[arch-general] [arch-dev-public] Trimming down our default kernel configuration

Arthur Țițeică arthur at psw.ro
Fri Mar 28 06:54:44 EDT 2014


On Thursday, 27 March 2014, at 23:49:45, Thomas Bächler wrote:
> And here is my problem: Audit is enabled by default and must be
> explicitly disabled by the admin. This is a showstopper for me! There is
> no kernel option to configure audit to be disabled by default (as far as
> I am aware) so that it can be enabled with 'audit=1' on the command line.

I couldn't find a definitive answer, but the two documents I did find¹ ² 
suggest that having SELinux and audit fully functional (not just enabled) has 
no real performance impact.

Kernel debugging options, on the other hand, seem to have a much bigger impact.

It raises a question mark that the two most important components of a system 
(systemd and the kernel) have security measures disabled.

People in this thread like to put forward the overly subjective "lightweight" 
factor, but there are still no bug reports or any other solid evidence that the 
kernel ate their computers since AppArmor, SELinux and audit were semi-silently 
enabled a few builds back.

The facts will remain though:

* the kernel will still be "everything and the kitchen sink".
* no provable performance enhancement so far.
* security measures will get back at square 1.

¹ http://www.phoronix.com/scan.php?page=article&item=fedora_debug_selinux
² https://dl.dropboxusercontent.com/u/29107946/Assessing-the-Performance-Impact-of-the-Linux-Kernel-Audit-Trail.pdf

As a side note, I will try to test the worst-case scenario from the Phoronix 
tests (Postmark) and post the results here.

Arthur Țițeică
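A quick way to check, on a given kernel, the options this thread argues about. This is an added example, not code from the thread or from Arch's packaging: a POSIX shell script that reads the state of the audit, SELinux, AppArmor and debug symbols from a kernel .config and picks the audit= value out of a kernel command line. The config fragment and command line it runs on are constructed here for illustration; on a real system point it at /boot/config-$(uname -r) (or zcat /proc/config.gz) and /proc/cmdline. The audit_effective rule encodes the behaviour the quoted message describes: with CONFIG_AUDIT=y, audit is initialised at boot unless the admin passes audit=0 (newer kernels also accept audit=off).

```shell
#!/bin/sh
# Added example (not from the thread): inspect a kernel .config for the
# audit/SELinux/AppArmor/debug symbols and the audit= boot parameter.

# kconfig_state FILE SYMBOL -> prints y, m, n (explicitly "is not set")
# or "absent" (the symbol does not appear in the file at all).
kconfig_state() {
    file=$1; sym=$2
    if grep -q "^${sym}=y$" "$file"; then echo y
    elif grep -q "^${sym}=m$" "$file"; then echo m
    elif grep -q "^# ${sym} is not set$" "$file"; then echo n
    else echo absent
    fi
}

# audit_cmdline_value CMDLINE -> value of the audit= parameter, or "unset".
audit_cmdline_value() {
    for tok in $1; do
        case $tok in
            audit=*) echo "${tok#audit=}"; return 0 ;;
        esac
    done
    echo unset
}

# audit_effective KCONFIG_STATE CMDLINE_VALUE -> what happens at boot:
# "compiled-out" (CONFIG_AUDIT not y), "disabled-at-boot" (audit=0, or
# audit=off on newer kernels), or "enabled" (the default the thread objects to).
audit_effective() {
    case $1 in
        y) ;;
        *) echo compiled-out; return 0 ;;
    esac
    case $2 in
        0|off) echo disabled-at-boot ;;
        *) echo enabled ;;
    esac
}

# report FILE CMDLINE -> one line per option of interest, then the verdict.
report() {
    for sym in CONFIG_AUDIT CONFIG_AUDITSYSCALL CONFIG_SECURITY_SELINUX \
               CONFIG_SECURITY_APPARMOR CONFIG_DEBUG_KERNEL CONFIG_DEBUG_INFO; do
        printf '%-28s %s\n' "$sym" "$(kconfig_state "$1" "$sym")"
    done
    printf '%-28s %s\n' 'audit= on cmdline' "$(audit_cmdline_value "$2")"
    printf '%-28s %s\n' 'audit at boot' \
        "$(audit_effective "$(kconfig_state "$1" CONFIG_AUDIT)" \
                           "$(audit_cmdline_value "$2")")"
}

# Constructed sample config fragment and command line (not a real
# distribution config); a real run would use the paths in the comment below.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEBUG_KERNEL=y
# CONFIG_DEBUG_INFO is not set
EOF
SAMPLE_CMDLINE='root=/dev/sda1 rw audit=0 quiet'

report "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE"
# Real system: report /boot/config-"$(uname -r)" "$(cat /proc/cmdline)"
```

With the constructed input the verdict line reads "disabled-at-boot"; drop audit=0 from the command line and it becomes "enabled", which is exactly the default-on behaviour the quoted message calls a showstopper.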