> Proper kernel auditing is harder than it looks. Check the LSM mailing list
> archives for the last attempt to get auditing into the kernel - the idea
> was basically dropped.
.> ...<snip>...
In addition to all the points you covered, you also have to figure
out what to do if the log medium fills up or fails. In a high security
environment the only thing you can do is panic the system immediately,
because (unaudited) bad things might already be happening. You also
have to configure the system so it will not boot into multiuser
mode if the log has failed. (And *then* you get to deal with clueless
admins who will disable that feature in their desperation to get
the system up and running, but that's not really a technical problem.)
------
Chuck
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
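An added example, not part of Chuck's message or of any kernel audit code: a small user-space C model of the fail-closed policy described above. A sink accepts audit records until the medium fails (here a constructed in-memory "partition" that returns ENOSPC when full), and the failure mode decides whether the record is dropped silently, dropped with a complaint, or whether the machine panics; a boot-time gate then refuses multiuser on a log that has failed. The struct and function names, the fake medium and the sample record are assumptions of this example; the three modes mirror the silent/printk/panic numbering of `auditctl -f 0|1|2` that the Linux audit subsystem later adopted.

```c
/* Added example (not from the LKML message): fail-closed audit sink.
 * Names, fake medium and sample record are assumptions of the example. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum audit_fail_mode { AUDIT_FAIL_SILENT = 0, AUDIT_FAIL_PRINTK = 1, AUDIT_FAIL_PANIC = 2 };

struct audit_log;
/* Sink callback: returns bytes written, or -errno on failure. */
typedef long (*audit_sink_fn)(void *priv, const char *buf, size_t len);
/* Panic hook; in a kernel this would be panic() and never return. */
typedef void (*audit_panic_fn)(struct audit_log *log, const char *why);

struct audit_log {
    audit_sink_fn write;
    void *priv;
    enum audit_fail_mode mode;
    audit_panic_fn panic;
    int failed;          /* sticky: once the medium failed, nothing is trusted */
    int panicked;        /* set by the test panic hook instead of halting */
    unsigned long lost;  /* records that never reached the medium */
};

static void audit_fail(struct audit_log *log, const char *why)
{
    log->failed = 1;
    log->lost++;
    if (log->mode == AUDIT_FAIL_PANIC)
        log->panic(log, why);                  /* the high-security answer */
    else if (log->mode == AUDIT_FAIL_PRINTK)
        fprintf(stderr, "audit: %s, lost=%lu\n", why, log->lost);
    /* AUDIT_FAIL_SILENT: drop the record and say nothing */
}

/* Emit one record: 0 if it reached the medium, -1 if it was lost.
 * A short write is a loss too: a truncated record proves nothing. */
static int audit_write(struct audit_log *log, const char *record)
{
    size_t len = strlen(record);
    if (log->failed) {
        audit_fail(log, "medium already failed");
        return -1;
    }
    long n = log->write(log->priv, record, len);
    if (n < 0) {
        audit_fail(log, strerror((int)-n));   /* ENOSPC, EIO, ... */
        return -1;
    }
    if ((size_t)n != len) {
        audit_fail(log, "short write");
        return -1;
    }
    return 0;
}

/* Boot-time gate: do not go multiuser on a log that is not healthy. */
static int audit_multiuser_ok(const struct audit_log *log)
{
    return !log->failed;
}

/* Constructed stand-in for a partition that fills up: fixed capacity and
 * no partial records, so the overflowing write gets ENOSPC outright. */
struct fake_medium { char buf[256]; size_t used, cap; };

static long fake_write(void *priv, const char *buf, size_t len)
{
    struct fake_medium *m = priv;
    if (m->used + len > m->cap)
        return -ENOSPC;
    memcpy(m->buf + m->used, buf, len);
    m->used += len;
    return (long)len;
}

static void test_panic(struct audit_log *log, const char *why)
{
    (void)why;
    log->panicked = 1;   /* a real panic() would stop the machine here */
}

struct audit_result { int accepted; int panicked; unsigned long lost; int multiuser_ok; };

/* Push ten constructed 17-byte records at a medium of the given capacity
 * and report what the policy did once it filled. */
static struct audit_result run_until_full(enum audit_fail_mode mode, size_t cap)
{
    struct fake_medium m = { .used = 0, .cap = cap };
    struct audit_log log = { .write = fake_write, .priv = &m, .mode = mode,
                             .panic = test_panic, .failed = 0, .panicked = 0, .lost = 0 };
    struct audit_result r = { 0, 0, 0, 0 };
    if (m.cap > sizeof m.buf)
        m.cap = sizeof m.buf;
    for (int i = 0; i < 10 && !log.panicked; i++)
        if (audit_write(&log, "type=LOGIN uid=0\n") == 0)
            r.accepted++;
    r.panicked = log.panicked;
    r.lost = log.lost;
    r.multiuser_ok = audit_multiuser_ok(&log);
    return r;
}

int main(void)
{
    struct audit_result r = run_until_full(AUDIT_FAIL_PANIC, 64);
    printf("panic mode: accepted=%d panicked=%d multiuser_ok=%d\n",
           r.accepted, r.panicked, r.multiuser_ok);
    r = run_until_full(AUDIT_FAIL_PRINTK, 64);
    printf("printk mode: accepted=%d lost=%lu multiuser_ok=%d\n",
           r.accepted, r.lost, r.multiuser_ok);
    return 0;
}
```

With a 64-byte medium the fourth record overflows: in panic mode three records land and the hook fires on the fourth, in printk mode the same three land and every later record is counted as lost while the log stays marked failed, so the multiuser gate stays shut either way. The sticky `failed` flag is the point: once the medium has failed, a later write that happens to succeed must not make the log look healthy again, because the gap in between is exactly where the unaudited bad things happen.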