On Mon, 2013-07-08 at 17:26 -0400, Steve Grubb wrote:
> On Monday, July 08, 2013 04:51:20 PM Eric Paris wrote:
> > If we don't trust the audit system initialization we already lost and no
> > amount of audit= is going to change that.
>
> I'm thinking more about High Assurance cases where the boot
> partition/environment is removed from an attacker's reach. Consider use cases
> where you want to allow root, but you do not want them to make certain kinds
> of changes to the system by taking away certain capabilities in the initramfs
> which is outside of the control of anyone with root.

If that's the case, you must be loading the audit policy inside the
initramfs, and thus, you can set this inside the initrd. We MUST have
absolute trust until the audit.rules are processed. To get a boot
option, we have to show how this has value before the audit.rules are
loaded. And it doesn't... Not in any system I can imagine. Nor in the
description you gave above... What am I missing?