Commit 64f83d3

journald: disable audit support completely from the journal
This patch not only prevents journald from enabling the audit system unconditionally very early at boot but also prevents it from receiving audit messages for the audit netlink and pushing them into the journal.

The first reason is that when journald enables kernel audit, it does not disable syscall audit (it doesn't load the audit rules), which introduced a global performance hit. This can be minimized if the audit service is started, but that's not the case for all systems.

The second reason is that systems where audit was disabled by default will suddenly have audit enabled (unless audit=0 was already passed to the kernel command line). This means tons of audit messages will be sent to dmesg, syslog, journal files, etc.

Note also that audit messages are duplicated in the journal since they are received both from kmsg and from the audit netlink.

A related bug report can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=1160046.

This basically reverts the following upstream commits:

- 875c2e2
- 4d9ced9

Upstream issue: systemd/systemd#959

So disable all of this for now until a better option is found or someone comes up with a real use case.

[fbui: bsc#984034]
1 parent 86fa0f1 commit 64f83d3

1 file changed (+2, -2 lines changed)
src/journal/journald-server.c

Lines changed: 2 additions & 2 deletions
@@ -1826,8 +1826,8 @@ int server_init(Server *s) {
18261826
if (r < 0)
18271827
return r;
18281828

1829-
/* Unless we got *some* sockets and not audit, open audit socket */
1830-
if (s->audit_fd >= 0 || no_sockets) {
1829+
/* Suse: disable audit messages in journal entirely. */
1830+
if (false && no_sockets) {
18311831
r = server_open_audit(s);
18321832
if (r < 0)
18331833
return r;
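
Review bot: `if (false && no_sockets)` on new line 1830 is a constant-false condition, which leaves the `server_open_audit(s)` call and its error check as dead code and keeps a `no_sockets` operand that no longer has any effect; removing the block outright, or guarding it with a build-time or configuration switch, would state the intent more clearly and avoid unreachable-code warnings from compilers and static analysers. The old condition also tested `s->audit_fd >= 0`, so an audit fd that was already set before this point is now silently left unhandled; if that can happen, close it or log that it is being ignored. The new comment should also say why audit is disabled, for example by citing the reference from the commit message (bsc#984034), so the next merge from upstream does not quietly undo it.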
