[PATCH 0/5] Build time disabling of auditd network listener

Tyler Hicks tyhicks at canonical.com
Fri Oct 26 17:09:24 UTC 2012 

On 2012-09-11 10:10:35, Tyler Hicks wrote:
> On 2012-09-11 09:12:25, Steve Grubb wrote:
> > On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
> > > On 2012-08-01 00:00:19, Tyler Hicks wrote:
> > > > Hello Steve - This is a patch set that allows --disable-listener to be
> > > > passed to the configure script to disable the auditd network listener
> > > > code at build time. The reasoning is that a large number of users do not
> > > > need centralized audit logging and removing the network listening code
> > > > from a root-owned auditd process is appealing from a security
> > > > perspective.
> > 
> > My thoughts are that if  tcp_listen_port is not set up, the callback is not 
> > registered and none of the networking code comes into play. By configuration, 
> > admins are able to reduce the attack surface. The real effect of the patch is 
> > that it reduces binary image size.
> 
> I still see this as more than just reducing binary image size. I agree
> about the tcp_listen_port configuration option, but eliminating
> potential misconfiguration issues by removing the lesser used networking
> code is a security win. 
> 
> > 
> > 
> > > > The existing implementation clearly does not initialize the listener when
> > > > tcp_listen_port is undefined in auditd.conf, but I still think there is
> > > > value in not having the listening code present in all auditd
> > > > installations.
> > > Hi Steve - Do you have any thoughts on this idea? Thanks!
> > 
> > I was getting to this patch set. Are you planning to turn off networking for 
> > Ubuntu? Just curious if the patch is going to be used rather than just be an 
> > academic exercise. :-)   I don't see us turning it off any time soon.
> 
> Yes, we plan to use the patch. The idea is to have two auditd binary
> packages - auditd and auditd-base (package names aren't set in stone at
> this point). The auditd package would be the fully functional daemon,
> with network listener support, and auditd-base would be built with
> --disable-listener to provide a daemon with less of an attack surface.
> 
> The auditd-base package would promoted to "Main" and we'd encourage the
> majority of users to use it, rather than auditd.

Hello Steve - I wanted to follow up on this patch set. I will be moving
forward with the process of getting auditd into Ubuntu's main repo soon
and I'm not clear on the status of these patches. Do you plan on merging
them?

Thanks!

Tyler
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20121026/0b9abed1/attachment.sig>

More information about the Linux-audit mailing list