From: Tyler Hicks
Subject: Re: [PATCH 0/5] Build time disabling of auditd network listener
Date: Tue, 11 Sep 2012 10:10:35 -0700
Message-ID: <20120911171033.GA12207@boyd>
In-Reply-To: <22090059.gJVcnCRO2b@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 2012-09-11 09:12:25, Steve Grubb wrote:
> On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
> > On 2012-08-01 00:00:19, Tyler Hicks wrote:
> > > Hello Steve - This is a patch set that allows --disable-listener to be
> > > passed to the configure script to disable the auditd network listener
> > > code at build time. The reasoning is that a large number of users do not
> > > need centralized audit logging and removing the network listening code
> > > from a root-owned auditd process is appealing from a security
> > > perspective.
>
> My thoughts are that if tcp_listen_port is not set up, the callback is not
> registered and none of the networking code comes into play. By configuration,
> admins are able to reduce the attack surface. The real effect of the patch is
> that it reduces binary image size.

I still see this as more than just reducing binary image size.
I agree about the tcp_listen_port configuration option, but eliminating
potential misconfiguration issues by removing the lesser-used networking code
is a security win.

>
> > > The existing implementation clearly does not initialize the listener when
> > > tcp_listen_port is undefined in auditd.conf, but I still think there is
> > > value in not having the listening code present in all auditd
> > > installations.
> >
> > Hi Steve - Do you have any thoughts on this idea? Thanks!
>
> I was getting to this patch set. Are you planning to turn off networking for
> Ubuntu? Just curious if the patch is going to be used rather than just be an
> academic exercise. :-) I don't see us turning it off any time soon.

Yes, we plan to use the patch. The idea is to have two auditd binary packages -
auditd and auditd-base (package names aren't set in stone at this point). The
auditd package would be the fully functional daemon, with network listener
support, and auditd-base would be built with --disable-listener to provide a
daemon with less of an attack surface. The auditd-base package would be promoted
to "Main" and we'd encourage the majority of users to use it, rather than auditd.
Tyler
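The thread above turns on one configuration fact: auditd only registers its TCP listener when tcp_listen_port is set in auditd.conf. The following check, an added example that is not part of the original thread or of the audit project, reports whether a given auditd.conf would activate the listener; it assumes the "key = value" layout with '#' comment lines, and the two sample configs it writes are constructed for the demo.

```shell
# Print the configured tcp_listen_port from an auditd.conf, or nothing if
# the key is absent or commented out (in which case the listener stays off).
# Comments are stripped, whitespace around '=' is ignored, and the key
# match is case-insensitive.
audit_listener_port() {
    sed -e 's/#.*//' "$1" \
      | awk -F= 'tolower($1) ~ /^[ \t]*tcp_listen_port[ \t]*$/ {
                     gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Exit 0 if the file turns the network listener on, 1 otherwise.
listener_enabled() {
    port=$(audit_listener_port "$1")
    [ -n "$port" ]
}

# Constructed sample configs (not taken from any real system): one with the
# port commented out, one with it set using unusual spacing and case.
write_sample_confs() {
    dir=$1
    printf '%s\n' 'log_file = /var/log/audit/audit.log' \
                  '# tcp_listen_port = 60' \
                  'tcp_listen_queue = 5' > "$dir/listener-off.conf"
    printf '%s\n' 'log_file = /var/log/audit/audit.log' \
                  'TCP_LISTEN_PORT  =  60' > "$dir/listener-on.conf"
}

# Demo: run the check over the constructed configs and report each one.
main() {
    dir=$(mktemp -d)
    write_sample_confs "$dir"
    for f in "$dir"/*.conf; do
        if listener_enabled "$f"; then
            echo "$f: network listener ON (port $(audit_listener_port "$f"))"
        else
            echo "$f: network listener off"
        fi
    done
    rm -r "$dir"
}

main
```

Pointing audit_listener_port at /etc/audit/auditd.conf gives a quick local answer to the question Steve raises: whether this host's configuration leaves the networking code unreached.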