Date:      Fri, 03 Feb 2006 11:44:23 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, trhodes@freebsd.org
Subject:   Re: cvs commit: src/etc/rc.d Makefile auditd
Message-ID:  <43E3B297.3020001@FreeBSD.org>
In-Reply-To: <20060203095155.I38507@fledge.watson.org>
References:  <200602021002.k12A2u0u067172@repoman.freebsd.org> <43E2A089.7020202@FreeBSD.org> <20060203095155.I38507@fledge.watson.org>

Robert Watson wrote:
> 
> On Thu, 2 Feb 2006, Doug Barton wrote:
> 
>> I have a couple concerns about this. First the more general, I'm not
>> sure that /etc/security is a reasonable place for your config files.
>> That's a very general name, and the audit stuff is a very specific
>> project. That said, I'm not sure that we need yet another directory
>> under /etc, but I'm curious about what others think about this issue.
> 
> If I were picking a new directory name, it would be /etc/audit. 
> However, the name we picked was for compatibility with Solaris and Mac
> OS X, both of which store audit configuration files of the same names in
> the /etc/security directory.  

Ok, that's good enough for me. Sorry if I missed this detail in a previous
posting.

> Tom wrote these bits of the rc.d script, so I can't speak to the
> details.

Tom was kind enough to reply already to say that he'll test some of my
suggestions.

> However, I do know that auditd needs to be run strictly before
> any daemon that allows user login or authentication, such as inetd,
> sshd, etc.  Ideally it should run after syslog, though, since auditd
> errors are reported via syslogd.

Ok, this and Brooks' comment make things more clear. I don't see anything
that runs prior to DAEMON that fits the criteria you state here, so for now
you should be ok. Going forward, if there is anything which runs before
DAEMON which needs auditd support, it would (IMO) be better for that service
to REQUIRE: auditd. Making the ordering specific becomes increasingly
important as we add local/ports scripts to the base rcorder, and REQUIRE
generally works "better" than BEFORE. It's also a lot easier to debug.

Thanks for your (and Tom's) response. I'm relieved to hear that these issues
have already been well thought out, and I hope that this additional
information is useful.

Doug

-- 

    This .signature sanitized for your protection
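
Added example (not part of the original message and not FreeBSD's rcorder code): a small check over rc.d-style `PROVIDE`/`REQUIRE`/`BEFORE` headers that reports which login-capable services are not provably started after auditd. The script headers are constructed for illustration, and `earlylogin` is a hypothetical service that starts before DAEMON.

```python
import re

# rcorder(8) keywords as they appear in rc.d script comment headers.
HEADER = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

# Constructed headers for illustration, not the real FreeBSD scripts.
# "earlylogin" is a hypothetical login-capable service started before DAEMON.
SCRIPTS = {
    "syslogd": "# PROVIDE: syslogd\n",
    "auditd": "# PROVIDE: auditd\n# REQUIRE: syslogd\n# BEFORE: DAEMON\n",
    "DAEMON": "# PROVIDE: DAEMON\n# REQUIRE: syslogd\n",
    "inetd": "# PROVIDE: inetd\n# REQUIRE: DAEMON\n",
    "sshd": "# PROVIDE: sshd\n# REQUIRE: DAEMON\n",
    "earlylogin": "# PROVIDE: earlylogin\n# REQUIRE: syslogd\n",
}

def predecessors(scripts):
    """Map each script to the scripts that REQUIRE/BEFORE force ahead of it."""
    parsed = {n: HEADER.findall(t) for n, t in scripts.items()}
    provider = {p: n for n, kws in parsed.items()
                for k, v in kws if k == "PROVIDE" for p in v.split()}
    preds = {n: set() for n in scripts}
    for n, kws in parsed.items():
        for key, vals in kws:
            for target in vals.split():
                if target not in provider:
                    continue  # unknown provision: no edge
                if key == "REQUIRE":
                    preds[n].add(provider[target])
                elif key == "BEFORE":
                    preds[provider[target]].add(n)
    return preds

def guaranteed_before(preds, first, later):
    """True only if a dependency chain forces `first` to start before `later`."""
    seen, stack = set(), [later]
    while stack:
        for p in preds[stack.pop()] - seen:
            if p == first:
                return True
            seen.add(p)
            stack.append(p)
    return False

def unordered(scripts, first, services):
    """Services whose start is not provably after `first`."""
    preds = predecessors(scripts)
    return [s for s in services if not guaranteed_before(preds, first, s)]
```

With these headers, `unordered(SCRIPTS, "auditd", ["inetd", "sshd", "earlylogin"])` returns only `earlylogin`; appending `# REQUIRE: auditd` to that script's header makes the list empty.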



