Hello,
On Thursday, September 15, 2022 8:11:39 AM EDT Vladimir Slavik wrote:
while trying to make sense of the remaining C bits in anaconda, I found that we actually have a mock auditd, which does nothing and replaces the real auditd on boot.iso, via lorax templates.

Now I'm trying to understand why. Is it because it writes too much to journal? Is it because it takes 90 MB memory? Something else?
Steve, Brian - would you know?
PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the python module directory where it was hiding.
I would guess that they are trying to prevent hardwired audit events from going into the install logs. If you boot with audit=0, you wouldn't need a mock auditd because auditing is disabled...except that systemd-journald blindly enables auditing. Maybe they fixed it to respect the command line by now, I don't know.

Another item, and maybe this is the reason: if there is no auditd, selinux sends AVCs to syslog. So, maybe it's to suppress AVCs?
I'd suggest booting with audit=0. If you get any events in your logs, you can probably replace auditd with a python variant. Libaudit has python bindings. It is not well tested for handling audit events. But it is used by semanage and some other python programs.
-Steve
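The check Steve suggests (boot with audit=0, then see whether audit records still reach the journal), written up as an added example that is not part of this thread or of anaconda. It assumes journalctl's default short output format, where kernel audit records appear as "kernel: audit: type=...", and the journal lines it runs over are constructed samples.

```bash
#!/bin/sh
# Added example: does the kernel command line disable auditing, and do
# audit records show up in the journal anyway (journald re-enabling audit)?

# Returns 0 when the given kernel command line leaves auditing disabled.
# The last audit= token wins, so "audit=0 audit=1" counts as enabled.
audit_disabled_on_cmdline() {
    state=enabled
    for tok in $1; do
        case "$tok" in
            audit=0) state=disabled ;;
            audit=1) state=enabled ;;
        esac
    done
    [ "$state" = disabled ]
}

# Counts journal lines on stdin that carry a kernel audit record
# ("audit: " or "audit[pid]: " prefix, assumed journalctl short format).
count_audit_records() {
    grep -c -E '(^|[[:space:]])audit(\[[0-9]+\])?: ' || true
}

# Usage: report_audit_state "<kernel cmdline>" < journal-output
# Returns 1 when audit=0 was requested but records still reached the journal.
report_audit_state() {
    n=$(count_audit_records)
    if audit_disabled_on_cmdline "$1"; then
        if [ "$n" -gt 0 ]; then
            echo "audit=0 requested but $n audit record(s) reached the journal"
            return 1
        fi
        echo "audit=0 requested and no audit records in journal"
        return 0
    fi
    echo "auditing not disabled on the command line ($n audit record(s) in journal)"
}

# Constructed sample journal output (not real captured data): two kernel
# audit records, one of them an SELinux AVC, among ordinary boot messages.
sample_journal() {
    cat <<'EOF'
Sep 15 08:11:39 localhost kernel: audit: type=1130 audit(1663243899.123:45): pid=1 uid=0 msg='unit=sshd comm="systemd" res=success'
Sep 15 08:11:40 localhost anaconda[1234]: Starting installer
Sep 15 08:11:41 localhost kernel: audit: type=1400 audit(1663243901.456:46): avc:  denied  { read } for pid=2345 comm="anaconda"
Sep 15 08:11:42 localhost systemd[1]: Reached target Basic System.
EOF
}

# Stand-alone run against the constructed sample; on a live install you
# would use: report_audit_state "$(cat /proc/cmdline)" < <(journalctl -k)
sample_journal | report_audit_state "BOOT_IMAGE=/images/pxeboot/vmlinuz quiet audit=0" || :
```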