On Thu, Apr 23, 2020 at 3:30 AM Lennart Poettering
<lennart(a)poettering.net> wrote:
> On Wed, 22.04.20 17:59, Paul Moore (paul(a)paul-moore.com) wrote:
> > > In systemd we just think that audit information is pretty interesting
> > > even if you don't want to buy into the whole government regulation
> > > stuff, even if you don't want the auditd to run, and the full audit
> > > package installed. i.e. we want to collect the data as one of our
> > > various data streams, as a secondary consumer of it, and leave it to
> > > the audit package itself to do everything else and be the primary
> > > consumer of it.
> > >
> > > Using the multicast group is our way of saying: "we don't want to own
> > > the audit stream, you can keep it; we just want to have a look
> > > too".
> >
> > The problem is that on systems without a running audit daemon there is
> > no one to "own" the audit stream so it floods the kmsg, spills onto
> > the console, and everyone's feet get wet. Are we going to blame the
> > source of the stream, or the person who turned on the tap in the first
> > place and caused the mess?
>
> It's not a question of blaming anyone. We are just looking for a nice
> way so that we can get the mcast stuff without the kmsg stuff. It can
> totally be something we toggle explicitly, I have no problem with
> that.
>
> > If systemd enables the audit stream, and doesn't want the stream to
> > flood kmsg, it needs to make sure that the stream is directed to a
> > suitable sink, be it auditd or some other daemon.
>
> This sounds as if journald should start using the unicast stream. This
> basically means auditd is out of the game, and cannot be added in
> anymore, because the unicast stream is then owned by journald. It
> wouldn't be sufficient to just install the audit package to get
> classic audit working anymore. You'd have to reconfigure everything.
>
> I mean, we try to be non-intrusive, not step into your territory too
> much, not replace auditd, not kick auditd out of the game. But you are
> basically telling us to do just that?
My recommendation is that if you are going to enable audit you should
also ensure that auditd is running; that is what I'm telling you.
--
paul moore
www.paul-moore.com
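The "secondary consumer" arrangement the thread argues about, as an added example that is not code from systemd, journald or the audit package: a reader that joins the audit netlink multicast group instead of binding the unicast stream, so auditd can still be installed later and own it. It assumes Linux and CAP_AUDIT_READ for the group join; the record parser is pure and is exercised on a constructed message.

```c
/* Added example (not systemd, journald or audit-package code): a read-only
 * secondary audit consumer that joins the AUDIT_NLGRP_READLOG multicast group
 * rather than the unicast stream. Linux only; joining needs CAP_AUDIT_READ. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

struct audit_rec { unsigned short type; char text[1024]; };

/* Copy the record out of one received netlink message: 1 and out filled for an
 * audit record, 0 for a truncated buffer or a control reply (AUDIT_GET, ...). */
int parse_audit_msg(const unsigned char *buf, size_t len, struct audit_rec *out)
{
    const struct nlmsghdr *nlh = (const struct nlmsghdr *)buf;
    if (!NLMSG_OK(nlh, (int)len) || nlh->nlmsg_type < AUDIT_FIRST_USER_MSG)
        return 0;
    size_t plen = nlh->nlmsg_len - NLMSG_HDRLEN;
    if (plen >= sizeof out->text) plen = sizeof out->text - 1;
    out->type = nlh->nlmsg_type;
    memcpy(out->text, NLMSG_DATA(nlh), plen);
    out->text[plen] = '\0';
    return 1;
}

/* Join the read-log group: "have a look too" without owning the unicast stream.
 * This does not keep records out of kmsg when no unicast consumer is bound. */
int open_audit_multicast(void)
{
    unsigned int group = AUDIT_NLGRP_READLOG;
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0) return -1;
    if (setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &group, sizeof group) < 0) {
        int e = errno; close(fd); errno = e; return -1;   /* typically EPERM without CAP_AUDIT_READ */
    }
    return fd;
}

int main(void)
{
    unsigned char buf[8192]; struct audit_rec rec; ssize_t n;
    int fd = open_audit_multicast();
    if (fd < 0) { perror("audit multicast"); return 1; }
    while ((n = recv(fd, buf, sizeof buf, 0)) > 0)
        if (parse_audit_msg(buf, (size_t)n, &rec)) printf("%u %s\n", rec.type, rec.text);
    close(fd);
    return 0;
}
```

Because the socket only adds a multicast membership and never binds as the unicast receiver, running it does not stop auditd from being started afterwards, which is the non-intrusive property Lennart describes; it equally does nothing about the kmsg flooding Paul describes.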