[redhat-lspp] audit messages during bootup

Paul Moore paul.moore at hp.com
Fri Jan 6 23:11:28 UTC 2006


Timothy R. Chavez wrote:
> On Friday 06 January 2006 15:04, Dustin Kirkland wrote:
> 
>>On Fri, 2006-01-06 at 16:42 +1100, Russell Coker wrote:
>>
>>>I find it difficult to imagine a situation where NFS would be an
>>>appropriate way of dealing with audit data.  I also find it difficult to
>>>imagine why anyone who has a serious need for auditd (as opposed to the
>>>majority who either just want it for SE Linux events or who don't even
>>>know what it is) would even want to run NFS3 on their machines.
>>
>>I can think of a few advantages logging to networked filesystems offers:
>>
>>1) the ability to retain vastly larger logs
>>2) centralized location for audit logs of multiple machines
>>3) remote data in the case of system failure/crash/compromise
>>
>>:-Dustin
>>
> 
> I think there is one big disadvantage with using NFS...
> 
> What guarantee can we make that the audit record is logged to a remote disk 
> using NFS?  What if the server suddenly drops out as the record is being 
> written?  Seems like if we are going to do network logging, it should be done 
> using a connection-based scheme, right?  This way the logging behavior on a 
> remote machine is exactly the same as it is on a local machine.
> 
> kernel->auditd->audispd->(input,filter,output)->remote_auditd->remote_audispd
> 
> Isn't this, in fact, one of the arguments made for audispd?
> 

I apologize if this has been brought up before (I don't follow the audit 
discussions as closely as I probably should), but I think it would be 
best if we used a transaction-based scheme for remote audit logging.  We 
can still utilize a connection-based protocol, but there are so many 
different things that could go wrong when you start talking to a remote 
system that having the system explicitly ack that it has committed the 
audit record to storage would be a good thing in my mind.

-- 
. paul moore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. paul.moore at hp.com                                      hewlett packard
. (603) 884-5056                                          linux security
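The transaction-based scheme argued for above, as an added example that is not part of this thread and is not the audit project's own code. It models the design in-process rather than over a real socket: the sender keeps each record queued until the receiver explicitly acknowledges that it has been committed to stable storage (fsync), a lost ack is retried when the link comes back, and the receiver deduplicates by sequence number so a retransmission never lands twice on disk. The class names, the JSON message shape and the sample audit lines are all constructed for this illustration.

```python
"""Added example: transaction-style remote audit log transfer.

Not code from the thread or the audit project.  A record is removed from the
sender's queue only once the receiver acks that it is on disk; duplicates
caused by a lost ack are recognised by sequence number and not rewritten.
All names and the message format here are assumptions for the illustration.
"""
import json
import os
import tempfile
from dataclasses import dataclass


@dataclass
class AuditRecord:
    seq: int      # per-connection sequence number, starting at 1
    payload: str  # the audit event text as produced locally


class RemoteAuditServer:
    """Receiving side: append, fsync, then acknowledge the sequence number."""

    def __init__(self, path):
        self.path = path
        self.last_committed = 0  # highest seq known to be on disk

    def receive(self, record, fail_before_ack=False):
        # Retransmission of something already durable: ack again, write nothing.
        if record.seq <= self.last_committed:
            return ("ACK", record.seq)
        # A gap means the sender believes something was committed that was not;
        # report what is actually stored so it can resend from there.
        if record.seq != self.last_committed + 1:
            return ("NAK", self.last_committed)
        with open(self.path, "a") as fh:
            fh.write(json.dumps({"seq": record.seq, "msg": record.payload}) + "\n")
            fh.flush()
            os.fsync(fh.fileno())  # the ack only means something after this
        self.last_committed = record.seq
        if fail_before_ack:
            return None  # simulate the link dying after commit, before the ack
        return ("ACK", record.seq)


class AuditForwarder:
    """Sending side (the output stage of audispd in the thread's pipeline)."""

    def __init__(self, server):
        self.server = server
        self.next_seq = 1
        self.unacked = []   # sent but not yet confirmed committed
        self.committed = 0  # highest seq the remote has confirmed

    def log(self, payload, drop_ack=False):
        rec = AuditRecord(self.next_seq, payload)
        self.next_seq += 1
        self.unacked.append(rec)
        self._flush(drop_ack)

    def retransmit(self):
        """Called once the connection has been re-established."""
        self._flush()

    def _flush(self, drop_ack=False):
        for rec in list(self.unacked):
            reply = self.server.receive(rec, fail_before_ack=drop_ack)
            drop_ack = False
            if reply is None:
                return  # link lost; rec stays queued for retransmit
            kind, seq = reply
            # ACK seq: everything up to seq is durable remotely.
            # NAK seq: remote only has up to seq; keep the rest queued.
            self.unacked = [r for r in self.unacked if r.seq > seq]
            self.committed = max(self.committed, seq)
            if kind == "NAK":
                return


def demo():
    """Two constructed events; the second one's ack is lost and must be retried."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        server = RemoteAuditServer(path)
        fwd = AuditForwarder(server)
        fwd.log("type=USER_LOGIN msg=audit(0.000:1): constructed sample")
        fwd.log("type=SYSCALL msg=audit(0.000:2): constructed sample", drop_ack=True)
        pending_after_drop = len(fwd.unacked)  # on remote disk, but unconfirmed
        fwd.retransmit()                        # remote sees a duplicate: ack, no rewrite
        with open(path) as fh:
            stored = len(fh.read().splitlines())
    finally:
        os.unlink(path)
    return {
        "pending_after_drop": pending_after_drop,
        "pending_after_retransmit": len(fwd.unacked),
        "committed": fwd.committed,
        "stored": stored,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the separation between "sent" and "committed": a record that was written but whose ack never arrived is still pending on the sender and is resent, and the receiver's `last_committed` check is what makes that resend idempotent. Over a plain stream with no acks the sender would have discarded the record the moment `write()` returned, which is exactly the gap the message above is concerned with.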
