[redhat-lspp] Re: audit messages during bootup
Steve Grubb
sgrubb at redhat.com
Mon Jan 9 15:31:41 UTC 2006
On Saturday 07 January 2006 13:11, LC Bruzenak wrote:
> No, it doesn't that I know of. Was just thinking about personal
> experience when going through PL-4 evaluation and also the previous
> comment about booting from something other than the desired boot disk.
You do this and all bets are off. I would think in any classified environment
that USB ports are disconnected, floppy drives removed, and CD-ROMs
disconnected. Where that is unfeasible, they are disabled in password-protected
BIOS.
> It would be trivial for the auditd to record the buffer contents on
> startup. If it added value (personally I can see some) without inducing
> problems it might help on the analysis; something I am interested in.
How would this be of benefit? What information would you be looking for?
> The problem of course is that audit data isn't stored independent of the
> system (and therefore the sysadmins) on which it is collected. So if a
> USB boot or otherwise happens not intended, no desired audit happens
> either.
If you boot from USB, you will run the OS on that device and they likely have
no interest in providing an audit trail. This is basically a physical
security issue and/or system config issue from what I can tell.
-Steve