diff --git a/0010-journald-disable-audit-support-completely-from-the-j.patch b/0010-journald-disable-audit-support-completely-from-the-j.patch deleted file mode 100644 index a9d3bb66..00000000 --- a/0010-journald-disable-audit-support-completely-from-the-j.patch +++ /dev/null @@ -1,80 +0,0 @@ -From aeb4ca8cf65ee8f22cf7635fea2c501c015fc906 Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Wed, 29 Jun 2016 17:55:35 +0200 -Subject: [PATCH 10/12] journald: disable audit support completely from the - journal - -This patch not only prevents journald to enable audit system -unconditionally very early at boot but also prevents it to receive -audit messages for the audit netlink and to push them into the -journal. - -The first reason is that when journald enables kernel audit, it does -not disable syscall audit (it doesn't load the audit rules), which -introduced a global performance hit. This can be minimized if audit -service is started but that's not the case for all systems. - -The second reason is that for systems where audit was disabled by -default they will suddenly have audit enabled (unless audit=0 was -already passed to the kernel command line). This means tons of audit -messages will be sent to dmesg, syslog, journal files, etc... - -Note also that audit messages are duplicated in the journal since they -are received both from kmsg and from the audit netlink. A related bug -report can be found here: -https://bugzilla.redhat.com/show_bug.cgi?id=1160046. - -This basically reverts the following upstream commits: - - - 875c2e220e2611165e09051c4747971811f1de58 - - 4d9ced9956755901238fede6fc5a3d7e4e816aa6 - -Upstream issue: -https://github.com/systemd/systemd/issues/959 - -So disable all of this for now until a better option is found or -someone comes up with a real use case. - -Also drop systemd-journald-audit.socket, indeed audit-logs-in-journal 'feature' -has been removed but the socket was still shipped and was statically -enabled. Therefore if auditd service was enabled, incoming messages could be -queued up to 128M and were never read (hence freed) by journald. - -[fbui: fixes bsc#984034] -[fbui: fixes bsc#1109252] ---- - src/journal/journald-server.c | 4 ++-- - units/meson.build | 2 -- - 2 files changed, 2 insertions(+), 4 deletions(-) - -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index 5865bf9809..14934080cd 100644 ---- a/src/journal/journald-server.c -+++ b/src/journal/journald-server.c -@@ -2384,8 +2384,8 @@ int server_init(Server *s, const char *namespace) { - if (r < 0) - return r; - -- /* Unless we got *some* sockets and not audit, open audit socket */ -- if (s->audit_fd >= 0 || no_sockets) { -+ /* Suse: disable audit messages in journal entirely. */ -+ if (false && no_sockets) { - r = server_open_audit(s); - if (r < 0) - return r; -diff --git a/units/meson.build b/units/meson.build -index dadc9432ef..a31acd3b05 100644 ---- a/units/meson.build -+++ b/units/meson.build -@@ -110,8 +110,6 @@ units = [ - 'sysinit.target.wants/'], - ['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], - ['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], -- ['systemd-journald-audit.socket', '', -- 'sockets.target.wants/'], - ['systemd-journald-dev-log.socket', '', - 'sockets.target.wants/'], - ['systemd-journald.socket', '', --- -2.26.2 - diff --git a/systemd-mini.changes b/systemd-mini.changes index d9dbd575..81b39a4e 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Thu Sep 10 12:59:54 UTC 2020 - Franck Bui + +- Rework how we prevent journald from both enabling auditd and + recording audit messages + + journald.conf gained a new setting Audit= to control whether + journald enables audit during the boot process. So let's use it and + make sure it's disabled by default by shipping a drop-in that + overrides upstream default. + + Also we used to patch systemd to prevent journald from reading the + audit messages. There's still no way for downstream to configure + that properly (we would need to mask systemd-journald-audit.socket + meaning shipping a symlink in /etc) but I think dropping + systemd-journald-audit.socket from the package is a nicer way to do + that as some users might choose to reenable this setting (by + reintroducing the socket unit in /etc). + ------------------------------------------------------------------- Thu Sep 10 09:02:13 UTC 2020 - Franck Bui diff --git a/systemd-mini.spec b/systemd-mini.spec index 88c77ae6..f7f696ea 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -173,7 +173,6 @@ Patch6: 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch Patch7: 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch Patch9: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch -Patch10: 0010-journald-disable-audit-support-completely-from-the-j.patch Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch @@ -798,6 +797,19 @@ fi # which may still be used by yast. cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map +# Create a drop-in to prevent journald from starting auditd during +# boot (bsc#984034). +mkdir -p %{buildroot}%{_prefix}/lib/systemd/journald.conf.d +cat >%{buildroot}%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf < + +- Rework how we prevent journald from both enabling auditd and + recording audit messages + + journald.conf gained a new setting Audit= to control whether + journald enables audit during the boot process. So let's use it and + make sure it's disabled by default by shipping a drop-in that + overrides upstream default. + + Also we used to patch systemd to prevent journald from reading the + audit messages. There's still no way for downstream to configure + that properly (we would need to mask systemd-journald-audit.socket + meaning shipping a symlink in /etc) but I think dropping + systemd-journald-audit.socket from the package is a nicer way to do + that as some users might choose to reenable this setting (by + reintroducing the socket unit in /etc). + ------------------------------------------------------------------- Thu Sep 10 09:02:13 UTC 2020 - Franck Bui diff --git a/systemd.spec b/systemd.spec index 71f753ff..bd35fc30 100644 --- a/systemd.spec +++ b/systemd.spec @@ -171,7 +171,6 @@ Patch6: 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch Patch7: 0007-networkd-make-network.service-an-alias-of-systemd-ne.patch Patch8: 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch Patch9: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch -Patch10: 0010-journald-disable-audit-support-completely-from-the-j.patch Patch11: 0011-core-disable-session-keyring-per-system-sevice-entir.patch Patch12: 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch @@ -796,6 +795,19 @@ fi # which may still be used by yast. cat %{S:14} >>%{buildroot}%{_datarootdir}/systemd/kbd-model-map +# Create a drop-in to prevent journald from starting auditd during +# boot (bsc#984034). +mkdir -p %{buildroot}%{_prefix}/lib/systemd/journald.conf.d +cat >%{buildroot}%{_prefix}/lib/systemd/journald.conf.d/20-suse-defaults.conf <