On Thursday 22 March 2007 17:45, Amy Griffis wrote:
> When audit_enabled was first implemented, it was only intended to turn
> off syscall auditing, not _all_ auditing.

At that time, syscall auditing *was* all auditing. :)

> This was so users could use audit for selinux messages without the overhead
> of syscall audit.

SE Linux has always been different and you shouldn't really consider it in the auditing system for enable/disable. The reason it's different is that it uses audit as a transport mechanism and can happily use syslogs, too.

> > The patch below solves this problem by checking audit_enabled before
> > creating an audit event.
>
> If you want audit_enabled=0 to turn off audit completely, do you also
> want to drop selinux messages?

No, the SE Linux folks want avc messages at all times unless the admin specifically sets a rule to suppress them.

-Steve
