Question concerning -l option
Steve Grubb
sgrubb at redhat.com
Fri Feb 10 17:09:50 UTC 2017
Hello,
On Friday, February 10, 2017 4:52:13 PM EST Tom Hall wrote:
> Please forgive me, I assume this has already been addressed in the mail
> archive but I've been unable to locate a related thread. Can someone tell
> me why the default for auditd is O_NOFOLLOW for accessing auditd
> configuration files? I assume there is a reason for not supporting links as
> the default that is important enough to justify the extra work to add the
> -l option but it is not clear to me.
It was made that way to ensure that the security assumptions are exactly as
expected. Meaning no one has replaced the real configuration with a weaker one
somewhere else on disk. And since auditd is covered by SELinux policy, moving
the configuration also means policy label problems. So, this is kind of a
strong hint to leave it where it's supposed to be to avoid problems.
In the old days, all it took was a simple edit to /etc/sysconfig/auditd to fix.
But with systemd, it is a bit more work to copy the service file to the right
place before editing.
-Steve