[PATCH 0/5] Build time disabling of auditd network listener

Steve Grubb sgrubb at redhat.com
Tue Sep 11 13:12:25 UTC 2012


On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
> On 2012-08-01 00:00:19, Tyler Hicks wrote:
> > Hello Steve - This is a patch set that allows --disable-listener to be
> > passed to the configure script to disable the auditd network listener
> > code at build time. The reasoning is that a large number of users do not
> > need centralized audit logging and removing the network listening code
> > from a root-owned auditd process is appealing from a security
> > perspective.

My thoughts are that if tcp_listen_port is not set up, the callback is not
registered and none of the networking code comes into play. By configuration,
admins are able to reduce the attack surface. The real effect of the patch is
that it reduces binary image size.


> > The existing implementation clearly does not initialize the listener when
> > tcp_listen_port is undefined in auditd.conf, but I still think there is
> > value in not having the listening code present in all auditd
> > installations.
> Hi Steve - Do you have any thoughts on this idea? Thanks!

I was getting to this patch set. Are you planning to turn off networking for
Ubuntu? Just curious if the patch is going to be used rather than just be an
academic exercise. :-) I don't see us turning it off any time soon.

Thanks,
-Steve


> > The first three patches in the set are refactoring patches to move nearly
> > all of the listening code into auditd-listen.c in order to minimize the
> > number of ifdefs that would need to be scattered throughout C source
> > files. The fourth patch is an optional cleanup patch. The last patch
> > introduces the --disable-listener option.
> > 
> > The auditd listener code is still enabled by default so that existing
> > distro packaging recipes will not need to be updated.
> > 
> > I look forward to your feedback. Thanks!
> > 
> > Tyler
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
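The point Steve makes above is that the listener is gated purely by configuration: with no `tcp_listen_port` line in auditd.conf, no socket is ever opened, whether or not the listener code is compiled in. The script below is an added example for checking that on a host; it is not part of this thread or of the audit project. It parses an auditd.conf-style `key = value` file (the two sample configs are constructed here, not taken from any distribution), reports the effective listen port, and, as a live cross-check, greps the socket table for anything auditd has listening. The `auditd_listen_port` and `auditd_listener_enabled` names and the rule that a later `tcp_listen_port` line overrides an earlier one are choices made for this example.

```shell
# Added example, not from the thread or the audit project.
# Determine from auditd.conf whether auditd would register its TCP listener.
# auditd only listens when an uncommented "tcp_listen_port = N" line is
# present; a commented-out or absent line means no network socket at all.

# Print the effective tcp_listen_port from a config read on stdin, or
# nothing if it is unset. Comments ("# ..."), blank lines and whitespace
# around '=' are ignored, matching the "key = value" form auditd.conf uses.
# If the key appears more than once, the last occurrence wins (an assumption
# made for this script).
auditd_listen_port() {
    sed -e 's/#.*//' -e 's/^[ 	]*//' -e 's/[ 	]*$//' \
        | awk -F'=' '
            tolower($1) ~ /^tcp_listen_port[ \t]*$/ {
                gsub(/[ \t]/, "", $2)
                port = $2
            }
            END { if (port != "") print port }'
}

# Exit 0 if the config on stdin would enable the listener, 1 otherwise.
auditd_listener_enabled() {
    port=$(auditd_listen_port)
    [ -n "$port" ]
}

# Live cross-check on a running host: list any listening TCP socket owned by
# an auditd process. Needs iproute2 and, to see process names, root.
# Empty output means nothing is listening, regardless of how auditd was built.
auditd_listening_sockets() {
    ss -ltnp 2>/dev/null | grep -w auditd || true
}

# Constructed sample: the usual default, listener left disabled.
CONF_DISABLED='log_file = /var/log/audit/audit.log
log_format = RAW
# tcp_listen_port = 60
tcp_max_per_addr = 1'

# Constructed sample: listener enabled on port 60 (centralized logging host).
CONF_ENABLED='log_file = /var/log/audit/audit.log
log_format = RAW
tcp_listen_port = 60
tcp_max_per_addr = 1'
```

To check a real host, run `auditd_listen_port < /etc/audit/auditd.conf` and then `auditd_listening_sockets` as root; the first tells you what the config asks for, the second what the process actually did. A non-empty socket list with an unset port, or the reverse, is the discrepancy worth investigating.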



