seccomp and audit_enabled

Tony Jones tonyj at suse.de
Tue Oct 13 19:46:47 UTC 2015


On 10/13/2015 12:19 PM, Paul Moore wrote:

>> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on.  auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on our systems).
> 
> Yes, if systemd is involved it enables audit; we've had some
> discussions with the systemd folks about fixing that, but they haven't
> gone very far.  I'm still a little curious as to why
> audit_dummy_context() is false in this case, but I haven't looked at
> how systemd/auditctl start/config the system too closely.

I'll debug what's going on (easy) on the test system and report back.  I'm curious
too.  Have a bad cold today so I'm moving slower than normal.

> I don't really care if it is audit or not (although we will need to
> output something via audit if it is enabled to keep the CC crowd
> happy); if you feel strongly that it isn't audit, we can just make it
> a printk, that would work well with Kees' goals.  To me the important
> point here is that we send a message when seccomp alters the behavior
> of the syscall (action != ALLOW).

Yes, if audit is enabled, you should totally be able to use it. Rest sounds good also.

thanks!

Tony
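The message the thread wants emitted for every non-ALLOW seccomp action is what a defender would then match in the audit log. As an added example (not code from this thread or from the kernel), here is a small Python parser for type=SECCOMP audit records that decodes the action from the code field and keeps only the events where seccomp altered the syscall; the log lines are constructed samples, and the ERRNO record assumes a kernel that reports all non-ALLOW actions as proposed above.

```python
import re

# seccomp return-value layout from <linux/seccomp.h> of that era:
# the high bits select the action, the low 16 bits carry errno/trace data.
SECCOMP_RET_ACTION = 0x7fff0000
SECCOMP_RET_DATA = 0x0000ffff
SECCOMP_ACTIONS = {
    0x00000000: "KILL",
    0x00030000: "TRAP",
    0x00050000: "ERRNO",
    0x7ff00000: "TRACE",
    0x7fff0000: "ALLOW",
}
# AUDIT_ARCH_* values for the two x86 ABIs (arch= is printed as bare hex)
ARCHES = {0xc000003e: "x86_64", 0x40000003: "i386"}

# key=value pairs; quoted values (comm, exe) may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp_record(line):
    """Return a dict for a type=SECCOMP audit record, or None for any other record type."""
    if not line.startswith("type=SECCOMP "):
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    code = int(fields["code"], 16)
    return {
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "arch": ARCHES.get(int(fields["arch"], 16), fields["arch"]),
        "syscall": int(fields["syscall"]),
        "action": SECCOMP_ACTIONS.get(code & SECCOMP_RET_ACTION, "UNKNOWN"),
        "data": code & SECCOMP_RET_DATA,  # errno for ERRNO, cookie for TRACE
        "sig": int(fields["sig"]),        # signal delivered, 0 if none
    }

def non_allow_events(lines):
    """Keep only records where seccomp changed the syscall's behaviour (action != ALLOW)."""
    records = (parse_seccomp_record(line) for line in lines)
    return [r for r in records if r and r["action"] != "ALLOW"]

# constructed sample audit.log lines, not real captures
SAMPLE_LOG = [
    'type=SECCOMP msg=audit(1444767007.142:201): auid=1000 uid=1000 gid=1000 ses=1 pid=4242 comm="sandboxed" exe="/usr/bin/sandboxed" sig=31 arch=c000003e syscall=41 compat=0 ip=0x7f3a2c10e3e7 code=0x0',
    'type=SECCOMP msg=audit(1444767007.150:202): auid=1000 uid=1000 gid=1000 ses=1 pid=4243 comm="sandboxed" exe="/usr/bin/sandboxed" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7f3a2c10e3e7 code=0x50001',
    'type=SECCOMP msg=audit(1444767007.155:203): auid=1000 uid=1000 gid=1000 ses=1 pid=4243 comm="sandboxed" exe="/usr/bin/sandboxed" sig=0 arch=c000003e syscall=1 compat=0 ip=0x7f3a2c10e3e7 code=0x7fff0000',
    'type=SYSCALL msg=audit(1444767007.160:204): arch=c000003e syscall=59 success=yes exit=0 pid=4244 comm="sh" exe="/bin/sh"',
]

if __name__ == "__main__":
    for ev in non_allow_events(SAMPLE_LOG):
        print(f'pid={ev["pid"]} comm={ev["comm"]} {ev["arch"]} syscall={ev["syscall"]} '
              f'action={ev["action"]} data={ev["data"]} sig={ev["sig"]}')
```

On a live system the same function can be fed the output of `ausearch -m SECCOMP` instead of the constructed list.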