On Wed, 2008-12-03 at 17:28 +0200, Loredan Stancu wrote:
> I know how to activate the audisp-plugin, what I asked is how can I use it.
> What I need is an example of an application which can stay on the remote
> host, listen for incoming events sent by audisp-remote plugin and store
> these events in a regular file.
OK.
That's what the auditd does if the remote host is also SELinux.
So - next questions:
* Is the remote host not a SELinux machine? You'd need to emulate the
protocol on the receive side.
* If it is a SELinux machine (F9/F10/other?), do you want the
originating events in a different place than the default? Like separated
by sending host instead of lumped together with the other audit?
If the latter is the case, there are ways of doing this now depending on
your intent.
Also this is an area Steve has discussed may be open for modification.
The auditd on the aggregating side may be able to separate data based on
other criteria per user feedback.
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com