What are these for?

[lee]

Matthew Miller <mattdm at fedoraproject.org> writes:

> On Mon, Nov 19, 2012 at 03:51:03PM +0100, lee wrote:
>> what is auditd for?  The manpage doesn't tell me, and I can't find any
>> documentation about it telling me what the purpose is.  Is there
>> anything that speaks against disabling it?
>
> This records secure log messages from the kernel, including SELinux alerts.
> You don't technically _need_ it, but these are important messages.

Why does it need it's own daemon rather than using /var/log/messages
where I might even see the messages?  And aureport says there have been
8765 events within 17 days.  How am I supposed to keep track of that
with over 500 events per day in messages I never see?  How would I
reasonably read these messages?

Will it at least send me an email when something happens I should know
about?


>> Similar with mcelog:  What do I need that for?  And benefits from it?  I
>> can probably just disable it.
>
> This handles hardware errors. In addition to logging, the daemon can (and is
> configured to) take some corrective and preventative actions. You basically
> want this.

The manpage of mcelog says:


,----
|        When a corrected error happens [...]  mcelog [...] prints them on the
|        standard output or optionally into the system log.
| 
|        Optionally it can also take more options like  keeping  statistics
|        or triggering shell scripts on specific events.
| 
|        [...]
| 
|        When an uncorrected machine check error happens  that  the  kernel
|        cannot  recover  from  then  it will usually panic the system.  In
|        this case when there was a  warm  reset  after  the  panic  mcelog
|        should pick up the machine check errors after reboot.
`----


When the error has been corrected, there isn't a problem.  When it's not
corrected, the kernel panics.

So mcelog *might* be useful if I have problems with kernel panics, which
I don't.

Why would I want to run mcelog all the time and not only when I need the
diagnostic functionality it provides?  Does it really help to correct
errors?  And if so, where/how do I see what it has done and which errors
it has corrected?  /var/log/mcelog doesn't exist.


>> Do I need polkitd?  It doesn't make sense to me; if I want to do
>> something for which more permissions are required, I do it as root.  So
>> what's the benefit I would have from polkitd?
>
> Polkit allows applications to use root permissions for fine-grained actions
> rather than running as root all the time.

So they become like 1/4, 3/8 or 1/2 root and do something only root should
be allowed to do?

> That increases security.

How?  It seems to do the opposite.

> For example, a timezone applet can show you the time as a regular user
> and only require extra authentication to change it.

Regular users must not change the system time.  It's on UTC and kept on
track with chrony.

> However, if you don't want or need this functionality, applications
> are supposed to gracefully fall back to requiring root.

So for example instead of ls or emacs becoming only 1/4 root, I would
have to run them as root?  And if I don't run them as root, I'd have to
authenticate myself every time ls wants to list something only root can
access and every time I want to save a buffer to a file only root can
modify or when I want to visit one only root can read?

Neither ls nor emacs ever asked me for extra authentication.  And how
would it increase security if I entered the password for root into
arbitrary applications whenever they ask me for it?

It certainly does decrease security getting users used to enter the root
password everywhere.  Polkit should be deprecated.


"Enter your root password to install <this game> under /usr/local/games"
... and the game sends it to someone.  Users will enter it once you got
them used to do it.  Great job.


-- 
Fedora 17