[redhat-lspp] Re: audit messages during bootup

LC Bruzenak lenny at bruzenak.com
Mon Jan 9 16:18:20 UTC 2006


On Mon, 2006-01-09 at 10:31 -0500, Steve Grubb wrote:
> On Saturday 07 January 2006 13:11, LC Bruzenak wrote:
> > No, it doesn't that I know of. Was just thinking about personal
> > experience when going through PL-4 evaluation and also the previous
> > comment about booting from something other than the desired boot disk.
> 
> You do this and all bets are off. I would think in any classified environment 
> that USB ports are disconnected, floppy drives removed, and CD Roms 
> disconnected. Where that is unfeasible, they are disabled in password 
> protected BIOS.

In my current world I work with what I have. You are right; it comes
down to physical security. Actually a trade-off between physical
security and practicality. If your sysadmins also have the BIOS password
it narrows the threat list. In most evaluators' eyes they ARE the
threat. In some cases removing it from them isn't an option.

> 
> > It would be trivial for the auditd to record the buffer contents on
> > startup. If it added value (personally I can see some) without inducing
> > problems it might help on the analysis; something I am interested in.
> 
> How would this be of benefit? What information would you be looking for?

In my case I am thinking about an audit trail from bootup - something
maybe not of interest to everyone. 
If sending system audit to an independent audit machine I could
aggregate my LAN auditing. This would allow me to compare previous boot
messages and ensure the hardware config is still the same as previous,
no hardware errors exist at boot (sometimes machines are unattended and
non-fatal errors are not always obvious), etc.
Maybe there was a CD in the drive on boot. Maybe that meant someone was
testing the password-locked BIOS for CD-enabled boot and if I'm clever
enough to bring that up in the audit review maybe someone will catch it.
Maybe there is now a serial printer connected and the BIOS wasn't
secured on that port but that fact is now audited.
These are the kinds of things which could help an evaluation exercise if
you have at least made a non-trivial attempt to ensure your overall
system security. BTW, we do not (OK, rarely) have only 1-machine
installs but usually multiple clients looking at a server(s).

I realize it may not be appropriate for many installations of SE Linux
but if my group goes this route I will be doing all the above and more.

HTH,
LCB.

-- 
LC Bruzenak
lenny at bruzenak.com
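An added example of the boot-to-boot comparison described in the post above (not code from this thread or from auditd): a Python script that strips the per-boot timestamps from two kernel ring-buffer snapshots, reports device lines that appeared or disappeared since the previous boot, and flags error lines. The two snapshots, device names and messages are constructed samples, not real captures.

```python
import re

# Constructed sample kernel boot buffers (not real captures): the
# previous boot of a host and its current boot, as an aggregator
# collecting boot-time audit records might hold them.
PREVIOUS_BOOT = """\
[    0.000000] Linux version 2.6.x-example (build host) #1 SMP
[    1.234567] ata1.00: ATA-7: EXAMPLE-DISK, 1.00, max UDMA/133
[    1.345678] usb 1-1: new full speed USB device using uhci_hcd
[    2.456789] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
"""

CURRENT_BOOT = """\
[    0.000000] Linux version 2.6.x-example (build host) #1 SMP
[    1.230000] ata1.00: ATA-7: EXAMPLE-DISK, 1.00, max UDMA/133
[    1.350000] usb 1-1: new full speed USB device using uhci_hcd
[    1.400000] hdc: EXAMPLE-DVD, ATAPI CD/DVD-ROM drive
[    2.460000] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[    2.470000] serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
[    3.000000] sd 0:0:0:0: SCSI error: return code = 0x08000002
"""

# Leading "[ seconds.micros] " stamp that differs on every boot.
TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
# Words that mark a non-fatal hardware problem worth surfacing in review.
ERROR_WORDS = re.compile(r"\b(error|fail|failed|fault)\b", re.IGNORECASE)


def normalize(buffer):
    """Drop timestamps so only the message text of each line is compared."""
    return {TIMESTAMP.sub("", line).strip()
            for line in buffer.splitlines() if line.strip()}


def compare_boots(previous, current):
    """Return lines added since last boot, lines gone, and error lines."""
    prev, cur = normalize(previous), normalize(current)
    return {
        "added": sorted(cur - prev),      # e.g. a CD drive or new serial port
        "removed": sorted(prev - cur),    # hardware that vanished
        "errors": sorted(l for l in cur if ERROR_WORDS.search(l)),
    }


if __name__ == "__main__":
    for kind, lines in compare_boots(PREVIOUS_BOOT, CURRENT_BOOT).items():
        for line in lines:
            print(f"{kind.upper():8} {line}")
```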
