From: "Boyce, Kevin P (AS)"
To: Paul Moore
Cc: "linux-audit@redhat.com"
Subject: RE: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
Date: Tue, 24 Nov 2015 17:25:02 +0000
Message-ID: <822a6380c92247b6861b56d8ff8ec1d4@XCGVAG30.northgrum.com>

Is there an advantage to disabling syscall use like significantly reduced memory usage if someone only needs to do file watches?

In the end though I thought everything that was auditable was via syscall.

Kevin Boyce

-----Original Message-----
From: Paul Moore [mailto:paul@paul-moore.com]
Sent: Tuesday, November 24, 2015 9:08 AM
To: Boyce, Kevin P (AS)
Cc: linux-audit@redhat.com
Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?

On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) wrote:
> Having never looked at the code, it sounds reasonable to me. It doesn't make a lot of sense to disable syscall auditing independently.

I'd be very surprised to hear if anyone is running audit *without* syscall auditing, but I thought I would toss the question out there on the off chance I'm missing some critical use case.

> -----Original Message-----
> From: linux-audit-bounces@redhat.com
> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore
> Sent: Monday, November 23, 2015 5:43 PM
> To: linux-audit@redhat.com
> Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
>
> Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT, does anyone have any objections?

--
paul moore
www.paul-moore.com