From: Steve Grubb
Subject: Re: Question concerning -l option
Date: Fri, 10 Feb 2017 12:09:50 -0500
Message-ID: <2300419.YRPMtKelT5@x2>
In-Reply-To: <1486745472582.37375@Brocade.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

On Friday, February 10, 2017 4:52:13 PM EST Tom Hall wrote:
> Please forgive me, I assume this has already been addressed in the mail
> archive but I've been unable to locate a related thread. Can someone tell
> me why the default for auditd is O_NOFOLLOW for accessing auditd
> configuration files? I assume there is a reason for not supporting links as
> the default that is important enough to justify the extra work to add the
> -l option but it is not clear to me.

It was made that way to ensure that the security assumptions are exactly as
expected. Meaning no one has replaced the real configuration with a weaker
one somewhere else on disk. And since auditd is covered by SELinux policy,
moving the configuration also means policy label problems. So, this is kind
of a strong hint to leave it where it's supposed to be to avoid problems.

In the old days, all it took was a simple edit to /etc/sysconfig/auditd to
fix. But with systemd, it is a bit more work to copy the service file to the
right place before editing.

-Steve
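The check Steve is describing, written out as an added example for this page (it is not auditd's own code): open a configuration file with O_NOFOLLOW so that a symlink planted at the final path component is refused, then verify the already-open descriptor with fstat() so the check and the read refer to the same inode. The file names, their contents, the temporary directory and the permission policy (reject group- or world-writable files) are assumptions made for the demonstration, not anything auditd specifies.

```c
/* Added example, not auditd's code: refuse a symlinked config file.
 * Build: cc -Wall -o nofollow_demo nofollow_demo.c && ./nofollow_demo */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum cfg_status {
    CFG_OK = 0,
    CFG_IS_SYMLINK,    /* final component is a symlink: O_NOFOLLOW gave ELOOP */
    CFG_NOT_REGULAR,   /* opened, but not a regular file (fifo, device, dir) */
    CFG_BAD_PERMS,     /* group- or world-writable: anyone could weaken it  */
    CFG_OPEN_FAILED    /* any other open()/fstat() error                    */
};

/* Open a config file without following a symlink at the last path component,
 * then inspect the descriptor we actually hold (no stat-then-open race). */
enum cfg_status open_config_strict(const char *path, int *fd_out)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return errno == ELOOP ? CFG_IS_SYMLINK : CFG_OPEN_FAILED;

    struct stat st;
    enum cfg_status rc = CFG_OK;
    if (fstat(fd, &st) < 0)
        rc = CFG_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        rc = CFG_NOT_REGULAR;
    else if (st.st_mode & (S_IWGRP | S_IWOTH))   /* assumed policy */
        rc = CFG_BAD_PERMS;

    if (rc != CFG_OK) {
        close(fd);
        return rc;
    }
    *fd_out = fd;
    return CFG_OK;
}

/* Create a small file and force its mode regardless of umask. */
static int write_file(const char *path, const char *text, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text) &&
             fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed fixture in a fresh temp directory (contents are illustrative):
 *   auditd.conf       real file, mode 0640            -> out[0]
 *   weak.conf         world-writable copy, mode 0666  -> out[1]
 *   auditd.conf.link  symlink -> weak.conf            -> out[2]
 * Returns 0 if the fixture could be built, -1 otherwise. */
int run_demo(enum cfg_status out[3])
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char real_path[128], weak_path[128], link_path[128];
    snprintf(real_path, sizeof real_path, "%s/auditd.conf", dir);
    snprintf(weak_path, sizeof weak_path, "%s/weak.conf", dir);
    snprintf(link_path, sizeof link_path, "%s/auditd.conf.link", dir);

    if (write_file(real_path, "write_logs = yes\n", 0640) < 0 ||
        write_file(weak_path, "write_logs = no\n", 0666) < 0 ||
        symlink("weak.conf", link_path) < 0)
        return -1;

    const char *paths[3] = { real_path, weak_path, link_path };
    for (int i = 0; i < 3; i++) {
        int fd = -1;
        out[i] = open_config_strict(paths[i], &fd);
        if (fd >= 0)
            close(fd);
    }

    unlink(link_path); unlink(weak_path); unlink(real_path); rmdir(dir);
    return 0;
}

/* Convenience wrapper: status for one fixture entry, or -1 on fixture error. */
int demo_status(int which)
{
    enum cfg_status rc[3];
    if (which < 0 || which > 2 || run_demo(rc) < 0)
        return -1;
    return rc[which];
}

int main(void)
{
    enum cfg_status rc[3];
    if (run_demo(rc) < 0) {
        perror("fixture");
        return 1;
    }
    printf("real file: %d  world-writable copy: %d  symlink: %d\n",
           rc[0], rc[1], rc[2]);
    return 0;
}
```

Two caveats worth keeping in mind: O_NOFOLLOW only governs the final path component, so a symlink in a parent directory is still followed, which is one more reason the answer above says to leave the file where it belongs rather than relocate it; and auditd's -l option, the subject of the thread, is precisely the switch that relaxes this refusal (auditd(8) documents it as allowing symlinks for config files), so enabling it widens what an attacker who can plant a symlink can do.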