Bug 1460459

Summary: audit info logged twice
Product: Fedora
Component: audit
Version: 25
Status: CLOSED NOTABUG
Reporter: Peter Backes <rtc>
Assignee: Steve Grubb <sgrubb>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: sgrubb
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2017-09-29 14:51:06 UTC

Description Peter Backes 2017-06-10 22:00:18 UTC
Description of problem:
By default, systemd logs audit info to the journal, see systemd-journald-audit.socket(8).

Now, when I install audit, it enables auditd.service by default. This runs auditd, which is configured by default in /etc/audit/auditd.conf to log audit info to /var/log/audit/audit.log.

Thus, effectively, audit info is logged twice.

auditd is required for audispd, which is required for setroubleshoot to work.

Version-Release number of selected component (if applicable):
audit-2.7.6-1.fc25.i686

How reproducible:
always

Steps to Reproduce:
1. install auditd

Actual results:
audit info logged to journal as well as /var/log/audit/audit.log

Expected results:
only one location logged to.

Comment 1 Peter Backes 2017-06-10 23:19:09 UTC
There is some discussion at bug 1227379, though it complains about /var/log messages, not journal vs. audit.log.

Comment 2 Steve Grubb 2017-06-12 00:34:58 UTC
So, what is the problem? Auditd is designed to collect and handle audit information and journald has no business doing that. If the author of journald decided on behalf of everyone that they want to waste your disk space, isn't that where the bug belongs?

Comment 3 Peter Backes 2017-06-13 20:55:44 UTC
I'm just seeing that it is logged twice after audit is installed. Whether it should be only audit or only journald that is logging I cannot say. Feel free to assign the bug to systemd if you think that this will solve the problem.

Comment 4 Steve Grubb 2017-06-13 20:59:27 UTC
Hello. One thing that you can do to fix it on your machine is to edit /etc/audit/auditd.conf. Set write_logs = no. Then restart auditd using the service command. This will make the events available to setroubleshoot and without writing anything to disk.

Comment 5 Peter Backes 2017-06-15 22:11:42 UTC
poettering says on https://github.com/systemd/systemd/issues/959 "Audit can be potentially useful, and we should centralize it by default in the journal." So should perhaps write_logs = no be the default? Another option would be to execute systemctl mask --now systemd-journald-audit.socket; systemctl restart systemd-journald.service in postinstall and systemctl unmask systemd-journald-audit.socket; systemctl restart systemd-journald.service in preuninstall.
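A small script covering the two options raised in Comment 4 and Comment 5: it reports which of the two sinks (auditd's log file, journald's audit socket) would receive events, and applies the write_logs = no change from Comment 4 to a config file without clobbering the rest of it. This is an added example, not code from the bug report or from the audit project; it assumes Fedora's "key = value" auditd.conf layout and takes the socket state as an argument so the check itself runs offline.

```shell
#!/bin/sh
# Added example for bug 1460459 (not part of the report or of audit itself).
# Assumes auditd.conf uses "key = value" lines, as Fedora's default does.

# Print the effective write_logs value from an auditd.conf-style file.
# auditd.conf(5) documents the default as "yes" when the key is absent,
# so a missing key reports yes. Commented-out keys are ignored.
auditd_write_logs() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*write_logs[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val" | tr 'A-Z' 'a-z'
    else
        echo yes
    fi
}

# Classify the logging setup. $2 is the state of systemd-journald-audit.socket,
# "active" or "inactive" (what `systemctl is-active` prints), passed in so the
# function can be exercised on a test file without systemd present.
audit_sinks() {
    conf="$1"; socket="$2"
    disk=$(auditd_write_logs "$conf")
    if [ "$disk" = yes ] && [ "$socket" = active ]; then
        echo duplicate        # both /var/log/audit/audit.log and the journal
    elif [ "$disk" = yes ]; then
        echo auditd-only      # socket masked, as Comment 5 proposes
    elif [ "$socket" = active ]; then
        echo journal-only     # write_logs = no, as Comment 4 proposes
    else
        echo none             # nothing persisted; setroubleshoot still works
    fi
}

# Apply Comment 4's fix to a config file: rewrite an existing write_logs line
# in place, or append one. Uses a temp file instead of sed -i for portability.
set_write_logs_no() {
    conf="$1"
    if grep -q '^[[:space:]]*write_logs[[:space:]]*=' "$conf"; then
        sed 's/^\([[:space:]]*write_logs[[:space:]]*=[[:space:]]*\).*/\1no/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        echo 'write_logs = no' >> "$conf"
    fi
}

# Report on the real host when run there; skipped where audit/systemd are absent.
if [ -r /etc/audit/auditd.conf ] && command -v systemctl >/dev/null 2>&1; then
    state=$(systemctl is-active systemd-journald-audit.socket 2>/dev/null || true)
    echo "audit sinks on this host: $(audit_sinks /etc/audit/auditd.conf "$state")"
fi
```

After `set_write_logs_no`, auditd must be restarted for the change to take effect, as Comment 4 notes.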

Comment 6 Steve Grubb 2017-09-28 02:32:14 UTC
Unless there is a good reason to keep this open, I will close it as not a bug. None of the audit tools work against the journal, so Lennart's suggestion is a non-starter.

Comment 7 Steve Grubb 2017-09-29 14:51:06 UTC
Thanks for reporting this issue. I don't think there is anything I can do here. Audit tooling does not work against the journal.