I've found that audit is enabled on my system after the update to systemd-246. After research, I've found that it is enabled by journald by default, and can be disabled by Audit=no in journald.conf. It is a regression from Gentoo systemd-245, as previous ebuilds disabled audit using gentoo-Dont-enable-audit-by-default.patch. So, I think that the default behavior should remain the same: audit is not enabled by journald, and only enabled by the user, if needed.
I would prefer not to carry that patch any longer. Is enabling audit by default harmful in some way?
Hmm, the journald man page seems to send conflicting messages:

Audit= Takes a boolean value. If enabled systemd-journal will turn on kernel auditing on start-up. If disabled it will turn it off. ***If unset*** it will ***neither enable nor disable it***, leaving the previous state unchanged. Note that this option does not control whether systemd-journald collects generated audit records, it just controls whether it tells the kernel to generate them. This means if another tool turns on auditing even if systemd-journald left it off, it will still collect the generated messages. ***Defaults to on.***

So, how can it be unset, and also default to "on"? Maybe this warrants an issue upstream?
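The comments above turn on what value Audit= actually takes: unset (journald leaves the kernel alone), an explicit yes, or an explicit no. The script below is an added example, not code from this bug or from systemd; it resolves the effective Audit= value the way systemd's config loader merges files (main journald.conf first, then journald.conf.d/*.conf drop-ins in lexicographic order, last assignment wins, empty assignment resets to unset) and writes a drop-in that disables it. The ROOT prefix and the demo files are constructed so it runs against a scratch tree instead of the real /etc; the file name 10-audit.conf is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not part of the bug report or of systemd itself).
# Resolve the effective value of a journald.conf setting across the main
# file and its drop-ins, and override Audit= via a drop-in.

# effective_journald_setting KEY [ROOT]
# Prints the last value assigned to KEY, or "unset" if no file assigns it.
# ROOT is a hypothetical prefix (e.g. a scratch directory) so that the
# example does not read the real /etc. Section headers are ignored because
# journald.conf has only the [Journal] section.
effective_journald_setting() {
    key="$1"
    root="${2:-}"
    main="$root/etc/systemd/journald.conf"
    dropdir="$root/etc/systemd/journald.conf.d"
    value="unset"
    # Shell glob expansion is sorted, which matches systemd's lexicographic
    # drop-in order; the main file is read before any drop-in.
    for f in "$main" "$dropdir"/*.conf; do
        [ -f "$f" ] || continue
        # Commented lines such as "#Audit=yes" do not start with the key,
        # so they never match.
        if grep -q "^[[:space:]]*$key[[:space:]]*=" "$f"; then
            v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" \
                | tail -n 1 | sed 's/[[:space:]]*$//')
            if [ -n "$v" ]; then
                value="$v"
            else
                # An empty assignment ("Audit=") resets the option to unset.
                value="unset"
            fi
        fi
    done
    printf '%s\n' "$value"
}

# write_audit_dropin [ROOT] [VALUE]
# Creates a drop-in that sets Audit= (default: no). A drop-in survives a
# package upgrade that replaces /etc/systemd/journald.conf.
write_audit_dropin() {
    root="${1:-}"
    val="${2:-no}"
    dropdir="$root/etc/systemd/journald.conf.d"
    mkdir -p "$dropdir"
    printf '[Journal]\nAudit=%s\n' "$val" > "$dropdir/10-audit.conf"
}

# Demo against a constructed scratch tree: the shipped main file keeps
# Audit commented out, so the option starts unset.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/systemd"
    printf '[Journal]\n#Audit=yes\n' > "$root/etc/systemd/journald.conf"
    echo "before: Audit=$(effective_journald_setting Audit "$root")"
    write_audit_dropin "$root" no
    echo "after:  Audit=$(effective_journald_setting Audit "$root")"
    rm -rf "$root"
}
demo
```

On a real host, run write_audit_dropin with an empty ROOT, then `systemctl restart systemd-journald`; `systemd-analyze cat-config systemd/journald.conf` shows the merged configuration so you can confirm which file's Audit= line wins.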
Good point, but it will not be fixed in the current version... Anyway, I'll create a bug upstream.
Here it is https://github.com/systemd/systemd/issues/16720
I also wondered why my dmesg was so polluted... I disabled it... but I am unsure what advantage upstream sees in keeping it enabled with so much spam. That way it is hard to detect a real error :/
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f7665c563412f6cdd8a4ba4bc918ecc2b983d08

commit 3f7665c563412f6cdd8a4ba4bc918ecc2b983d08
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-08-22 01:43:09 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-08-22 01:55:45 +0000

sys-apps/systemd: do not change the kernel audit setting by default

Closes: https://bugs.gentoo.org/736910
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

sys-apps/systemd/files/gentoo-journald-audit.patch | 40 ++++++++++++++++++++++
...ystemd-245.7.ebuild => systemd-245.7-r1.ebuild} | 1 +
.../{systemd-246.ebuild => systemd-246-r1.ebuild} | 1 +
sys-apps/systemd/systemd-9999.ebuild | 1 +
4 files changed, 43 insertions(+)