On 2018-09-10 00:13, Eli Schwartz via arch-general wrote:
> It is definitely not useless! It's historically been disabled because it did not have any good way to enable support, but keep it turned off by default. And having it turned on by default came with mandatory slowdowns for *all* users.
> Ironically, Spectre has proven to be our friend here -- due to all the mitigations, there is now no fast path for these system calls, so your kernel is just as slow whether AUDIT is enabled or not. Therefore, we ended up simply enabling it.
That's not precisely like that - Spectre & friends workarounds can be trivially disabled (e.g.: pti, spectre_v2, spec_store_bypass_disable, l1tf) - bringing "old" nominal performance back (whether good/bad idea, that of course depends on what/how you run your Linux on for what purpose). Not mentioning CPUs that will eventually come not needing those workarounds. So in this context audit=0 is a very viable thing - if one (and that's probably crushing majority of users) doesn't need this feature (directly or indirectly).