rhgb no more
sgrubb at redhat.com
Thu May 15 14:56:58 UTC 2008
On Thursday 15 May 2008 10:41:30 Matthias Clasen wrote:
> On Thu, 2008-05-15 at 09:59 -0400, Steve Grubb wrote:
> > > Either make the audit system cope with userspace parts coming later, or
> > > if starting auditd first is really a hard requirement, implement that
> > > in a way that doesn't require mailing list reminders ?
> > I have it as low in init priority as I can get it. It even starts before
> > rsyslog. If a graphical boot does not honor the settings in the init
> > scripts, what am I supposed to do? Is there another directory that I need
> > to drop a file into that gets picked up by the boot sequence?
> Out of interest, does that mean that unlocking an encrypted disk leaves
> no audit trail ?
This is completely unaudited. It probably should be audited, but I'd need to
know more about it to see if its done before the kernel is running or after.
If its before, there's not a lot you can do except slow down the number of
attempts and render the machine unusable by refusing to accept anymore
passphrases. If its after the kernel is running, then yes an audit event
should be sent into the kernel.
More information about the devel