On 2012-09-11 09:12:25, Steve Grubb wrote:
> On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
> > On 2012-08-01 00:00:19, Tyler Hicks wrote:
> > > Hello Steve - This is a patch set that allows --disable-listener to be
> > > passed to the configure script to disable the auditd network listener
> > > code at build time. The reasoning is that a large number of users do not
> > > need centralized audit logging and removing the network listening code
> > > from a root-owned auditd process is appealing from a security
> > > perspective.
>
> My thoughts are that if tcp_listen_port is not set up, the callback is not
> registered and none of the networking code comes into play. By configuration,
> admins are able to reduce the attack surface. The real effect of the patch is
> that it reduces binary image size.
I still see this as more than just reducing binary image size. I agree about
the tcp_listen_port configuration option, but eliminating potential
misconfiguration issues by removing the lesser used networking code is a
security win.

> > > The existing implementation clearly does not initialize the listener when
> > > tcp_listen_port is undefined in auditd.conf, but I still think there is
> > > value in not having the listening code present in all auditd
> > > installations.
> >
> > Hi Steve - Do you have any thoughts on this idea? Thanks!
>
> I was getting to this patch set. Are you planning to turn off networking for
> Ubuntu? Just curious if the patch is going to be used rather than just be an
> academic exercise. :-) I don't see us turning it off any time soon.

Yes, we plan to use the patch. The idea is to have two auditd binary packages -
auditd and auditd-base (package names aren't set in stone at this point). The
auditd package would be the fully functional daemon, with network listener
support, and auditd-base would be built with --disable-listener to provide a
daemon with less of an attack surface. The auditd-base package would be
promoted to "Main" and we'd encourage the majority of users to use it, rather
than auditd.

Tyler
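The two layers discussed in the thread, a runtime gate on tcp_listen_port and a build-time gate of the kind --disable-listener provides, shown as an added illustration; this is not auditd's own code, and the parser, the DISABLE_LISTENER macro and the sample config are hypothetical:

```c
/* Added example, not from the audit project. Models the two gates the thread
 * discusses: a runtime check on tcp_listen_port (Steve's point) and a
 * build-time exclusion of the listener (Tyler's patch). Names are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the tcp_listen_port value from auditd.conf-style text, or 0 when the
 * key is absent, commented out, or not a valid port (hypothetical parser). */
int parse_tcp_listen_port(const char *conf)
{
    const char *line = conf;
    while (line && *line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (p < line + len && isspace((unsigned char)*p))
            p++;                                  /* skip indentation */
        if (p < line + len && *p != '#' &&        /* ignore comments */
            strncmp(p, "tcp_listen_port", 15) == 0) {
            p += 15;
            while (p < line + len && (isspace((unsigned char)*p) || *p == '='))
                p++;                              /* skip " = " */
            long port = strtol(p, NULL, 10);
            if (port > 0 && port <= 65535)
                return (int)port;
        }
        line = end ? end + 1 : NULL;
    }
    return 0;
}

/* Would the listener callback be registered for this configuration?
 * With DISABLE_LISTENER defined (the build-time gate) the answer is always
 * no, regardless of what the config says; otherwise it depends on the
 * runtime gate alone. */
int listener_enabled(const char *conf)
{
#ifdef DISABLE_LISTENER
    (void)conf;
    return 0;
#else
    return parse_tcp_listen_port(conf) != 0;
#endif
}

int main(void)
{
    /* constructed sample config: the listener key is present but commented */
    const char *conf = "log_file = /var/log/audit/audit.log\n"
                       "#tcp_listen_port = 60\n";
    printf("listener enabled: %d\n", listener_enabled(conf));
    return 0;
}
```

Build with -DDISABLE_LISTENER to see the compile-time gate override the config entirely.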
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit