Hi all, I'm trying to re-spin a very old thread related to multicast listeners and audit events to kmsg.
One surprising kernel behavior when using only a multicast listener to collect audit events (in this case, systemd-journald) is that audit events end up spamming the console [0].

[0] https://github.com/systemd/systemd/issues/15324

After a bunch of digging, it seems like this is due to a long-standing RFE on the kernel side [1] (plus further references on BZ and LKML).

[1] https://github.com/linux-audit/audit-kernel/issues/102

Apparently there isn't a clear consensus on how this should be approached. Looking at the GitHub and Bugzilla tickets, it seems to me that Eric and Paul initially had in mind some logic based on multicast listener detection, while Richard doesn't deem that reliable and suggests an explicit configuration.

I'm not personally knowledgeable enough to judge kernel-land approaches (nor to implement them), but I'd be happy if the audit folks could converge to a consensus on how to implement this RFE, how it would be consumed by userland, and what would be the kernel default behavior once this RFE is implemented.

For Richard and the "explicit configuration" approach in particular, I'm missing some further details:

* Is the current behavior considered buggy, or is that intended to be kept as the default?
* Would this be tweaked via a (boolean?) sysctl, and what would be the semantics of flipping it?
* How would this play with namespacing, especially netns?

Ciao,
Luca

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
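As an added illustration (not part of Luca's mail, nor systemd's or the kernel's own code), this is how a userland multicast listener such as journald subscribes to audit records: it opens a NETLINK_AUDIT socket and joins the AUDIT_NLGRP_READLOG group, which requires CAP_AUDIT_READ, and then parses the netlink-framed records. The constant values are from the kernel's uapi headers; the sample datagram and the `build_audit_nlmsg` helper are constructed here so the parser can be exercised offline.

```python
import socket
import struct

# Values from <linux/netlink.h> and <linux/audit.h>; Python's socket module does
# not export all of them, so they are spelled out here.
NETLINK_AUDIT = 9
SOL_NETLINK = 270
NETLINK_ADD_MEMBERSHIP = 1
AUDIT_NLGRP_READLOG = 1        # read-only multicast group that journald joins
AUDIT_SYSCALL = 1300           # record types used in the constructed sample below
AUDIT_PROCTITLE = 1327

# struct nlmsghdr: nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
NLMSG_HDR = struct.Struct("=IHHII")


def nlmsg_align(n):
    """Netlink messages are padded to a 4-byte boundary (NLMSG_ALIGN)."""
    return (n + 3) & ~3


def parse_audit_nlmsgs(data):
    """Split one netlink datagram into (record type, record text) tuples."""
    records = []
    off = 0
    while off + NLMSG_HDR.size <= len(data):
        nlen, ntype, _flags, _seq, _pid = NLMSG_HDR.unpack_from(data, off)
        if nlen < NLMSG_HDR.size or off + nlen > len(data):
            break  # truncated or malformed header: stop rather than misparse
        payload = data[off + NLMSG_HDR.size:off + nlen]
        records.append((ntype, payload.rstrip(b"\x00").decode("utf-8", "replace")))
        off += nlmsg_align(nlen)
    return records


def build_audit_nlmsg(ntype, text):
    """Constructed helper mirroring the kernel's framing, for the offline sample."""
    body = text.encode()
    msg = NLMSG_HDR.pack(NLMSG_HDR.size + len(body), ntype, 0, 0, 0) + body
    return msg + b"\x00" * (nlmsg_align(len(msg)) - len(msg))


def open_audit_multicast_socket():
    """Join AUDIT_NLGRP_READLOG the way journald does; needs CAP_AUDIT_READ."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    s.bind((0, 0))  # port id 0: let the kernel assign one
    s.setsockopt(SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, AUDIT_NLGRP_READLOG)
    return s


if __name__ == "__main__":
    sock = open_audit_multicast_socket()
    while True:
        for rtype, text in parse_audit_nlmsgs(sock.recv(65536)):
            print(rtype, text)
```

Note that with no auditd registered, the kernel still emits the same records via printk, which is the console spam the mail describes; the listener above does not change that.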
