been moved so we could potentially turn
that on sometime soon - but I have not been updating or testing the code. If
you build your own packages, you can turn it on now.

-Steve