[PATCH 0/5] Build time disabling of auditd network listener
Tyler Hicks
tyhicks at canonical.com
Tue Sep 11 17:10:35 UTC 2012
On 2012-09-11 09:12:25, Steve Grubb wrote:
> On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
> > On 2012-08-01 00:00:19, Tyler Hicks wrote:
> > > Hello Steve - This is a patch set that allows --disable-listener to be
> > > passed to the configure script to disable the auditd network listener
> > > code at build time. The reasoning is that a large number of users do not
> > > need centralized audit logging and removing the network listening code
> > > from a root-owned auditd process is appealing from a security
> > > perspective.
>
> My thoughts are that if tcp_listen_port is not set up, the callback is not
> registered and none of the networking code comes into play. By configuration,
> admins are able to reduce the attack surface. The real effect of the patch is
> that it reduces binary image size.
I still see this as more than just reducing binary image size. I agree
about the tcp_listen_port configuration option, but eliminating
potential misconfiguration issues by removing the lesser used networking
code is a security win.
>
>
> > > The existing implementation clearly does not initialize the listener when
> > > tcp_listen_port is undefined in auditd.conf, but I still think there is
> > > value in not having the listening code present in all auditd
> > > installations.
> > Hi Steve - Do you have any thoughts on this idea? Thanks!
>
> I was getting to this patch set. Are you planning to turn off networking for
> Ubuntu? Just curious if the patch is going to be used rather than just be an
> academic exercise. :-) I don't see us turning it off any time soon.
Yes, we plan to use the patch. The idea is to have two auditd binary
packages - auditd and auditd-base (package names aren't set in stone at
this point). The auditd package would be the fully functional daemon,
with network listener support, and auditd-base would be built with
--disable-listener to provide a daemon with less of an attack surface.
The auditd-base package would promoted to "Main" and we'd encourage the
majority of users to use it, rather than auditd.
Tyler
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20120911/9efeb389/attachment.sig>
More information about the Linux-audit
mailing list