On Friday, November 1, 2019 10:26:41 AM EDT Lenny Bruzenak wrote: > On 11/1/19 9:16 AM, Steve Grubb wrote: > > This is the root of the problem. Journald should never turn on audit > > since it has no idea if auditd even has rules to load. What if the end > > user does not want auditing? By blindly enabling audit without knowing > > if its wanted, it causes a system performance hit even with no rules > > loaded. It would be best if journald leaves audit alone. If it wants to > > listen on the multicast socket, so be it. It should just listen and not > > try to alter the system. > > +1 for me, except I would also question why it would even listen, as to > me it seems that implies storage. > > If that's true, I would want to be able to disable it as I do not want > audit events stored elsewhere as well.
It is true. You get 2 copies, one in the journal and it also relays one to rsyslog. This should fix it: systemctl mask systemd-journald-audit.socket -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
