From: Mimi Z. <zo...@li...> - 2015-07-13 12:36:48

On Mon, 2015-07-13 at 13:55 +0200, Patrick Ohly wrote:
> Hello!
>
> I noticed that CONFIG_IMA_LSM_RULES can only be enabled when
> CONFIG_AUDIT is also enabled. Why is that? At first glance it seemed
> like it should be possible to compile the LSM code without auditing
> enabled (not tested, though).
>
> I was warned that enabling auditing has a performance impact. Is that
> true even for just CONFIG_AUDIT=yes (and nothing else, in particular
> nothing that turns on syscall auditing)?

The linux-integrity subsystem error messages use the audit subsystem
facility. Look at the security/integrity/integrity_audit.c:
integrity_audit_msg() function. Prior to systemd, the messages either
went to the audit log, if enabled, or syslog.

Mimi