Audit for live supervision
Steve Grubb
sgrubb at redhat.com
Tue Aug 19 20:47:16 UTC 2008
On Tuesday 19 August 2008 16:33:58 Kay Hayen wrote:
> > Only one audit pid is allowed for security purposes.
>
> Damn security. I saw that patch while googling, and hoped it wasn't merged,
> but seems it was.
Its been there since 2.6.6 kernel. IOW - day 1.
> I don't really understand why it is helping security, if I need to kill
> auditd before I can open the netlink socket. For both I need root rights.
The queueing is complicated and if you have a group of processes it gets real
messy. The audit queue tries hard for guaranteed delivery or take the system
down if the flow is not working right. Its not like syslog or iptables
logging.
> There isn't any SELinux in the play, is there?
SE Linux helps for MLS systems, but for CAPP, it doesn't come into play. The
data flowing through the audit system could be very sensitive. Anyone needing
access to the stream either needs to replace auditd, write their own
dispatcher, or write a plugin to the shipped dispatcher. This way the admin
knows exactly what processes have access to the data.
-Steve
More information about the Linux-audit
mailing list