On Wed, 16 Apr 2008, Patrick Spinler wrote:

Hi,

Malcolm Beattie wrote:
|
| Quick plug: I'll be covering Linux native tools for auditing
| (auditd/auditctl), accounting (acct/sa) and other things beginning
| with "A"[1] in my technical session at the z Tech Conference in
| Dresden next month.
|
| There are trade-offs involved in enabling such things but if you
| really want to audit everything root does, you can.
|

Looked at these.  Just wished there was an easy and obvious way to send
audit records to syslog, and thus off-node.

The obvious reason you do not want this is that syslog is not reliable
and you can possibly lose audit records.

Further they won't be encrypted and in plaintext on the wire.

Last you wouldn't even know if anyone had tampered with them when you
received them on the destination.

Spoofing UDP can be really easy.


If you want to remote audit records for postprocessing or keeping them
around, either do it batched as in log shipping in a secure and
reliable way or use an encrypted reliable transport stream with
spooling to handle times when the receiver is not available/reachable,
etc...

/bz

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
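One way to make a shipped batch tamper-evident, as an added illustration that is not part of this thread: each record's HMAC covers the previous link and a sequence number, and a final "head" MAC seals the batch. The key, the anchor value and the sample records are constructed assumptions; this only addresses the tampering point above and is complementary to an encrypted transport.

```python
import hashlib
import hmac

# Constructed sample audit records, shaped like auditd output but not real data.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(1208350000.100:1): syscall=2 success=yes uid=0 exe=/bin/cat",
    "type=USER_CMD msg=audit(1208350001.200:2): pid=1234 uid=1000 cmd=\"sudo -i\"",
    "type=SYSCALL msg=audit(1208350002.300:3): syscall=87 success=yes uid=0 exe=/bin/rm",
]
ANCHOR = b"\x00" * 32  # assumed chain start; every batch begins from this fixed value

def _link_mac(key, prev_mac, seq, record):
    # Each MAC covers the previous MAC, the sequence number and the record text,
    # so editing, moving or dropping any entry breaks every later link.
    msg = prev_mac + seq.to_bytes(8, "big") + record.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()

def build_batch(records, key):
    """Seal a batch for shipping: chained per-record MACs plus a final head MAC."""
    prev, entries = ANCHOR, []
    for seq, rec in enumerate(records):
        mac = _link_mac(key, prev, seq, rec)
        entries.append({"seq": seq, "record": rec, "mac": mac.hex()})
        prev = mac
    # The head is the last MAC; the receiver must learn it out of band (or from a
    # separately signed manifest) so that truncating the batch is also detectable.
    return {"entries": entries, "head": prev.hex()}

def verify_batch(batch, key):
    """Return (True, "ok") or (False, reason) naming the first problem found."""
    prev = ANCHOR
    for expected_seq, entry in enumerate(batch["entries"]):
        if entry["seq"] != expected_seq:
            return False, f"sequence gap at {expected_seq}"
        mac = _link_mac(key, prev, expected_seq, entry["record"])
        if not hmac.compare_digest(mac.hex(), entry["mac"]):
            return False, f"bad mac at {expected_seq}"
        prev = mac
    if not hmac.compare_digest(prev.hex(), batch["head"]):
        return False, "head mismatch: batch truncated or replaced"
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a per-host secret the receiver also holds
    sealed = build_batch(SAMPLE_RECORDS, key)
    print(verify_batch(sealed, key))
    sealed["entries"][1]["record"] = sealed["entries"][1]["record"].replace("uid=1000", "uid=0")
    print(verify_batch(sealed, key))
```

The chain only proves integrity relative to whoever holds the key, so a host that keeps the key on disk can still have its records rewritten by a root-level intruder; ship batches promptly and keep the verification key off the audited host.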

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
