From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Question concerning -l option
Date: Fri, 10 Feb 2017 12:09:50 -0500
Message-ID: <2300419.YRPMtKelT5@x2>
In-Reply-To: <1486745472582.37375@Brocade.com>
Hello,
On Friday, February 10, 2017 4:52:13 PM EST Tom Hall wrote:
> Please forgive me, I assume this has already been addressed in the mail
> archive but I've been unable to locate a related thread. Can someone tell
> me why the default for auditd is O_NOFOLLOW for accessing auditd
> configuration files? I assume there is a reason for not supporting links as
> the default that is important enough to justify the extra work to add the
> -l option but it is not clear to me.
It was made that way to ensure that the security assumptions are exactly as
expected. Meaning no one has replaced the real configuration with a weaker one
somewhere else on disk. And since auditd is covered by selinux policy, moving
the configuration also means policy label problems. So, this is kind of a
strong hint to leave it where it's supposed to be to avoid problems.
In the old days, all it took was a simple edit to /etc/sysconfig/auditd to fix.
But with systemd, it is a bit more work to copy the service file to the right
place before editing.
-Steve
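To make the behaviour Steve describes concrete, here is an added example (written for this page, not auditd's own source) of the two checks a privileged daemon makes when it opens its configuration: open(2) with O_NOFOLLOW, which the kernel refuses with ELOOP when the final path component is a symlink, and fstat-based checks on the descriptor that was actually opened (regular file, expected owner, not group/world writable), so the path cannot be swapped between check and use. The allow_links parameter stands in for auditd's -l flag, which simply drops O_NOFOLLOW. The fixture directory under /tmp, the file names, the sample config line and the caller-supplied owner uid (so the program runs unprivileged) are all constructed for this example; the post-open checks illustrate the idea and are not a copy of auditd's code.

```c
/* Added example: open a config file the way a privileged daemon should,
 * refusing symlinks unless explicitly allowed (auditd's -l), then vet the
 * opened descriptor rather than the path. Not auditd's own source. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path read-only. Without allow_links, O_NOFOLLOW makes the kernel
 * fail with ELOOP if the last component is a symlink. Returns an fd >= 0
 * or -errno on failure. */
int open_config(const char *path, int allow_links)
{
    int flags = O_RDONLY | O_CLOEXEC;
    if (!allow_links)
        flags |= O_NOFOLLOW;          /* the default; -l would drop this */
    int fd = open(path, flags);
    return fd < 0 ? -errno : fd;
}

/* Checks on the already opened fd (no path re-lookup, so no TOCTOU window):
 * regular file, owned by expected_owner, not writable by group or others.
 * Returns 0 if trustworthy, -1 otherwise. Illustrative, not auditd's code;
 * a real daemon would pass 0 (root) as the expected owner. */
int config_is_trustworthy(int fd, uid_t expected_owner)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return -1;
    if (st.st_uid != expected_owner)
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;
    return 0;
}

/* Constructed fixture (assumption: /tmp is writable): a real config file
 * and a symlink that points at it, in a fresh private directory. */
struct fixture { char dir[64]; char real[128]; char link[128]; };

int make_fixture(struct fixture *f)
{
    strcpy(f->dir, "/tmp/nofollow-demo-XXXXXX");
    if (!mkdtemp(f->dir))
        return -errno;
    snprintf(f->real, sizeof f->real, "%s/auditd.conf", f->dir);
    snprintf(f->link, sizeof f->link, "%s/auditd.conf.link", f->dir);
    int fd = open(f->real, O_WRONLY | O_CREAT | O_EXCL, 0640);
    if (fd < 0)
        return -errno;
    const char *body = "log_file = /var/log/audit/audit.log\n"; /* constructed */
    if (write(fd, body, strlen(body)) < 0) {
        close(fd);
        return -errno;
    }
    close(fd);
    if (symlink(f->real, f->link) < 0)
        return -errno;
    return 0;
}

void remove_fixture(struct fixture *f)
{
    unlink(f->link);
    unlink(f->real);
    rmdir(f->dir);
}

int main(void)
{
    struct fixture f;
    if (make_fixture(&f) != 0) {
        perror("fixture");
        return 1;
    }
    int fd = open_config(f.link, 0);
    printf("symlink, default (O_NOFOLLOW): %s\n",
           fd < 0 ? strerror(-fd) : "opened");
    if (fd >= 0) close(fd);
    fd = open_config(f.link, 1);
    printf("symlink, with -l semantics: %s\n",
           fd < 0 ? strerror(-fd) : "opened");
    if (fd >= 0) close(fd);
    fd = open_config(f.real, 0);
    printf("real file: %s, trustworthy=%d\n",
           fd < 0 ? strerror(-fd) : "opened",
           fd < 0 ? -1 : config_is_trustworthy(fd, getuid()));
    if (fd >= 0) close(fd);
    remove_fixture(&f);
    return 0;
}
```

The point of checking the descriptor rather than the path is that whoever could plant a symlink could also race a path-based stat; with O_NOFOLLOW refusing the link and fstat vetting the file actually opened, the daemon reads exactly the file its policy labels expect.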
Thread overview:
2017-02-10 16:52 Question concerning -l option  Tom Hall
2017-02-10 17:09 ` Steve Grubb [this message]