Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> writes:

> On Mon, Nov 19, 2012 at 03:51:03PM +0100, lee wrote:
>> what is auditd for? The manpage doesn't tell me, and I can't find any
>> documentation about it telling me what the purpose is. Is there
>> anything that speaks against disabling it?
>
> This records secure log messages from the kernel, including SELinux alerts.
> You don't technically _need_ it, but these are important messages.

Why does it need its own daemon rather than using /var/log/messages where
I might even see the messages? And aureport says there have been 8765
events within 17 days. How am I supposed to keep track of that with over
500 events per day in messages I never see? How would I reasonably read
these messages? Will it at least send me an email when something happens
I should know about?

>> Similar with mcelog: What do I need that for? And benefits from it? I
>> can probably just disable it.
>
> This handles hardware errors. In addition to logging, the daemon can (and is
> configured to) take some corrective and preventative actions. You basically
> want this.

The manpage of mcelog says:

,----
| When a corrected error happens [...] mcelog [...] prints them on the
| standard output or optionally into the system log.
|
| Optionally it can also take more options like keeping statistics
| or triggering shell scripts on specific events.
|
| [...]
|
| When an uncorrected machine check error happens that the kernel
| cannot recover from then it will usually panic the system. In
| this case when there was a warm reset after the panic mcelog
| should pick up the machine check errors after reboot.
`----

When the error has been corrected, there isn't a problem. When it's not
corrected, the kernel panics. So mcelog *might* be useful if I have
problems with kernel panics, which I don't. Why would I want to run
mcelog all the time and not only when I need the diagnostic
functionality it provides? Does it really help to correct errors? And if
so, where/how do I see what it has done and which errors it has
corrected? /var/log/mcelog doesn't exist.

>> Do I need polkitd? It doesn't make sense to me; if I want to do
>> something for which more permissions are required, I do it as root. So
>> what's the benefit I would have from polkitd?
>
> Polkit allows applications to use root permissions for fine-grained actions
> rather than running as root all the time.

So they become like 1/4, 3/8 or 1/2 root and do something only root
should be allowed to do?

> That increases security.

How? It seems to do the opposite.

> For example, a timezone applet can show you the time as a regular user
> and only require extra authentication to change it.

Regular users must not change the system time. It's on UTC and kept on
track with chrony.

> However, if you don't want or need this functionality, applications
> are supposed to gracefully fall back to requiring root.

So for example instead of ls or emacs becoming only 1/4 root, I would
have to run them as root? And if I don't run them as root, I'd have to
authenticate myself every time ls wants to list something only root can
access and every time I want to save a buffer to a file only root can
modify or when I want to visit one only root can read? Neither ls nor
emacs ever asked me for extra authentication.

And how would it increase security if I entered the password for root
into arbitrary applications whenever they ask me for it? It certainly
does decrease security getting users used to entering the root password
everywhere. Polkit should be deprecated.

"Enter your root password to install <this game> under /usr/local/games"
... and the game sends it to someone. Users will enter it once you got
them used to doing it. Great job.

--
Fedora 17
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
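Added example, not part of the thread above and not code from auditd, aureport or Fedora: the question of how anyone reads 500 audit events a day is usually answered by parsing /var/log/audit/audit.log, counting records per type (the headline numbers aureport prints), and mailing only the records that matter. The script below does that over a few constructed audit records in the `type=... msg=audit(epoch.ms:serial): key=value ...` format auditd writes. Which record types are flagged (SELinux AVC denials, and USER_LOGIN/USER_AUTH records with `res=failed`) is this example's own choice, not a rule the thread states.

```python
"""Digest and triage auditd records so a daily job can mail only what matters."""
import re
from collections import Counter

# One auditd record: type=<TYPE> msg=audit(<epoch.ms>:<serial>): <key=value ...>
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be bare, "double-quoted" or 'single-quoted'
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

# Constructed sample records (not a real log): one syscall, one SELinux
# denial, one failed root login over ssh, and one successful login.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1353337863.123:4501): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=1233 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="etc-access"
type=AVC msg=audit(1353337870.456:4502): avc:  denied  { read } for  pid=1234 comm="httpd" name="shadow" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_LOGIN msg=audit(1353337900.789:4503): pid=2345 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=CRED_ACQ msg=audit(1353337910.000:4504): pid=2346 uid=0 auid=1000 ses=5 msg='op=PAM:setcred acct="lee" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1353337920.000:4505): pid=2346 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=success'
"""


def _parse_fields(body):
    """Turn 'k=v k="v" ...' into a dict; PAM-style records nest a second list in msg='...'."""
    fields = {}
    for key, value in KV_RE.findall(body):
        if value[:1] in ('"', "'") and value[-1:] == value[:1]:
            value = value[1:-1]          # strip the surrounding quotes
        fields[key] = value
    nested = fields.get('msg')
    if nested and '=' in nested:
        fields.update(_parse_fields(nested))
    return fields


def parse_record(line):
    """Parse one audit line; returns None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {'type': m.group('type'), 'ts': float(m.group('ts')),
            'serial': int(m.group('serial')), 'fields': _parse_fields(m.group('body'))}


def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def summarize(text):
    """Records per type: the same kind of headline count aureport gives."""
    return Counter(r['type'] for r in parse_log(text))


NOTIFY_TYPES = {'AVC'}                     # SELinux denials: always worth a look
LOGIN_TYPES = {'USER_LOGIN', 'USER_AUTH'}  # only interesting when res=failed


def triage(text):
    """Return (serial, type, one-line summary) for the records that merit a mail."""
    alerts = []
    for r in parse_log(text):
        f = r['fields']
        if r['type'] in NOTIFY_TYPES:
            alerts.append((r['serial'], r['type'],
                           f"{f.get('comm')} denied {f.get('tclass')} {f.get('name')} "
                           f"({f.get('tcontext')})"))
        elif r['type'] in LOGIN_TYPES and f.get('res') == 'failed':
            alerts.append((r['serial'], r['type'],
                           f"failed login acct={f.get('acct')} from {f.get('addr')} "
                           f"via {f.get('terminal')}"))
    return alerts


def report(text):
    """Plain-text digest suitable for piping into `mail` from a daily cron job."""
    counts = summarize(text)
    lines = [f"{sum(counts.values())} audit records by type:"]
    lines += [f"  {t:<12}{n}" for t, n in counts.most_common()]
    alerts = triage(text)
    lines.append(f"{len(alerts)} records needing attention:")
    lines += [f"  #{serial} {t}: {summary}" for serial, t, summary in alerts]
    return "\n".join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_LOG))
```

On a real system the text fed to `report()` would come from the day's audit.log (or from `ausearch --raw` for a time window), and the digest goes to root's mail; the point is that the bulk of SYSCALL and CRED_* records is counted but never read, while an AVC denial or a failed root login becomes one line in a short message.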