From: Lennart Poettering <lennart@poettering.net>
To: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>, linux-audit@redhat.com
Subject: Re: multicast listeners and audit events to kmsg
Date: Thu, 23 Apr 2020 15:57:43 +0200
Message-ID: <20200423135743.GB63067@gardel-login>
In-Reply-To: <CAHC9VhSu=cbr_f3fyX_wdBdt_+xHwBBjOJojrk-iNgwhhBCg7w@mail.gmail.com>

On Thu, 23.04.20 09:50, Paul Moore (paul@paul-moore.com) wrote:

> > > If systemd enables the audit stream, and doesn't want the stream to
> > > flood kmsg, it needs to make sure that the stream is directed to a
> > > suitable sink, be it auditd or some other daemon.
> >
> > This sounds as if journald should start using the unicast stream. This
> > basically means auditd is out of the game, and cannot be added in
> > anymore, because the unicast stream is then owned by journald. It
> > wouldn't be sufficient to just install the audit package to get
> > classic audit working anymore. You'd have to reconfigure everything.
> >
> > I mean, we try to be non-intrusive, not step into your territory too
> > much, not replace auditd, not kick auditd out of the game. But you are
> > basically telling us to do just that?
>
> My recommendation is that if you are going to enable audit you should
> also ensure that auditd is running; that is what I'm telling you.

Well, that's the "audit is my private kingdom" response, right?

People are interested in collecting the audit stream without having
the full audit daemon installed. There's useful data in the audit
stream, already generated during really early boot, long before auditd
runs, i.e. in the initrd. And for smaller systems auditd is not really
something people want around.

For example, Fedora CoreOS wants to enable SELinux, thus is interested
in audit messages, but has no intention to install auditd in the
typical, minimal images they generate. See:

https://github.com/systemd/systemd/issues/15324

Lennart

--
Lennart Poettering, Berlin


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


Thread overview: 15+ messages
2020-04-14  9:27 multicast listeners and audit events to kmsg Luca BRUNO
2020-04-15 15:53 ` Richard Guy Briggs
2020-04-16 12:06   ` Lennart Poettering
2020-04-16 18:46     ` Lenny Bruzenak
2020-04-17 18:57     ` Richard Guy Briggs
2020-04-17 19:21       ` Lennart Poettering
2020-04-17 20:08         ` Richard Guy Briggs
2020-04-22 21:59     ` Paul Moore
2020-04-23  7:30       ` Lennart Poettering
2020-04-23 13:50         ` Paul Moore
2020-04-23 13:57           ` Lennart Poettering [this message]
2020-04-23 14:04             ` Paul Moore
2020-04-23 16:19             ` Casey Schaufler
2020-04-23 16:44               ` Lennart Poettering
2020-04-23 17:17                 ` Steve Grubb