On 2018-09-10 00:13, Eli Schwartz via arch-general wrote: > > It is definitely not useless! It's historically been disabled because it > did not have any good way to enable support, but keep it turned off by > default. And having it turned on by default came with mandatory > slowdowns for *all* users. > > Ironically, Spectre has proven to be our friend here -- due to all the > mitigations, there is now no fast path for these system calls, so your > kernel is just as slow whether AUDIT is enabled or not. Therefore, we > ended up simply enabling it. > That's not precisely like that - spectre & friends workarounds can be trivially disabled (e.g.: pti, spectre_v2, spec_store_bypass_disable, l1tf) - bringing "old" nominal performance back (whether good/bad idea, that of course depends on what/how you run your linux on for what purpose). Not mentioning cpus that will eventually come not needing those workarounds. So in this context audit=0 is a very viable thing - if one (and that's probalby crushing majority of users) doesn't need this feature (directly or indirectly).
