On Tuesday, June 11, 2019 8:14:30 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Does anyone have any ideas how to prevent the journal from filling up with
> events that come from audispd?
On RHEL 7, there is no systemd-journald-audit.socket. So, if you are wrapping
events to syslog, then that is how it gets filled. In general, systems that
have the systemd-journald-audit.socket can just mask it to prevent that path.
systemctl mask systemd-journald-audit.socket
> There is a double penalty due to this and it really slows down my system
> with a lot of rules in place.
Might also want to limit log size:
sed -i "/^#SystemMaxUse/s/#SystemMaxUse=/SystemMaxUse=200M/" /etc/systemd/journald.conf   # bare number means bytes, so give a unit
> I have audispd syslog plugin enabled to send remotely as LOG_LOCAL5.
> Auditd is also writing output to /var/log/audit/audit.log.
If you wanted to restore your system to something that resembles normal
systems, then you can do something along these lines:
## Disable journald
systemctl mask systemd-journald.service
systemctl mask systemd-journald-dev-log.socket
systemctl mask systemd-journald.socket
systemctl mask systemd-journal-flush.service
systemctl mask systemd-journal-catalog-update.service
systemctl mask syslog.socket
## Enable rsyslog to handle logging
sed -i "/SysSock.Use/s/off/on/" /etc/rsyslog.conf
sed -i "/imjournal/s/module/#module/" /etc/rsyslog.conf
sed -i "/StateFile/s/^/#/" /etc/rsyslog.conf
sed -i "/imklog/s/#module/module/" /etc/rsyslog.conf
I tested this on recent Fedora. So, there may be some differences between F29
and RHEL 7. But this should be enough that you can experiment to finish it off.
After this, syslog is actually usable like it used to be.
-Steve
> If you do journalctl -u auditd you also see copies of the syslog
> events.
> Is there any way to prevent this behavior? I did find this RedHat page but
> it doesn't really sound like a good solution, having to modify selinux
> policy.
> https://bugzilla.redhat.com/show_bug.cgi?id=1419388
> Thanks,
> Kevin
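Added example, not code from the thread: parameterised versions of the journald and rsyslog edits above, plus a check that counts which rsyslog edits are still missing, so the change can be dry-run on copies of the config files and verified afterwards. It assumes the Fedora-style rsyslog.conf syntax (`module(load="...")` lines) that the sed patterns in the thread target; RHEL 7's legacy `$ModLoad` syntax would need different patterns.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers to apply and verify the
# journald/rsyslog edits on a given file instead of /etc directly.
# Assumes Fedora-style rsyslog.conf with module(load="...") syntax.

# Set SystemMaxUse= in a journald.conf, whether the line is still commented
# out, already set to another value, or absent. journald reads a bare number
# as bytes, so pass a unit suffix such as 200M. Prints the resulting line.
set_journald_max_use() {
  conf=$1; limit=$2
  if grep -Eq '^#?SystemMaxUse=' "$conf"; then
    sed -E -i "s/^#?SystemMaxUse=.*/SystemMaxUse=$limit/" "$conf"
  else
    printf 'SystemMaxUse=%s\n' "$limit" >> "$conf"
  fi
  grep '^SystemMaxUse=' "$conf"
}

# Apply the four rsyslog edits from the thread to the given file:
# read /dev/log directly, stop pulling from the journal, read the kernel ring.
apply_rsyslog_edits() {
  conf=$1
  sed -i "/SysSock.Use/s/off/on/" "$conf"
  sed -i "/imjournal/s/module/#module/" "$conf"
  sed -i "/StateFile/s/^/#/" "$conf"
  sed -i "/imklog/s/#module/module/" "$conf"
}

# Count how many of those edits are still missing; 0 means rsyslog no longer
# re-imports journal entries (the duplicate path for audispd events).
rsyslog_missing_edits() {
  conf=$1; n=0
  grep -Eq 'SysSock\.Use="on"' "$conf"                     || n=$((n+1))
  grep -Eq '^[[:space:]]*module\(load="imjournal"' "$conf" && n=$((n+1))
  grep -Eq '^[[:space:]]*StateFile=' "$conf"               && n=$((n+1))
  grep -Eq '^[[:space:]]*module\(load="imklog"' "$conf"    || n=$((n+1))
  echo "$n"
}
```

Run `rsyslog_missing_edits` on a copy before and after `apply_rsyslog_edits` to confirm the patterns actually matched your distribution's file before touching /etc/rsyslog.conf.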