On 10/13/2015 01:03 PM, Steve Grubb wrote:
> No, it's the default audit.rules (-D, -b320). No actual rules loaded.
> Let me add some instrumentation and figure out what's going on. auditd
> is masked (via systemd) but systemd-journal seems to set audit_enabled=1
> during startup (at least on our systems).
Tony,
We have bz 1227379
https://bugzilla.redhat.com/show_bug.cgi?id=1227379
There is a patch attached to disable systemd's propensity to turn on the audit
system. Are people complaining and opening bugs in your distribution? If so,
that might add more ammunition to get that fixed.
Hi Steve
we only have the one bug and it's related to:
1) noisy klog between when systemd enables audit and user manually disables it (rh bz#1160046)
2) after user manually disables audit (audit_enabled=0) seccomp messages still are output.
tony