Is there an advantage to disabling syscall use, like significantly reduced memory usage, if someone only needs to do file watches? In the end, though, I thought everything that was auditable was via syscall.

Kevin Boyce

-----Original Message-----
From: Paul Moore [mailto:[email protected]]
Sent: Tuesday, November 24, 2015 9:08 AM
To: Boyce, Kevin P (AS)
Cc: [email protected]
Subject: Re: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?

On Tue, Nov 24, 2015 at 8:58 AM, Boyce, Kevin P (AS) <[email protected]> wrote:
> Having never looked at the code, it sounds reasonable to me. It doesn't make
> a lot of sense to disable syscall auditing independently.

I'd be very surprised to hear if anyone is running audit *without* syscall auditing, but I thought I would toss the question out there on the off chance I'm missing some critical use case.

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Paul Moore
> Sent: Monday, November 23, 2015 5:43 PM
> To: [email protected]
> Subject: EXT :Fold CONFIG_AUDITSYSCALL into CONFIG_AUDIT?
>
> Does anyone out there build kernels with CONFIG_AUDIT=y and
> CONFIG_AUDITSYSCALL=n? I'm thinking of simply removing the
> CONFIG_AUDITSYSCALL knob and moving all that code under CONFIG_AUDIT, does
> anyone have any objections?

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
