On Thursday, May 26, 2011 10:07:57 AM Mr Dash Four wrote:
> > For ultimate protection, we suggest remote logging to a box that has
> > restricted access.
> That is certainly a possibility (but then again the box needs to be
> "secure"), though since I am not very familiar with the audit daemon
> I'll just ask - is the connection between the 2 daemons (on the secure
> box as well as the daemon sending the logs) encrypted so as to prevent
> tampering en route (man in the middle etc attacks)?
Sort of. We have Kerberos support, but it's not enabled at the moment. The reason is
that the Kerberos libraries were in /usr/lib64, which is a big problem if the audit
system started before the NFS components (and it does). I think the Kerberos libraries
might have been moved, so we could potentially turn that on sometime soon - but I have
not been updating or testing the code. If you build your own packages, you can turn it
on now.
-Steve
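
Added example, not part of the original message and not code from the audit project: a small check that reads the sending side's audisp-remote.conf and reports whether events would travel over plain TCP or with Kerberos turned on. The sample config text, the host name and the function names are constructed for illustration; it assumes the usual "key = value" file format and the enable_krb5 / transport / krb5_key_file settings of audisp-remote.conf.

```python
# Constructed sample configs (not taken from the thread).
SAMPLE_PLAIN = """\
# audisp-remote.conf as shipped with Kerberos off
remote_server = loghost.example.com
port = 60
transport = tcp
"""

SAMPLE_KRB5 = """\
remote_server = loghost.example.com
port = 60
transport = tcp
enable_krb5 = yes
krb5_principal = auditd
krb5_key_file = /etc/audisp/audisp-remote.key
"""


def parse_conf(text):
    """Parse 'key = value' lines, ignoring blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def check_remote_transport(text):
    """Return a list of findings about how audit events leave this host."""
    conf = parse_conf(text)
    server = conf.get("remote_server")
    if not server:
        return ["no remote_server set: events are not forwarded"]
    # Older configs use enable_krb5 = yes; newer ones use transport = krb5.
    krb5 = (conf.get("enable_krb5", "no").lower() == "yes"
            or conf.get("transport", "tcp").lower() == "krb5")
    findings = []
    if not krb5:
        findings.append("cleartext TCP to %s: events can be read or altered "
                        "in transit" % server)
    elif not conf.get("krb5_key_file"):
        findings.append("Kerberos enabled but krb5_key_file not set: "
                        "verify the keytab the daemon falls back to")
    return findings


if __name__ == "__main__":
    for name, text in (("plain", SAMPLE_PLAIN), ("krb5", SAMPLE_KRB5)):
        print(name, check_remote_transport(text) or "ok")
```

The Kerberos setting only takes effect if the installed audit packages were built with Kerberos support, as noted in the reply above.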