Date: Thu, 23 Apr 2020 15:57:43 +0200
From: Lennart Poettering
To: Paul Moore
Cc: Richard Guy Briggs, linux-audit@redhat.com
Subject: Re: multicast listeners and audit events to kmsg
Message-ID: <20200423135743.GB63067@gardel-login>

On Do, 23.04.20 09:50, Paul Moore (paul@paul-moore.com) wrote:

> > > If systemd enables the audit stream, and doesn't want the stream to
> > > flood kmsg, it needs to make sure that the stream is directed to a
> > > suitable sink, be it auditd or some other daemon.
> >
> > This sounds as if journald should start using the unicast stream. This
> > basically means auditd is out of the game, and cannot be added in
> > anymore, because the unicast stream is then owned by journald. It
> > wouldn't be sufficient to just install the audit package to get
> > classic audit working anymore. You'd have to reconfigure everything.
> >
> > I mean, we try to be non-intrusive, not step into your territory too
> > much, not replace auditd, not kick auditd out of the game. But you are
> > basically telling us to do just that?
>
> My recommendation is that if you are going to enable audit you should
> also ensure that auditd is running; that is what I'm telling you.

Well, that's the "audit is my private kingdom" response, right?

People are interested in collecting the audit stream without having
the full audit daemon installed. There's useful data in the audit
stream, already generated during really early boot, long before auditd
runs, i.e. in the initrd. And for smaller systems auditd is not really
something people want around.

For example, Fedora CoreOS wants to enable selinux, thus is interested
in audit messages, but has no intention to install auditd, in the
typical, minimal images they generate. See:

https://github.com/systemd/systemd/issues/15324

Lennart

--
Lennart Poettering, Berlin
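
An added illustration in C, not part of this thread and not systemd or kernel code: the multicast-listener approach discussed above, joining the audit netlink read-log group instead of registering as the unicast audit daemon, plus a walker over the records in a received datagram. The function names, the local constant names and the sample record helper are assumptions made for the example; the constant values mirror `AUDIT_NLGRP_READLOG` and `AUDIT_AVC` from `<linux/audit.h>`.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define AUDIT_GROUP_READLOG 1    /* AUDIT_NLGRP_READLOG in <linux/audit.h> */
#define AUDIT_TYPE_AVC      1400 /* AUDIT_AVC, the SELinux record type */

/* Join the read-only multicast group (needs CAP_AUDIT_READ). No audit
 * daemon PID is registered, so the unicast slot stays free for auditd. */
int audit_mcast_open(void)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK,
                              .nl_groups = 1u << (AUDIT_GROUP_READLOG - 1) };
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Count `type` records in one datagram; copy the last match (outsz >= 1). */
int audit_count_type(const void *buf, size_t len, int type, char *out, size_t outsz)
{
    const struct nlmsghdr *nh = buf;
    int rem = (int)len, hits = 0;
    for (; NLMSG_OK(nh, rem); nh = NLMSG_NEXT(nh, rem)) {
        size_t n = nh->nlmsg_len - NLMSG_HDRLEN;
        if (nh->nlmsg_type != type)
            continue;
        n = n < outsz ? n : outsz - 1;   /* truncate, never overflow */
        memcpy(out, NLMSG_DATA(nh), n);
        out[n] = '\0';
        hits++;
    }
    return hits;
}

/* Append one constructed sample record at offset off; returns new offset. */
size_t audit_put_sample(char *buf, size_t off, int type, const char *text)
{
    struct nlmsghdr nh = { .nlmsg_len = NLMSG_LENGTH(strlen(text)), .nlmsg_type = type };
    memcpy(buf + off, &nh, sizeof(nh));
    memcpy(buf + off + NLMSG_HDRLEN, text, strlen(text));
    return off + NLMSG_ALIGN(nh.nlmsg_len);
}
```

A reader loop would `recv()` on the descriptor from `audit_mcast_open()` and hand each datagram to `audit_count_type()`; `audit_put_sample()` exists only to build test input offline.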