On Wednesday, May 26, 2021 10:38:38 AM EDT Paul Moore wrote: > > > We would need to check with the current security requirements (there > > > are distro people on the linux-audit list that keep track of that > > > stuff), The requirements generally care about resource access. File open, connect, accept, etc. We don't care about read/write itself as that would flood the analysis. > > > but looking at the opcodes right now my gut feeling is that > > > most of the opcodes would be considered "security relevant" so > > > selective auditing might not be that useful in practice. I'd say maybe a quarter to a third look interesting. > > > It would > > > definitely clutter the code and increase the chances that new opcodes > > > would not be properly audited when they are merged. There is that... > > I'm curious, why it's enabled by many distros by default? Are there > > use cases they use? > > We've already talked about certain users and environments where audit > is an important requirement, e.g. public sector, health care, > financial institutions, etc.; without audit Linux wouldn't be an > option for these users, People that care about auditing are under regulatory mandates. They care more about the audit event than the performance. Imagine you have a system with some brand new medical discovery. You want to know anyone who accesses the information in case it gets leaked out. You don't care how slow the system gets - you simply *have* to know everyone who's looked at the documents. -Steve
