From: Amy Griffis
Subject: Re: [PATCH] audit=0 appears not to completely disable auditing
Date: Thu, 22 Mar 2007 17:45:19 -0400
Message-ID: <20070322214519.GA15039@fc.hp.com>
References: <200703091550.11104.sgrubb@redhat.com>
In-Reply-To: <200703091550.11104.sgrubb@redhat.com>
To: Steve Grubb
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Hi Steve,

Sorry for the delayed reply. I am just getting a chance to look at this.

Steve Grubb wrote: [Fri Mar 09 2007, 03:50:11PM EST]
> There was a bz, 231371, reporting that current upstream kernels do not completely
> disable auditing when booted with audit=0 and the audit daemon not configured to
> run.

When audit_enabled was first implemented, it was only intended to turn
off syscall auditing, not _all_ auditing. This was so users could use
audit for selinux messages without the overhead of syscall audit.

However, since Al optimized the syscall audit data collection when
there are no rules, maybe this isn't necessary anymore. Is that what
you are thinking?

It does seem like audit_enabled has changed its meaning since it was
introduced...

> The patch below solves this problem by checking audit_enabled before creating
> an audit event.

If you want audit_enabled=0 to turn off audit completely, do you also
want to drop selinux messages?

Amy