[PATCH 7/7] audit: audit feature to set loginuid immutable
Eric Paris
eparis at redhat.com
Mon Jul 8 21:32:31 UTC 2013
On Mon, 2013-07-08 at 17:26 -0400, Steve Grubb wrote:
> On Monday, July 08, 2013 04:51:20 PM Eric Paris wrote:
> > If we don't trust the audit system initialization we already lost and no
> > amount of audit= is going to change that.
>
> I'm thinking more about High Assurance cases where the boot
> partition/environment is removed from an attacker's reach. Consider use cases
> where you want to allow root, but you do not want them to make certain kinds
> of changes to the system by taking away certain capabilities in the initramfs
> which is outside of the control of anyone with root.
If that's the case, you must be loading the audit policy inside the
initramfs, and thus, you can set this inside the initrd. We MUST have
absolute trust until the audit.rules are processed. To get a boot
option, we have to show how this has value before the audit.rules are
loaded. And it doesn't... Not in any system I can imagine. Nor in the
description you gave above... What am I missing?
More information about the Linux-audit
mailing list