On 2012-08-01 00:00:19, Tyler Hicks wrote:
> Hello Steve - This is a patch set that allows --disable-listener to be passed
> to the configure script to disable the auditd network listener code at build
> time. The reasoning is that a large number of users do not need centralized
> audit logging and removing the network listening code from a root-owned auditd
> process is appealing from a security perspective.
>
> The existing implementation clearly does not initialize the listener when
> tcp_listen_port is undefined in auditd.conf, but I still think there is value
> in not having the listening code present in all auditd installations.

Hi Steve - Do you have any thoughts on this idea? Thanks!

Tyler

> The first three patches in the set are refactoring patches to move nearly all of
> the listening code into auditd-listen.c in order to minimize the number of
> ifdefs that would need to be scattered throughout C source files. The fourth
> patch is an optional cleanup patch. The last patch introduces the
> --disable-listener option.
>
> The auditd listener code is still enabled by default so that existing distro
> packaging recipes will not need to be updated.
>
> I look forward to your feedback. Thanks!
>
> Tyler
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit