[redhat-lspp] Re: audit messages during bootup

LC Bruzenak lenny at bruzenak.com
Mon Jan 9 17:22:14 UTC 2006


On Mon, 2006-01-09 at 11:43 -0500, Steve Grubb wrote:
> On Monday 09 January 2006 11:18, LC Bruzenak wrote:
> > In my case I am thinking about an audit trail from bootup - something
> > maybe not of interest to everyone.
> 
> The main problem I see is that if someone left their knoppix boot disk in the 
> cdrom tray and booted the machine, it likely will not have the audit hooks 
> compiled into the kernel nor the audit daemon. You are at the mercy of 
> whatever was installed to that disk. You can never count on getting an audit 
> trail from that scenario. If you actually got one, you have a courteous 
> hacker.

No - I was assuming here that the boot has been secured and I am getting
the usual boot info, not looking for boot info from a successful
malicious or non-approved attempt.

> 
> > If sending system audit to an independent audit machine I could
> > aggregate my LAN auditing.
> 
> This is in the works. That's one of the things audispd will do when it's 
> complete.
> 
> > This would allow me to compare previous boot messages and ensure the
> > hardware config is still the same as previous, no hardware errors exist at
> > boot (sometimes machines are unattended and non-fatal errors are not always
> > obvious), etc.
> 
> audit and syslog serve different functions. Syslog will have this kind of 
> information. Syslog is also capable of remote logging so you could script 
> something in the aggregator to look for this.

That would be fine.

> 
> > Maybe there was a CD in the drive on boot. Maybe that meant someone was
> > testing the password-locked BIOS for CD-enabled boot and if I'm clever
> > enough to bring that up in the audit review maybe someone will catch it.
> 
> The BIOS would have to save audit records...not very likely to happen.

What you said earlier would suffice - aggregating the syslog on the
"normal" (non-malicious) boot.

> 
> > Maybe there is now a serial printer connected and the BIOS wasn't
> > secured on that port but that fact is now audited.
> 
> It sounds like you want a system scanner to look at the machine config or 
> maybe have hal/udevd/kudzu collect what it sees.

That could also be an option.

> 
> > I realize it may not be appropriate for many installations of SE Linux
> > but if my group goes this route I will be doing all the above and more.
> 
> It's interesting. But sounds like something that can be cobbled together in 
> shell script. I am not planning to write one of these, but I'd be interested 
> in talking about this and looking at what others come up with. Does this map 
> to a requirement in DCID 6/3?

Yes. The details are not spelled out, so it is up to the system and the
evaluator as to the level of effort/interpretation.

LCB.

-- 
LC Bruzenak
lenny at bruzenak.com
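Added example, not code from this thread or from the audit project: the kind of aggregator-side shell script Steve suggests above. It takes two boot captures as they would arrive on a remote syslog host (syslog prefix plus the kernel's own uptime stamp), strips the parts that change on every boot, and diffs the hardware-detection lines against a saved baseline, so a serial port that appeared since the last boot or a non-fatal disk error shows up in the review. The two log files, their hostnames, device names and error lines are constructed for the example; the line patterns for what counts as "hardware" and "error" are an assumption you would tune to your own kernel's messages.

```sh
#!/bin/sh
# Compare the kernel boot messages of two boots collected by a syslog
# aggregator. Sample logs below are constructed for the example.
export LC_ALL=C   # consistent collation for sort(1) and comm(1)

# Assumed pattern for lines worth flagging as errors (tune to your kernel).
ERROR_PAT='error|fail|timeout|expir'

normalize_boot_log() {
    # Strip the syslog prefix ("Jan  9 08:15:44 lab01 kernel: ") and the
    # kernel uptime stamp ("[    2.118324] ") so only message text is compared.
    sed -e 's/^[A-Z][a-z][a-z] *[0-9][0-9]* [0-9:]* [^ ]* kernel: //' \
        -e 's/^\[ *[0-9.]*\] //' "$1"
}

hw_config_lines() {
    # Keep lines that describe detected hardware (assumed patterns), drop
    # error lines, and sort so comm(1) can diff the two sets.
    normalize_boot_log "$1" |
        grep -E '^(Linux version|Memory:|CPU[0-9]|hd[a-z]:|sd[a-z]:|eth[0-9]|ttyS[0-9]|usb |scsi)' |
        grep -viE "$ERROR_PAT" |
        sort -u
}

compare_boots() {
    # $1 = baseline boot log, $2 = current boot log.
    # Prints "+ line" for hardware seen now but not in the baseline and
    # "- line" for hardware that disappeared. Returns 1 if anything changed.
    tmpb=$(mktemp); tmpc=$(mktemp)
    hw_config_lines "$1" > "$tmpb"
    hw_config_lines "$2" > "$tmpc"
    changes=$( { comm -13 "$tmpb" "$tmpc" | sed 's/^/+ /'
                 comm -23 "$tmpb" "$tmpc" | sed 's/^/- /'; } )
    rm -f "$tmpb" "$tmpc"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

boot_errors() {
    # Non-fatal errors on an unattended machine are easy to miss; list them.
    normalize_boot_log "$1" | grep -iE "$ERROR_PAT" || true
}

# Constructed sample captures: a baseline boot and a later boot on which a
# second serial port appeared and the disk reported a DMA timeout.
WORKDIR=$(mktemp -d)
BASELINE_LOG="$WORKDIR/boot-baseline.log"
CURRENT_LOG="$WORKDIR/boot-current.log"
cat > "$BASELINE_LOG" <<'EOF'
Jan  2 08:12:01 lab01 kernel: [    0.000000] Linux version 2.6.15-1 (root@build) (gcc version 4.0.2)
Jan  2 08:12:01 lab01 kernel: [    0.000000] Memory: 1033612k/1048576k available
Jan  2 08:12:01 lab01 kernel: [    1.204511] CPU0: Intel(R) Pentium(R) 4 CPU 3.00GHz stepping 03
Jan  2 08:12:02 lab01 kernel: [    2.118324] hda: ST380013AS, ATA DISK drive
Jan  2 08:12:02 lab01 kernel: [    2.519940] hdc: LITE-ON DVD-ROM, ATAPI CD/DVD-ROM drive
Jan  2 08:12:02 lab01 kernel: [    3.002211] eth0: e1000 at 0xfe9c0000, 00:13:20:aa:bb:cc
Jan  2 08:12:02 lab01 kernel: [    3.410020] ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
Jan  2 08:12:03 lab01 kernel: [    4.100000] EXT3-fs: mounted filesystem with ordered data mode.
EOF
cat > "$CURRENT_LOG" <<'EOF'
Jan  9 08:15:44 lab01 kernel: [    0.000000] Linux version 2.6.15-1 (root@build) (gcc version 4.0.2)
Jan  9 08:15:44 lab01 kernel: [    0.000000] Memory: 1033612k/1048576k available
Jan  9 08:15:44 lab01 kernel: [    1.211873] CPU0: Intel(R) Pentium(R) 4 CPU 3.00GHz stepping 03
Jan  9 08:15:45 lab01 kernel: [    2.120040] hda: ST380013AS, ATA DISK drive
Jan  9 08:15:45 lab01 kernel: [    2.522311] hdc: LITE-ON DVD-ROM, ATAPI CD/DVD-ROM drive
Jan  9 08:15:45 lab01 kernel: [    3.005876] eth0: e1000 at 0xfe9c0000, 00:13:20:aa:bb:cc
Jan  9 08:15:45 lab01 kernel: [    3.412290] ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
Jan  9 08:15:45 lab01 kernel: [    3.412500] ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
Jan  9 08:15:46 lab01 kernel: [    4.102330] EXT3-fs: mounted filesystem with ordered data mode.
Jan  9 08:15:51 lab01 kernel: [    9.500213] hda: dma_timer_expiry: dma status == 0x21
Jan  9 08:15:51 lab01 kernel: [    9.500220] hda: DMA timeout error
EOF

echo "== hardware changes since baseline boot =="
if compare_boots "$BASELINE_LOG" "$CURRENT_LOG"; then
    echo "(none)"
fi
echo "== error lines in current boot =="
boot_errors "$CURRENT_LOG"
# Sample files are left in $WORKDIR for inspection.
```

On the sample data the report lists "+ ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A" and the two hda error lines; compare_boots returns 1 when the hardware set changed, so a cron job on the aggregator can turn that status into an alert. Day and time of the boot and the kernel uptime stamps are stripped before comparison, which is why an otherwise identical boot on a different day produces no noise.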
