Open r-catania opened 2 years ago
Hi. The git history of https://github.com/xcp-ng-rpms/kernel/blame/master/SOURCES/kernel-x86_64.config shows this was changed when the kernel was updated to 4.19.19, that is in XCP-ng (and thus Citrix Hypervisor) 8.0.
I don't know the reason as the files were imported from Citrix Hypervisor 8.0's source RPMs, and all the information we have about choices that were made is the changelog in the spec file, which refers to tickets internal to Citrix. I don't see any mention of audit in the changelog. There is no public repository for the sources of the kernel RPM at Citrix, so we can't use the git commit history to get this information.
We can try to ask @rosslagerwall directly, whose name appears most frequently in the changelog around the date of the change.
Ross: do you know why CONFIG_AUDIT was removed from the kernel build configuration for Citrix Hypervisor 8.0?
I think the general policy when updating the kernel config is:
This ensures that the kernel image is not bloated with features we don't need. Since Citrix Hypervisor does not use the audit functionality and it can't be built as a module, it was disabled.
It should be fine to enable it in the config if you have users that want to use it.
Thanks Ross.
Are there any plans to offer a kernel with auditd enabled?
We will build the kernel with auditd in XCP-ng 8.3
Unfortunately, we just found out that enabling auditd changes the kernel ABI in a very large way, which breaks the compatibility with all out-of-tree kernel modules that have been built against it prior to the change.
We provide such drivers in the form of RPMs and driver disks, and third party vendors also provide such drivers, so changing the ABI can only happen next time we change the kernel version, which will not happen in XCP-ng 8.3 but rather in the next one, XCP-ng 9.0.
We can enable auditd in the alternate kernel (https://docs.xcp-ng.org/installation/hardware/#-alternate-kernel), but this is not a kernel meant for production use.
We recently migrated from 7.6 to 8.2. We noticed that 8.2 does not support auditd anymore. That is true also for the alternate kernel. Is there a specific reason why this was disabled?
Being able to use auditd is a must for CIS controls. What is the recommended way to have audit logging for xcp-ng servers to satisfy CIS controls?
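Ross's point above is that CONFIG_AUDIT is a boolean kernel option that cannot be built as a module, so a host either has audit compiled in or auditd cannot attach at all. The shell script below is an added example (not code from this issue or from the xcp-ng project) that reports that state for a kernel config file, and tries the running kernel's config where one is readable. The sample config files, their version-style names and the helper function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the xcp-ng issue or project: report whether a
# kernel config has the audit subsystem compiled in. CONFIG_AUDIT is a bool
# option (never "m"), so auditd can only work when the value is exactly "y".

# audit_status CONFIG_FILE
# prints enabled|disabled|unknown and returns 0, 1 or 2 respectively.
audit_status() {
    cfg="$1"
    [ -r "$cfg" ] || { echo unknown; return 2; }
    if grep -q '^CONFIG_AUDIT=y$' "$cfg"; then
        echo enabled; return 0
    elif grep -q '^# CONFIG_AUDIT is not set$' "$cfg"; then
        echo disabled; return 1
    else
        # Option absent or written in an unexpected form (e.g. "=m"): flag it
        # rather than guessing, since audit has no module form.
        echo unknown; return 2
    fi
}

# running_kernel_config
# prints the path of a readable config for the running kernel: /boot/config-<ver>
# on most distributions, or a temporary copy decompressed from /proc/config.gz.
# Returns 2 when neither source is available.
running_kernel_config() {
    ver="$(uname -r)"
    if [ -r "/boot/config-$ver" ]; then
        echo "/boot/config-$ver"
    elif [ -r /proc/config.gz ]; then
        tmp="$(mktemp)"
        zcat /proc/config.gz > "$tmp" && echo "$tmp"
    else
        return 2
    fi
}

# make_sample_configs
# writes two constructed config fragments mirroring the states discussed in the
# thread (audit present, audit not set) and prints the directory holding them.
make_sample_configs() {
    dir="$(mktemp -d)"
    printf 'CONFIG_AUDIT=y\nCONFIG_AUDITSYSCALL=y\n' > "$dir/config-7.6"
    printf '# CONFIG_AUDIT is not set\n' > "$dir/config-8.2"
    echo "$dir"
}

# Stand-alone usage: report both constructed samples, then the running kernel
# if its config can be found.
samples="$(make_sample_configs)"
for f in "$samples"/config-*; do
    printf '%s: %s\n' "$f" "$(audit_status "$f")"
done
if cfg="$(running_kernel_config)"; then
    printf 'running kernel (%s): %s\n' "$(uname -r)" "$(audit_status "$cfg")"
fi
```

The exit code of `audit_status` is meant for scripting a compliance check across hosts: 0 means auditd can be deployed, 1 means the kernel must be replaced before audit logging is possible, and 2 means the config could not be assessed and needs a manual look.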