[redhat-lspp] Re: audit messages during bootup

Russell Coker rcoker at redhat.com
Tue Jan 10 02:32:54 UTC 2006


On Mon, 2006-01-09 at 11:22 -0600, LC Bruzenak wrote:
> > The main problem I see is that if someone left their knoppix boot
> > disk in the cdrom tray and booted the machine, it likely will not
> > have the audit hooks compiled into the kernel nor the audit daemon.
> > You are at the mercy of whatever was installed to that disk. You can
> > never count on getting an audit trail from that scenario. If you
> > actually got one, you have a courteous hacker.
> 
> No - I was assuming here that the boot has been secured and I am
> getting the usual boot info, not looking for boot info from a
> successful malicious or non-approved attempt.

So when we boot with an unexpected mass storage device connected then
it's probably something that deserves an audit event as that's often a
method of attack.  We rely on the BIOS to prevent the attack from
succeeding but want the audit system to inform us about it.

Of course an attacker could recognise the attack as being unsuccessful
and unplug the device before the USB device driver is loaded.  But it's
still worth logging what we can.
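As an added illustration of the "log what we can" idea (this is example code, not anything from the thread or from the audit project): a script that walks the kernel's boot log, notices USB devices that usb-storage claimed, compares them against an inventory of approved devices, and also records a device that appeared and then disconnected before any driver bound to it, which is the unplug-before-the-driver-loads case. The dmesg lines and the approved-device inventory are constructed for the example; the message formats follow the usb core and usb-storage kernel messages but the devices themselves are made up. The record is emitted as the text an `auditctl -m` call would inject into the audit log (that requires root, so the script only builds the command).

```python
"""Boot-time check for unexpected USB mass storage devices.

Parses kernel log lines and produces audit-style records for storage devices
that were present at boot, flagging those not in an approved inventory and
devices that vanished before a class driver bound to them.
"""
import re
import shlex

# Constructed sample of dmesg-style lines (not from the original post); the
# line formats mimic the kernel's usb core / usb-storage messages.
SAMPLE_DMESG = """\
[    2.131204] usb 1-1: new high speed USB device using ehci_hcd and address 2
[    2.245611] usb 1-1: New USB device found, idVendor=0781, idProduct=5567
[    2.245630] usb 1-1: SerialNumber: 4C530001230211114232
[    2.310002] usb-storage 1-1:1.0: USB Mass Storage device detected
[    2.412000] usb 1-2: new low speed USB device using uhci_hcd and address 3
[    2.500113] usb 1-2: New USB device found, idVendor=046d, idProduct=c077
[    2.600000] usb 1-4: new high speed USB device using ehci_hcd and address 5
[    2.700000] usb 1-4: New USB device found, idVendor=0951, idProduct=1666
[    2.700020] usb 1-4: SerialNumber: 001CC0EC3449BB91
[    2.750000] usb-storage 1-4:1.0: USB Mass Storage device detected
[    3.100000] usb 1-3: new high speed USB device using ehci_hcd and address 4
[    3.200000] usb 1-3: New USB device found, idVendor=0930, idProduct=6545
[    3.250000] usb 1-3: USB disconnect, address 4
"""

# Constructed inventory of approved storage devices: (idVendor, idProduct, serial).
APPROVED_STORAGE = {("0781", "5567", "4C530001230211114232")}

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected")
DISCONN = re.compile(r"usb (\S+): USB disconnect")


def analyze(dmesg, approved):
    """Walk kernel log lines in order; return a list of event dicts worth auditing."""
    devices = {}  # port (e.g. "1-1") -> device attributes seen so far
    events = []
    for line in dmesg.splitlines():
        m = NEW_DEV.search(line)
        if m:
            port, vendor, product = m.groups()
            devices[port] = {"port": port, "vendor": vendor, "product": product,
                             "serial": None, "storage": False}
            continue
        m = SERIAL.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["serial"] = m.group(2)
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in devices:
            dev = devices[m.group(1)]
            dev["storage"] = True
            key = (dev["vendor"], dev["product"], dev["serial"])
            kind = "storage-approved" if key in approved else "storage-unexpected"
            events.append({"kind": kind, **dev})
            continue
        m = DISCONN.search(line)
        if m and m.group(1) in devices:
            dev = devices.pop(m.group(1))
            if not dev["storage"]:
                # Left before any class driver bound: we cannot say what it
                # was, but we can still record that something was plugged in.
                events.append({"kind": "transient", **dev})
    return events


def audit_message(ev):
    """Text of the user-space audit record for one event."""
    return (f"boot-usb kind={ev['kind']} port={ev['port']} "
            f"idVendor={ev['vendor']} idProduct={ev['product']} "
            f"serial={ev['serial'] or '?'}")


def audit_command(ev):
    """Shell command that would inject the record into the audit log (root only)."""
    return "auditctl -m " + shlex.quote(audit_message(ev))


if __name__ == "__main__":
    for event in analyze(SAMPLE_DMESG, APPROVED_STORAGE):
        print(audit_command(event))
```

Run at boot, after the USB drivers have probed (for instance from a late init script reading `dmesg` output), this yields one record for the approved stick, one for the unknown stick on port 1-4, and one for the device on 1-3 that was pulled before usb-storage saw it. The mouse on 1-2 produces nothing. What the script cannot see is a device removed before the host controller driver enumerated it at all, which is the limit the message above acknowledges.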