On Wed, Jan 05, 2005 at 01:19:15PM -0500, Peter Martuccelli wrote:
On Wed, 2005-01-05 at 13:11, Steve Grubb wrote:
> On Wednesday 05 January 2005 11:40, Casey Schaufler wrote:
> > the only behavior that has ever been considered reliable is
> > for the audit deamon to send the system into
> > single user (or turn it off) when audit space is
> > not available.
>
> So then how do you bring it back up? If it shuts down when there's no room and
> you restart the system, there's still no room. Is it expected for users to
> disable auditing at boot, or boot to single user mode and then clear disk
> space? Just curious what the customer support for this is like.
You can disable the syscall audit and SELinux support on the kernel
command line. Would documenting the kernel command line options of
"audit=0 selinux=0" suffice for CAPP? This way a user has a documented
process for recovering from a disk full condition.
In this approach, the startup files need to ensure that the system
doesn't silently accept user logins with no audit trail. The scripts
could for example switch to single user mode automatically when audit is
off.
The LAuS implementation would have disabled remote login automatically
due to the pam_laus.so module being _required_, with only console login
possible where it is listed as _optional_ in the PAM config file.
The details should be the admin's choice, but the supported behaviours
must include a secure operating mode.
-Klaus