[redhat-lspp] audit messages during bootup
Steve Grubb
sgrubb at redhat.com
Fri Jan 6 03:45:05 UTC 2006

On Thursday 05 January 2006 21:53, Russell Coker wrote:
> That depends on when the auditd starts. Currently auditd starts at
> number 18 in run level 5, that's after named, portmap, and nfslock.

I had it starting after portmap in case someone was using an NFS directory for
the audit logs. However, audit-1.1.3, which was released today, has it
starting at 11, which is just before syslogd.

> > Or do we only care about the audit messages that occur once the system is
> > to a point where someone could attempt login?
>
> I think that we only really care about audit messages that occur when
> the system is capable of performing actions on behalf of users or
> network data. When the system is just running kudzu etc there's little
> need for it.

What about during autorelabel? Do we care if policy loads? What if policy does
not load due to a bad update or something?

> The only exception to this is hotplug. I believe that a USB device is
> an external object which can trigger code execution early in the boot
> process, which is a potential problem for this and other things.

Do we care about device allocation during boot? Or only the manual changes?

I'm just wanting to get a reading on this before we spend any time working out
a solution.

-Steve