From e9d5f7ef6d0fdae00b084b9b1dd9cda75036eea5 Mon Sep 17 00:00:00 2001
From: Jason Xing
Date: Sat, 11 May 2019 00:36:15 +0800
Subject: [PATCH] configs: Add audit kernel support

Applications related to the security mostly need audit function which may increase the overhead of performance howerver. So many tests have been done on the whole system. The result says it actually doesn't have impact only when disabling the service in the user-space. However, if someone still tries to enable the feature, something like the balance of the performance and the security must be taken into consideration.

Signed-off-by: Jason Xing
Reviewed-by: Joseph Qi
---
 config-4.19.y-x86_64 | 9 +++++++--
 config-4.19.y-x86_64-debug | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/config-4.19.y-x86_64 b/config-4.19.y-x86_64
index d3db540b2f26..dfc120560efe 100644
--- a/config-4.19.y-x86_64
+++ b/config-4.19.y-x86_64
@@ -41,8 +41,11 @@ CONFIG_POSIX_MQUEUE=y
 CONFIG_POSIX_MQUEUE_SYSCTL=y
 # CONFIG_CROSS_MEMORY_ATTACH is not set
 # CONFIG_USELIB is not set
-# CONFIG_AUDIT is not set
+CONFIG_AUDIT=y
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
 
 #
 # IRQ subsystem
@@ -645,7 +648,7 @@ CONFIG_VIRTUALIZATION=y
 CONFIG_KVM=m
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_AMD is not set
-# CONFIG_KVM_MMU_AUDIT is not set
+CONFIG_KVM_MMU_AUDIT=y
 CONFIG_VHOST_NET=m
 CONFIG_VHOST_SCSI=m
 CONFIG_VHOST_VSOCK=m
@@ -1121,6 +1124,7 @@ CONFIG_NETFILTER_XT_SET=m
 #
 # Xtables targets
 #
+CONFIG_NETFILTER_XT_TARGET_AUDIT=m
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
 CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
 CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
@@ -3581,6 +3585,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_AUDIT=y
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
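Review bot: The first hunk of config-4.19.y-x86_64 turns on `CONFIG_AUDIT=y` and `CONFIG_AUDITSYSCALL=y` in the production config, but the condition the commit message attaches to its performance result (the user-space service being disabled) is not recorded anywhere an operator of this kernel will see it. A generated config has no stable place for comments, so the description or the packaging notes should state the intended default, for example that auditd ships disabled or that hosts not using audit boot with `audit=0`, and that hosts relying on audit for detection still need the daemon and a rule set deployed. `CONFIG_AUDIT_WATCH`, `CONFIG_AUDIT_TREE` and, in the last hunk, `CONFIG_INTEGRITY_AUDIT` appear to follow from Kconfig defaults once audit is on; with `CONFIG_IMA` and `CONFIG_EVM` unset in the visible context the integrity option probably produces few or no records. The same applies to the matching hunks in config-4.19.y-x86_64-debug.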
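Review bot: `CONFIG_KVM_MMU_AUDIT=y` in the second hunk (at -645) is not part of the Linux audit framework this commit is about. It is a KVM debugging option that adds the `mmu_audit` module parameter for consistency checks of the KVM MMU, and it looks as if it was picked up by name. In the production config I would keep `# CONFIG_KVM_MMU_AUDIT is not set` so that debug-only code is not built into the hypervisor; the same change in config-4.19.y-x86_64-debug is easier to justify. If it is wanted for another reason, the description should say so.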
diff --git a/config-4.19.y-x86_64-debug b/config-4.19.y-x86_64-debug
index 1079181afcbe..662a97a9f487 100644
--- a/config-4.19.y-x86_64-debug
+++ b/config-4.19.y-x86_64-debug
@@ -42,8 +42,11 @@ CONFIG_POSIX_MQUEUE=y
 CONFIG_POSIX_MQUEUE_SYSCTL=y
 # CONFIG_CROSS_MEMORY_ATTACH is not set
 # CONFIG_USELIB is not set
-# CONFIG_AUDIT is not set
+CONFIG_AUDIT=y
 CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
 
 #
 # IRQ subsystem
@@ -649,7 +652,7 @@ CONFIG_VIRTUALIZATION=y
 CONFIG_KVM=m
 CONFIG_KVM_INTEL=m
 # CONFIG_KVM_AMD is not set
-# CONFIG_KVM_MMU_AUDIT is not set
+CONFIG_KVM_MMU_AUDIT=y
 CONFIG_VHOST_NET=m
 CONFIG_VHOST_SCSI=m
 CONFIG_VHOST_VSOCK=m
@@ -1120,6 +1123,7 @@ CONFIG_NETFILTER_XT_SET=m
 #
 # Xtables targets
 #
+CONFIG_NETFILTER_XT_TARGET_AUDIT=m
 CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
 CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
 CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
@@ -3580,6 +3584,7 @@ CONFIG_FORTIFY_SOURCE=y
 # CONFIG_SECURITY_YAMA is not set
 CONFIG_INTEGRITY=y
 # CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_AUDIT=y
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-- 
GitLab