Disabling AUDIT in the kernel?

Optimize your system for ultimate performance.

Moderators: khz, MattKingUSA

User avatar
bluebell
Established Member
Posts: 1130
Joined: Sat Sep 15, 2012 11:44 am
Location: Saarland & Frankfurt, Germany

Disabling AUDIT in the kernel?

Postby bluebell » Sun Jul 28, 2019 8:36 am

On the jack-devel mailing list I posted my switched off spectre mitigations and got a hint:

Code: Select all

>"nohz=off threadirqs noibrs noibpb nopti
>nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable
>no_stf_barrier mds=off mitigations=off quiet splash"

With those spectre mitigations turned off, it still might be of value
to disable audit, see
https://lists.archlinux.org/pipermail/arch-general/2018-September/045580.html


I use the AVLinux RT kernel and found out:

Code: Select all

hm@bubu:~$ zgrep -i audit /boot/config-4.16.12-rt5-avl1
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set


Would it be advisable to disable those features in the kernel?

EDIT:
On https://www.kernel.org/doc/html/v4.14/a ... eters.html I found a kernel command line parm "audit" than can be set to 0.
Linux – MOTU UltraLite AVB – Qtractor – https://soundcloud.com/suedwestlicht

User avatar
bluebell
Established Member
Posts: 1130
Joined: Sat Sep 15, 2012 11:44 am
Location: Saarland & Frankfurt, Germany

Re: Disabling AUDIT in the kernel?

Postby bluebell » Sun Jul 28, 2019 9:28 am

With audit=0 I can down to a jackd buffer size of 12 without xruns when playing a mixcloud song in Firefox vie Pulseaudio via jack.

So my /etc/default/grub contains now:

Code: Select all

GRUB_CMDLINE_LINUX_DEFAULT="nohz=off threadirqs audit=0 noibrs noibpb nopti nospectre_v2 nospectre_v1 l1tf=off nospec_store_bypass_disable no_stf_barrier mds=off mitigations=off quiet splash"
Linux – MOTU UltraLite AVB – Qtractor – https://soundcloud.com/suedwestlicht

1234
Established Member
Posts: 9
Joined: Wed Nov 30, 2016 10:07 pm

Re: Disabling AUDIT in the kernel?

Postby 1234 » Thu Oct 17, 2019 10:24 pm

Hi,

I'll rewrite my bootloader config soon. Today I discovered that for current kernel releases only 'mitigations=off' is needed to disable mitigations.
Since I don't need audit, I started to build my kernels with audit not set again.
What is the content of your files in /sys/devices/system/cpu/vulnerabilities/ with and without mitigations disabled?

For my machine it's probably not worth the hassle, so I'm not in a hurry to rewrite the bootloader config. For one entry I tested turning off mitigations, but I did not check, if it makes a difference related to audio performance.

Code: Select all

[rocketmouse@archlinux ~]$ uname -rm
5.2.19-rt11-1.0 x86_64
[rocketmouse@archlinux ~]$ zgrep -eAPPARMOR -eAUDIT\  /proc/config.gz
# CONFIG_AUDIT is not set
# CONFIG_SECURITY_APPARMOR is not set
[rocketmouse@archlinux ~]$ grep https /boot/syslinux/syslinux.cfg
#   https://linuxreviews.org/HOWTO_make_Linux_run_blazing_fast_(again)_on_Intel_CPUs
[rocketmouse@archlinux ~]$ grep -A3 i^ /boot/syslinux/syslinux.cfg
    MENU LABEL Arch Linux Rt mitigati^ons=off
    LINUX ../vmlinuz-linux-rt
    APPEND root=LABEL=s3.archlinux ro mitigations=off
    INITRD ../intel-ucode.img,../initramfs-linux-rt.img
[rocketmouse@archlinux ~]$ grep . /sys/devices/system/cpu/vulnerabilities/* | cut -d/ -f7
l1tf:Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled
mds:Vulnerable; SMT disabled
meltdown:Vulnerable
spec_store_bypass:Vulnerable
spectre_v1:Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
spectre_v2:Vulnerable, IBPB: disabled, STIBP: disabled
[rocketmouse@archlinux ~]$ sudo shutdown -r now
[sudo] password for rocketmouse:

[rocketmouse@archlinux ~]$ uname -rm
5.2.19-rt11-1.0 x86_64
[rocketmouse@archlinux ~]$ grep -A3 \ ^Rt /boot/syslinux/syslinux.cfg
    MENU LABEL Arch Linux ^Rt
    LINUX ../vmlinuz-linux-rt
    APPEND root=LABEL=s3.archlinux ro
    INITRD ../intel-ucode.img,../initramfs-linux-rt.img
[rocketmouse@archlinux ~]$ grep . /sys/devices/system/cpu/vulnerabilities/* | cut -d/ -f7
l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
mds:Mitigation: Clear CPU buffers; SMT disabled
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: usercopy
spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

Regards,
Ralf


Return to “System Tuning and Configuration”

Who is online

Users browsing this forum: No registered users and 1 guest