[redhat-lspp] Re: audit messages during bootup

Steve Grubb sgrubb at redhat.com
Mon Jan 9 15:31:41 UTC 2006


On Saturday 07 January 2006 13:11, LC Bruzenak wrote:
> No, it doesn't that I know of. Was just thinking about personal
> experience when going through PL-4 evaluation and also the previous
> comment about booting from something other than the desired boot disk.

You do this and all bets are off. I would think in any classified environment 
that USB ports are disconnected, floppy drives removed, and CD-ROMs 
disconnected. Where that is unfeasible, they are disabled in password-protected 
BIOS.

> It would be trivial for the auditd to record the buffer contents on
> startup. If it added value (personally I can see some) without inducing
> problems it might help on the analysis; something I am interested in.

How would this be of benefit? What information would you be looking for?

> The problem of course is that audit data isn't stored independent of the
> system (and therefore the sysadmins) on which it is collected. So if a
> USB boot or otherwise happens not intended no desired audit happens
> either.

If you boot from USB, you will run the OS on that device and they likely have 
no interest in providing an audit trail. This is basically a physical 
security issue and/or system config issue from what I can tell.

-Steve



