4:42 p.m.
Does anyone out there build kernels with CONFIG_AUDIT=y and
CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the
CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT,
does anyone have any objections?
--
paul moore
www.paul-moore.com
7:58 a.m.
New subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
Having never looked at the code, it sounds reasonable to me. It doesn't make a lot of
sense to disable syscall auditing independently.
Kevin Boyce
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of
Paul Moore
Sent: Monday, November 23, 2015 5:43 PM
To: linux-audit(a)redhat.com
Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n?
I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code
under CONFIG_AUDIT, does anyone have any objections?
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
8:07 a.m.
New subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS)
<Kevin.Boyce(a)ngc.com> wrote:
Having never looked at the code, it sounds reasonable to me. It
doesn't make a lot of sense to disable syscall auditing independently.
I'd be very surprised to hear if anyone is running audit *without*
syscall auditing, but I thought I would toss the question out there on
the off chance I'm missing some critical use case.
-----Original Message-----
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of
Paul Moore
Sent: Monday, November 23, 2015 5:43 PM
To: linux-audit(a)redhat.com
Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n?
I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code
under CONFIG_AUDIT, does anyone have any objections?
--
paul moore
www.paul-moore.com
11:25 a.m.
New subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
Is there an advantage to disabling syscall use like significantly reduced memory usage if
someone only needs to do file watches? In the end though I thought everything that was
auditable was via syscall.
Kevin Boyce
-----Original Message-----
From: Paul Moore [mailto:paul@paul-moore.com]
Sent: Tuesday, November 24, 2015 9:08 AM
To: Boyce, Kevin P (AS)
Cc: linux-audit(a)redhat.com
Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) <Kevin.Boyce(a)ngc.com> wrote:
Having never looked at the code, it sounds reasonable to me. It
doesn't make a lot of sense to disable syscall auditing independently.
I'd be very surprised to hear if anyone is running audit *without* syscall auditing,
but I thought I would toss the question out there on the off chance I'm missing some
critical use case.
-----Original Message-----
From: linux-audit-bounces(a)redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore
Sent: Monday, November 23, 2015 5:43 PM
To: linux-audit(a)redhat.com
Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n?
I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code
under CONFIG_AUDIT, does anyone have any objections?
--
paul moore
www.paul-moore.com
12:03 p.m.
New subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
On Tue, Nov 24, 2015 at 12:25 PM, Boyce, Kevin P (AS)
<Kevin.Boyce(a)ngc.com> wrote:
Is there an advantage to disabling syscall use like significantly
reduced memory usage if someone only needs to do file watches? In the end though I
thought everything that was auditable was via syscall.
You would save on kernel image size (code is compiled out) and
possibly some performance gains, but I'm not entirely sure of that
last point, I would need to go check the code a bit more. However, I
think the better question is, how useful are file watches without the
associated syscall record? I'm going to say "not very". Also, it is
probably moot, because as we mentioned earlier, I just don't believe
there is anyone using audit who disables syscall auditing - it just
doesn't make much sense.
-----Original Message-----
From: Paul Moore [mailto:paul@paul-moore.com]
Sent: Tuesday, November 24, 2015 9:08 AM
To: Boyce, Kevin P (AS)
Cc: linux-audit(a)redhat.com
Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) <Kevin.Boyce(a)ngc.com> wrote:
> Having never looked at the code, it sounds reasonable to me. It doesn't make a
lot of sense to disable syscall auditing independently.
I'd be very surprised to hear if anyone is running audit *without* syscall auditing,
but I thought I would toss the question out there on the off chance I'm missing some
critical use case.
> -----Original Message-----
> From: linux-audit-bounces(a)redhat.com
> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore
> Sent: Monday, November 23, 2015 5:43 PM
> To: linux-audit(a)redhat.com
> Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
>
> Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n?
I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code
under CONFIG_AUDIT, does anyone have any objections?
--
paul moore
www.paul-moore.com
3315
days inactive
3316
days old
linux-audit@lists.linux-audit.osci.io
4 comments
2 participants
participants (2)
-
Boyce, Kevin P (AS) -
Paul Moore