On Monday 12 February 2007 08:54, Matthew Booth wrote:
> Will this work without any other 4.5 updates?

Yes.

> Also, I had a quick flick through the dispatcher example. I note that
> it's shipping binary logs.

Hmm. I don't recall any binary logs in examples...are you sure?

> This is great from a storage POV, however it wasn't clear to me how this
> would tie in with the existing audit tools. If I simply dump the binary data
> to a file, can I easily:
>
> * Turn it into text?
> * Process it with aureport/ausearch?

Need the answer to the above before I can answer this. But then again...I
would not release anything that did binary formats without having the whole
thing tied together. IOW, I would release something that could read as well
as write a binary format. And I don't recall doing any binary format work.

> Also, that you're aware of, has anybody already implemented the simplest
> possible centralised log server, i.e.:
>
> * Stream uncompressed, unencrypted, unauthenticated audit logs to server
> * Write 1 log file per client audit daemon
> * Rotate on signal, respecting message boundaries

I believe so. I think the SNARE guys wrote a perl script that uses the
realtime interface and transfers data to their centralized logger.

> I'll be writing this if not.

Well, in about a week we'll be releasing a new & improved event dispatcher
that will allow multiple programs to hang off it and then we'll start looking
into a centralized collection system, too.
-Steve
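The three-bullet collector Matthew sketches above (plain stream in, one file per client daemon, rotate on a signal without splitting a record), written out as an added example. This is not code from the audit project, from SNARE, or from either poster; it assumes the client sends audit's newline-terminated text records over TCP, uses the peer address as the client name (the bullets specify no authentication, so that is the only identity available), and treats SIGHUP as the rotation signal. The `demo()` function drives the per-client writer with constructed sample lines so the boundary handling can be checked without a network.

```python
"""Minimal centralised audit-log collector matching the three bullets in the
thread: plain TCP stream in, one file per client, rotate on SIGHUP without
splitting a record.  Added example; not the audit project's own code."""
import os
import signal
import socketserver
import tempfile
import threading

_lock = threading.Lock()  # serialises feed()/rotate() across client threads


class ClientLog:
    """Append-only log for one client. A record is one newline-terminated
    line (audit's text format); bytes after the last newline stay buffered so
    that a rotation never leaves half a record in the old file."""

    def __init__(self, directory, client_id):
        self.path = os.path.join(directory, f"{client_id}.log")
        self.partial = b""
        self.generation = 0
        self.fh = open(self.path, "ab")

    def feed(self, chunk: bytes) -> int:
        """Write every complete record in partial+chunk; return bytes written."""
        data = self.partial + chunk
        complete, sep, rest = data.rpartition(b"\n")
        written = 0
        if sep:
            written = self.fh.write(complete + sep)
            self.fh.flush()
        self.partial = rest  # unterminated tail waits for the next chunk
        return written

    def rotate(self) -> str:
        """Close the current file under a numbered name and start a fresh one.
        Only whole records are on disk here; the buffered tail is written to
        the new file together with the rest of its record."""
        self.fh.close()
        self.generation += 1
        rotated = f"{self.path}.{self.generation}"
        os.replace(self.path, rotated)
        self.fh = open(self.path, "ab")
        return rotated

    def close(self):
        # Flush a trailing unterminated record only on final shutdown.
        if self.partial:
            self.fh.write(self.partial)
            self.partial = b""
        self.fh.close()


def serve(directory, host="127.0.0.1", port=5140):
    """Accept plain TCP connections (assumed port). The bullets specify no TLS
    and no authentication, so the peer address is the only client identity."""
    logs = {}
    rotate_pending = threading.Event()
    if hasattr(signal, "SIGHUP"):  # "rotate on signal"
        signal.signal(signal.SIGHUP, lambda *_: rotate_pending.set())

    class Handler(socketserver.StreamRequestHandler):
        def handle(self):
            client_id = self.client_address[0].replace(":", "_")
            with _lock:
                if client_id not in logs:
                    logs[client_id] = ClientLog(directory, client_id)
                log = logs[client_id]
            while True:
                chunk = self.request.recv(4096)
                if not chunk:
                    break
                with _lock:
                    if rotate_pending.is_set():
                        for entry in logs.values():
                            entry.rotate()
                        rotate_pending.clear()
                    log.feed(chunk)

    with socketserver.ThreadingTCPServer((host, port), Handler) as srv:
        srv.serve_forever()


def demo(directory=None) -> dict:
    """Drive ClientLog with constructed audit lines, rotating mid-record, and
    return the bytes that ended up in each file."""
    directory = directory or tempfile.mkdtemp()
    log = ClientLog(directory, "host1")
    # Constructed sample: one complete record plus the first half of another.
    log.feed(b"type=SYSCALL msg=audit(1.0:1): arch=c000003e\n"
             b"type=SYSCALL msg=audit(1.0:2): arch=")
    rotated = log.rotate()       # stands in for SIGHUP arriving here
    log.feed(b"c000003e\n")      # remainder of record 2
    log.close()
    with open(rotated, "rb") as old, open(log.path, "rb") as cur:
        return {"rotated": old.read(), "current": cur.read()}


if __name__ == "__main__":
    print(demo())
```

The point the third bullet makes is visible in `demo()`: the rotation arrives while record 2 is half received, and the split file still contains only whole records because the partial tail is held in memory rather than flushed. `serve()` is the network front end for real use; it runs `aureport`/`ausearch`-compatible text through unchanged, which is the storage trade-off Matthew was weighing against binary logs.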