For the record, this is the response and kernel bug link from upstream. I propose we keep the "don't enable audit" patch in Debian until we get the kernel fix.
Martin ----- Forwarded message from Lennart Poettering <[email protected]> ----- Date: Mon, 29 Dec 2014 14:22:46 +0100 From: Lennart Poettering <[email protected]> To: [email protected] Subject: Re: [systemd-devel] Quiesce audit message flood from 218 X-Spam-Status: No, score=-1.9 required=3.4 tests=BAYES_00 autolearn=no version=3.3.2 On Sun, 28.12.14 12:45, Martin Pitt ([email protected]) wrote: > Hello all, > > systemd 218 now enables audit in the kernel unconditionally [1]. While > these messages might be nice to have in the journal, they literally > flood dmesg and thus /var/log/syslog and friends with messages like > > [39098.129349] audit: type=1105 audit(1419765421.403:4233): pid=25633 uid=0 > auid=0 ses=20 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" > hostname=? addr=? terminal=cron res=success' > > $ dmesg |grep -c audit > 786 > > and more importantly, eats a lot of real kernel/daemon messages due to > rate limiting: I have many dozen messages like > > [37444.978307] audit_printk_skb: 222 callbacks suppressed > > and they demonstrably cause e. g. AppArmor violations to not get shown > due to this. > > Is there a way to make the audit messages *only* go to the journal, > but not to dmesg and sysloggers? If not, could we perhaps add a > ./configure or config file option for this, to disable audit on > systems where we don't need it? This is a known limitation of the in-kernel audit code, and is being tracked here. Needs to be fixed in the kernel. https://bugzilla.redhat.com/show_bug.cgi?id=1160046 Fix should be easy enough, but so far nobody looked into this yet. Lennart -- Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel ----- End forwarded message ----- -- Martin Pitt | http://www.piware.de Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org) -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
