[PATCH] audit=0 appears not to completely disable auditing

Amy Griffis amy.griffis at hp.com
Thu Mar 22 21:45:19 UTC 2007


Hi Steve,

Sorry for the delayed reply. I am just getting a chance to look at
this.

Steve Grubb wrote:  [Fri Mar 09 2007, 03:50:11PM EST]
> There was a bz, 231371, reporting that current upstream kernels do not completely
> disable auditing when booted with audit=0 and the audit daemon not configured to
> run.

When audit_enabled was first implemented, it was only intended to turn
off syscall auditing, not _all_ auditing. This was so users could use
audit for selinux messages without the overhead of syscall audit.

However, since Al optimized the syscall audit data collection when
there are no rules, maybe this isn't necessary anymore. Is that what
you are thinking?

It does seem like audit_enabled has changed its meaning since it was
introduced...

> The patch below solves this problem by checking audit_enabled before creating
> an audit event.

If you want audit_enabled=0 to turn off audit completely, do you also
want to drop selinux messages?

Amy



