[arch-general] [arch-dev-public] Trimming down our default kernel configuration
arthur at psw.ro
Fri Mar 28 06:54:44 EDT 2014
On Thursday, 27 March 2014, at 23:49:45, Thomas Bächler wrote:
> And here is my problem: Audit is enabled by default and must be
> explicitly disabled by the admin. This is a showstopper for me! There is
> no kernel option to configure audit to be disabled by default (as far as
> I am aware) so that it can be enabled with 'audit=1' on the command line.
I couldn't find a definitive answer but the two documents I did find ¹²
suggest that having selinux and audit fully functional (not just enabled) has
no real performance impact.
Kernel debugging options, on the other hand, seem to have a much bigger impact.
It raises a question mark that the two most important components of a system
(systemd and the kernel) have security measures disabled.
People in this thread like to put out the overly subjective "lightweight" factor
but still there are no bug reports or any other solid evidence that the kernel
ate their computers since apparmor, selinux and audit were semi-silently
enabled a few builds back.
The facts will remain though:
* the kernel will still be "everything and the kitchen sink".
* no provable performance enhancement so far.
* security measures will go back to square 1.
As a side note I will try to test the worst case scenario in the Phoronix
tests -- Postmark, and post the results here.