Re: [PATCH] audit: set context->dummy even when audit is off

On 11/1/19 9:16 AM, Steve Grubb wrote: > This is the root of the problem. Journald should never turn on audit > since it has no idea if auditd even has rules to load. What if the end > user does not want auditing? By blindly enabling audit without knowing > if its wanted, it causes a system performance hit even with no rules > loaded. It would be best if journald leaves audit alone. If it wants to > listen on the multicast socket, so be it. It should just listen and not > try to alter the system. +1 for me, except I would also question why it would even listen, as to me it seems that implies storage. If that's true, I would want to be able to disable it as I do not want audit events stored elsewhere as well.