[PATCH v3] audit: Turn off TIF_SYSCALL_AUDIT when there are no rules
Steve Grubb
sgrubb at redhat.com
Mon Feb 10 17:47:21 UTC 2014
On Monday, February 10, 2014 09:29:19 AM Andy Lutomirski wrote:
> Grr. Why is all this crap tied up with syscall auditing anyway? ISTM
> it would have been a lot nicer if audit calls just immediately emitted
> audit records, completely independently of the syscall machinery.
Because the majority of people needing audit need syscall records for it to
make any sense. The auxiliary records generally report on the object of the
syscall. We still require information about who was doing something, what they
were doing, and what the result was.
Even if you just get the AVC's, you still don't know what happened. If you get
a deny record, was it really denied? The system could have been in permissive
mode and the syscall succeeded. You only get the real decision when you have
syscall records.
-Steve
More information about the Linux-audit
mailing list