From: Doug Barton
Organization: http://www.FreeBSD.org/
Date: Fri, 03 Feb 2006 11:44:23 -0800
To: Robert Watson
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, trhodes@freebsd.org
Subject: Re: cvs commit: src/etc/rc.d Makefile auditd
Message-ID: <43E3B297.3020001@FreeBSD.org>
In-Reply-To: <20060203095155.I38507@fledge.watson.org>
References: <200602021002.k12A2u0u067172@repoman.freebsd.org> <43E2A089.7020202@FreeBSD.org> <20060203095155.I38507@fledge.watson.org>

Robert Watson wrote:
>
> On Thu, 2 Feb 2006, Doug Barton wrote:
>
>> I have a couple concerns about this. First the more general, I'm not
>> sure that /etc/security is a reasonable place for your config files.
>> That's a very general name, and the audit stuff is a very specific
>> project. That said, I'm not sure that we need yet another directory
>> under /etc, but I'm curious about what others think about this issue.
>
> If I were picking a new directory name, it would be /etc/audit.
> However, the name we picked was for compatibility with Solaris and Mac
> OS X, both of which store audit configuration files of the same names in
> the /etc/security directory.

Ok, that's good enough for me. Sorry if I missed this detail in a previous
posting.

> Tom wrote these bits of the rc.d script, so I can't speak to the
> details.

Tom was kind enough to reply already to say that he'll test some of my
suggestions.

> However, I do know that auditd needs to be run strictly before
> any daemon that allows user login or authentication, such as inetd,
> sshd, etc. Ideally it should run after syslog, though, since auditd
> errors are reported via syslogd.

Ok, this and Brooks' comment make things more clear. I don't see anything
that runs prior to DAEMON that fits the criteria you state here, so for now
you should be ok.

Going forward, if there is anything which runs before DAEMON which needs
auditd support, it would (IMO) be better for that service to REQUIRE:
auditd. Making the ordering specific becomes increasingly important as we
add local/ports scripts to the base rcorder, and REQUIRE generally works
"better" than BEFORE. It's also a lot easier to debug.

Thanks for your (and Tom's) response. I'm relieved to hear that these
issues have already been well thought out, and I hope that this
additional information is useful.

Doug

-- 
This .signature sanitized for your protection
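The ordering argument in the thread (auditd after syslogd, before anything that accepts logins, and REQUIRE being a firmer tool than BEFORE) can be checked mechanically. The following is an added example, not code from the mail, from FreeBSD, or from rcorder(8) itself: it is a simplified model of how rcorder turns `# PROVIDE:`, `# REQUIRE:` and `# BEFORE:` header lines into a start order (KEYWORD and the real scripts' full dependency lists are not modelled, and the alphabetical tie-breaking is this model's, not rcorder's). The rc.d headers are constructed and shortened, and `earlylogin` is a hypothetical login-capable service that runs before DAEMON, standing in for the case the mail describes. `guaranteed_before` answers the question that matters for an audit invariant: is the order forced by the headers, or does it merely happen to come out right?

```python
"""Simplified rcorder-style dependency model for checking auditd placement.

Added example; models PROVIDE / REQUIRE / BEFORE only, not rcorder(8).
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.MULTILINE)


def parse_header(text):
    """Collect the PROVIDE/REQUIRE/BEFORE names declared in an rc.d script header."""
    deps = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, names in HEADER_RE.findall(text):
        deps[key].extend(names.split())
    return deps


def build_graph(scripts):
    """Return {script: set(successors)}; an edge a -> b means a must start before b."""
    headers = {name: parse_header(text) for name, text in scripts.items()}
    providers = defaultdict(list)          # provided name -> scripts providing it
    for name, hdr in headers.items():
        for provided in hdr["PROVIDE"]:
            providers[provided].append(name)
    graph = {name: set() for name in scripts}
    for name, hdr in headers.items():
        for req in hdr["REQUIRE"]:         # provider of req starts before name
            if req not in providers:
                raise ValueError(f"{name}: REQUIRE {req} is provided by no script")
            for prov in providers[req]:
                graph[prov].add(name)
        for bef in hdr["BEFORE"]:          # name starts before provider of bef
            for prov in providers.get(bef, ()):
                graph[name].add(prov)
    return graph


def rc_order(scripts):
    """Topological start order; unconstrained scripts are tie-broken alphabetically."""
    graph = build_graph(scripts)
    indeg = {name: 0 for name in graph}
    for succs in graph.values():
        for succ in succs:
            indeg[succ] += 1
    ready = sorted(name for name in graph if indeg[name] == 0)
    order = []
    while ready:
        cur = ready.pop(0)
        order.append(cur)
        for succ in graph[cur]:
            indeg[succ] -= 1
            if indeg[succ] == 0:
                ready.append(succ)
        ready.sort()
    if len(order) != len(graph):
        raise ValueError("dependency cycle in rc.d headers")
    return order


def guaranteed_before(scripts, first, second):
    """True only if every order satisfying the headers starts `first` before `second`,
    i.e. the headers force a dependency path from first to second."""
    graph = build_graph(scripts)
    stack, seen = [first], set()
    while stack:
        cur = stack.pop()
        if cur == second:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(graph[cur])
    return False


# Constructed, shortened rc.d headers (real FreeBSD scripts declare more dependencies).
COMMON = {
    "FILESYSTEMS": "#!/bin/sh\n# PROVIDE: FILESYSTEMS\n",
    "syslogd": "#!/bin/sh\n# PROVIDE: syslogd\n# REQUIRE: FILESYSTEMS\n",
    "DAEMON": "#!/bin/sh\n# PROVIDE: DAEMON\n# REQUIRE: syslogd\n",
    "LOGIN": "#!/bin/sh\n# PROVIDE: LOGIN\n# REQUIRE: DAEMON\n",
    "sshd": "#!/bin/sh\n# PROVIDE: sshd\n# REQUIRE: LOGIN\n",
    "inetd": "#!/bin/sh\n# PROVIDE: inetd\n# REQUIRE: LOGIN\n",
    # hypothetical service that accepts logins yet is placed before DAEMON
    "earlylogin": "#!/bin/sh\n# PROVIDE: earlylogin\n# REQUIRE: syslogd\n# BEFORE: DAEMON\n",
}
# auditd placed with BEFORE: DAEMON only (assumed placement, not the project's file)
AUDITD = "#!/bin/sh\n# PROVIDE: auditd\n# REQUIRE: syslogd\n# BEFORE: DAEMON\n"
BEFORE_STYLE = dict(COMMON, auditd=AUDITD)
# the mail's recommendation: the early service itself says REQUIRE: auditd
REQUIRE_STYLE = dict(
    COMMON, auditd=AUDITD,
    earlylogin="#!/bin/sh\n# PROVIDE: earlylogin\n# REQUIRE: syslogd auditd\n# BEFORE: DAEMON\n",
)

if __name__ == "__main__":
    for label, scripts in (("BEFORE style", BEFORE_STYLE), ("REQUIRE style", REQUIRE_STYLE)):
        print(label, "order:", " ".join(rc_order(scripts)))
        for daemon in ("sshd", "inetd", "earlylogin"):
            print(f"  auditd before {daemon} guaranteed:",
                  guaranteed_before(scripts, "auditd", daemon))
```

In the BEFORE-only layout the computed order still happens to start auditd ahead of `earlylogin`, but nothing in the headers requires it; `guaranteed_before` reports that, and a different tie-break (or an added ports script) could silently flip the two. Adding `# REQUIRE: auditd` to the early service turns the lucky order into a forced one, which is the difference the mail is pointing at.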