remote listener disabled, no indication in man page, config file or start-up logs

Bug #1487941 reported by Robert Brooks
This bug affects 2 people
Affects         Status     Importance  Assigned to  Milestone
audit (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

As per subject.

Please consider any/all of the following:

a) a comment in the stock config explaining the feature is disabled

b) a comment in the man page

c) logging an error when remote reception is enabled but is disabled in compile (push to upstream?)

d) enabling remote reception, for those that wish to turn it on.

Happy to provide a patch for the preferred option.

Rob

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in audit (Ubuntu):
status: New → Confirmed

Kenyon Ralph (kralph)
summary: - remote listender disabled, no indication in man page, config file or
+ remote listener disabled, no indication in man page, config file or
start-up logs

Kenyon Ralph (kralph) wrote :

This is absurd: https://git.launchpad.net/ubuntu/+source/audit/commit/debian/rules?id=58c052d846f1ffd6575c04a373cd1e7f157cb3f8

auditd doesn't listen unless you configure it to listen. Why would Ubuntu build the package with listening support completely disabled? Nobody else does this. There's no reason for this. Highly annoying.

Seth Arnold (seth-arnold) wrote :

Hi Kenyon, this was indeed an intentional decision to allow us to reduce the potential attack surface of this high-privilege tool. It was relatively new and relatively under-inspected at the time and this seemed like a fair tradeoff.

At this point it's no longer new, but probably still under-inspected. Now might be a good time to consider turning it back on again. I wonder what it would be like to write an AppArmor profile for these tools first...

Thanks
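
An administrator-side take on option (c) above, added here as an example and not part of the bug thread or the audit package: it reads `tcp_listen_port` (the auditd.conf setting that requests remote reception) and reports when the port is configured but nothing is listening on it. The function names, status strings and sample inputs are made up for the example; matching the key case-insensitively and letting the last assignment win are assumptions.

```shell
#!/bin/sh
# Added example: flag the silent mismatch from this bug, where auditd.conf
# asks for remote reception but no listener is actually bound.

# Print the tcp_listen_port value from the auditd.conf-style file $1, if any.
# Assumptions: key matched case-insensitively; the last assignment wins.
get_listen_port() {
    awk -F= '
        /^[ \t]*#/ { next }                      # skip comment lines
        { key = $1; val = $2
          gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
          if (tolower(key) == "tcp_listen_port" && val != "") port = val }
        END { if (port != "") print port }' "$1"
}

# Read `ss -ltn` style output on stdin; succeed if TCP port $1 is in LISTEN.
port_is_listening() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1: config path. $2: optional file holding captured `ss -ltn` output
# (for offline checks); without it the live socket table is queried.
check_remote_reception() {
    port=$(get_listen_port "$1")
    [ -n "$port" ] || { echo "not-configured"; return 0; }
    case "$port" in *[!0-9]*) echo "invalid-port:$port"; return 2 ;; esac
    if [ -n "${2:-}" ]; then sockets=$(cat "$2"); else sockets=$(ss -ltn 2>/dev/null) || sockets=""; fi
    if printf '%s\n' "$sockets" | port_is_listening "$port"; then
        echo "listening:$port"
    else
        echo "configured-but-not-listening:$port"; return 1
    fi
}

# Demo on constructed input: a config that enables reception on port 60 and
# a socket table in which only an SSH listener on port 22 is present.
demo() {
    d=$(mktemp -d) || return 0
    printf '%s\n' '# constructed sample' 'log_file = /var/log/audit/audit.log' \
        'tcp_listen_port = 60' > "$d/auditd.conf"
    printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*' > "$d/ss.txt"
    check_remote_reception "$d/auditd.conf" "$d/ss.txt" || true
    rm -rf "$d"
}
demo
```

On a host, `check_remote_reception /etc/audit/auditd.conf` exits non-zero with `configured-but-not-listening:<port>` when the configuration requests reception but no socket is bound, which is the state this bug describes.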
