public inbox for audit@vger.kernel.org
From: Frederick Lawler <fred@cloudflare.com>
To: Paul Moore <paul@paul-moore.com>, Eric Paris <eparis@redhat.com>
Cc: audit@vger.kernel.org, kernel-team@cloudflare.com,
	linux-kernel@vger.kernel.org,
	Frederick Lawler <fred@cloudflare.com>
Subject: [RFC PATCH] audit: make AUDITSYSCALL optional again
Date: Fri,  8 Aug 2025 14:40:34 -0500
Message-ID: <20250808194034.3559323-2-fred@cloudflare.com>
In-Reply-To: <20250808194034.3559323-1-fred@cloudflare.com>

Since the introduction of commit cb74ed278f80 ("audit: always enable
syscall auditing when supported and audit is enabled"), eBPF
technologies are being adopted to track syscalls for auditing purposes.
Those technologies add an additional overhead on top of AUDITSYSCALL.
Additionally, AUDIT infrastructure has expanded to include INTEGRITY which
offers some advantages over eBPF technologies, such as early-init/boot
integrity logs with. Therefore, make AUDITSYSCALL optional
again, but keep it default y.

Signed-off-by: Frederick Lawler <fred@cloudflare.com>
---
 init/Kconfig | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/init/Kconfig b/init/Kconfig
index af4c2f085455..2552918deb45 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -487,16 +487,21 @@ config AUDIT
 	help
 	  Enable auditing infrastructure that can be used with another
 	  kernel subsystem, such as SELinux (which requires this for
-	  logging of avc messages output).  System call auditing is included
-	  on architectures which support it.
+	  logging of avc messages output). Does not do system-call
+	  auditing without CONFIG_AUDITSYSCALL.
 
 config HAVE_ARCH_AUDITSYSCALL
 	bool
 
 config AUDITSYSCALL
-	def_bool y
+	bool "Enable system-call auditing support"
 	depends on AUDIT && HAVE_ARCH_AUDITSYSCALL
+	default y
 	select FSNOTIFY
+	help
+	  Enable low-overhead system-call auditing infrastructure that
+	  can be used indepdently or with another kernel subsystem,
+	  such as SELiux.
 
 source "kernel/irq/Kconfig"
 source "kernel/time/Kconfig"
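
Review bot: The new help text under "config AUDITSYSCALL" has two typos, "indepdently" and "SELiux", which should read "independently" and "SELinux". The phrase "low-overhead" is a claim the help text does not back up; consider describing what the option provides instead, and since the option keeps "default y", add the customary "If unsure, say Y." line. The diffstat shows only init/Kconfig changing, so please confirm that a build with CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=n compiles and behaves as intended, since this change makes that combination selectable on HAVE_ARCH_AUDITSYSCALL architectures.
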
-- 
2.43.0

