On 1 Nov 2019, at 10:16, Steve Grubb wrote:
On Friday, November 1, 2019 9:24:17 AM EDT Chris Mason wrote:
> On 31 Oct 2019, at 19:27, Paul Moore wrote:
>> On Thu, Oct 31, 2019 at 12:40 PM Chris Mason <clm(a)fb.com> wrote:
>> [ ... ]
>> Hi Chris,
>>
>> This is a rather hasty email as I'm at a conference right now, but I wanted to convey that I'm not opposed to making sure that the NTP records obey the audit configuration (that was the original intent after all), I think it is just that we are all a little confused as to why you are seeing the NTP records *and*only* the NTP records.
>
> This part is harder to nail down because there's a window during boot where journald has enabled audit but chef hasn't yet run in and turned it off, so we get a lot of logs early and then mostly ntp after that.
This is the root of the problem. Journald should never turn on audit since it has no idea if auditd even has rules to load. What if the end user does not want auditing? By blindly enabling audit without knowing if it's wanted, it causes a system performance hit even with no rules loaded. It would be best if journald leaves audit alone. If it wants to listen on the multicast socket, so be it. It should just listen and not try to alter the system.
Back to ntp, it sounds like the ntp record needs to check for audit_enabled rather than the dummy context.
I'm not against sprinkling more audit_enabled checks, but we'd have to change audit_inode() and a bunch of the other callers of audit_dummy_context() as well.
-chris