From: Paul Moore
Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
Date: Tue, 24 Nov 2015 13:03:14 -0500
To: "Boyce, Kevin P (AS)"
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Tue, Nov 24, 2015 at 12:25 PM, Boyce, Kevin P (AS) wrote:
> Is there an advantage to disabling syscall use, like significantly reduced memory usage, if someone only needs to do file watches? In the end, though, I thought everything that was auditable was via syscall.

You would save on kernel image size (code is compiled out) and possibly some performance gains, but I'm not entirely sure of that last point; I would need to go check the code a bit more.

However, I think the better question is: how useful are file watches without the associated syscall record? I'm going to say "not very".

Also, it is probably moot because, as we mentioned earlier, I just don't believe there is anyone using audit who disables syscall auditing; it just doesn't make much sense.

> -----Original Message-----
> From: Paul Moore [mailto:paul@paul-moore.com]
> Sent: Tuesday, November 24, 2015 9:08 AM
> To: Boyce, Kevin P (AS)
> Cc: linux-audit@redhat.com
> Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
>
> On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) wrote:
>> Having never looked at the code, it sounds reasonable to me. It doesn't make a lot of sense to disable syscall auditing independently.
>
> I'd be very surprised to hear if anyone is running audit *without* syscall auditing, but I thought I would toss the question out there on the off chance I'm missing some critical use case.
>
>> -----Original Message-----
>> From: linux-audit-bounces@redhat.com
>> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore
>> Sent: Monday, November 23, 2015 5:43 PM
>> To: linux-audit@redhat.com
>> Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
>>
>> Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT; does anyone have any objections?

--
paul moore
www.paul-moore.com