From owner-cvs-all@FreeBSD.ORG Fri Feb 3 09:54:53 2006 Return-Path: X-Original-To: cvs-all@FreeBSD.org Delivered-To: cvs-all@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A017F16A420; Fri, 3 Feb 2006 09:54:53 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 21F4143D45; Fri, 3 Feb 2006 09:54:53 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id A6B0646B9B; Fri, 3 Feb 2006 04:54:41 -0500 (EST) Date: Fri, 3 Feb 2006 09:56:56 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Doug Barton In-Reply-To: <43E2A089.7020202@FreeBSD.org> Message-ID: <20060203095155.I38507@fledge.watson.org> References: <200602021002.k12A2u0u067172@repoman.freebsd.org> <43E2A089.7020202@FreeBSD.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org, trhodes@freebsd.org Subject: Re: cvs commit: src/etc/rc.d Makefile auditd X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Feb 2006 09:54:53 -0000 On Thu, 2 Feb 2006, Doug Barton wrote: > I have a couple concerns about this. First the more general, I'm not sure > that /etc/security is a reasonable place for your config files. That's a > very general name, and the audit stuff is a very specific project. That > said, I'm not sure that we need yet another directory under /etc, but I'm > curious about what others think about this issue. If I were picking a new directory name, it would be /etc/audit. However, the name we picked was for compatibility with Solaris and Mac OS X, both of which store audit configuration files of the same names in the /etc/security directory. Linux also uses /etc/security directory for various security-related configuration files, although not for configuring BSM as it doesn't support BSM. > My more specific concern is about some aspects of the rc.d script. First, > it's not clear why you need BEFORE: DAEMON, generally services like this > would REQUIRE: DAEMON instead. Is there a good reason that this has to start > earlier than that? It's also generally a bad thing to use BEFORE when it's > not absolutely necessary. Is there something else that could REQUIRE auditd > that would get you the same or similar ordering? Next, I'm pretty sure you > don't need the test for the pid file in auditd_stop, rc.subr should handle > that for you. Please test that, and if it doesn't work properly let > freebsd-rc@ know about it. You should probably also add the shutdown KEYWORD > so that this gets killed off properly on system shutdown. Finally, I'm > pretty sure that command_args="${auditd_flags}" is not needed. If you find > that it is, that's worth mentioning on freebsd-rc@ as well. Tom wrote these bits of the rc.d script, so I can't speak to the details. However, I do know that auditd needs to be run strictly before any daemon that allows user login or authentication, such as inetd, sshd, etc. Ideally it should run after syslog, though, since auditd errors are reported via syslogd. Robert N M Watson