Re: [Fed-Talk] Put /var on a separate partition?
- Subject: Re: [Fed-Talk] Put /var on a separate partition?
- From: Todd Heberlein <email@hidden>
- Date: Thu, 18 Sep 2014 10:22:22 -0700
> I’ve read the Mac STIGS,
A related tangent… and why these policy issues can be challenging.
Sun’s BSM auditing system ~1992 (which is the basis for Apple's current audit system) had a default policy to halt the system if an event could not be audited. I think (?) this was part of the Orange Book recommendation (and the Tan Book for just auditing), and it made sense if you had a bunch of smart guys in a room coming up with policy. After all, you don’t want a bad guy to avoid being audited/detected by simply filling up the hard disk with logs and data.
The first offsite BSM installation I did was at LLNL, and a few days later I got a call from the administrator — his machine had stopped working. He couldn’t even log in as root to change the BSM setting (because this action should be audited).
Fortunately he was *very* understanding, and we worked it out.
I believe Apple’s BSM still has the same policy option (policy: ahlt). I do *not* recommend anyone use this policy. :)
Todd
PS. Fortunately (for us) we did catch a guy breaking into the LLNL machines from LANL and stealing LLNL’s passwords, so the extra security at LLNL did come in handy.
PPS. As a user, I like not having multiple partitions to manage. As an audit trail guy, I wish there was a separate partition on every user’s machine dedicated to logging. I am conflicted on this issue.
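An added example, not part of Todd's message: a small POSIX shell check that reads an OpenBSM audit_control(5) file, reports whether the `policy:` line carries the `ahlt` flag he warns about (halt the host when an event cannot be written to the trail) or the `cnt` flag (keep running and count lost records), and shows the `minfree:` low-disk threshold, which matters because a full /var is exactly how `ahlt` ends up firing. The two configuration files are constructed for the demo; on a real macOS host the file is assumed to live at /etc/security/audit_control.

```shell
#!/bin/sh
# Added example: inspect an audit_control(5) file for the "ahlt" policy.
# The sample files below are constructed; the real file on macOS is
# assumed to be /etc/security/audit_control.

# Print the value of one "key:" line from an audit_control file.
audit_control_get() {
    # $1 = key name (e.g. policy, minfree), $2 = file
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1
}

# Print HALT if the policy list contains ahlt (system halts on audit
# failure), CONTINUE if it contains cnt (auditd keeps going and counts
# lost records), UNSET if neither flag is present.
audit_halt_policy() {
    policy=$(audit_control_get policy "$1")
    case ",$policy," in
        *,ahlt,*) echo HALT ;;
        *,cnt,*)  echo CONTINUE ;;
        *)        echo UNSET ;;
    esac
}

# Print the minfree percentage (free space on the audit partition below
# which auditd warns), or 0 when the key is absent.
audit_minfree() {
    mf=$(audit_control_get minfree "$1")
    echo "${mf:-0}"
}

# Constructed sample configurations for the demo (not from any real host).
tmpdir=$(mktemp -d)
SAFE_CFG="$tmpdir/audit_control.cnt"
HALT_CFG="$tmpdir/audit_control.ahlt"
printf 'dir:/var/audit\nflags:lo,aa\nminfree:5\nnaflags:lo,aa\npolicy:cnt,argv\nfilesz:2M\n' > "$SAFE_CFG"
printf 'dir:/var/audit\nflags:lo,aa,ad\nminfree:20\nnaflags:lo\npolicy:ahlt,argv\nfilesz:2M\n' > "$HALT_CFG"

for f in "$SAFE_CFG" "$HALT_CFG"; do
    echo "$f: policy=$(audit_halt_policy "$f") minfree=$(audit_minfree "$f")%"
done
```

A HALT verdict is the configuration Todd describes: the host stops when the audit partition fills, and even the root login needed to change the setting is itself an auditable event.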
Fed-talk mailing list (email@hidden)