[redhat-lspp] audit messages during bootup
Timothy R. Chavez
tinytim at us.ibm.com
Fri Jan 6 21:24:09 UTC 2006
On Friday 06 January 2006 15:04, Dustin Kirkland wrote:
> On Fri, 2006-01-06 at 16:42 +1100, Russell Coker wrote:
> > I find it difficult to imagine a situation where NFS would be an
> > appropriate way of dealing with audit data. I also find it difficult to
> > imagine why anyone who has a serious need for auditd (as opposed to the
> > majority who either just want it for SE Linux events or who don't even
> > know what it is) would even want to run NFS3 on their machines.
>
> I can think of a few advantages logging to networked filesystems offers:
>
> 1) the ability to retain vastly larger logs
> 2) centralized location for audit logs of multiple machines
> 3) remote data in the case of system failure/crash/compromise
>
> :-Dustin
>
I think there is one big disadvantage with using NFS...
What guarantee can we make that the audit record is logged to a remote disk
using NFS? What if the server suddenly drops out as the record is being
written? Seems like if we are going to do network logging, it should be done
using a connection-based scheme, right? This way the logging behavior on a
remote machine is exactly the same as it is on a local machine.
kernel->auditd->audispd->(input,filter,output)->remote_auditd->remote_audispd
Isn't this, in fact, one of the arguments made for audispd?
-tim