* Question concerning -l option
@ 2017-02-10 16:52 Tom Hall
From: Tom Hall @ 2017-02-10 16:52 UTC (permalink / raw)
To: linux-audit@redhat.com
Please forgive me, I assume this has already been addressed in the mail archive but I've been unable to locate a related thread. Can someone tell me why the default for auditd is O_NOFOLLOW for accessing auditd configuration files? I assume there is a reason for not supporting links as the default that is important enough to justify the extra work to add the -l option but it is not clear to me.
Thanks,
Tom Hall
Brocade Communications Systems, Inc.
* Re: Question concerning -l option
From: Steve Grubb @ 2017-02-10 17:09 UTC (permalink / raw)
To: linux-audit
Hello,
On Friday, February 10, 2017 4:52:13 PM EST Tom Hall wrote:
> Please forgive me, I assume this has already been addressed in the mail
> archive but I've been unable to locate a related thread. Can someone tell
> me why the default for auditd is O_NOFOLLOW for accessing auditd
> configuration files? I assume there is a reason for not supporting links as
> the default that is important enough to justify the extra work to add the
> -l option but it is not clear to me.
It was made that way to ensure that the security assumptions are exactly as
expected. Meaning no one has replaced the real configuration with a weaker one
somewhere else on disk. And since auditd is covered by selinux policy, moving
the configuration also means policy label problems. So, this is kind of a
strong hint to leave it where it's supposed to be to avoid problems.
In the old days, all it took was a simple edit to /etc/sysconfig/auditd to fix.
But with systemd, it is a bit more work to copy the service file to the right
place before editing.
-Steve
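The open(2) behaviour Steve is relying on, shown as an added example that is not part of this thread or of the audit project's own code: a config-style file is opened with O_NOFOLLOW, once through its real path and once through a symlink planted beside it. The symlink is refused with ELOOP, which is what stops a link at the expected config path from quietly redirecting a daemon to a weaker file elsewhere on disk. The temporary directory, file names and file contents are constructed for the demonstration and assume a writable /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open a configuration file the way auditd does by default: O_NOFOLLOW
 * makes open(2) fail with ELOOP if the final path component is a symlink,
 * so a link placed at the config path cannot point the daemon at a file
 * somewhere else on disk. Returns the fd, or -1 with *err set to errno. */
int open_config_nofollow(const char *path, int *err)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        *err = errno;
        return -1;
    }
    *err = 0;
    return fd;
}

/* Constructed scenario (not a real auditd layout): a temporary directory
 * holding a regular file and a symlink that points at it. */
struct demo_paths {
    char dir[64];
    char real[128];
    char link[128];
};

int setup_demo(struct demo_paths *p)
{
    snprintf(p->dir, sizeof p->dir, "/tmp/nofollow-demo-XXXXXX");
    if (mkdtemp(p->dir) == NULL)
        return -1;
    snprintf(p->real, sizeof p->real, "%s/auditd.conf", p->dir);
    snprintf(p->link, sizeof p->link, "%s/auditd.conf.link", p->dir);

    int fd = open(p->real, O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (fd < 0)
        return -1;
    /* constructed sample content, one plausible auditd.conf line */
    const char *body = "log_file = /var/log/audit/audit.log\n";
    ssize_t n = write(fd, body, strlen(body));
    close(fd);
    if (n != (ssize_t)strlen(body))
        return -1;
    return symlink(p->real, p->link);
}

void teardown_demo(const struct demo_paths *p)
{
    unlink(p->link);
    unlink(p->real);
    rmdir(p->dir);
}

/* Runs the comparison. Returns 1 when the regular file opens and the
 * symlink is refused with ELOOP, 0 if either expectation fails, and -1
 * if the scenario could not be set up. */
int demo_nofollow(void)
{
    struct demo_paths p;
    if (setup_demo(&p) != 0) {
        teardown_demo(&p);
        return -1;
    }

    int err;
    int fd = open_config_nofollow(p.real, &err);
    int real_ok = (fd >= 0);
    if (fd >= 0)
        close(fd);

    fd = open_config_nofollow(p.link, &err);
    int link_refused = (fd < 0 && err == ELOOP);
    if (fd >= 0)
        close(fd);

    teardown_demo(&p);
    return (real_ok && link_refused) ? 1 : 0;
}

int main(void)
{
    int r = demo_nofollow();
    if (r == 1)
        puts("regular file opened; symlink refused with ELOOP");
    else if (r == 0)
        puts("unexpected result: O_NOFOLLOW did not behave as assumed");
    else
        perror("setup");
    return r == 1 ? 0 : 1;
}
```

Note that O_NOFOLLOW only guards the last path component; a symlinked parent directory is still followed, which is one more reason the advice in the reply is to keep the file at its expected location rather than relocating it.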