[tomoyo-users-en 568] Using syslog
laurent_t
2014-02-27 14:21:19 UTC
Hi all,

I use Tomoyo 1.8.3 (thanks for this wonderful soft).
I haven't found any information about using syslog instead of auditd to log errors in enforcing mode.
Any idea?

Laurent
Tetsuo Handa
2014-02-28 12:51:19 UTC
Hello.
Post by laurent_t
I use Tomoyo 1.8.3 (thanks for this wonderful soft).
I haven't found any information about using syslog instead of auditd to log errors in enforcing mode.
Any idea?
Excuse me, but what is your question?
Why /usr/sbin/ccs-auditd and /usr/sbin/ccs-notifyd cannot be used?
You want to use (e.g.) /sbin/rsyslogd for saving logs read from /proc/ccs/
rather than running /usr/sbin/ccs-auditd and /usr/sbin/ccs-notifyd ?
laurent_t
2014-03-01 13:34:36 UTC
Post by Tetsuo Handa
Excuse me, but what is your question?
I've PCs protected with Tomoyo. I'd like to be informed when Tomoyo detect any policy violation. I'd like to get this information in a central pc. syslog is a good solution to centralize these violations.
Post by Tetsuo Handa
Why /usr/sbin/ccs-auditd and /usr/sbin/ccs-notifyd cannot be used?
These tools provide access violation locally (only in the pc that generates the violation). And I need an automatic solution (ccs-notifyd is an interactive tool).
Post by Tetsuo Handa
You want to use (e.g.) /sbin/rsyslogd for saving logs read from
/proc/ccs/
rather than running /usr/sbin/ccs-auditd and /usr/sbin/ccs-notifyd ?
ccs-auditd and ccs-notifyd seem to be tools to update policy. So these tools are dedicated for Tomoyo administrators. But in a production environment, what is the good tool?
Tetsuo Handa
2014-03-02 11:17:37 UTC
Post by laurent_t
Post by Tetsuo Handa
Excuse me, but what is your question?
I've PCs protected with Tomoyo. I'd like to be informed when Tomoyo detect
any policy violation.
This is exactly what ccs-notifyd is for.
Post by laurent_t
I'd like to get this information in a central pc. syslog is a good solution
to centralize these violations.
I think you can use /bin/logger command. To send this information to a central
PC, change the action_to_take line of /etc/ccs/tools/notifyd.conf from

action_to_take mail -s Notification\040from\040ccs-notifyd root at localhost

to

action_to_take /bin/logger -p kern.warning -t tomoyo

and change your syslog daemon's config file to forward the message to the
central PC and run ccs-notifyd .
Post by laurent_t
Post by Tetsuo Handa
Why /usr/sbin/ccs-auditd and /usr/sbin/ccs-notifyd cannot be used?
These tools provide access violation locally (only in the pc that generates
the violation). And I need an automatic solution (ccs-notifyd is an
interactive tool).
ccs-queryd is an interactive tool, but ccs-notifyd is a non-interactive tool.
Post by laurent_t
Post by Tetsuo Handa
You want to use (e.g.) /sbin/rsyslogd for saving logs read from /proc/ccs/
rather than running /usr/sbin/ccs-auditd and /usr/sbin/ccs-notifyd ?
ccs-auditd and ccs-notifyd seem to be tools to update policy.
In TOMOYO, policy violation logs are in the form of policy configuration.
ccs-auditd and ccs-notifyd are tools to collect policy violation logs.
Programs listed in /etc/ccs/manager.conf are tools to update policy.
Post by laurent_t
So these tools are dedicated for Tomoyo administrators. But in a production
environment, what is the good tool?
I think you can use ccs-notifyd in a production environment.

Regards.
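The configuration change described above, turned into a small shell script so it can be applied and checked rather than edited by hand. This is an added example, not code from the thread or from the TOMOYO project: it rewrites the action_to_take line of a notifyd.conf copy to the /bin/logger command given above and prints an rsyslog rule that forwards messages tagged "tomoyo" to a central host. The sample notifyd.conf content is constructed (the mail address is written out as root@localhost), and CENTRAL_HOST, the log file path and port 514 are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example (not from the thread or the TOMOYO project).
# CENTRAL_HOST is a placeholder; override it in the environment.
CENTRAL_HOST="${CENTRAL_HOST:-loghost.example.invalid}"

# Constructed sample of the relevant lines of /etc/ccs/tools/notifyd.conf
# (not the file shipped with ccs-tools).
sample_notifyd_conf() {
    cat <<'EOF'
# constructed sample of notifyd.conf
time_to_wait 0
action_to_take mail -s Notification\040from\040ccs-notifyd root@localhost
EOF
}

# Replace the action_to_take line in the given file so that ccs-notifyd
# hands each policy violation to logger with priority kern.warning and the
# tag "tomoyo". Fails if the file has no action_to_take line, so a typo in
# the path does not silently leave the mail action in place.
set_notifyd_action() {
    conf="$1"
    grep -q '^action_to_take ' "$conf" || {
        echo "no action_to_take line in $conf" >&2
        return 1
    }
    sed 's|^action_to_take .*|action_to_take /bin/logger -p kern.warning -t tomoyo|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the command ccs-notifyd will run, for verification after the edit.
current_action() {
    sed -n 's/^action_to_take //p' "$1"
}

# Emit an rsyslog rule (legacy property-based filter syntax) that forwards
# every message whose tag is "tomoyo" to the central host over TCP (@@)
# and also keeps a local copy. Matching on the tag rather than on the kern
# facility keeps the rule working even if the facility is rewritten.
rsyslog_forward_rule() {
    printf ':programname, isequal, "tomoyo" @@%s:514\n' "$CENTRAL_HOST"
    printf ':programname, isequal, "tomoyo" /var/log/tomoyo-violations.log\n'
}

# Stand-alone run: work on a temporary copy and show the results.
main() {
    tmp=$(mktemp)
    sample_notifyd_conf > "$tmp"
    set_notifyd_action "$tmp"
    echo "ccs-notifyd will run: $(current_action "$tmp")"
    echo "rsyslog rule to add on the protected host:"
    rsyslog_forward_rule
    rm -f "$tmp"
}

[ "${1:-}" = "--run" ] && main
```

Run with `sh script.sh --run` to see the rewritten line and the forwarding rule; to apply it for real, call `set_notifyd_action /etc/ccs/tools/notifyd.conf` as root, drop the rule into an rsyslog conf.d fragment, restart the syslog daemon and then start ccs-notifyd as the thread says. Filtering on the tag is deliberate: logger from util-linux writes to /dev/log directly and keeps the kern facility, but a syslog library that maps user-space kern messages to the user facility would otherwise make a facility-based rule miss them.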
laurent_t
2014-03-03 14:29:52 UTC
It works very well.
Thanks a lot

Regards
