* Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
From: Paul Moore @ 2015-11-23 22:42 UTC (permalink / raw)
  To: linux-audit

Does anyone out there build kernels with CONFIG_AUDIT=y and
CONFIG_AUDITSYSCALL=n?  I'm thinking of simply removing the
CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT,
does anyone have any objections?

-- 
paul moore
www.paul-moore.com


* RE: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
From: Boyce, Kevin P (AS) @ 2015-11-24 13:58 UTC (permalink / raw)
  To: Paul Moore, linux-audit

Having never looked at the code, it sounds reasonable to me.  It doesn't make a lot of sense to disable syscall auditing independently.

Kevin Boyce





* Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
From: Paul Moore @ 2015-11-24 14:07 UTC (permalink / raw)
  To: Boyce, Kevin P (AS); +Cc: linux-audit

On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS)
<Kevin.Boyce@ngc.com> wrote:
> Having never looked at the code, it sounds reasonable to me.  It doesn't make a lot of sense to disable syscall auditing independently.

I'd be very surprised to hear if anyone is running audit *without*
syscall auditing, but I thought I would toss the question out there on
the off chance I'm missing some critical use case.


-- 
paul moore
www.paul-moore.com


* RE: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
From: Boyce, Kevin P (AS) @ 2015-11-24 17:25 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit

Is there an advantage to disabling syscall use like significantly reduced memory usage if someone only needs to do file watches?  In the end though I thought everything that was auditable was via syscall.

Kevin Boyce





* Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
From: Paul Moore @ 2015-11-24 18:03 UTC (permalink / raw)
  To: Boyce, Kevin P (AS); +Cc: linux-audit

On Tue, Nov 24, 2015 at 12:25 PM, Boyce, Kevin P (AS)
<Kevin.Boyce@ngc.com> wrote:
> Is there an advantage to disabling syscall use like significantly reduced memory usage if someone only needs to do file watches?  In the end though I thought everything that was auditable was via syscall.

You would save on kernel image size (code is compiled out) and
possibly some performance gains, but I'm not entirely sure of that
last point, I would need to go check the code a bit more.  However, I
think the better question is, how useful are file watches without the
associated syscall record?  I'm going to say "not very".  Also, it is
probably moot, because as we mentioned earlier, I just don't believe
there is anyone using audit who disables syscall auditing - it just
doesn't make much sense.

-- 
paul moore
www.paul-moore.com
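
The point above about file watches and "the associated syscall record", as an added example that is not part of the original thread: it groups audit records by event serial and shows which attribution fields a PATH record gains from its SYSCALL sibling. The log lines are constructed samples in the usual audit.log key=value layout; the second event is a hypothetical PATH record with no SYSCALL sibling, included only to show what is missing, not as a claim about what a kernel built without CONFIG_AUDITSYSCALL emits.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread), audit.log key=value layout.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1448388180.101:812): arch=c000003e syscall=2 success=yes exit=3 pid=4211 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd-watch"
type=CWD msg=audit(1448388180.101:812): cwd="/root"
type=PATH msg=audit(1448388180.101:812): item=0 name="/etc/passwd" inode=131845 ouid=0 ogid=0
type=PATH msg=audit(1448388195.440:813): item=0 name="/etc/shadow" inode=131902 ouid=0 ogid=0
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields that say who acted and how; they live in the SYSCALL record, not in PATH.
WHO = ("auid", "uid", "pid", "exe", "syscall", "key")

def parse(log):
    """Group records by event serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[int(serial)][rtype].append(fields)
    return events

def attribute_paths(log):
    """For each PATH record, report the file plus what the SYSCALL record adds."""
    out = []
    for serial, recs in sorted(parse(log).items()):
        sc = recs.get("SYSCALL", [{}])[0]  # empty dict when no sibling exists
        for path in recs.get("PATH", []):
            out.append({
                "serial": serial,
                "name": path.get("name"),
                "attributed": bool(sc),
                **{k: sc.get(k) for k in WHO},
            })
    return out

if __name__ == "__main__":
    for row in attribute_paths(SAMPLE_LOG):
        print(row)
```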
