Bug 1160046 - RFE: If no audit daemon is running, but an audit multicast subscriber is around, then the kernel shouldn't forward audit data to kmsg
Status: NEW
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Assignee: Richard Guy Briggs
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-11-03 22:25 UTC by Lennart Poettering
Modified: 2020-11-10 09:56 UTC

Type: Bug

Links: Red Hat Bugzilla 1227379 (status CLOSED): Audit events in /var/log/messages, last updated 2023-03-24 13:34:40 UTC

Description Lennart Poettering 2014-11-03 22:25:38 UTC
As discussed with Eric Paris: currently, if no auditd is around but an audit multicast subscriber is (such as journald from git), the kernel still pushes all log messages into the kernel log buffer. This has the effect that journald sees every message twice unless auditd is running: once via kmsg and once via netlink.

Comment 1 David Rheinsberg 2014-12-31 12:41:39 UTC
Proposed fix is available on LKML:
http://thread.gmane.org/gmane.linux.kernel/1857321

Comment 2 Richard Guy Briggs 2014-12-31 16:22:31 UTC
I am dubious this problem actually can be solved at the kernel level.  The multicast read-only socket was intended as a non-reliable delivery mechanism, so I don't see that detecting a multicast listener is sufficient grounds to stop writing to klog.  I would prefer to have userspace determine if the messages are equivalent and toss the duplicates.  If anything, I might make that a configurable option.

Comment 3 Eric Paris 2014-12-31 22:44:20 UTC
Feels to me like a 'disable klog' audit command (AUDIT_SET) would work.  systemd could handle that when it starts its mcast listener...

dedup in userspace is a bad/really hard idea. This patch works wonderfully today, since systemd is the only known multicast listener and you are going to get the data in the same places, but I'm not sure it's appropriate for every potential mcast listener...
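
The duplication described in the report (every record arrives once via /dev/kmsg and once via the audit netlink multicast group while no auditd is running) and the userspace deduplication Richard proposes in comment 2, as an added Python example; it is not journald code, not the LKML patch, and not part of this bug. It parses constructed records in both forms: the klog copy, which /dev/kmsg delivers as `<prio>,<seq>,<usec>,<flags>;audit: type=<N> audit(<sec>.<ms>:<serial>): <body>`, and the multicast copy, whose payload is only `audit(<sec>.<ms>:<serial>): <body>` with the record type carried in nlmsg_type. The sample records, the serials and the window size are constructed; the type numbers 1130, 1300 and 1302 are AUDIT_SERVICE_START, AUDIT_SYSCALL and AUDIT_PATH.

```python
import re
from collections import OrderedDict
from typing import Iterable, List, Optional, Tuple

# Constructed example, not journald or kernel code: merge audit records a collector
# receives twice (from /dev/kmsg and from the audit netlink multicast group).

# /dev/kmsg record: "<prio>,<seq>,<usec>,<flags>;audit: type=<N> audit(<sec>.<ms>:<serial>): <body>"
KMSG_AUDIT_RE = re.compile(
    r"^\d+,\d+,\d+,[^;]*;audit: type=(?P<type>\d+) "
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# Multicast payload: the type is in nlmsg_type, the text is "audit(<sec>.<ms>:<serial>): <body>"
NETLINK_AUDIT_RE = re.compile(r"^audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")

Record = Tuple[str, int, int, str]  # (timestamp, serial, record type, body)


def parse_kmsg(line: str) -> Optional[Record]:
    """Audit record carried by one /dev/kmsg line, or None for an ordinary kernel message."""
    m = KMSG_AUDIT_RE.match(line)
    if m is None:
        return None
    return (m["ts"], int(m["serial"]), int(m["type"]), m["body"].strip())


def parse_netlink(nlmsg_type: int, payload: str) -> Optional[Record]:
    """Audit record from one multicast message; the type comes from the netlink header."""
    m = NETLINK_AUDIT_RE.match(payload.strip())
    if m is None:
        return None
    return (m["ts"], int(m["serial"]), nlmsg_type, m["body"].strip())


class AuditDeduper:
    """Remember recently seen records and reject a second copy from the other channel.

    The key is the whole record, not just the serial: one event (e.g. SYSCALL + PATH)
    yields several records sharing a serial, and all of them must be kept. The window
    (an assumed bound on how far the two channels can lag each other) keeps memory flat.
    """

    def __init__(self, window: int = 4096) -> None:
        self.window = window
        self._seen: "OrderedDict[Record, None]" = OrderedDict()

    def accept(self, rec: Record) -> bool:
        if rec in self._seen:
            return False  # already delivered via the other channel
        self._seen[rec] = None
        if len(self._seen) > self.window:
            self._seen.popitem(last=False)  # forget the oldest record
        return True


def merge(events: Iterable[tuple]) -> Tuple[List[Record], int]:
    """Consume an interleaved stream of ("kmsg", line) and ("netlink", type, payload)
    items; return unique audit records in arrival order plus the number of duplicates."""
    dd = AuditDeduper()
    kept: List[Record] = []
    dropped = 0
    for ev in events:
        rec = parse_kmsg(ev[1]) if ev[0] == "kmsg" else parse_netlink(ev[1], ev[2])
        if rec is None:
            continue  # non-audit kernel message or unparseable payload
        if dd.accept(rec):
            kept.append(rec)
        else:
            dropped += 1
    return kept, dropped


# --- constructed sample traffic: each audit record arrives on both channels ---
BODY_45 = ("pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-journald "
           "comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=success'")
BODY_46_SYSCALL = "arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=412 comm=\"modprobe\" exe=\"/usr/bin/kmod\""
BODY_46_PATH = "item=0 name=\"/usr/bin/kmod\" inode=1234 dev=fd:01 mode=0100755"


def kmsg(seq: int, usec: int, ntype: int, ts: str, serial: int, body: str) -> tuple:
    return ("kmsg", f"6,{seq},{usec},-;audit: type={ntype} audit({ts}:{serial}): {body}")


def netlink(ntype: int, ts: str, serial: int, body: str) -> tuple:
    return ("netlink", ntype, f"audit({ts}:{serial}): {body}")


SAMPLE_EVENTS = [
    kmsg(210, 4123456, 1130, "1415054738.123", 45, BODY_45),  # AUDIT_SERVICE_START via klog
    netlink(1130, "1415054738.123", 45, BODY_45),  # same record via multicast
    ("kmsg", "6,211,4130000,-;random: nonblocking pool is initialized"),  # not audit
    netlink(1300, "1415054738.200", 46, BODY_46_SYSCALL),  # AUDIT_SYSCALL
    netlink(1302, "1415054738.200", 46, BODY_46_PATH),  # AUDIT_PATH, same serial as above
    kmsg(212, 4200000, 1300, "1415054738.200", 46, BODY_46_SYSCALL),
    kmsg(213, 4200001, 1302, "1415054738.200", 46, BODY_46_PATH),
]

if __name__ == "__main__":
    unique, dups = merge(SAMPLE_EVENTS)
    for ts, serial, ntype, body in unique:
        print(f"type={ntype} audit({ts}:{serial}): {body[:40]}...")
    print(f"{len(unique)} unique records, {dups} duplicates dropped")
```

Run stand-alone it keeps three records out of six audit lines and drops three. The SYSCALL and PATH records share serial 46, so keying on the serial alone would silently lose the PATH record; that, plus choosing a lag window, is the kind of detail behind the "really hard" objection in comment 3.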

Comment 4 Paul Moore 2015-01-05 16:00:04 UTC
Once we resolve these last few serious outstanding bugs I'm going to be taking a long, hard look at the kernel's audit API (it's a terrible mess) and I'm considering delaying patches like this until after we fix the API (or perhaps as part of the API changes).

Comment 5 Jaroslav Reznik 2015-03-03 16:27:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and the reason for this action are here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 6 Adam Williamson 2015-04-17 01:15:07 UTC
Is this why some F22 systems seem to have their journals loaded with audit log spam?

Comment 7 Zbigniew Jędrzejewski-Szmek 2015-04-17 01:28:51 UTC
No. This bug is about audit messages appearing twice in the journal in early boot: once through kmsg and second time through netlink. Normally audit is started somewhere in the boot process and messages stop being duplicated in the journal, although they are duplicated between /var/log/audit/audit.log and the journal. I'd guess that what you consider audit log spam is normal audit logs.

Comment 8 Adam Williamson 2015-04-17 01:53:12 UTC
[adamw@adam SPECS]$ sudo journalctl -b | grep audit | wc -l
[sudo] password for adamw: 
2138
[adamw@adam SPECS]$ uptime
 18:53:05 up  6:58,  1 user,  load average: 1.54, 1.34, 1.26

Comment 9 Sitsofe Wheeler 2015-08-01 10:13:09 UTC
Adam:
My crude understanding is that systemd enables auditing unconditionally (http://lists.freedesktop.org/archives/systemd-devel/2014-December/026591.html found via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773528 ) so the only way to stop audit messages being in the *journal* logs would be to disable auditing on the kernel command line... If people want to know how to stop systemd audit messages it would need to be in a separate bug (ideally referenced from this one).

Comment 10 Justin M. Forbes 2015-10-20 19:31:35 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs.

Fedora 22 has now been rebased to 4.2.3-200.fc22.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23.

If you experience different issues, please open a new bug report for those.

Comment 11 Paul Moore 2015-10-20 21:37:37 UTC
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.

Comment 12 Richard Guy Briggs 2018-11-26 22:00:05 UTC
(In reply to David Herrmann from comment #1)
> Proposed fix is available on LKML:
> http://thread.gmane.org/gmane.linux.kernel/1857321

Link busted...  https://lkml.org/lkml/2014/12/31/99

Comment 13 Richard Guy Briggs 2018-11-26 22:14:09 UTC
Created issue upstream: https://github.com/linux-audit/audit-kernel/issues/102
