On Thursday 23 March 2006 13:45, Stephen Smalley wrote:
> I think audit was made optional in FC5 because of the overhead
> associated with syscall auditing, even if you aren't using any syscall
> audit filters.
Precisely. I mentioned that we needed to work on performance way back in Sept.
https://www.redhat.com/archives/linux-audit/2005-September/msg00061.html
It's item number 2. I put that into the RFE because I thought this would happen
if we didn't address it. (That list is still open and in need of help since
most if not all requests are kernel work.)
> It does yield a little surprise for SELinux users who just got
> accustomed to looking for audit.log in FC4,
If they are upgrading, the audit package should get pulled in. Only new
installs would be affected.
> and we had already codified use of audit.log and ausearch in e.g. the
> audit2allow man page.
Long term, this is where we want to be. The audit log parsing library should
help make any tool maker's job easier.
I see the current situation as a temporary wrinkle that we have to work
through. Jason took a stab at alleviating the performance issue, but we can't
include it yet since there's a bug in it. I don't know if he'll have time in
the near future to continue working on it. If someone else wants to work
through the bugs in it, that would be great. If someone else wants to create
an alternate patch, that would be great. But we aren't likely to get back
into installed by default without something kernel side changing.
-Steve