Is audit_n_rules the number of rules in the rule table? I ask, so if the example audit.rules posted in the auditd directory is loaded, then it should have set audit_n_rules to something like 4. audit_enabled should be 1, so we should end up getting the syscall records in a similar fashion to the kernel patch that hardcodes it? I ask because desktop world has -s support in audit.rules.
On Tue, Oct 7, 2014 at 7:58 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote:
> On 10/07/2014 10:55 AM, William Roberts wrote:
>> It just dawned on me, isn't there another config to enable audit syscall in
>> the kernel? CONFIG_AUDITSYSCALL
>> Perhaps this is why I didn't see the messages....
>>
>> I don't think my initial implementation set it to one, and josh's changes
>> to the readme include -e, so I'm assuming he added it. I'll have to check
>> to be certain.
>
> CONFIG_AUDITSYSCALL defaults to y if SELinux is enabled although it
> isn't a dependency.
>
> Our kernel branches have a patch to set audit_default to 1 and
> audit_n_rules to 1 to enable syscall auditing by default and to enable
> pathname collection by default.
>
> We had a problem with getting -e 1 to work from audit.rules IIRC, so we
> ended up putting audit_set_enabled(audit_fd, 1) directly in the auditd
> code during initialization. There was some discussion around that back
> when the audit watch support was first posted.

--
Respectfully,
William C Roberts
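The thread turns on two kernel-side values, audit_enabled (driven by the `-e` control line) and audit_n_rules (one per loaded rule), and on whether a given audit.rules file actually sets both. The following is an added example, not code from this thread, from auditd, or from the SEAndroid tree: a small parser for the audit.rules format that predicts what those two values would look like after the file is loaded. The sample rule file embedded in it is constructed for the example; the function names are my own, and the "both must be non-zero for syscall records" rule in `syscall_records_expected` is the condition Stephen describes the kernel patch satisfying by hardcoding them.

```python
"""Parse an auditd-style audit.rules file and predict the kernel audit state.

Added example, not part of the seandroid-list thread, auditd or libaudit.
It models the two kernel variables discussed in the thread:
  audit_enabled  - set by the '-e' control line
  audit_n_rules  - one entry per loaded '-a', '-A' or '-w' rule
so you can see what a given audit.rules would leave behind once loaded.
"""
import shlex

# Constructed sample resembling a minimal audit.rules; it is not the file
# shipped with auditd or with any Android build.
SAMPLE_RULES = """\
# First rule - delete all
-D
# Increase the buffers to survive stress events.
-b 320
# Watch the SELinux policy store
-w /etc/selinux/ -p wa -k MAC-policy
# Record execve syscalls for both ABIs
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b32 -S execve -k exec
# Enable auditing (1) or lock the configuration (2)
-e 1
"""


def parse_audit_rules(text):
    """Return a dict describing the kernel state the rules would produce.

    audit_enabled : value of the last -e line (0 if the file never sets it)
    audit_n_rules : rules left in the table; -D empties it again
    backlog_limit : value of the last -b line, or None
    rules         : the surviving rule lines as token lists
    """
    state = {"audit_enabled": 0, "audit_n_rules": 0,
             "backlog_limit": None, "rules": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        opt = tokens[0]
        if opt == "-D":
            # auditctl -D flushes every rule, so the count restarts at zero
            state["audit_n_rules"] = 0
            state["rules"] = []
        elif opt in ("-a", "-A", "-w"):
            state["audit_n_rules"] += 1
            state["rules"].append(tokens)
        elif opt == "-e":
            state["audit_enabled"] = int(tokens[1])
        elif opt == "-b":
            state["backlog_limit"] = int(tokens[1])
        elif opt in ("-f", "-r"):
            pass  # failure mode / rate limit: accepted, not modelled here
        else:
            raise ValueError(f"line {lineno}: unsupported control option {opt!r}")
    return state


def syscall_records_expected(state):
    """True when the loaded file leaves both values non-zero, which is the
    condition the thread says the kernel patch satisfies by hardcoding
    audit_default=1 and audit_n_rules=1."""
    return state["audit_enabled"] >= 1 and state["audit_n_rules"] > 0


if __name__ == "__main__":
    s = parse_audit_rules(SAMPLE_RULES)
    print(f"audit_enabled={s['audit_enabled']} audit_n_rules={s['audit_n_rules']} "
          f"syscall records expected: {syscall_records_expected(s)}")
```

A file that only flushes with `-D` and sets `-e 1` leaves audit_n_rules at zero, which is the case the thread is probing: auditing is on, but there is nothing in the table to generate syscall records.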