linux-audit.redhat.com archive mirror
From: Lennart Poettering <lennart@poettering.net>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: multicast listeners and audit events to kmsg
Date: Fri, 17 Apr 2020 21:21:24 +0200
Message-ID: <20200417192124.GA55500@gardel-login>
In-Reply-To: <20200417185742.2v7elrmjpi75w6mm@madcap2.tricolour.ca>

On Fri, 17.04.20 14:57, Richard Guy Briggs (rgb@redhat.com) wrote:

> > Well, we try hard to not step on your toes and do not use the unicast
> > stuff and do not pretend to be auditd, so that auditd can be installed
> > and run in parallel to journald with us being in the backseat. It's my
> > understanding that the mcast stuff was added for this kind of thing,
> > except that it never became useful, since it also means that kmsg is
> > spammed by audit.
>
> Where your claim falls flat is that systemd/journald is stepping on
> auditd's toes by enabling audit.  Enabling audit is auditd's job.

Again, we are interested in the audit information, because we think
it's useful. If we didn't enable audit in the kernel we wouldn't get
it. Hence we enable audit.

(But see: https://github.com/systemd/systemd/pull/15444 — with that
it's now configurable, but it still defaults to on, because we
actually think the data is useful, and we think it's useful even
without auditd around, regardless of whether that's because we run in
the earliest initrd where there never is auditd around or because we run
during normal operation and auditd is simply not installed.)

Lennart

--
Lennart Poettering, Berlin


