EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?

Boyce, Kevin P (AS) Kevin.Boyce at ngc.com
Tue Nov 24 17:25:02 UTC 2015


Is there an advantage to disabling syscall use, like significantly reduced memory usage, if someone only needs to do file watches? In the end, though, I thought everything that was auditable was via syscall.

Kevin Boyce




-----Original Message-----
From: Paul Moore [mailto:paul at paul-moore.com] 
Sent: Tuesday, November 24, 2015 9:08 AM
To: Boyce, Kevin P (AS)
Cc: linux-audit at redhat.com
Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?

On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) <Kevin.Boyce at ngc.com> wrote:
> Having never looked at the code, it sounds reasonable to me.  It doesn't make a lot of sense to disable syscall auditing independently.

I'd be very surprised to hear if anyone is running audit *without* syscall auditing, but I thought I would toss the question out there on the off chance I'm missing some critical use case.

> -----Original Message-----
> From: linux-audit-bounces at redhat.com 
> [mailto:linux-audit-bounces at redhat.com] On Behalf Of Paul Moore
> Sent: Monday, November 23, 2015 5:43 PM
> To: linux-audit at redhat.com
> Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
>
> Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n?  I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT; does anyone have any objections?

--
paul moore
www.paul-moore.com




