[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [PATCH] audit=0 appears not to completely disable auditing



On Mon, 02 Apr 2007 14:57:11 EDT, Amy Griffis said:
> Steve Grubb wrote:  [Thu Mar 22 2007, 05:55:45PM EDT]
> > > If you want audit_enabled=0 to turn off audit completely, do you also
> > > want to drop selinux messages?
> > 
> > No, the SE Linux folks want avc messages at all times unless the admin 
> > specifically sets a rule to suppress them. 
> 
> Okay, makes sense. Do you think audit should return an error if
> someone tries to add a rule when audit_enabled=0 ?

Yes, probably.  You'd kind of think that the human doing the auditing would
like a large and loud complaint if auditing had been accidentally disabled.

The only question is what behavior it should have if a site (for whatever
reason) decides to first load all the rules, then enable auditing (possibly
to avoid spurious complaints about processes because not all the rules have
been loaded yet).

Attachment: pgpsaFty1q5px.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]