On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
On 2012-08-01 00:00:19, Tyler Hicks wrote:
> Hello Steve - This is a patch set that allows --disable-listener to be
> passed to the configure script to disable the auditd network listener
> code at build time. The reasoning is that a large number of users do not
> need centralized audit logging and removing the network listening code
> from a root-owned auditd process is appealing from a security
> perspective.
My thoughts are that if tcp_listen_port is not set up, the callback is not
registered and none of the networking code comes into play. By configuration,
admins are able to reduce the attack surface. The real effect of the patch is
that it reduces binary image size.
> The existing implementation clearly does not initialize the
listener when
> tcp_listen_port is undefined in auditd.conf, but I still think there is
> value in not having the listening code present in all auditd
> installations.
Hi Steve - Do you have any thoughts on this idea? Thanks!
I was getting to this patch set. Are you planning to turn off networking for
Ubuntu? Just curious if the patch is going to be used rather than just be an
academic exercise. :-) I don't see us turning it off any time soon.
Thanks,
-Steve
> The first three patches in the set are refactoring patches to
move nearly
> all of the listening code into auditd-listen.c in order to minimize the
> number of ifdefs that would need to be scattered throughout C source
> files. The fourth patch is an optional cleanup patch. The last patch
> introduces the
> --disable-listener option.
>
> The auditd listener code is still enabled by default so that existing
> distro packaging recipes will not need to be updated.
>
> I look forward to your feedback. Thanks!
>
> Tyler
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/linux-audit