[redhat-lspp] audit messages during bootup

Russell Coker rcoker at redhat.com
Fri Jan 6 22:16:42 UTC 2006


On Fri, 2006-01-06 at 15:04 -0600, Dustin Kirkland wrote:
> On Fri, 2006-01-06 at 16:42 +1100, Russell Coker wrote:
> > I find it difficult to imagine a situation where NFS would be an
> > appropriate way of dealing with audit data.  I also find it difficult to
> > imagine why anyone who has a serious need for auditd (as opposed to the
> > majority who either just want it for SE Linux events or who don't even
> > know what it is) would even want to run NFS3 on their machines.
> 
> I can think of a few advantages logging to networked filesystems offers:
> 
> 1) the ability to retain vastly larger logs
> 2) centralized location for audit logs of multiple machines
> 3) remote data in the case of system failure/crash/compromise

It seems to me that the best solution to those problems is to write a
network protocol for managing such data.

NFS is a complex protocol and configuring firewalls for it is a PITA
(several ports are required and the port numbers vary).

I consider NFS3 to be a security problem so it's not something I'd
install without a trusted network and equal trust of hosts on both ends
(something that's often not available).

The features of a general purpose file system don't quite match the
features we require of auditing.  For example if an NFS server is down
do we want the auditd to just hang or have the option to skip some
messages?  Some sites would want extreme actions (such as halting the
machine) if the server has a temporary failure, but probably most sites
(i.e. non-government and non-military) would want the ability to drop some
messages.

Some sort of message signing of the network protocol would be handy too.
Sure we could have signed messages in a plain file over NFS but is that
the best way to do it?
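As an added illustration of the two design points raised in this mail (a dedicated audit transport whose failure policy is configurable per site, and per-message signing), here is a small self-contained model. It is not code from this thread or from the Linux audit project; the HMAC key, the host name, the `drop`/`halt` policy names and the in-memory stand-in for the network link are all constructed for the example. Each record carries a per-host sequence number under the signature, so a collector can both reject forged or altered records and see exactly which records a sender chose to drop while the collector was unreachable.

```python
import hashlib
import hmac
import itertools
import json

# Constructed demo key; a real deployment would provision a per-host key.
KEY = b"constructed-demo-key"


class AuditHalt(Exception):
    """Raised when the 'halt' policy refuses to continue without audit delivery."""


def sign_record(key, seq, host, msg):
    """Serialise one audit record and append an HMAC-SHA256 over it."""
    body = json.dumps({"seq": seq, "host": host, "msg": msg},
                      sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + mac


def verify_record(key, wire):
    """Return the parsed record if the MAC checks out, else None."""
    body, _, mac = wire.rpartition("|")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


class AuditCollector:
    """Receiving side: verifies signatures and tracks sequence gaps per host."""

    def __init__(self, key):
        self.key = key
        self.records = []
        self.rejected = 0
        self.gaps = []          # (host, first_missing_seq, last_missing_seq)
        self.last_seq = {}

    def receive(self, wire):
        rec = verify_record(self.key, wire)
        if rec is None:
            self.rejected += 1  # forged, altered or wrong-key record
            return False
        last = self.last_seq.get(rec["host"])
        if last is not None and rec["seq"] != last + 1:
            self.gaps.append((rec["host"], last + 1, rec["seq"] - 1))
        self.last_seq[rec["host"]] = rec["seq"]
        self.records.append(rec)
        return True


class FlakyTransport:
    """Constructed stand-in for the network link: raises OSError on chosen calls."""

    def __init__(self, collector, fail_on=()):
        self.collector = collector
        self.fail_on = set(fail_on)
        self.calls = 0

    def __call__(self, wire):
        self.calls += 1
        if self.calls in self.fail_on:
            raise OSError("collector unreachable")
        self.collector.receive(wire)


class AuditSender:
    """Sending side: signs each record; on transport failure applies the site policy."""

    def __init__(self, key, host, transport, on_failure="drop"):
        if on_failure not in ("drop", "halt"):
            raise ValueError("policy must be 'drop' or 'halt'")
        self.key, self.host, self.transport = key, host, transport
        self.on_failure = on_failure
        self.seq = itertools.count(1)
        self.dropped = 0

    def emit(self, msg):
        seq = next(self.seq)
        wire = sign_record(self.key, seq, self.host, msg)
        try:
            self.transport(wire)
        except OSError as exc:
            self.dropped += 1
            if self.on_failure == "halt":
                raise AuditHalt(f"audit delivery failed at seq {seq}: {exc}")
            return False          # 'drop': keep running, the gap stays visible
        return True


def run_demo(policy="drop"):
    """Send five constructed events over a link that fails on the third call."""
    collector = AuditCollector(KEY)
    link = FlakyTransport(collector, fail_on={3})
    sender = AuditSender(KEY, "host-a", link, on_failure=policy)
    for i in range(5):
        sender.emit(f"constructed event {i}")
    return {"delivered": len(collector.records), "dropped": sender.dropped,
            "gaps": collector.gaps, "rejected": collector.rejected}


if __name__ == "__main__":
    print(run_demo("drop"))
```

With the `drop` policy the collector ends up with records 1, 2, 4 and 5 and a recorded gap for sequence 3; with `halt` the third `emit` raises `AuditHalt` instead, which is the "extreme action" option for sites that would rather stop than lose a record. Either way, an altered record fails `verify_record` and is counted as rejected rather than silently stored.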
