On Jun 13, 2012, at 11:53 PM, Shawn Wells wrote:
> I received this note from a colleague today regarding content in the
> scap-security-guide for RHEL6:
>
>> Ext4 mounts devices with the relatime option by default. Probably not a
>> good idea for secure environments. Means atime is not accurate. Very bad
>> for systems using AIDE. RHEL 6 security guide needs to turn atime back on
>> for Ext4 mounts.
>>
>> cat /proc/mounts
>>
>> Sent from iPhone.
>>
>
> When he states that "atime is not accurate" I believe he's referring to how
> relatime maintains atime data, but not for each time the file was accessed.
> Only modified.
>
> From a performance perspective relatime makes a lot of sense. Enablement of
> relatime means that the filesystem will not write read-times to a file when
> read. Imagine recording every time a file in hadoop or a highly utilized
> fileshare was read... that could be a lot of overhead which relatime prevents.
>
> With that said, we're writing a security guide and not a performance guide.
> What does everyone think about this, and what should we do? One option is to
> set "default_relatime=0" in grub to prevent any filesystem from doing this.
> Is that overkill?
Overkill. Audit rules record when something you care about has been accessed.

joe

_______________________________________________
scap-security-guide mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/scap-security-guide
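The exchange above turns on what relatime actually does to atime. The following is an added example, not code from the thread or from the scap-security-guide project: it models the kernel's relatime rule (atime is rewritten on read only when it is not newer than mtime or ctime, or when it is more than 24 hours stale), runs the same sequence of reads under strictatime, relatime and noatime so the difference an AIDE-style atime check would see is explicit, and finishes with a probe of whatever filesystem the script is run on. The function names, the constructed timestamps, and the use of a temporary file in the default temp directory are all assumptions of this example.

```python
"""Model of the Linux relatime atime-update rule and a probe of the live
filesystem. Added example for the scap-security-guide relatime discussion;
not part of the project or the kernel."""
import os
import tempfile

DAY = 24 * 60 * 60  # relatime's staleness window, in seconds


def relatime_needs_update(atime, mtime, ctime, now):
    """Return True if a read at time `now` would rewrite atime under relatime.

    Mirrors the kernel's relatime_need_update(): atime is refreshed only if it
    is not newer than mtime, not newer than ctime, or at least one day old
    (the one-day clause exists since 2.6.30). Otherwise the read is silent.
    """
    if atime <= mtime:
        return True
    if atime <= ctime:
        return True
    if now - atime >= DAY:
        return True
    return False


def simulate_reads(mode, mtime, read_times):
    """Return the atime observed after each read in `read_times`.

    `mode` is 'strictatime', 'relatime' or 'noatime'. The file is assumed to
    have just been written, so atime and ctime start equal to mtime
    (constructed scenario; timestamps are plain seconds).
    """
    atime = mtime
    ctime = mtime
    observed = []
    for t in read_times:
        if mode == "strictatime":
            atime = t                       # every read is recorded
        elif mode == "relatime":
            if relatime_needs_update(atime, mtime, ctime, t):
                atime = t                   # only the first read after a write, or a stale one
        elif mode == "noatime":
            pass                            # reads never touch atime
        else:
            raise ValueError("unknown mount mode: %r" % mode)
        observed.append(atime)
    return observed


def probe_atime_behaviour(directory=None):
    """Empirically check the mounted filesystem: create a file, push its atime
    behind its mtime (so relatime as well as strictatime must refresh it), read
    it, and report whether atime moved. Returns 'updated' or 'not updated';
    'not updated' indicates noatime (or a non-POSIX filesystem)."""
    with tempfile.NamedTemporaryFile(dir=directory, delete=False) as f:
        f.write(b"x")
        path = f.name
    try:
        st = os.stat(path)
        one_hour_ns = 3600 * 10**9
        os.utime(path, ns=(st.st_mtime_ns - one_hour_ns, st.st_mtime_ns))
        before = os.stat(path).st_atime_ns
        with open(path, "rb") as f:
            f.read()
        after = os.stat(path).st_atime_ns
        return "updated" if after > before else "not updated"
    finally:
        os.unlink(path)


if __name__ == "__main__":
    reads = [10, 20, 30, 10 + DAY]          # constructed read times; file written at t=0
    for mode in ("strictatime", "relatime", "noatime"):
        print("%-12s %s" % (mode, simulate_reads(mode, 0, reads)))
    print("live filesystem: atime", probe_atime_behaviour())
```

With the file written at t=0 and reads at 10, 20, 30 and one day later, strictatime reports every read, relatime reports only the first read and the stale one (10, 10, 10, then the day-later read), and noatime reports none; an atime-based AIDE check therefore only ever sees the first read after each write under relatime. The probe's result depends on the mount options of the directory it runs in, which is the check a reviewer of the guide would want to run on a target host rather than assume. Joe's alternative, an auditd watch with read permission on the specific paths that matter (`-w <path> -p r -k <key>` in the audit rules), records every access regardless of mount options and avoids the per-read write cost Shawn describes.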
