On Fri, 17.04.20 14:57, Richard Guy Briggs (rgb(a)redhat.com) wrote:
> > Well, we try hard to not step on your toes and do not use the unicast
> > stuff and do not pretend to be auditd, so that auditd can be installed
> > and run in parallel to journald with us being in the backseat. It's my
> > understanding that the mcast stuff was added for this kind of thing,
> > except that it never became useful, since it also means that kmsg is
> > spammed by audit.
>
> Where your claim falls flat is that systemd/journald is stepping on
> auditd's toes by enabling audit. Enabling audit is auditd's job.

Again, we are interested in the audit information, because we think
it's useful. If we didn't enable audit in the kernel we wouldn't get
it. Hence we enable audit.
(But see:
https://github.com/systemd/systemd/pull/15444 — with that
it's now configurable, but it still defaults to on, because we
actually think the data is useful, and we think it's useful even
without auditd around, regardless if that's because we run in the
earliest initrd where there never is auditd around or because we run
during normal operation and auditd is simply not installed.)
Lennart
--
Lennart Poettering, Berlin