From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tyler Hicks
Subject: Re: [PATCH 0/5] Build time disabling of auditd network listener
Date: Fri, 26 Oct 2012 10:09:24 -0700
Message-ID: <20121026170924.GA10309@boyd>
References: <1343804424-3172-1-git-send-email-tyhicks@canonical.com> <20120910183910.GB3873@boyd> <22090059.gJVcnCRO2b@x2> <20120911171033.GA12207@boyd>
In-Reply-To: <20120911171033.GA12207@boyd>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 2012-09-11 10:10:35, Tyler Hicks wrote:
> On 2012-09-11 09:12:25, Steve Grubb wrote:
> > On Monday, September 10, 2012 11:39:10 AM Tyler Hicks wrote:
> > > On 2012-08-01 00:00:19, Tyler Hicks wrote:
> > > > Hello Steve - This is a patch set that allows --disable-listener to be
> > > > passed to the configure script to disable the auditd network listener
> > > > code at build time. The reasoning is that a large number of users do not
> > > > need centralized audit logging and removing the network listening code
> > > > from a root-owned auditd process is appealing from a security
> > > > perspective.
> >
> > My thoughts are that if tcp_listen_port is not set up, the callback is not
> > registered and none of the networking code comes into play. By configuration,
> > admins are able to reduce the attack surface. The real effect of the patch is
> > that it reduces binary image size.
>
> I still see this as more than just reducing binary image size. I agree
> about the tcp_listen_port configuration option, but eliminating
> potential misconfiguration issues by removing the lesser used networking
> code is a security win.
>
> >
> >
> > > > The existing implementation clearly does not initialize the listener when
> > > > tcp_listen_port is undefined in auditd.conf, but I still think there is
> > > > value in not having the listening code present in all auditd
> > > > installations.
> > >
> > > Hi Steve - Do you have any thoughts on this idea? Thanks!
> >
> > I was getting to this patch set. Are you planning to turn off networking for
> > Ubuntu? Just curious if the patch is going to be used rather than just be an
> > academic exercise. :-) I don't see us turning it off any time soon.
>
> Yes, we plan to use the patch. The idea is to have two auditd binary
> packages - auditd and auditd-base (package names aren't set in stone at
> this point). The auditd package would be the fully functional daemon,
> with network listener support, and auditd-base would be built with
> --disable-listener to provide a daemon with less of an attack surface.
>
> The auditd-base package would be promoted to "Main" and we'd encourage the
> majority of users to use it, rather than auditd.

Hello Steve - I wanted to follow up on this patch set. I will be moving
forward with the process of getting auditd into Ubuntu's main repo soon
and I'm not clear on the status of these patches. Do you plan on merging
them?

Thanks!
Tyler