On 2020-04-17 21:21, Lennart Poettering wrote:
> On Fr, 17.04.20 14:57, Richard Guy Briggs ([email protected]) wrote:
>
> > > Well, we try hard to not step on your toes and do not use the unicast
> > > stuff and do not pretend to be auditd, so that auditd can be installed
> > > and run in parallel to journald with us being in the backseat. It's my
> > > understanding that the mcast stuff was added for this kind of thing,
> > > except that it never became useful, since it also means that kmsg is
> > > spammed by audit.
> >
> > Where your claim falls flat is that systemd/journald is stepping on
> > auditd's toes by enabling audit. Enabling audit is auditd's job.
>
> Again, we are interested in the audit information, because we think
> it's useful. If we wouldn't enable audit in the kernel we wouldn't get
> it. Hence we enable audit.

But you are getting it via klog. This is what is causing the problem.

> (But see: https://github.com/systemd/systemd/pull/15444 — with that
> it's now configurable, but it still defaults to on, because we
> actually think the data is useful, and we think it's useful even
> without auditd around, regardless if that's because we run in the
> earliest initrd where there never is auditd around or because we run
> during normal operation and auditd is simply not installed.)
>
> Lennart

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
