Hi Steve,
Sorry for the delayed reply. I am just getting a chance to look at this.
Steve Grubb wrote: [Fri Mar 09 2007, 03:50:11PM EST]
> There was a bz, 231371, reporting that current upstream kernels do not
> completely disable auditing when booted with audit=0 and the audit daemon
> not configured to run.
When audit_enabled was first implemented, it was only intended to turn
off syscall auditing, not _all_ auditing. This was so users could use
audit for selinux messages without the overhead of syscall audit.
However, since Al optimized the syscall audit data collection when
there are no rules, maybe this isn't necessary anymore. Is that what
you are thinking?
It does seem like audit_enabled has changed its meaning since it was
introduced...
> The patch below solves this problem by checking audit_enabled before
> creating an audit event.
If you want audit_enabled=0 to turn off audit completely, do you also
want to drop selinux messages?
Amy