On 10/07/2014 10:55 AM, William Roberts wrote:
> It just dawned on me, isn't there another config to enable audit syscall in
> the kernel? CONFIG_AUDITSYSCALL
> Perhaps this is why I didn't see the messages....
>
> I don't think my initial implementation set it to one, and Josh's changes
> to the readme include -e, so I'm assuming he added it. I'll have to check
> to be certain.
CONFIG_AUDITSYSCALL defaults to y if SELinux is enabled, although it isn't a dependency. Our kernel branches have a patch to set audit_default to 1 and audit_n_rules to 1 to enable syscall auditing by default and to enable pathname collection by default.

We had a problem with getting -e 1 to work from audit.rules IIRC, so we ended up putting audit_set_enabled(audit_fd, 1) directly in the auditd code during initialization. There was some discussion around that back when the audit watch support was first posted.

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
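The reply above says the Android auditd calls audit_set_enabled(audit_fd, 1) at startup instead of relying on "-e 1" from audit.rules. The following is an added example, not code from the thread or from the SE for Android project: it builds and sends the raw NETLINK_AUDIT AUDIT_SET request that libaudit's audit_set_enabled() issues under the hood, which is the same thing "auditctl -e 1" does. It assumes a Linux build with linux/audit.h and linux/netlink.h available; actually sending the request needs CAP_AUDIT_CONTROL, and the struct/type names and the ack handling are mine, not the thread's.

```c
/* Added example: the kernel-side request behind audit_set_enabled(fd, 1).
 * Builds an AUDIT_SET message whose status mask only selects the "enabled"
 * field, sends it on a NETLINK_AUDIT socket and reads the kernel's ack.
 * Assumes a Linux toolchain with the UAPI audit/netlink headers. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Hypothetical wrapper type for one netlink header plus the audit status
 * payload; both structs are 4-byte aligned, so there is no padding between. */
struct audit_set_req {
    struct nlmsghdr nlh;
    struct audit_status status;
};

/* Fill in an AUDIT_SET request that changes only the "enabled" field.
 * Returns the number of bytes that must be sent (nlmsg_len). */
size_t build_audit_enable_req(struct audit_set_req *req, unsigned int enable,
                              unsigned int seq)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->status));
    req->nlh.nlmsg_type = AUDIT_SET;                 /* "set status" control message */
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; /* ask the kernel to ack */
    req->nlh.nlmsg_seq = seq;
    req->status.mask = AUDIT_STATUS_ENABLED;         /* only this field is valid */
    req->status.enabled = enable;                    /* 1 = on, 0 = off */
    return req->nlh.nlmsg_len;
}

/* Open NETLINK_AUDIT, send the request and return the kernel's verdict:
 * 0 on success, a negative errno (e.g. -EPERM without CAP_AUDIT_CONTROL)
 * otherwise. This is why the thread's auditd does it itself at init time
 * rather than depending on a rules file being parsed later. */
int audit_send_enable(unsigned int enable)
{
    struct audit_set_req req;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    char buf[256];
    int rc;

    int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        return -errno;

    size_t len = build_audit_enable_req(&req, enable, 1);
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        rc = -errno;
        close(fd);
        return rc;
    }

    /* The ack is an NLMSG_ERROR whose error field is 0 on success. */
    ssize_t n = recv(fd, buf, sizeof(buf), 0);
    rc = n < 0 ? -errno : -EPROTO;
    if (n >= 0) {
        struct nlmsghdr *h = (struct nlmsghdr *)buf;
        if (NLMSG_OK(h, (size_t)n) && h->nlmsg_type == NLMSG_ERROR) {
            struct nlmsgerr *err = (struct nlmsgerr *)NLMSG_DATA(h);
            rc = err->error;
        }
    }
    close(fd);
    return rc;
}

int main(void)
{
    int rc = audit_send_enable(1);
    if (rc == 0)
        printf("audit enabled\n");
    else
        printf("AUDIT_SET failed: %s\n", strerror(-rc));
    return rc == 0 ? 0 : 1;
}
```

Run as a process holding CAP_AUDIT_CONTROL it enables auditing; unprivileged it reports EPERM from the kernel's ack. Note that the message only flips the enabled bit; CONFIG_AUDITSYSCALL still has to be built into the kernel for syscall records to exist at all, which is the point William's question above was getting at.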