rhgb no more

Steve Grubb sgrubb at redhat.com
Thu May 15 13:59:28 UTC 2008 

On Thursday 15 May 2008 09:02:10 Matthias Clasen wrote:
> On Thu, 2008-05-15 at 08:24 -0400, Steve Grubb wrote:
> > On Tuesday 13 May 2008 13:07:51 Ray Strode wrote:
> > > The replacement for rhgb will be a mixture of two things:
> > >
> > > 1) Starting gdm as early as possible and fitting it to give boot
> > > progress before asking for login.
> >
> > Please note that the audit daemon needs to start before any daemon if you
> > want it to work right. There's a couple reasons, one being that it
> > enables the audit system and without that, any process running before the
> > audit daemon is not auditable - ever. The work around is to add audit=1
> > to grub.conf, but then you get a performance hit for everyone.
> >
> > The second reason is that any audit event that occurs before the audit
> > daemon runs could be lost. There may be AVCs on boot that you want or
> > something else important that you wanted to capture.
> >
> > I guess the message is without coordination, some of our security
> > features may not be working right unless consideration is given to their
> > needs.
>
> It certainly doesn't help if these security features are 'special' in
> these little ways that then to easily break them.

The audit system is special in many ways. But people keep forgetting it. For 
example, the LSB headers forget to include audit as a facility even though it 
considers syslog a facility. Anyways...I have been receiving bug reports from 
people wondering why the audit system is broken. I eventually tracked it down 
to users doing a graphical boot.

> Isn't there something we can do to fix this ?

The problem is that there are some people that do not want auditing because 
they want performance. So they don't install the package. But anyone that 
does want auditd enabled needs it to start earlier than login processes and 
daemons. If the audit daemon is enabled, then just issuing "auditctl -e 1" is 
sufficient. But you wouldn't want to do that for the general case due to 
performance.

> Either make the audit system cope with userspace parts coming later, or if
> starting auditd first is really a hard requirement, implement that in a way
> that doesn't require mailing list reminders ?

I have it as low in init priority as I can get it. It even starts before 
rsyslog. If a graphical boot does not honor the settings in the init scripts, 
what am I supposed to do? Is there another directory that I need to drop a 
file into that gets picked up by the boot sequence?

-Steve

More information about the fedora-devel-list mailing list