I received this note from a colleague today regarding content in the scap-security-guide for RHEL6:

Ext4 mounts devices with the relatime option by default. Probably not a good idea for secure environments. Means atime is not accurate. Very bad for systems using AIDE. RHEL 6 security guide needs to turn atime back on for Ext4 mounts.

cat /proc/mounts

Sent from iPhone.

When he states that "atime is not accurate", I believe he's referring to how relatime maintains atime data, but not for each time the file was accessed, only when it was /modified/.

From a performance perspective, relatime makes a lot of sense. Enabling relatime means the filesystem does not write an access time back to a file on every read. Imagine recording every read of every file in Hadoop or on a heavily used file share: that could be a lot of overhead, which relatime avoids.

With that said, we're writing a security guide, not a performance guide. What does everyone think about this, and what should we do? One option is to set "default_relatime=0" in grub to prevent any filesystem from doing this. Is that overkill?
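As an added illustration (my own example, not code from this thread or from scap-security-guide): a small audit that classifies each entry of /proc/mounts by its atime mode, so a check like the one the colleague's "cat /proc/mounts" implies can be scripted. The sample input is constructed in RHEL 6 /proc/mounts format; the list of pseudo-filesystems to skip is an assumption.

```python
# Added example: audit /proc/mounts for filesystems whose atime handling
# would undermine AIDE-style access monitoring (relatime or noatime).
import re

# Constructed sample in /proc/mounts format: device mountpoint fstype opts dump pass
SAMPLE = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
/dev/mapper/vg_rhel6-lv_root / ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/sda1 /boot ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/mapper/vg_rhel6-lv_home /home ext4 rw,barrier=1,data=ordered 0 0
/dev/sdb1 /srv/data ext4 rw,noatime,barrier=1,data=ordered 0 0
/dev/sdc1 /mnt/my\\040share ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
"""

# Assumed set of kernel pseudo-filesystems; AIDE does not watch these, so skip them.
PSEUDO_FS = {"rootfs", "proc", "sysfs", "devtmpfs", "devpts", "tmpfs", "cgroup",
             "debugfs", "securityfs", "selinuxfs", "binfmt_misc", "rpc_pipefs",
             "autofs", "mqueue", "hugetlbfs", "fusectl"}


def unescape(field):
    """/proc/mounts encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Yield (device, mountpoint, fstype, options) per line; options is a set."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        dev, mnt, fstype, opts = parts[:4]
        yield unescape(dev), unescape(mnt), fstype, set(opts.split(","))


def atime_mode(options):
    """The kernel prints noatime/relatime explicitly; neither present means strictatime."""
    if "noatime" in options:
        return "noatime"
    if "relatime" in options:
        return "relatime"
    return "strictatime"


def audit(text, skip_pseudo=True):
    """Return (mountpoint, fstype, mode) for every mount that is not strictatime."""
    findings = []
    for _dev, mnt, fstype, opts in parse_proc_mounts(text):
        if skip_pseudo and fstype in PSEUDO_FS:
            continue
        mode = atime_mode(opts)
        if mode != "strictatime":
            findings.append((mnt, fstype, mode))
    return findings


if __name__ == "__main__":
    for mnt, fstype, mode in audit(SAMPLE):
        print("%-20s %-6s %s (atime not updated on every read)" % (mnt, fstype, mode))
```

Against a live system, pass the contents of /proc/mounts to audit() instead of SAMPLE; a mount with no atime-related option in its list is the strictatime behaviour the guide would be asking for.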
_______________________________________________
scap-security-guide mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/scap-security-guide