laurent_t wrote:

> >Excuse me, but what is your question?
> I've PCs protected with Tomoyo. I'd like to be informed when Tomoyo detects
> any policy violation.

This is exactly what ccs-notifyd is for.

> I'd like to get this information in a central pc. syslog is a good solution
> to centralize these violations.

I think you can use the /bin/logger command.
To send this information to a central PC, change the action_to_take line of
/etc/ccs/tools/notifyd.conf from

action_to_take mail -s Notification\040from\040ccs-notifyd root@localhost

to

action_to_take /bin/logger -p kern.warning -t tomoyo

and change your syslog daemon's config file to forward the message to the
central PC, and run ccs-notifyd .

> >Why /usr/sbin/ccs-auditd and /usr/sbin/ccs-notifyd cannot be used?
> These tools provide access violations locally (only in the pc that generates
> the violation). And I need an automatic solution (ccs-notifyd is an
> interactive tool).

ccs-queryd is an interactive tool, but ccs-notifyd is a non-interactive tool.

> >You want to use (e.g.) /sbin/rsyslogd for saving logs read from
> >/proc/ccs/
> >rather than running /usr/sbin/ccs-auditd and /usr/sbin/ccs-notifyd ?
> ccs-auditd and ccs-notifyd seem to be tools to update policy.

In TOMOYO, policy violation logs are in the form of policy configuration.
ccs-auditd and ccs-notifyd are tools to collect policy violation logs.
Programs listed in /etc/ccs/manager.conf are tools to update policy.

> So these tools are dedicated for Tomoyo administrators. But in a production
> environment, what is the good tool?

I think you can use ccs-notifyd in a production environment.

Regards.
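As an added example (not part of this thread or of the TOMOYO tools), here is a small filter for the central PC that picks the forwarded messages carrying the tag set by "-t tomoyo" out of a syslog file and regroups them into one record per violation. It assumes that logger reads the violation text ccs-notifyd hands it on stdin one syslog message per line (header line, domain line, access-request line), that the receiving syslog daemon writes traditional "timestamp host tag: message" lines, and that the sample lines and hostnames below are constructed.

```python
import re
from collections import defaultdict

# Traditional syslog line: "Mar  3 10:15:01 web01 tomoyo: <message>".
# The tag "tomoyo" is the value given to "logger -t" on the sending hosts.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample input: two violations from two hosts plus an unrelated line.
SAMPLE_LINES = [
    "Mar  3 10:15:01 web01 tomoyo: #2010/03/03 10:15:01# profile=3 mode=enforcing granted=no",
    "Mar  3 10:15:01 web01 tomoyo: <kernel> /usr/sbin/httpd",
    "Mar  3 10:15:01 web01 tomoyo: file read /etc/shadow",
    "Mar  3 10:15:02 web01 sshd[1234]: Accepted publickey for alice",
    "Mar  3 10:15:05 db01 tomoyo: #2010/03/03 10:15:05# profile=3 mode=enforcing granted=no",
    "Mar  3 10:15:05 db01 tomoyo: <kernel> /usr/bin/mysqld",
    "Mar  3 10:15:05 db01 tomoyo: file write /var/lib/mysql/ib_logfile0",
]

def group_violations(lines, tag="tomoyo"):
    """Reassemble the per-line syslog messages of each TOMOYO violation
    (header '#...', domain '<kernel> ...', access request) into one record.
    Records are tracked per host so that interleaved hosts do not mix."""
    records = []
    pending = {}  # host -> record still missing its domain or request line
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("tag") != tag:
            continue  # not a forwarded ccs-notifyd message
        host, msg = m.group("host"), m.group("msg")
        if msg.startswith("#"):  # header line opens a new record
            pending[host] = {"host": host, "received": m.group("ts"),
                             "header": msg, "domain": None, "request": None}
        elif host in pending:
            rec = pending[host]
            if msg.startswith("<kernel>") and rec["domain"] is None:
                rec["domain"] = msg
            elif rec["request"] is None:
                rec["request"] = msg  # third line completes the record
                records.append(pending.pop(host))
    return records

def violations_by_domain(records):
    """Count completed violations per (host, domain) for a quick overview."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["host"], r["domain"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for r in group_violations(SAMPLE_LINES):
        print(r["host"], r["domain"], "->", r["request"])
```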