From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] audit: set context->dummy even when audit is off
Date: Fri, 01 Nov 2019 10:49:04 -0400
Message-ID: <786313584.jd3umIO2dN@x2>
References: <3063279.ZKBa9cPvsK@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, November 1, 2019 10:26:41 AM EDT Lenny Bruzenak wrote:
> On 11/1/19 9:16 AM, Steve Grubb wrote:
> > This is the root of the problem. Journald should never turn on audit
> > since it has no idea if auditd even has rules to load. What if the end
> > user does not want auditing? By blindly enabling audit without knowing
> > if it's wanted, it causes a system performance hit even with no rules
> > loaded. It would be best if journald leaves audit alone. If it wants to
> > listen on the multicast socket, so be it. It should just listen and not
> > try to alter the system.
>
> +1 for me, except I would also question why it would even listen, as to
> me it seems that implies storage.
>
> If that's true, I would want to be able to disable it as I do not want
> audit events stored elsewhere as well.

It is true. You get 2 copies, one in the journal and it also relays one to
rsyslog. This should fix it:

systemctl mask systemd-journald-audit.socket

-Steve