[PATCH] audit=0 appears not to completely disable auditing
Steve Grubb
sgrubb at redhat.com
Thu Mar 22 21:55:45 UTC 2007
On Thursday 22 March 2007 17:45, Amy Griffis wrote:
> When audit_enabled was first implemented, it was only intended to turn
> off syscall auditing, not _all_ auditing.
At that time, syscall auditing *was* all auditing. :)
> This was so users could use audit for selinux messages without the overhead
> of syscall audit.
SE Linux has always been different and you shouldn't really consider it in the
auditing system for enable/disable. The reason it's different is that it uses
audit as a transport mechanism and can happily use syslogs, too.
> > The patch below solves this problem by checking audit_enabled before
> > creating an audit event.
>
> If you want audit_enabled=0 to turn off audit completely, do you also
> want to drop selinux messages?
No, the SE Linux folks want avc messages at all times unless the admin
specifically sets a rule to suppress them.
-Steve