cvs commit: src/etc/rc.d Makefile auditd

Robert Watson rwatson at FreeBSD.org
Fri Feb 3 01:54:53 PST 2006 

On Thu, 2 Feb 2006, Doug Barton wrote:

> I have a couple concerns about this. First the more general, I'm not sure 
> that /etc/security is a reasonable place for your config files. That's a 
> very general name, and the audit stuff is a very specific project. That 
> said, I'm not sure that we need yet another directory under /etc, but I'm 
> curious about what others think about this issue.

If I were picking a new directory name, it would be /etc/audit.  However, the 
name we picked was for compatibility with Solaris and Mac OS X, both of which 
store audit configuration files of the same names in the /etc/security 
directory.  Linux also uses /etc/security directory for various 
security-related configuration files, although not for configuring BSM as it 
doesn't support BSM.

> My more specific concern is about some aspects of the rc.d script. First, 
> it's not clear why you need BEFORE:  DAEMON, generally services like this 
> would REQUIRE: DAEMON instead. Is there a good reason that this has to start 
> earlier than that? It's also generally a bad thing to use BEFORE when it's 
> not absolutely necessary. Is there something else that could REQUIRE auditd 
> that would get you the same or similar ordering? Next, I'm pretty sure you 
> don't need the test for the pid file in auditd_stop, rc.subr should handle 
> that for you. Please test that, and if it doesn't work properly let 
> freebsd-rc@ know about it. You should probably also add the shutdown KEYWORD 
> so that this gets killed off properly on system shutdown. Finally, I'm 
> pretty sure that command_args="${auditd_flags}" is not needed. If you find 
> that it is, that's worth mentioning on freebsd-rc@ as well.

Tom wrote these bits of the rc.d script, so I can't speak to the details. 
However, I do know that auditd needs to be run strictly before any daemon that 
allows user login or authentication, such as inetd, sshd, etc.  Ideally it 
should run after syslog, though, since auditd errors are reported via syslogd.

Robert N M Watson

More information about the cvs-src mailing list