From: Patrick O. <pat...@in...> - 2015-07-13 12:49:43
On Mon, 2015-07-13 at 08:36 -0400, Mimi Zohar wrote:
> On Mon, 2015-07-13 at 13:55 +0200, Patrick Ohly wrote:
> > Hello!
> >
> > I noticed that CONFIG_IMA_LSM_RULES can only be enabled when
> > CONFIG_AUDIT is also enabled. Why is that? At first glance it seemed
> > like it should be possible to compile the LSM code without auditing
> > enabled (not tested, though).
> >
> > I was warned that enabling auditing has a performance impact. Is that
> > true even for just CONFIG_AUDIT=yes (and nothing else, in particular
> > nothing that turns on syscall auditing)?
>
> The linux-integrity subsystem error messages use the audit subsystem
> facility. Look at the security/integrity/integrity_audit.c:
> integrity_audit_msg() function. Prior to systemd, the messages either
> went to the audit log, if enabled, or syslog.
Understood.
But why does CONFIG_IMA_LSM_RULES depend on audit support? The LSM part
of the policy has nothing to do with logging. I'm referring to the "&&
AUDIT" part in security/integrity/ima/Kconfig:
config IMA_LSM_RULES
	bool
	depends on IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)
	default y
	help
	  Disabling this option will disregard LSM based policy rules.
--
Best Regards, Patrick Ohly
The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
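The practical consequence of the "depends on" line quoted in the message is that a kernel built with IMA and SELinux but without CONFIG_AUDIT silently drops every LSM-based rule from the IMA policy. The following is an added example, not code from the thread or from the kernel tree: a small evaluator for Kconfig boolean expressions, applied to that dependency line against constructed .config text, so one can check a configuration before building.

```python
import re
# The "depends on" expression quoted from security/integrity/ima/Kconfig above.
IMA_LSM_RULES_DEPENDS = "IMA && AUDIT && (SECURITY_SELINUX || SECURITY_SMACK)"

def evaluate(expr, enabled):
    """Evaluate a Kconfig boolean expression (!, &&, ||, parentheses) against a
    set of enabled symbol names. Precedence: ! binds tightest, then &&, then ||."""
    tokens = re.findall(r"\(|\)|&&|\|\||!|\w+", expr)
    pos = [0]  # cursor into tokens, shared by the nested parsers

    def take(expected=None):
        tok = tokens[pos[0]] if pos[0] < len(tokens) else None
        pos[0] += 1
        if expected is not None and tok != expected:
            raise ValueError("expected %r in %r" % (expected, expr))
        return tok

    def parse_or():  # and_expr ('||' and_expr)*
        val = parse_and()
        while pos[0] < len(tokens) and tokens[pos[0]] == "||":
            take()
            val = parse_and() | val  # bitwise: right side is always consumed
        return val

    def parse_and():  # not_expr ('&&' not_expr)*
        val = parse_not()
        while pos[0] < len(tokens) and tokens[pos[0]] == "&&":
            take()
            val = parse_not() & val
        return val

    def parse_not():  # '!' not_expr | '(' or_expr ')' | SYMBOL
        tok = take()
        if tok == "!":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            take(")")
            return val
        return tok in enabled

    return parse_or()

def lsm_rules_available(dotconfig):
    # True if .config text (CONFIG_X=y/m lines) satisfies IMA_LSM_RULES' dependencies.
    enabled = set(re.findall(r"^CONFIG_(\w+)=[ym]$", dotconfig, re.M))
    return evaluate(IMA_LSM_RULES_DEPENDS, enabled)

# Constructed sample .config: IMA and SELinux on, but CONFIG_AUDIT left off.
SAMPLE_NO_AUDIT = "CONFIG_IMA=y\n# CONFIG_AUDIT is not set\nCONFIG_SECURITY_SELINUX=y\n"
```

Running `lsm_rules_available(open("/boot/config-$(uname -r)").read())` on a real configuration tells whether the LSM rules in an IMA policy will actually be honoured by that kernel.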