[PATCH] audit: set context->dummy even when audit is off
Lenny Bruzenak
lenny at magitekltd.com
Fri Nov 1 14:26:41 UTC 2019
On 11/1/19 9:16 AM, Steve Grubb wrote:
> This is the root of the problem. Journald should never turn on audit since it
> has no idea if auditd even has rules to load. What if the end user does not
> want auditing? By blindly enabling audit without knowing if its wanted, it
> causes a system performance hit even with no rules loaded. It would be best
> if journald leaves audit alone. If it wants to listen on the multicast
> socket, so be it. It should just listen and not try to alter the system.
+1 for me, except I would also question why it would even listen, as to
me it seems that implies storage.
If that's true, I would want to be able to disable it as I do not want
audit events stored elsewhere as well.
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD
More information about the Linux-audit
mailing list