On 11/1/19 9:16 AM, Steve Grubb wrote:
> This is the root of the problem. Journald should never turn on audit since it
> has no idea if auditd even has rules to load. What if the end user does not
> want auditing? By blindly enabling audit without knowing if it's wanted, it
> causes a system performance hit even with no rules loaded. It would be best
> if journald leaves audit alone. If it wants to listen on the multicast
> socket, so be it. It should just listen and not try to alter the system.

+1 for me, except I would also question why it would even listen, as to me it seems that implies storage. If that's true, I would want to be able to disable it as I do not want audit events stored elsewhere as well.

Thx,
LCB

--
Lenny Bruzenak
MagitekLTD

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
