On 1 Nov 2019, at 10:16, Steve Grubb wrote:
> On Friday, November 1, 2019 9:24:17 AM EDT Chris Mason wrote:
>> On 31 Oct 2019, at 19:27, Paul Moore wrote:
>>> On Thu, Oct 31, 2019 at 12:40 PM Chris Mason <[email protected]> wrote:
>>> [ ... ]
>>> Hi Chris,
>>>
>>> This is a rather hasty email as I'm at a conference right now, but I
>>> wanted to convey that I'm not opposed to making sure that the NTP
>>> records obey the audit configuration (that was the original intent
>>> after all), I think it is just that we are all a little confused as to
>>> why you are seeing the NTP records *and* *only* the NTP records.
>>
>> This part is harder to nail down because there's a window during boot
>> where journald has enabled audit but chef hasn't yet run in and turned
>> it off, so we get a lot of logs early and then mostly ntp after that.
>
> This is the root of the problem. Journald should never turn on audit since it
> has no idea if auditd even has rules to load. What if the end user does not
> want auditing? By blindly enabling audit without knowing if it's wanted, it
> causes a system performance hit even with no rules loaded. It would be best
> if journald leaves audit alone. If it wants to listen on the multicast
> socket, so be it. It should just listen and not try to alter the system.
>
> Back to ntp, it sounds like the ntp record needs to check for audit_enabled
> rather than the dummy context.
I'm not against sprinkling more audit_enabled checks, but we'd have to
change audit_inode() and a bunch of the other callers of
audit_dummy_context() as well.

-chris

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
