journald: disable audit support completely from the journal
This patch not only prevents journald from enabling the audit system
unconditionally very early at boot but also prevents it from receiving
audit messages for the audit netlink and pushing them into the
journal.

The first reason is that when journald enables kernel audit, it does
not disable syscall audit (it doesn't load the audit rules), which
introduced a global performance hit. This can be minimized if the audit
service is started but that's not the case for all systems.

The second reason is that for systems where audit was disabled by
default they will suddenly have audit enabled (unless audit=0 was
already passed to the kernel command line). This means tons of audit
messages will be sent to dmesg, syslog, journal files, etc...

Note also that audit messages are duplicated in the journal since they
are received both from kmsg and from the audit netlink. A related bug
report can be found here:
https://bugzilla.redhat.com/show_bug.cgi?id=1160046.

This basically reverts the following upstream commits:

 - 875c2e2
 - 4d9ced9

Upstream issue:
systemd/systemd#959

So disable all of this for now until a better option is found or
someone comes up with a real use case.

[fbui: bsc#984034]
fbuihuu committed Mar 1, 2018
1 parent 7eeb1e5 commit d962c2f
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions src/journal/journald-server.c
Expand Up @@ -1841,8 +1841,8 @@ int server_init(Server *s) {
if (r < 0)
return r;

/* Unless we got *some* sockets and not audit, open audit socket */
if (s->audit_fd >= 0 || no_sockets) {
/* Suse: disable audit messages in journal entirely. */
if (false && no_sockets) {
r = server_open_audit(s);
if (r < 0)
return r;
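
Review bot: In server_init(), `if (false && no_sockets)` leaves the server_open_audit(s) call in place as unreachable code, and the remaining `no_sockets` operand has no effect. Deleting the block, or wrapping it in a build-time switch, would make the intent explicit and avoid constant-condition warnings. The old condition also covered `s->audit_fd >= 0`; if a descriptor can already be set at this point, it is now kept without being handed to server_open_audit(s), so consider closing it here or stating in the comment why that cannot happen. The new comment would also be more useful with the bsc#984034 reference from the commit message, so the reason for the downstream change is visible in the source.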