From: Kay Hayen
To: Steve Grubb
Cc: linux-audit@redhat.com, alex@segv.de
Subject: Re: Audit for live supervision
Date: Tue, 19 Aug 2008 22:33:58 +0200
Message-ID: <200808192233.59007.kayhayen@gmx.de>
In-Reply-To: <200808191439.50621.sgrubb@redhat.com>

Hello Steve,

> > Can you confirm that two processes opening netlink sockets for audit
> > information get the same messages?
>
> Only one audit pid is allowed for security purposes.

Damn security. I saw that patch while googling, and hoped it wasn't merged, but it seems it was.

I don't really understand why it is helping security, if I need to kill auditd before I can open the netlink socket. For both I need root rights.

There isn't any SELinux in play, is there? Because if that were the case, we could e.g. only open the netlink socket with the auditd binary. That would be effective, and a configuration we could then change.

But it is probably pointless to waste your time on this, given how little I understand security. I just can't resist, it feels like a bike-shed and a really annoying limitation for our non-security-interested system. :-)

Best regards,
Kay Hayen