seccomp and audit_enabled
Tony Jones
tonyj at suse.de
Fri Nov 6 21:45:43 UTC 2015
On 10/13/2015 01:03 PM, Steve Grubb wrote:
>> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on. auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on our systems).
>
> Tony,
>
> We have bz 1227379
> https://bugzilla.redhat.com/show_bug.cgi?id=1227379
>
> There is a patch attached to disable systemd's propensity to turn on the audit
> system. Are people complaining and opening bugs in your distribution? If so,
> that might add more ammunition to get that fixed.

Hi Steve,

We only have the one bug and it's related to:

1) noisy klog between when systemd enables audit and the user manually disables it (rh bz#1160046)
2) after the user manually disables audit (audit_enabled=0), seccomp messages are still output.

tony