From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dan Gruhn Subject: Re: Remote audit clients on RHEL 5.2 Date: Thu, 12 Feb 2009 12:48:47 -0500 Message-ID: <499460FF.3050400@groupw.com> References: <499455ED.3060208@groupw.com> <200902121243.03741.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n1CHn4an016543 for ; Thu, 12 Feb 2009 12:49:04 -0500 Received: from smtp.group-w-inc.com (group-w-inc.com [70.164.45.3]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n1CHmmit014330 for ; Thu, 12 Feb 2009 12:48:48 -0500 Received: from smtp.group-w-inc.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with ESMTP id 6977DDA009F for ; Thu, 12 Feb 2009 12:48:48 -0500 (EST) Received: from [10.1.1.218] (dgruhn-f9.group-w-inc.com [10.1.1.218]) by smtp.group-w-inc.com (Postfix) with ESMTP id 32F3FDA0094 for ; Thu, 12 Feb 2009 12:48:48 -0500 (EST) In-Reply-To: <200902121243.03741.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Steve, thanks. My system is a stand-alone in a secure environment so I can't just run a piece of software and get an update, and it is currently locked into 5.2 as we're working to get it approved by various powers. Is there any way to get the SE Linux policy from the 5.3 update as a separate piece? Dan Steve Grubb wrote: > On Thursday 12 February 2009 12:01:33 pm Dan Gruhn wrote: > >> I'm not much of a wiz at selinux, but I can tell that the audit_port_t type >> doesn't exist. I'm stuck here because: >> >> 1) I don;t know how to create new types in selinux >> 2) Even if I figured that out, I don't know how auditd would know to use >> that. >> >> I've looked at the auditd executable, it has types like this: >> -rwxr-x--- root root system_u:object_r:auditd_exec_t /sbin/auditd >> >> Could someone give me some pointers and/or point me to something I could >> read to get me going? >> > > You need to be using the SE Linux policy from the 5.3 update. Before 5.3, > auditd never had a listening port and therefore selinux policy prior to it > wouldn't have setup that type. I also think SE Linux policy may default to > port 60 even though that port may not be guaranteed in the future. > > Another thing that you should do on this is to setup the client's localport to > bind to a port below 1024 and then set the server's tcp_client_ports to check > that the ports are bound to that range as a security precaution. > > -Steve > -- Dan Gruhn Group W Inc. 8315 Lee Hwy, Suite 303 Fairfax, VA, 22031 PH: (703) 752-5831 FX: (703) 752-5851