[redhat-lspp] audit messages during bootup
Paul Moore
paul.moore at hp.com
Fri Jan 6 23:11:28 UTC 2006
Timothy R. Chavez wrote:
> On Friday 06 January 2006 15:04, Dustin Kirkland wrote:
>
>>On Fri, 2006-01-06 at 16:42 +1100, Russell Coker wrote:
>>
>>>I find it difficult to imagine a situation where NFS would be an
>>>appropriate way of dealing with audit data. I also find it difficult to
>>>imagine why anyone who has a serious need for auditd (as opposed to the
>>>majority who either just want it for SE Linux events or who don't even
>>>know what it is) would even want to run NFS3 on their machines.
>>
>>I can think of a few advantages logging to networked filesystems offers:
>>
>>1) the ability to retain vastly larger logs
>>2) centralized location for audit logs of multiple machines
>>3) remote data in the case of system failure/crash/compromise
>>
>>:-Dustin
>>
>
> I think there is one big disadvantage with using NFS...
>
> What guarantee can we make that the audit record is logged to a remote disk
> using NFS? What if the server suddenly drops out as the record is being
> written? Seems like if we are going to do network logging, it should be done
> using a connection-based scheme, right? This way the logging behavior on a
> remote machine is exactly the same as it is on a local machine.
>
> kernel->auditd->audispd->(input,filter,output)->remote_auditd->remote_audispd
>
> Isn't this, in fact, one of the arguments made for audispd?
>
I apologize if this has been brought up before (I don't follow the audit
discussions as closely as I probably should), but I think it would be
best if we used a transaction based scheme for remote audit logging. We
can still utilize a connection based protocol, but there are so many
different things that could go wrong when you start talking to a remote
system that having the system explicitly ack that it has committed the
audit record to storage would be a good thing in my mind.
--
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore at hp.com hewlett packard
. (603) 884-5056 linux security
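The acknowledged-commit scheme argued for above, as an added example that is not part of the original thread and is not code from auditd or audispd: the receiving side appends each record, fsyncs it, and only then returns an ack carrying the record's sequence number; the sending side keeps every record pending until that ack arrives and retransmits whatever is still pending after a reconnect. The JSON framing, the class names, the in-memory "link" and the sample records are all assumptions made for illustration, and the two failure cases in the demo (a record written but its ack lost, and a record never delivered) are simulated, not observed behaviour.

```python
import json
import os
import tempfile


class AuditReceiver:
    """Remote side: append the record, fsync, and only then acknowledge."""

    def __init__(self, path):
        self.path = path
        self.committed = set()        # sequence numbers already on stable storage
        self._recover()

    def _recover(self):
        # On (re)start, rebuild the committed set from the log so a retransmit of
        # a record written just before a crash is not appended twice.
        if os.path.exists(self.path):
            with open(self.path, "rb") as f:
                for line in f.read().splitlines():
                    self.committed.add(json.loads(line)["seq"])

    def handle(self, frame: bytes) -> bytes:
        seq = json.loads(frame)["seq"]
        if seq not in self.committed:
            with open(self.path, "ab") as f:
                f.write(frame + b"\n")
                f.flush()
                os.fsync(f.fileno())  # commit to disk before the ack leaves
            self.committed.add(seq)
        # Duplicate (retransmitted) records are acked again without rewriting.
        return json.dumps({"ack": seq}).encode()


class AuditSender:
    """Local side: a record stays pending until the receiver acks its seq."""

    def __init__(self):
        self.next_seq = 0
        self.pending = {}             # seq -> frame, cleared only by an ack

    def submit(self, record: dict) -> bytes:
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        frame = json.dumps({"seq": seq, "record": record}).encode()
        self.pending[seq] = frame
        return frame

    def on_ack(self, reply: bytes):
        self.pending.pop(json.loads(reply)["ack"], None)

    def unacked(self):
        return [self.pending[s] for s in sorted(self.pending)]


def run_demo(logdir=None):
    """Simulate two failures on the first attempt, then retransmit."""
    path = os.path.join(logdir or tempfile.mkdtemp(), "audit.log")
    rx, tx = AuditReceiver(path), AuditSender()
    # Constructed sample records, not real audit data.
    records = [{"type": "SYSCALL", "msg": "constructed sample %d" % i} for i in range(3)]
    for i, rec in enumerate(records):
        frame = tx.submit(rec)
        if i == 2:
            continue              # link down: frame never reaches the server
        reply = rx.handle(frame)
        if i == 1:
            continue              # server wrote it, then dropped before the ack arrived
        tx.on_ack(reply)
    pending_before = len(tx.unacked())
    # After reconnecting, resend everything still unacknowledged.
    for frame in tx.unacked():
        tx.on_ack(rx.handle(frame))
    with open(path, "rb") as f:
        on_disk = [json.loads(l)["seq"] for l in f.read().splitlines()]
    return pending_before, len(tx.unacked()), on_disk


if __name__ == "__main__":
    print(run_demo())   # (2, 0, [0, 1, 2])
```

The point of the sequence number in the frame is that retransmission and deduplication are both driven by it: the sender never has to guess whether a record that disappeared into a dropped connection made it to disk, and the receiver can re-ack a record it already holds without duplicating it. A real implementation would persist the sender's pending queue as well, so records survive a local crash between the kernel handing them over and the remote ack returning.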