Fwd: Re: Fw: Audit records for start/stop auditd

Klaus Weidner klaus at atsec.com
Fri Apr 8 17:10:30 UTC 2005


On Wed, Apr 06, 2005 at 11:21:26AM -0400, Steve Grubb wrote:
> BTW, If I send a SIGKILL to the audit daemon - it gets yanked out of memory by 
> the kernel without any courtesy. I wonder how this was covered by laus or is 
> this considered outside the bounds of what is reasonable? Same thing with a 
> user shell, there won't be a pam_close_session call.

Sending SIGKILL to auditd needs administrator privileges, and for CAPP we
can assume/require them not to do that.

The pam_close_session record isn't required by CAPP, we had a discussion
about session end records some time ago. It's generally less reliable
than the start record anyway since the session close record doesn't mean
that all processes launched by that user have terminated; some may have
been backgrounded.

> For LSPP are there additional requirements that we should consider now so that 
> this doesn't come up "next time"?

LSPP has essentially the same audit requirements as CAPP, it only adds
requirements for new fields related to the "sensitivity labels of
subjects, objects, or information involved".

-Klaus
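To make the point about session-end records concrete, here is an added example that is not part of the original thread or of the audit tooling it discusses. It reads a constructed, simplified record stream (the `LOGIN_START`/`LOGIN_END`/`PROC_START`/`PROC_END` record types, field names and timestamps are assumptions for illustration, not real auditd output) and reports which processes of a session were still alive when that session's close record was logged. The point it shows is that a session close record on its own cannot tell you the user's activity has ended; only per-process records can.

```python
# Added example, not code from the original thread. The record format is a
# constructed simplification for illustration and is NOT real auditd output.
from collections import defaultdict

# Constructed sample: session 7 leaves a backgrounded backup.sh (pid 502)
# running long after LOGIN_END; session 8 ends cleanly.
SAMPLE_RECORDS = """\
type=LOGIN_START time=100 ses=7 uid=1000
type=PROC_START time=101 ses=7 pid=501 comm=bash
type=PROC_START time=105 ses=7 pid=502 comm=backup.sh
type=PROC_END time=110 ses=7 pid=501
type=LOGIN_END time=110 ses=7 uid=1000
type=PROC_END time=900 ses=7 pid=502
type=LOGIN_START time=200 ses=8 uid=1001
type=PROC_START time=201 ses=8 pid=601 comm=bash
type=PROC_END time=205 ses=8 pid=601
type=LOGIN_END time=206 ses=8 uid=1001
"""


def parse_records(text):
    """Parse 'key=value' lines into a list of dicts (one per record)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(kv.split("=", 1) for kv in line.split()))
    return records


def survivors_after_session_end(records):
    """Return {ses: [pid, ...]} of processes started in a session that were
    still running when that session's LOGIN_END record was written.

    A process with no PROC_END at all is treated as still running."""
    proc_start = {}   # (ses, pid) -> start time
    proc_end = {}     # (ses, pid) -> end time
    session_end = {}  # ses -> time of LOGIN_END
    for r in records:
        ses, t = r["ses"], int(r["time"])
        if r["type"] == "PROC_START":
            proc_start[(ses, r["pid"])] = t
        elif r["type"] == "PROC_END":
            proc_end[(ses, r["pid"])] = t
        elif r["type"] == "LOGIN_END":
            session_end[ses] = t

    survivors = defaultdict(list)
    for (ses, pid) in proc_start:
        if ses not in session_end:
            continue  # session still open, nothing to judge yet
        ended_at = proc_end.get((ses, pid), float("inf"))
        if ended_at > session_end[ses]:
            survivors[ses].append(pid)
    return dict(survivors)


def sessions_with_activity_after_close(records):
    """Sessions whose close record did not mark the end of their activity."""
    return sorted(survivors_after_session_end(records))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(survivors_after_session_end(recs))
    print(sessions_with_activity_after_close(recs))
```

Run against the sample, session 7 is flagged with pid 502 outliving the close record while session 8 is clean; an audit reviewer who wanted "end of the user's activity" would therefore have to key on process records rather than on the session close alone.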
