CONFIG_AUDITFILESYSTEM RedHat only

Steve Grubb sgrubb at redhat.com
Tue Apr 24 23:09:24 UTC 2007


On Tuesday 24 April 2007 17:58:10 Machin, Glenn D wrote:
> Can anyone tell me if the RedHat Kernel configuration that allows one to
> watch filesystem objects made it back into the Linux Kernel Archives
> (www.kernel.org)?

That config option is only valid in RHEL4U2 and higher kernels within the 
RHEL4 series. That filesystem auditing attempt was rejected when it was 
presented upstream on the basis of too much overlap with inotify. (6 months 
prior we were told not to use inotify because we'd hurt its chances of 
getting upstream.) 

So, it was refactored and merged with the mainline kernel as of 2.6.19. (RHEL5 
has all the right patches.) In the latest upstream kernels, you do not need 
to use CONFIG_AUDITFILESYSTEM. It was decided that people might forget to 
enable that option and only have half the functionality. So, if you specify 
CONFIG_AUDITSYSCALL in current kernels, you get the whole thing.

> Is this a RedHat only enhancement?

The one that's in RHEL4 is. Well, CentOS, too. But I've preserved the user 
space commandline interface so that rules written for RHEL4 work just as well 
with any 2.6.19 or later kernel.

-Steve

More information about the Linux-audit mailing list