[redhat-lspp] Re: audit messages during bootup

LC Bruzenak lenny at bruzenak.com
Sat Jan 7 18:11:57 UTC 2006


On Sat, 2006-01-07 at 08:41 -0500, Steve Grubb wrote:
> On Friday 06 January 2006 14:53, LC Bruzenak wrote:
> > Auditing the dmesg buffer contents would be desirable.
> 
> What would this do? Does this map to any security standard?
...

No, it doesn't that I know of. Was just thinking about personal
experience when going through PL-4 evaluation and also the previous
comment about booting from something other than the desired boot disk.
It would be trivial for the auditd to record the buffer contents on
startup. If it added value (personally I can see some) without inducing
problems it might help on the analysis; something I am interested in.

The problem of course is that audit data isn't stored independent of the
system (and therefore the sysadmins) on which it is collected. So if a
USB boot or otherwise happens not intended, no desired audit happens
either.

This is also not in the DCID-6/3 to which we were liable but a common
theme all accreditors echoed. I suspect there may be something to this
in the successor standard to the DCID.

Thanks for the audit list info; I'll subscribe.

-- 
LC Bruzenak
lenny at bruzenak.com



