[redhat-lspp] audit messages during bootup

Russell Coker rcoker at redhat.com
Fri Jan 6 02:53:30 UTC 2006


On Thu, 2006-01-05 at 17:36 -0500, Steve Grubb wrote:
> I was wondering if we need to capture all audit messages during bootup to the 
> audit system. The reason I ask is that there are AVC messages that can occur 
> before the audit daemon is running.

That depends on when the auditd starts.  Currently auditd starts at
number 18 in run level 5, that's after named, portmap, and nfslock.  I
think that this is wrong, it should start at about number 12 (same as
syslogd).

> Or do we only care about the audit messages that occur once the system is to a 
> point where someone could attempt login?

I think that we only really care about audit messages that occur when
the system is capable of performing actions on behalf of users or
network data.  When the system is just running kudzu etc there's little
need for it.

The only exception to this is hotplug.  I believe that a USB device is
an external object which can trigger code execution early in the boot
process, which is a potential problem for this and other things.
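
The start-order concern raised in this message can be checked on a SysV-init system by listing which services a runlevel directory starts before auditd. The script below is an added example, not part of the original message; the function names, the watch list and the sample priorities (other than auditd at 18) are constructed for illustration.

```shell
#!/bin/sh
# Print the names of services whose S links run before auditd's in a
# SysV runlevel directory (e.g. /etc/rc5.d). Returns 2 if auditd has no S link.
started_before_auditd() {
    rcdir=$1
    before=""
    # The glob expands in sorted order, the order in which S links are run.
    for path in "$rcdir"/S[0-9][0-9]*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        link=${path##*/}
        name=${link#S[0-9][0-9]}
        if [ "$name" = "auditd" ]; then
            printf '%s' "$before"
            return 0
        fi
        before="$before$name
"
    done
    echo "auditd has no start link in $rcdir" >&2
    return 2
}

# Print the services from a watch list (remaining arguments) that start
# before auditd, i.e. whose early activity auditd cannot record.
unaudited_services() {
    rcdir=$1; shift
    early=$(started_before_auditd "$rcdir") || return 2
    for svc in "$@"; do
        if printf '%s\n' "$early" | grep -qxF -- "$svc"; then
            echo "$svc"
        fi
    done
    return 0
}

# Build a throwaway runlevel directory from the given link names (constructed data).
make_sample_rc() {
    d=$(mktemp -d)
    for l in "$@"; do : > "$d/$l"; done
    echo "$d"
}

# Constructed layout with auditd at 18, as the message describes.
sample=$(make_sample_rc S10network S12syslog S13portmap S14nfslock S16named S18auditd S55sshd)
unaudited_services "$sample" named portmap nfslock sshd
rm -rf "$sample"
```

On a real system, point `unaudited_services` at the runlevel directory in use and pass the network-facing services you care about as the watch list.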



