On Fri, 17.04.20 14:57, Richard Guy Briggs ([email protected]) wrote:

> > Well, we try hard to not step on your toes and do not use the unicast
> > stuff and do not pretend to be auditd, so that auditd can be installed
> > and run in parallel to journald with us being in the backseat. It's my
> > understanding that the mcast stuff was added for this kind of thing,
> > except that it never became useful, since it also means that kmsg is
> > spammed by audit.
>
> Where your claim falls flat is that systemd/journald is stepping on
> auditd's toes by enabling audit. Enabling audit is auditd's job.

Again, we are interested in the audit information, because we think it's useful. If we didn't enable audit in the kernel we wouldn't get it. Hence we enable audit.

(But see: https://github.com/systemd/systemd/pull/15444 — with that it's now configurable, but it still defaults to on, because we actually think the data is useful, and we think it's useful even without auditd around, regardless if that's because we run in the earliest initrd where there never is auditd around or because we run during normal operation and auditd is simply not installed.)

Lennart

--
Lennart Poettering, Berlin
