23 lines
861 B
Text
23 lines
861 B
Text
# veilor-os audit remote shipping (DISABLED by default)
|
|
#
|
|
# IMPORTANT: enabling remote audit shipping leaks security events off-device.
|
|
# Only enable if you have a trusted log collector (Loki / Wazuh / Splunk).
|
|
# The remote endpoint will see every privileged syscall, file watch hit,
|
|
# auth event, and sudoers change. Treat the collector with the same trust
|
|
# level as the host root account.
|
|
#
|
|
# Enable:
|
|
# 1. Edit `active = yes` below.
|
|
# 2. Configure /etc/audisp/audisp-remote.conf (see audisp-remote.conf.disabled).
|
|
# 3. systemctl restart auditd.
|
|
# 4. Verify with: auditctl -s | grep enabled
|
|
#
|
|
# Plugin pipes audit events out of auditd via a UNIX socket; audisp-remote
|
|
# reads from that socket and forwards to the configured remote_server.
|
|
|
|
active = no
|
|
direction = out
|
|
path = builtin_af_unix
|
|
type = builtin
|
|
args = /var/run/audit_events
|
|
format = string
|