On Tuesday 24 April 2007 17:58:10 Machin, Glenn D wrote:
> Can anyone tell me if the RedHat Kernel configuration that allows one to
> watch filesystem objects made it back into the Linux Kernel Archives
> (www.kernel.org)?

That config option is only valid in RHEL4U2 and higher kernels within the
RHEL4 series. That filesystem auditing attempt was rejected when it was
presented upstream on the basis of too much overlap with inotify. (6 months
prior we were told not to use inotify because we'd hurt its chances of
getting upstream.)
So, it was refactored and merged with the mainline kernel as of 2.6.19. (RHEL5
has all the right patches.) In the latest upstream kernels, you do not need
to use CONFIG_AUDITFILESYSTEM. It was decided that people might forget to
enable that option and only have half the functionality. So, if you specify
CONFIG_AUDITSYSCALL in current kernels, you get the whole thing.

> Is this a RedHat only enhancement?

The one that's in RHEL4 is. Well, CentOS, too. But I've preserved the user
space commandline interface so that rules written for RHEL4 work just as well
with any 2.6.19 or later kernel.
-Steve
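
The rules described in the reply above can be turned into a check against a kernel config file. This is an added example, not part of the original message or of the audit project's code; the function names, output labels and sample release strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify audit file-watch support from a kernel release
# string and a kernel .config file, following the rules in the message above.

# True when release $1 (e.g. "2.6.19", "2.6.23.1-0.vendor") is >= 2.6.19.
kver_ge_2_6_19() {
    base=${1%%-*}                        # drop any "-vendor" suffix
    maj=${base%%.*}; rest=${base#*.}
    min=${rest%%.*}; pat=${rest#*.}; pat=${pat%%.*}
    pat=${pat%%[!0-9]*}                  # "19rc1" -> "19"
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 6 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "${pat:-0}" -ge 19 ]
}

# Prints: full | rhel4-option | check-vendor | none
audit_watch_support() {
    rel=$1; cfg=$2
    # Assumption: file watches build on syscall auditing, so without
    # CONFIG_AUDITSYSCALL there is nothing to watch with.
    if ! grep -q '^CONFIG_AUDITSYSCALL=y$' "$cfg"; then
        echo none
    elif kver_ge_2_6_19 "$rel"; then
        echo full          # 2.6.19+: AUDITSYSCALL alone gives the whole thing
    elif grep -q '^CONFIG_AUDITFILESYSTEM=y$' "$cfg"; then
        echo rhel4-option  # pre-2.6.19 kernel built with the RHEL4-series option
    else
        # Older base version: a vendor may have backported the merged code
        # (the message says RHEL5 has the patches), so the version alone
        # cannot decide. Confirm by loading a watch rule on the host.
        echo check-vendor
    fi
}

# Constructed sample config and release strings, for illustration only.
demo_cfg=$(mktemp)
printf '%s\n' 'CONFIG_AUDIT=y' 'CONFIG_AUDITSYSCALL=y' > "$demo_cfg"
for rel in 2.6.19 2.6.18-0.vendor; do
    echo "$rel: $(audit_watch_support "$rel" "$demo_cfg")"
done
rm -f "$demo_cfg"
```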