From: "Loredan Stancu"
Subject: Re: audisp-prelude problems
Date: Thu, 4 Dec 2008 17:38:53 +0200 (EET)
Message-ID: <48048.193.230.245.33.1228405133.squirrel@secure.myclar.ro>
To: Steve Grubb
Cc: linux-audit@redhat.com

On the same topic, I saw that the audisp-remote plugin can send events remotely using a secure connection (transport = ssl in the audisp-remote.conf file). When using tcp as a transport method, events arrive at the aggregation auditd, but when using ssl no events arrive. How can I use a secure connection to transmit events?

> On Thursday 04 December 2008 09:57:54 Loredan Stancu wrote:
>> Now I'll have to use the audisp-remote plugin to centralize events.
>
> One further refinement to what I said yesterday about remote logging. You
> probably want to set the local_port value to something < 1024 in the remote
> configuration files. Then in the aggregating auditd, set the
> tcp_client_ports to the same thing.
>
> This is a security feature to prevent random user space apps from trying
> audit log injection attacks. For experimenting or casual use you don't need
> to set these up, but for production use you must.
>
> If you use Kerberos authentication, then you have even more protection. But
> setting up Kerberos for this is a little more than I want to explain.
>
> -Steve
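The port pairing described in the quoted reply can be checked mechanically. The following is an added example, not part of the original thread and not code from the audit project: a small lint that reads the text of a client's audisp-remote.conf and the aggregator's auditd.conf and reports when local_port is not a fixed privileged port or is not covered by tcp_client_ports. The function names, addresses and port numbers in the sample configurations are constructed for illustration.

```python
def parse_conf(text):
    """Parse the 'key = value' lines used by auditd.conf and audisp-remote.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def port_range(value):
    """tcp_client_ports is a single number or 'low-high' with no spaces."""
    low, _, high = value.partition("-")
    return int(low), int(high) if high else int(low)

def check_ports(remote_conf, auditd_conf):
    """Return a list of findings; an empty list means the pairing is consistent."""
    findings = []
    local = parse_conf(remote_conf).get("local_port", "any")
    allowed = parse_conf(auditd_conf).get("tcp_client_ports")
    fixed = local.isdigit()
    if not fixed:
        findings.append("client: local_port is not a fixed port (%s)" % local)
    elif int(local) >= 1024:
        findings.append("client: local_port %s can be bound without root" % local)
    if allowed is None:
        findings.append("aggregator: tcp_client_ports unset, any source port accepted")
    else:
        low, high = port_range(allowed)
        if high >= 1024:
            findings.append("aggregator: tcp_client_ports admits unprivileged ports")
        if fixed and not low <= int(local) <= high:
            findings.append("mismatch: local_port %s outside %s" % (local, allowed))
    return findings

# Constructed sample configurations (addresses and ports are placeholders).
WEAK_REMOTE = "remote_server = 192.0.2.10\nport = 60\nlocal_port = any\ntransport = tcp\n"
WEAK_AUDITD = "tcp_listen_port = 60\n"
HARDENED_REMOTE = "remote_server = 192.0.2.10\nport = 60\nlocal_port = 61\ntransport = tcp\n"
HARDENED_AUDITD = "# aggregator\ntcp_listen_port = 60\ntcp_client_ports = 61\n"

if __name__ == "__main__":
    for name, pair in (("weak", (WEAK_REMOTE, WEAK_AUDITD)),
                       ("hardened", (HARDENED_REMOTE, HARDENED_AUDITD))):
        print(name, check_ports(*pair) or "ok")
```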