On 30.08.22 at 19:46, Michael Biebl wrote:

On 30.08.22 at 19:31, Michael Biebl wrote:
On Wed, 17 Aug 2022 19:17:16 +0200 Sven Mueller <s...@google.com> wrote:

It's reproducible only with systemd upgrades. We've reproduced it with
different versions of systemd, but always upgrading from 249.7-1 to
the version tested.

I assume this reproducer can be further reduced to

systemctl restart systemd-journald

? (which is part of systemd.postinst)

Could you check if replacing
debian/patches/Don-t-enable-audit-by-default.patch with the attached patch helps?

It was pointed out on IRC that we probably need to initialize the value with -1 (so it is "unset") instead of simply removing the line.

From: Martin Pitt <martin.p...@ubuntu.com>
Date: Sun, 28 Dec 2014 12:49:35 +0100
Subject: Don't enable audit by default

It causes flooding of dmesg and syslog, suppressing actually important
messages.

Don't enable it for now, until a better solution is found:
http://lists.freedesktop.org/archives/systemd-devel/2014-December/026591.html

Bug-Debian: https://bugs.debian.org/773528
---
 man/journald.conf.xml         | 2 +-
 src/journal/journald-server.c | 2 +-
 src/journal/journald.conf     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index ed7e428..0abed9c 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -426,7 +426,7 @@
         <command>systemd-journald</command> collects generated audit records, it just controls whether it
         tells the kernel to generate them. This means if another tool turns on auditing even if
         <command>systemd-journald</command> left it off, it will still collect the generated
-        messages. Defaults to on.</para></listitem>
+        messages. Defaults to unset.</para></listitem>
       </varlistentry>
 
       <varlistentry>
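
Review bot: "Defaults to unset." on the changed line does not tell the reader what systemd-journald does when the option is unset. The surrounding paragraph only describes on and off in terms of whether journald tells the kernel to generate audit records, so please add a sentence stating the behaviour of the unset state (for example, whether the kernel's current audit setting is left as it is) and how a user can select it explicitly in journald.conf.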
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 3ed8b80..5d373f4 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2293,7 +2293,7 @@ int server_init(Server *s, const char *namespace) {
                 .compress.threshold_bytes = UINT64_MAX,
                 .seal = true,
 
-                .set_audit = true,
+                .set_audit = -1,
 
                 .watchdog_usec = USEC_INFINITY,
 
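
Review bot: `.set_audit = -1` replaces a `true` initializer, so the field must be a signed tristate and not a bool, and every consumer has to distinguish three states. Neither the field declaration nor the code that reads `set_audit` is part of this diff. Please confirm the member is declared as int and that the readers test `>= 0` (or `> 0`) instead of plain truthiness, because -1 evaluates as true in C and a leftover `if (s->set_audit)` would turn auditing on, which is the opposite of what the commit message intends.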
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 64f4d4b..a690681 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -44,4 +44,4 @@
 #MaxLevelWall=emerg
 #LineMax=48K
 #ReadKMsg=yes
-#Audit=yes
+#Audit=
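
Review bot: the commented default `#Audit=` has an empty value, while the neighbouring entries in this file show concrete defaults (`#ReadKMsg=yes`, `#LineMax=48K`). Please check that the config parser maps an empty `Audit=` assignment to the same -1 state that server_init() now sets, and not to false or a parse warning, so that a user who uncomments the line gets the documented default. A short comment or a matching note in the man page hunk would also make the empty value less surprising.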
