From: Steve Grubb
To: linux-audit@redhat.com
Cc: Chris Mason, Paul Moore, Dave Jones, Kyle McMartin, "linux-kernel@vger.kernel.org"
Subject: Re: [PATCH] audit: set context->dummy even when audit is off
Date: Fri, 01 Nov 2019 10:16:56 -0400
Message-ID: <3063279.ZKBa9cPvsK@x2>
Organization: Red Hat

On Friday, November 1, 2019 9:24:17 AM EDT Chris Mason wrote:
> On 31 Oct 2019, at 19:27, Paul Moore wrote:
> > On Thu, Oct 31, 2019 at 12:40 PM Chris Mason wrote:
> > [ ... ]
> > Hi Chris,
> >
> > This is a rather hasty email as I'm at a conference right now, but I
> > wanted to convey that I'm not opposed to making sure that the NTP
> > records obey the audit configuration (that was the original intent
> > after all), I think it is just that we are all a little confused as to
> > why you are seeing the NTP records *and*only* the NTP records.
>
> This part is harder to nail down because there's a window during boot
> where journald has enabled audit but chef hasn't yet run in and turned
> it off, so we get a lot of logs early and then mostly ntp after that.

This is the root of the problem. Journald should never turn on audit since it
has no idea if auditd even has rules to load. What if the end user does not
want auditing? By blindly enabling audit without knowing if it's wanted, it
causes a system performance hit even with no rules loaded. It would be best
if journald leaves audit alone. If it wants to listen on the multicast
socket, so be it. It should just listen and not try to alter the system.

Back to ntp, it sounds like the ntp record needs to check for audit_enabled
rather than the dummy context.

-Steve
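
The two gating approaches named in this thread (the patch subject's "set context->dummy even when audit is off" and the reply's "check for audit_enabled"), as a user-space model added here for illustration; it is not kernel code and not code from the thread. The struct, the function names, and the assumptions that a task's context starts zeroed and that syscall entry returns early when auditing is off are simplifications made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for kernel state (illustrative, not the kernel's code). */
static int audit_enabled;            /* global audit on/off switch */
static int audit_n_rules;            /* number of loaded audit rules */
struct audit_ctx { int dummy; };     /* dummy == 1: nothing to record */

/* Assumed model: entry bails out when audit is off, leaving dummy untouched. */
static void entry_unpatched(struct audit_ctx *c)
{
    if (!audit_enabled)
        return;
    c->dummy = !audit_n_rules;
}

/* Model of the patch subject: refresh dummy before the enabled check. */
static void entry_patched(struct audit_ctx *c)
{
    c->dummy = !audit_n_rules;
    if (!audit_enabled)
        return;
}

/* NTP record gate keyed on the per-task dummy flag. */
static bool ntp_gate_dummy(const struct audit_ctx *c) { return !c->dummy; }

/* NTP record gate keyed on the global switch, as the reply suggests. */
static bool ntp_gate_enabled(void) { return audit_enabled != 0; }

/* Audit off, no rules, fresh zeroed context: which gates still emit? */
static void scenario(bool *stale, bool *patched, bool *global)
{
    struct audit_ctx a = { 0 }, b = { 0 };
    audit_enabled = 0;
    audit_n_rules = 0;
    entry_unpatched(&a);             /* dummy stays 0 (stale) */
    entry_patched(&b);               /* dummy becomes 1 */
    *stale   = ntp_gate_dummy(&a);
    *patched = ntp_gate_dummy(&b);
    *global  = ntp_gate_enabled();
}

int main(void)
{
    bool s, p, g;
    scenario(&s, &p, &g);
    printf("dummy gate, stale flag:     %s\n", s ? "emits" : "quiet");
    printf("dummy gate, patched entry:  %s\n", p ? "emits" : "quiet");
    printf("audit_enabled gate:         %s\n", g ? "emits" : "quiet");
    return 0;
}
```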