On Thursday 04 December 2008 09:57:54 Loredan Stancu wrote: > Now I'll have to user audisp-remote plugin to centralize events.
One further refinement to what I said yesterday about remote logging. You probably want to set the local_port value to something < 1024 in the remote configuration files. Then in the aggregating auditd, set the tcp_client_ports to the same thing. This is a security feature to prevent random user space apps from trying audit log injection attacks. For experimenting or casual use you don't need to set these up, but for production use you must. If you use kerberos authentication, then you have even more protection. But setting up kerberos for this is a little more than I want to explain. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
