Do not enable audit

[opoplawski]

See https://bugzilla.redhat.com/show_bug.cgi?id=1227379#c25 from Steve Grubb:

I think the root of the problem here is journald. There is a function, server_open_audit() which enables audit even if people don't want it on. Journald should not enable audit, that is the audit daemon's job. What journald should do is:

1. Stop enabling audit.
2. Make it configurable as to whether or not to include audit data in the logs. Because its potentially mixing Top Secret data with unclassified data, there needs to be a way for people to shut that off when needed. If enabled, just attach to the multicast group and listen. AVC's will still come out. If not, open a bug on that. But enabling audit will slow the system down. If you want the highest performance of your system, audit must be disabled since boot and never turned on.
3. Make it configurable as to whether or not to pass audit data to syslog. Again, journald is the only thing that knows the provenance of the data stream. Therefore its incumbent on journald to prevent unintended reclassification of data.

The audit subsystem leaves sending event to syslog as a configuration option. It defaults to off because that is what the majority of the people wanted. Some people want it on, though, so that its aggregated and searchable by splunk. But this is the minority.

[poettering]

Well, I very much disagree with this. Audit can be potentially useful, and we should centralize it by default in the journal. I really don't buy the "top secret" non-sense, UNIX doesn't work that way. Either you have access or you don't, but there aren't multiple levels of "root" defined. It's a completely valid option though to turn audit off (run "auditctl -e0" on boot, after journald; or "audit=0" on the kernel cmdline), and they can still: all we did is change things from opt-in to opt-out.

On Fedora auditing has always been on, as has been selinux. I am pretty sure that we should make use of it if it's available. If you don't want it, then turn off the whole subsystem with "audit=0" on the kernel command line. But if you don't explicitly disable it that way, then we should capture that information and add it to everything else that is logged.

rsyslog reads the data from the journal, it's not the journal that pushes the data to syslog anymore. Hence, if rsyslog doesn't want the audit data, then it should filter it out (by ignoring all log entries with _TRANSPORT=audit for example), but the journal really has no control over the filtering rsyslog applies on the data it collects.

Sorry, I don't think there's anything to fix here.

[klic]

Sorry, but you're wrong here. Every modern Unix has the possibility to use multiple levels of access. Think rbac or selinux MCs/mls. Ever heard of Bell/La Padua ? If you mix it here, you break that model, and either distributions for enterprises will have to fork systemd, or lose that market share. This is another era away from distinctions like uid==0 or not

Klaus

[davidelang]

having ti as an option is a good thing for those who want to combine all the data (which does include some enterprise users)

having it mandatory with no option and not passing the information on the source to syslog is a bad thing.

When logs are passed to syslog, I know that the logs can be passed (almost) as if journald wasn't involved. Is there also an option to pass structured data (i.e. JSON in the body of the log) so that the filtering can be done on this metadata inside the syslog infrastructure?

[poettering]

@davidelang as I wrote already, rsyslog pulls the data from the journal these days, journald's syslog forwarding is not used anymore. One of the reasons syslog was changed was to get the structured data.

[mbiebl]

@poettering on Debian/Ubuntu we still use the push model instead of letting rsyslog pull the data.
One reason is that not all existing syslog implementations support pulling data out of journald directly.

[mbiebl]

@poettering also, afaik, the imjournal module in rsyslog is not really maintained by rsyslog upstream directly, but it's mostly maintained by external contributor. At least from my understanding rsyslog upstream still recommends using the socket forwarding mode.

[johannbg]

@mbiebl which other syslog solution beside rsyslog ( the imjournal module is not officially supported upstream and I question of rsyslog will ever officially support journal since last time I checked Rainer Gerhards had some axe to grind with Lennart or binary logging in general ) does Debian have that does not support pulling data out of the journal directly ( syslog-ng does that and defaults to do that since what 3.6 or there about ).

Arguably distributions ( or rather their server versions since it makes no sense shipping both on the desktop alternatives ) should be defaulting to shipping syslog-ng ( due to that supported upstream integration ) in addition to the journal itself to provide that forwarding to centralized log server capability ( which is what administrators have mostly criticised and found lacking with the journal ).

We should have an option to disable this in journald only. You can tell us what (you think) UNIX is and what (you think) it is not but you should give us the oportunity to opt-out at least, and preferable to opt-in.

You shouldnt try to push your agenda on others when you are in a position such as yourself.

[bigon]

@johannbg Querying the apt cache, there are several packages that provide system-log-daemon( Provides: system-log-daemon in packages metadata)

$ LANG=C apt-cache search system-log-daemon
busybox-syslogd - Provides syslogd and klogd using busybox
dsyslog - advanced modular syslog daemon
inetutils-syslogd - system logging daemon
rsyslog - reliable system and kernel logging daemon
socklog-run - system and kernel logging services
syslog-ng-core - Enhanced system logging daemon (core)

[johannbg]

@doverride the unix philosophy ( written sometime in the 1970s and relates to the environment and the computation evolution at that time ) is just a set of developers guidelines ( aimed at developers not end users or administrators )which developers should just keep in the back of their head when developing but developers are under no obligation to follow those guidelines no more than they like but through time people seem to have obfuscated those development guidelines and taken the term "UNIX" and put what ever they think it means, meaning to it and expect others to follow it.

Systemd is not "UNIX" by those individuals measurements ( or in general and it's completely irrelevant to anyone what meaning people seem to be putting into it since nobody is under any obligations to follow it ) but most certainly if you look the unix philosophy and apply the development guidelines and principals the unix philosophy outlines to systemd and it's code and development you can clearly see those development guidelines have been followed to certain extent.

That said the systemd-journald is not optional and never will be so there is no availability for "opt-in" or "opt-out" capability hence traditional textual file based syslog applications need to be made systemd-journald compatible ( by directly reading from the journal and or from using /run/systemd/journal/syslog ) with the most common ones ( rsyslog and syslog-ng ) already being that ( for the the rest of what @bigon lists here I cannot say and there are ways you can configure rsyslog and syslog-ng to provide you with text file logging in conjunction with the journal ).

Distribution that ship syslogging components that are not systemd-journal compatible ( which effectively just means those components are systemd incompatible ) will need to conflict those components with systemd.

If distributions are supporting more than one init system and at the same time are providing components that are systemd ( journal or not ) compatible they will need to maintain two or more versions of their components, one that supports and setups the defaults for that component to be used in conjunction with systemd ( compile options,type units and or configuration defaults ) and one or more that support and setups the alternative init system they support ( their compile options,init script or configuration files and or configuration defaults ).

[davidelang]

so you are saying that Linux systems running systemd are not Unix systems?

boy will that be a money quote for the anti-systemd people

@johannbg I am not suggesting opt-in/-out of systemd-journald as a whole. Instead i am suggesting opt-in/-out of the ability to enclose audit related messages with the journal.

People with serious audit requirements cannot do with journald/journalctl as it is way too limited. This audience needs tools to be able to effectively analyze these audit messages as well. E.g. tools like ausearch, aureport. These tools cannot parse the journal. So that means that if you have a serious audit requirement that you must use auditd. Now we don't want duplicate audit logs (in journal as well as /var/log/audit) so we want to be able to tell journald:

"hey, were using another audit facility. so to avoid duplicate audit logs we kindly instruct you to stop logging audit messages altogether"