Re: Remote audit clients on RHEL 5.2

[Dan Gruhn <Dan.Gruhn@groupw.com>]

Steve, thanks.

My system is a stand-alone in a secure environment so I can't just run a 
piece of software and get an update, and it is currently locked into 5.2 
as we're working to get it approved by various powers.  Is there any way 
to get the SE Linux policy from the 5.3 update as a separate piece?

Dan

Steve Grubb wrote:
> On Thursday 12 February 2009 12:01:33 pm Dan Gruhn wrote:
>   
>> I'm not much of a wiz at selinux, but I can tell that the audit_port_t type
>> doesn't exist.  I'm stuck here because:
>>
>>  1) I don;t know how to create new types in selinux
>>  2) Even if I figured that out, I don't know how auditd would know to use
>> that.
>>
>>  I've looked at the auditd executable, it has types like this:
>>  -rwxr-x---  root root system_u:object_r:auditd_exec_t  /sbin/auditd
>>
>>  Could someone give me some pointers and/or point me to something I could
>> read to get me going?
>>     
>
> You need to be using the SE Linux policy from the 5.3 update. Before 5.3, 
> auditd never had a listening port and therefore selinux policy prior to it 
> wouldn't have setup that type. I also think SE Linux policy may default to 
> port 60 even though that port may not be guaranteed in the future.
>
> Another thing that you should do on this is to setup the client's localport to 
> bind to a port below 1024 and then set the server's tcp_client_ports to check 
> that the ports are bound to that range as a security precaution.
>
> -Steve
>   

-- 
Dan Gruhn
Group W Inc.
8315 Lee Hwy, Suite 303
Fairfax, VA, 22031
PH: (703) 752-5831
FX: (703) 752-5851