* Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? @ 2015-11-23 22:42 Paul Moore 2015-11-24 13:58 ` EXT :Fold " Boyce, Kevin P (AS) 0 siblings, 1 reply; 5+ messages in thread From: Paul Moore @ 2015-11-23 22:42 UTC (permalink / raw) To: linux-audit Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT, does anyone have any objections? -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? 2015-11-23 22:42 Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? Paul Moore @ 2015-11-24 13:58 ` Boyce, Kevin P (AS) 2015-11-24 14:07 ` Paul Moore 0 siblings, 1 reply; 5+ messages in thread From: Boyce, Kevin P (AS) @ 2015-11-24 13:58 UTC (permalink / raw) To: Paul Moore, linux-audit Having never looked at the code, it sounds reasonable to me. It doesn't make a lot of sense to disable syscall auditing independently. Kevin Boyce -----Original Message----- From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore Sent: Monday, November 23, 2015 5:43 PM To: linux-audit@redhat.com Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT, does anyone have any objections? -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? 2015-11-24 13:58 ` EXT :Fold " Boyce, Kevin P (AS) @ 2015-11-24 14:07 ` Paul Moore 2015-11-24 17:25 ` Boyce, Kevin P (AS) 0 siblings, 1 reply; 5+ messages in thread From: Paul Moore @ 2015-11-24 14:07 UTC (permalink / raw) To: Boyce, Kevin P (AS); +Cc: linux-audit On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) <Kevin.Boyce@ngc.com> wrote: > Having never looked at the code, it sounds reasonable to me. It doesn't make a lot of sense to disable syscall auditing independently. I'd be very surprised to hear if anyone is running audit *without* syscall auditing, but I thought I would toss the question out there on the off chance I'm missing some critical use case. > -----Original Message----- > From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore > Sent: Monday, November 23, 2015 5:43 PM > To: linux-audit@redhat.com > Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? > > Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT, does anyone have any objections? -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? 2015-11-24 14:07 ` Paul Moore @ 2015-11-24 17:25 ` Boyce, Kevin P (AS) 2015-11-24 18:03 ` Paul Moore 0 siblings, 1 reply; 5+ messages in thread From: Boyce, Kevin P (AS) @ 2015-11-24 17:25 UTC (permalink / raw) To: Paul Moore; +Cc: linux-audit Is there an advantage to disabling syscall use like significantly reduced memory usage if someone only needs to do file watches? In the end though I thought everything that was auditable was via syscall. Kevin Boyce -----Original Message----- From: Paul Moore [mailto:paul@paul-moore.com] Sent: Tuesday, November 24, 2015 9:08 AM To: Boyce, Kevin P (AS) Cc: linux-audit@redhat.com Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) <Kevin.Boyce@ngc.com> wrote: > Having never looked at the code, it sounds reasonable to me. It doesn't make a lot of sense to disable syscall auditing independently. I'd be very surprised to hear if anyone is running audit *without* syscall auditing, but I thought I would toss the question out there on the off chance I'm missing some critical use case. > -----Original Message----- > From: linux-audit-bounces@redhat.com > [mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore > Sent: Monday, November 23, 2015 5:43 PM > To: linux-audit@redhat.com > Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? > > Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT, does anyone have any objections? -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? 2015-11-24 17:25 ` Boyce, Kevin P (AS) @ 2015-11-24 18:03 ` Paul Moore 0 siblings, 0 replies; 5+ messages in thread From: Paul Moore @ 2015-11-24 18:03 UTC (permalink / raw) To: Boyce, Kevin P (AS); +Cc: linux-audit On Tue, Nov 24, 2015 at 12:25 PM, Boyce, Kevin P (AS) <Kevin.Boyce@ngc.com> wrote: > Is there an advantage to disabling syscall use like significantly reduced memory usage if someone only needs to do file watches? In the end though I thought everything that was auditable was via syscall. You would save on kernel image size (code is compiled out) and possibly some performance gains, but I'm not entirely sure of that last point, I would need to go check the code a bit more. However, I think the better question is, how useful are file watches without the associated syscall record? I'm going to say "not very". Also, it is probably moot, because as we mentioned earlier, I just don't believe there is anyone using audit who disables syscall auditing - it just doesn't make much sense. > -----Original Message----- > From: Paul Moore [mailto:paul@paul-moore.com] > Sent: Tuesday, November 24, 2015 9:08 AM > To: Boyce, Kevin P (AS) > Cc: linux-audit@redhat.com > Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? > > On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) <Kevin.Boyce@ngc.com> wrote: >> Having never looked at the code, it sounds reasonable to me. It doesn't make a lot of sense to disable syscall auditing independently. > > I'd be very surprised to hear if anyone is running audit *without* syscall auditing, but I thought I would toss the question out there on the off chance I'm missing some critical use case. > >> -----Original Message----- >> From: linux-audit-bounces@redhat.com >> [mailto:linux-audit-bounces@redhat.com] On Behalf Of Paul Moore >> Sent: Monday, November 23, 2015 5:43 PM >> To: linux-audit@redhat.com >> Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? >> >> Does anyone out there build kernels with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT, does anyone have any objections? -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-11-24 18:03 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-11-23 22:42 Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT? Paul Moore 2015-11-24 13:58 ` EXT :Fold " Boyce, Kevin P (AS) 2015-11-24 14:07 ` Paul Moore 2015-11-24 17:25 ` Boyce, Kevin P (AS) 2015-11-24 18:03 ` Paul Moore
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.