On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
>
> I know how to activate the audisp-plugin, what I asked is how can I use
> it.
>
> What I need is an example of an application which can stay on the remote
> host, listen for incoming events sent by audisp-remote plugin and store
> these events in a regular file.
OK.
That's what the auditd does if the remote host is also SELinux.
So - next questions:
* Is the remote host not a SELinux machine? You'd need to emulate the
protocol on the receive side.
* If it is a SELinux machine (F9/F10/other?), do you want the
originating events in a different place than the default? Like separated
by sending host instead of lumped together with the other audit?
If the latter is the case, there are ways of doing this now depending on
your intent.
Supposing the remote system is an SELinux machine (a machine which stores
all the user activity sent by audisp-remote plugins. There is more than
one machine for which I want to store events) what should I do on this
machine to keep separate file events for each machine?
Also this is an area Steve has discussed may be open for
modification.
The auditd on the aggregating side may be able to separate data based on
other criteria per user feedback.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
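
Added example, not part of the original thread and not code from the audit project: one way to get a separate file per sending machine is to post-process the aggregated log on the collecting host. It assumes each sender sets a name_format so its records start with a `node=<name>` field; the bucket names, output directory and sample records are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import Path

# Assumption: senders set name_format, so their records begin "node=<name> ".
NODE_RE = re.compile(r"^node=(\S+) ")
# Conservative host-name shape; must start with a letter or digit.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$")

# Constructed sample of an aggregated log (not real events).
SAMPLE = """\
node=web01 type=USER_LOGIN msg=audit(1228318080.101:210): user pid=2210 uid=0 res=success
type=DAEMON_START msg=audit(1228318081.000:1): auditd start
node=db02 type=SYSCALL msg=audit(1228318082.440:77): arch=c000003e syscall=2 success=yes
node=../../tmp/x type=USER_CMD msg=audit(1228318083.000:5): res=success
node=web01 type=USER_END msg=audit(1228318090.900:211): user pid=2210 uid=0 res=success
"""

def bucket_for(line):
    """Return the per-host bucket name for one audit record."""
    m = NODE_RE.match(line)
    if m is None:
        return "_local"      # no node field: logged by the collecting host itself
    name = m.group(1)
    # The node name is chosen by the sender; never let it become a path.
    if not SAFE_NAME_RE.match(name) or ".." in name:
        return "_rejected"
    return name

def split_by_node(lines):
    """Group records by sending host, keeping their original order."""
    buckets = defaultdict(list)
    for line in lines:
        if line.strip():
            buckets[bucket_for(line)].append(line.rstrip("\n"))
    return dict(buckets)

def write_buckets(buckets, out_dir):
    """Append each bucket to <out_dir>/<bucket>.log."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for name, records in buckets.items():
        with open(out / f"{name}.log", "a", encoding="utf-8") as fh:
            fh.write("\n".join(records) + "\n")

if __name__ == "__main__":
    write_buckets(split_by_node(SAMPLE.splitlines()), "per-host-audit")
```

Records whose node name does not look like a host name go to a `_rejected` bucket rather than being dropped, so a misconfigured or hostile sender is still visible to whoever reviews the logs.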