From 7b9ee7375ca9a1521ff36dd9ceb8a26e59572a6e Mon Sep 17 00:00:00 2001
From: Mike Gilbert
Date: Wed, 17 Sep 2025 15:40:57 -0400
Subject: [PATCH] journald: do not change the kernel audit setting by default

Bug: https://bugs.gentoo.org/736910
---
 man/journald.conf.xml | 2 +-
 src/journal/journald-config.c | 2 +-
 src/journal/journald.conf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index 1a68ba8698..a9a77a51d1 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -482,7 +482,7 @@
 kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor disable it, leaving the previous state unchanged. This means if another tool turns on auditing even if systemd-journald left it off, it will still collect the generated
- messages. Defaults to on in the default journal namespace, and unset otherwise.
+ messages.
 Note that this option does not control whether systemd-journald collects generated audit records, it just controls whether it tells the kernel to generate them. If you need
diff --git a/src/journal/journald-config.c b/src/journal/journald-config.c
index dd2e29e296..4160fa2ab9 100644
--- a/src/journal/journald-config.c
+++ b/src/journal/journald-config.c
@@ -122,7 +122,7 @@ void manager_merge_configs(Manager *m) {
 MERGE_NON_NEGATIVE(read_kmsg, !m->namespace);
 /* By default, kernel auditing is enabled by the main namespace instance, and not controlled by
 * non-default namespace instances. */
- MERGE_NON_NEGATIVE(set_audit, m->namespace ? -1 : true);
+ MERGE_NON_NEGATIVE(set_audit, -1);
 MERGE_NON_ZERO(sync_interval_usec, DEFAULT_SYNC_INTERVAL_USEC);
 /* TODO: also merge them when comdline or credentials support to configure them. */
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 9a12ca7657..e42efbcf84 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
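Review bot: The comment kept directly above the changed line in journald-config.c, `/* By default, kernel auditing is enabled by the main namespace instance, and not controlled by non-default namespace instances. */`, now contradicts the code, since `MERGE_NON_NEGATIVE(set_audit, -1);` leaves the kernel audit setting untouched for every instance; replace it with `/* By default, leave the kernel audit setting as-is in every namespace instance; only an explicit Audit= changes it. */`. The man page hunk in the same commit removes the "Defaults to on in the default journal namespace, and unset otherwise." sentence without stating the new default, so the documentation no longer tells the reader that Audit= is unset by default; a sentence such as `Defaults to unset.` in its place would close that gap. Operationally, a host that previously relied on the default journald instance to switch kernel auditing on will stop receiving newly generated audit records after this change unless auditd or another component enables auditing, which is worth stating in the commit description so administrators know to check their audit configuration. manager_merge_configs() starts and ends outside the hunk.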
@@ -47,4 +47,4 @@
 #MaxLevelSocket=debug
 #LineMax=48K
 #ReadKMsg=yes
-#Audit=yes
+#Audit=
--
2.51.0