On 10/13/2015 12:19 PM, Paul Moore wrote:

>> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on. auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on our systems).
>
> Yes, if systemd is involved it enables audit; we've had some
> discussions with the systemd folks about fixing that, but they haven't
> gone very far. I'm still a little curious as to why
> audit_dummy_context() is false in this case, but I haven't looked at
> how systemd/auditctl start/config the system too closely.

I'll debug what's going on (easy) on the test system and report back. I'm curious too. Have a bad cold today so I'm moving slower than normal.

> I don't really care if it is audit or not (although we will need to
> output something via audit if it is enabled to keep the CC crowd
> happy); if you feel strongly that it isn't audit, we can just make it
> a printk, that would work well with Kees' goals. To me the important
> point here is that we send a message when seccomp alters the behavior
> of the syscall (action != ALLOW).

Yes, if audit is enabled, you should totally be able to use it. Rest sounds good also.

thanks!
Tony

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
