[PATCH] audit: set context->dummy even when audit is off

Steve Grubb sgrubb at redhat.com
Fri Nov 1 14:49:04 UTC 2019


On Friday, November 1, 2019 10:26:41 AM EDT Lenny Bruzenak wrote:
> On 11/1/19 9:16 AM, Steve Grubb wrote:
> > This is the root of the problem. Journald should never turn on audit
> > since it has no idea if auditd even has rules to load. What if the end
> > user does not want auditing? By blindly enabling audit without knowing
> > if it's wanted, it causes a system performance hit even with no rules
> > loaded. It would be best if journald leaves audit alone. If it wants to
> > listen on the multicast socket, so be it. It should just listen and not
> > try to alter the system.
>
> +1 for me, except I would also question why it would even listen, as to
> me it seems that implies storage.
> 
> If that's true, I would want to be able to disable it as I do not want
> audit events stored elsewhere as well.

It is true. You get 2 copies, one in the journal and it also relays one to 
rsyslog. This should fix it:

systemctl mask systemd-journald-audit.socket

-Steve




