[redhat-lspp] Re: audit messages during bootup

Steve Grubb sgrubb at redhat.com
Mon Jan 9 16:43:15 UTC 2006


On Monday 09 January 2006 11:18, LC Bruzenak wrote:
> In my case I am thinking about an audit trail from bootup - something
> maybe not of interest to everyone.

The main problem I see is that if someone left their knoppix boot disk in the 
cdrom tray and booted the machine, it likely will not have the audit hooks 
compiled into the kernel or the audit daemon. You are at the mercy of 
whatever was installed to that disk. You can never count on getting an audit 
trail from that scenario. If you actually got one, you have a courteous 
hacker.

> If sending system audit to an independent audit machine I could
> aggregate my LAN auditing.

This is in the works. That's one of the things audispd will do when it's 
complete.

> This would allow me to compare previous boot messages and ensure the
> hardware config is still the same as previous, no hardware errors exist at
> boot (sometimes machines are unattended and non-fatal errors are not always
> obvious), etc.

audit and syslog serve different functions. Syslog will have this kind of 
information. Syslog is also capable of remote logging so you could script 
something in the aggregator to look for this.

> Maybe there was a CD in the drive on boot. Maybe that meant someone was
> testing the password-locked BIOS for CD-enabled boot and if I'm clever
> enough to bring that up in the audit review maybe someone will catch it.

The BIOS would have to save audit records...not very likely to happen.

> Maybe there is now a serial printer connected and the BIOS wasn't
> secured on that port but that fact is now audited.

It sounds like you want a system scanner to look at the machine config or 
maybe have hal/udevd/kudzu collect what it sees.

> I realize it may not be appropriate for many installations of SE Linux
> but if my group goes this route I will be doing all the above and more.

It's interesting. But it sounds like something that can be cobbled together in 
a shell script. I am not planning to write one of these, but I'd be interested 
in talking about this and looking at what others come up with. Does this map 
to a requirement in DCID 6/3?

-Steve
