[redhat-lspp] Re: audit messages during bootup
Steve Grubb
sgrubb at redhat.com
Mon Jan 9 16:43:15 UTC 2006
On Monday 09 January 2006 11:18, LC Bruzenak wrote:
> In my case I am thinking about an audit trail from bootup - something
> maybe not of interest to everyone.
The main problem I see is that if someone left their knoppix boot disk in the
cdrom tray and booted the machine, it likely will not have the audit hooks
compiled into the kernel nor the audit daemon. You are at the mercy of
whatever was installed to that disk. You can never count on getting an audit
trail from that scenario. If you actually got one, you have a courteous
hacker.
> If sending system audit to an independent audit machine I could
> aggregate my LAN auditing.
This is in the works. That's one of the things audispd will do when it's
complete.
> This would allow me to compare previous boot messages and ensure the
> hardware config is still the same as previous, no hardware errors exist at
> boot (sometimes machines are unattended and non-fatal errors are not always
> obvious), etc.
audit and syslog serve different functions. Syslog will have this kind of
information. Syslog is also capable of remote logging so you could script
something in the aggregator to look for this.
> Maybe there was a CD in the drive on boot. Maybe that meant someone was
> testing the password-locked BIOS for CD-enabled boot and if I'm clever
> enough to bring that up in the audit review maybe someone will catch it.
The BIOS would have to save audit records...not very likely to happen.
> Maybe there is now a serial printer connected and the BIOS wasn't
> secured on that port but that fact is now audited.
It sounds like you want a system scanner to look at the machine config or
maybe have hal/udevd/kudzu collect what it sees.
> I realize it may not be appropriate for many installations of SE Linux
> but if my group goes this route I will be doing all the above and more.
It's interesting. But it sounds like something that can be cobbled together in
shell script. I am not planning to write one of these, but I'd be interested
in talking about this and looking at what others come up with. Does this map
to a requirement in DCID 6/3?
-Steve
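The boot-time hardware comparison discussed above, sketched as the kind of shell script Steve describes; this is an added example, not code from the thread or from the audit project, and it assumes lspci/lsusb are present on the host and that SNAP_DIR is writable. Differences go to syslog via logger rather than to the audit log, following the audit-vs-syslog split made in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot the hardware config at boot and
# diff it against the previous boot's snapshot, reporting changes to syslog.
# Assumptions: lspci/lsusb exist (each is optional), SNAP_DIR is writable.

SNAP_DIR="${SNAP_DIR:-/var/lib/hwsnap}"   # assumed location, site-specific
export LC_ALL=C                           # deterministic sort order for comm

# collect_hw: print one normalized line per hardware item.
collect_hw() {
    echo "kernel: $(uname -r)"
    command -v lspci >/dev/null 2>&1 && lspci 2>/dev/null | sed 's/^/pci: /'
    command -v lsusb >/dev/null 2>&1 && lsusb 2>/dev/null | sed 's/^/usb: /'
    # Block devices from /proc/partitions (works without lsblk).
    awk 'NR>2 && $4!="" {print "disk: " $4 " " $3}' /proc/partitions 2>/dev/null
    return 0
}

# compare_snapshots BASELINE CURRENT: print "removed: ..." / "added: ..." lines;
# exit 0 when the snapshots are identical, 1 when they differ.
compare_snapshots() {
    b=$(mktemp); c=$(mktemp)
    sort -u "$1" > "$b"; sort -u "$2" > "$c"
    removed=$(comm -23 "$b" "$c")     # only in baseline
    added=$(comm -13 "$b" "$c")       # only in current
    rm -f "$b" "$c"
    rc=0
    [ -n "$removed" ] && { printf '%s\n' "$removed" | sed 's/^/removed: /'; rc=1; }
    [ -n "$added" ]   && { printf '%s\n' "$added"   | sed 's/^/added: /';   rc=1; }
    return $rc
}

# check_boot: run once per boot; log any change since the last boot and rotate.
check_boot() {
    mkdir -p "$SNAP_DIR"
    collect_hw > "$SNAP_DIR/current"
    if [ -f "$SNAP_DIR/last" ]; then
        diffs=$(compare_snapshots "$SNAP_DIR/last" "$SNAP_DIR/current") ||
            printf '%s\n' "$diffs" | logger -t hwsnap -p daemon.warning
    else
        logger -t hwsnap -p daemon.notice "no baseline; recording first snapshot"
    fi
    mv "$SNAP_DIR/current" "$SNAP_DIR/last"
}
```

Call check_boot from an init script after device probing has settled; the "hwsnap" tag makes the lines easy to pick out on a remote syslog aggregator.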