Re: [PATCH] audit: set context->dummy even when audit is off
On 11/1/19 9:16 AM, Steve Grubb wrote:
This is the root of the problem. Journald should never turn on audit
since it
has no idea if auditd even has rules to load. What if the end user does not
want auditing? By blindly enabling audit without knowing if its wanted, it
causes a system performance hit even with no rules loaded. It would be best
if journald leaves audit alone. If it wants to listen on the multicast
socket, so be it. It should just listen and not try to alter the system.
+1 for me, except I would also question why it would even listen, as to
me it seems that implies storage.
If that's true, I would want to be able to disable it as I do not want
audit events stored elsewhere as well.
Thx,
LCB
--
Lenny Bruzenak
MagitekLTD