Why is syscall auditing on with no rules?
Andy Lutomirski
luto at amacapital.net
Sun Feb 2 02:32:31 UTC 2014
On a stock Fedora installation:
$ sudo auditctl -l
No rules
Nonetheless TIF_SYSCALL_AUDIT is set and the __audit_syscall_entry and
__audit_syscall_exit account for >20% of syscall overhead according to
perf.
This sucks. Unless I'm missing something, syscall auditing is *off*.
How hard would it be to arrange for TIF_SYSCALL_AUDIT to be cleared
when there are no syscall rules?
(This is extra bad in kernels before 3.13, where the clear call for
TIF_SYSCALL_AUDIT was completely missing.)
--Andy
More information about the Linux-audit
mailing list