From: Amy Griffis <amy.griffis@hp.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: [PATCH] audit=0 appears not to completely disable auditing
Date: Thu, 22 Mar 2007 17:45:19 -0400
Message-ID: <20070322214519.GA15039@fc.hp.com>
In-Reply-To: <200703091550.11104.sgrubb@redhat.com>

Hi Steve,

Sorry for the delayed reply. I am just getting a chance to look at
this.

Steve Grubb wrote: [Fri Mar 09 2007, 03:50:11PM EST]
> There was a bz, 231371, reporting that current upstream kernels do not completely
> disable auditing when booted with audit=0 and the audit daemon not configured to
> run.

When audit_enabled was first implemented, it was only intended to turn
off syscall auditing, not _all_ auditing. This was so users could use
audit for selinux messages without the overhead of syscall audit.

However, since Al optimized the syscall audit data collection when
there are no rules, maybe this isn't necessary anymore. Is that what
you are thinking?

It does seem like audit_enabled has changed its meaning since it was
introduced...

> The patch below solves this problem by checking audit_enabled before creating
> an audit event.

If you want audit_enabled=0 to turn off audit completely, do you also
want to drop selinux messages?

Amy