[PATCH v3] audit: Turn off TIF_SYSCALL_AUDIT when there are no rules
Andy Lutomirski
luto at amacapital.net
Mon Feb 10 18:05:58 UTC 2014
On Mon, Feb 10, 2014 at 9:47 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday, February 10, 2014 09:29:19 AM Andy Lutomirski wrote:
>> Grr. Why is all this crap tied up with syscall auditing anyway? ISTM
>> it would have been a lot nicer if audit calls just immediately emitted
>> audit records, completely independently of the syscall machinery.
>
> Because the majority of people needing audit need syscall records for it to
> make any sense. The auxiliary records generally report on the object of the
> syscall. We still require information about who was doing something, what they
> were doing, and what the result was.
>
> Even if you just get the AVC's, you still don't know what happened. If you get
> a deny record, was it really denied? The system could have been in permissive
> mode and the syscall succeeded. You only get the real decision when you have
> syscall records.
>
Fair enough.
I'll see if I can turn this into something more workable.
--Andy
More information about the Linux-audit
mailing list