Is there an advantage to disabling syscall use, like significantly reduced memory usage, if
someone only needs to do file watches? In the end, though, I thought everything that was
auditable was via syscall.
Kevin Boyce
-----Original Message-----
From: Paul Moore [mailto:paul@paul-moore.com]
Sent: Tuesday, November 24, 2015 9:08 AM
To: Boyce, Kevin P (AS)
Cc: linux-audit(a)redhat.com
Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) <Kevin.Boyce(a)ngc.com> wrote:
> Having never looked at the code, it sounds reasonable to me. It
> doesn't make a lot of sense to disable syscall auditing independently.

I'd be very surprised to hear if anyone is running audit *without* syscall auditing,
but I thought I would toss the question out there on the off chance I'm missing some
critical use case.
-----Original Message-----
From: linux-audit-bounces(a)redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore
Sent: Monday, November 23, 2015 5:43 PM
To: linux-audit(a)redhat.com
Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n?
I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code
under CONFIG_AUDIT, does anyone have any objections?
--
paul moore
www.paul-moore.com