Hello, while trying to make sense of the remaining C bits in anaconda, I found that we actually have a mock auditd, which does nothing and replaces the real auditd on boot.iso, via lorax templates.
Now I'm trying to understand why. Is it because it writes too much to journal? Is it because it takes 90 MB memory? Something else?
Steve, Brian - would you know?
PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the python module directory where it was hiding.
Best, Vladimir
Hello,
On Thursday, September 15, 2022 8:11:39 AM EDT Vladimir Slavik wrote:
I would guess that they are trying to prevent hardwired audit events from going into the install logs. If you boot with audit=0, you wouldn't need a mock auditd because auditing is disabled...except that systemd-journald blindly enables auditing. Maybe they fixed it to respect the command line by now, I don't know.
Another item, and maybe this is the reason, if there is no auditd, selinux sends AVC's to syslog. So, maybe it's to suppress AVC's?
I'd suggest booting with audit=0. If you get any events in your logs, you can probably replace auditd with a python variant. Libaudit has python bindings. It is not well tested for handling audit events. But it is used by semanage and some other python programs.
-Steve
On Thu, Sep 15, 2022 at 10:20:04AM -0400, Steve Grubb wrote:
I talked to pjones (update in the PR as well) and it was because space was limited and something needed to listen to the socket to throw away the messages. My guess is that this is still valid, I don't think it would provide anything useful in the installer environment, and would just clutter up the journal with irrelevant messages. Maybe.
Booting with audit=0 may work, but one thing to remember is some people use PXE and wouldn't have the same cmdline as the iso, so it may be better to just keep this so it 'Just Works(TM)'.
Brian
Thank you both! I agree that keeping this is the better option for now. I'll add the information from here to a readme, so that this vital information will be available for the next code archeologist.
Best, V+
On Thu, Sep 15, 2022 at 5:31 PM Brian C. Lane bcl@redhat.com wrote:
Hi,
I wonder, couldn't we add `audit=0` to the initrd or enable it in the initrd by our dracut modules? I think that would be a better solution than having code to drop messages.
Best Regards, Jirka
On 15. 09. 22 at 17:31 Brian C. Lane wrote:
Hello! So, the solution appears to be: keep all audit-related binaries on boot.iso, run auditctl -e 0 instead of our mock, and the result is roughly the same. So that's what we will do.
https://github.com/rhinstaller/anaconda/pull/4358 https://github.com/weldr/lorax/pull/1271
Best, Vladimir
On Thu, Sep 15, 2022 at 2:11 PM Vladimir Slavik vslavik@redhat.com wrote:
-- Vladimír Slávik vslavik@redhat.com Software Engineer, Platform Engineering Red Hat Czech, s.r.o.
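The two mechanisms discussed in this thread, a daemon that claims the audit socket so the kernel stops printing records to the journal, and `auditctl -e 0`, which turns auditing off, are both a single AUDIT_SET request on the NETLINK_AUDIT socket. The following is an added example, not code from anaconda, lorax or the audit project; it talks raw netlink with the stdlib instead of the libaudit Python bindings Steve mentions, the constants are copied from `<linux/netlink.h>` and `<linux/audit.h>`, and `make_ack` fabricates a kernel acknowledgement so the parser can be exercised offline. Sending AUDIT_SET needs CAP_AUDIT_CONTROL; as an ordinary user the kernel answers with EPERM, which the example reports rather than hides.

```python
import errno
import os
import socket
import struct

# Constants copied from <linux/netlink.h> and <linux/audit.h>.
NETLINK_AUDIT = 9
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
NLMSG_ERROR = 0x02
NLMSG_HDRLEN = 16            # struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid
AUDIT_SET = 1001
AUDIT_STATUS_ENABLED = 0x0001
AUDIT_STATUS_PID = 0x0004

NLMSGHDR_FMT = "=IHHII"
# struct audit_status (11 x u32): mask, enabled, failure, pid, rate_limit, backlog_limit,
# lost, backlog, feature_bitmap, backlog_wait_time, backlog_wait_time_actual
AUDIT_STATUS_FMT = "=11I"


def build_audit_set(mask, enabled=0, pid=0, seq=1):
    """Build an AUDIT_SET request; the kernel applies only the fields selected by mask."""
    payload = struct.pack(AUDIT_STATUS_FMT, mask, enabled, 0, pid, 0, 0, 0, 0, 0, 0, 0)
    hdr = struct.pack(NLMSGHDR_FMT, NLMSG_HDRLEN + len(payload), AUDIT_SET,
                      NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload


def disable_auditing_message(seq=1):
    """What `auditctl -e 0` sends: mask=ENABLED, enabled=0."""
    return build_audit_set(AUDIT_STATUS_ENABLED, enabled=0, seq=seq)


def register_daemon_message(pid, seq=1):
    """What a (mock) auditd sends at startup: claim the consumer role with its pid.
    Once a pid is registered the kernel queues records to that socket instead of printk."""
    return build_audit_set(AUDIT_STATUS_PID, pid=pid, seq=seq)


def parse_nlmsg(data):
    length, msg_type, flags, seq, pid = struct.unpack_from(NLMSGHDR_FMT, data, 0)
    return {"len": length, "type": msg_type, "flags": flags, "seq": seq,
            "pid": pid, "payload": data[NLMSG_HDRLEN:length]}


def audit_status_fields(msg):
    """Decode mask, enabled and pid from an AUDIT_SET request (for inspection/tests)."""
    mask, enabled, _failure, pid = struct.unpack_from("=4I", parse_nlmsg(msg)["payload"], 0)
    return {"mask": mask, "enabled": enabled, "pid": pid}


def parse_ack(data):
    """Return the errno carried by an NLMSG_ERROR acknowledgement (0 means success)."""
    msg = parse_nlmsg(data)
    if msg["type"] != NLMSG_ERROR:
        raise ValueError("expected NLMSG_ERROR, got type %d" % msg["type"])
    (error,) = struct.unpack_from("=i", msg["payload"], 0)   # struct nlmsgerr.error, negative errno
    return -error


def make_ack(error, seq, request):
    """Constructed kernel reply for offline use: nlmsghdr + nlmsgerr {error, echoed request header}."""
    body = struct.pack("=i", error) + request[:NLMSG_HDRLEN]
    return struct.pack(NLMSGHDR_FMT, NLMSG_HDRLEN + len(body), NLMSG_ERROR, 0, seq, 0) + body


def audit_request(msg):
    """Send one request to the kernel audit subsystem and return the ack errno."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.bind((0, 0))
        s.sendto(msg, (0, 0))
        return parse_ack(s.recv(8192))


def mock_auditd(max_records):
    """Register as the audit daemon and discard records, as the mock in the thread does.
    Returns the number of records dropped (bounded here so the function terminates)."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as s:
        s.bind((0, 0))
        s.sendto(register_daemon_message(os.getpid()), (0, 0))
        rc = parse_ack(s.recv(8192))
        if rc != 0:
            raise PermissionError(rc, os.strerror(rc))
        dropped = 0
        while dropped < max_records:
            s.recv(8192)
            dropped += 1
        return dropped


if __name__ == "__main__":
    try:
        rc = audit_request(disable_auditing_message())
    except (AttributeError, OSError) as exc:   # no AF_NETLINK (non-Linux) or audit compiled out
        print("could not reach the audit subsystem:", exc)
    else:
        print("AUDIT_SET enabled=0 ->", "ok" if rc == 0 else os.strerror(rc))
```

Booting with `audit=0` has the same effect as `disable_auditing_message` without any userspace consumer, which is why the PXE case in the thread matters: a kernel command line the installer does not control is the one place this cannot be guaranteed.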
anaconda-devel@lists.fedoraproject.org