On Aug 8, 2025 Frederick Lawler <[email protected]> wrote: > > Since the introduction of commit cb74ed278f80 ("audit: always enable > syscall auditing when supported and audit is enabled"), eBPF > technologies are being adopted to track syscalls for auditing purposes. > Those technologies add an additional overhead ontop of AUDITSYSCALL. > Additionally, AUDIT infrastructure has expanded to include INTEGRITY which > offers some advantages over eBPF technologies, such as early-init/boot > integrity logs with. Therefore, make ADUITSYSCALL optional > again, but keep it default y. > > Signed-off-by: Frederick Lawler <[email protected]> > --- > init/Kconfig | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) Generally speaking the less Kconfig knobs the better; it tends to complicate things and for those that rely on distro kernels, there is always at least one group that is going to be upset about the Kconfig knob being set "wrong". In my ideal world, CONFIG_AUDITSYSCALL wouldn't exist at all, but sadly not all arches have the necessary support to do that at the moment, so CONFIG_AUDITSYSCALL remains a necessary evil.
Thank you for the patch, but IMO this is not the direction we want to go with audit. -- paul-moore.com
