Hello!
So, the solution appears to be: keep all audit-related binaries on boot.iso, run auditctl -e 0 instead of our mock, and the result is roughly the same. So that's what we will do.

https://github.com/rhinstaller/anaconda/pull/4358
https://github.com/weldr/lorax/pull/1271

Best,
Vladimir

On Thu, Sep 15, 2022 at 2:11 PM Vladimir Slavik <vslavik@redhat.com> wrote:
Hello,
while trying to make sense of the remaining C bits in anaconda, I found that we actually have a mock auditd, which does nothing and replaces the real auditd on boot.iso, via lorax templates.

Now I'm trying to understand why. Is it because it writes too much to the journal? Is it because it takes 90 MB of memory? Something else?

Steve, Brian - would you know?

PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the Python module directory where it was hiding.

Best,
Vladimir

--
Vladimír Slávik <vslavik@redhat.com>
Software Engineer, Platform Engineering
Red Hat Czech, s.r.o.

