From mboxrd@z Thu Jan 1 00:00:00 1970
From: Tony Jones
Subject: Re: seccomp and audit_enabled
Date: Fri, 6 Nov 2015 13:45:43 -0800
Message-ID: <563D1F87.4070201@suse.de>
References: <56188AE9.4030306@suse.de> <561D3D03.30300@suse.de> <1489773.CGhBT1IxtY@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <1489773.CGhBT1IxtY@x2>
Sender: owner-linux-security-module@vger.kernel.org
To: Steve Grubb, linux-audit@redhat.com
Cc: Paul Moore, linux-security-module
List-Id: linux-audit@redhat.com

On 10/13/2015 01:03 PM, Steve Grubb wrote:
>> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
>> Let me add some instrumentation and figure out what's going on. auditd
>> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
>> during startup (at least on our systems).
>
> Tony,
>
> We have bz 1227379
> https://bugzilla.redhat.com/show_bug.cgi?id=1227379
>
> There is a patch attached to disable systemd's propensity to turn on the audit
> system. Are people complaining and opening bugs in your distribution? If so,
> that might add more ammunition to get that fixed.

Hi Steve

we only have the one bug and it's related to:

1) noisy klog between when systemd enables audit and user manually disables it (rh bz#1160046)
2) after user manually disables audit (audit_enabled=0) seccomp messages still are output.

tony