-rw-r--r-- | man/journald.conf.xml | 17 | ||||
-rw-r--r-- | man/systemd-journald.service.xml | 4 | ||||
-rw-r--r-- | presets/90-systemd.preset | 1 | ||||
-rw-r--r-- | src/journal/journald-server.c | 5 | ||||
-rw-r--r-- | units/meson.build | 3 | ||||
-rw-r--r-- | units/systemd-journald-audit.socket | 4 | ||||
-rw-r--r-- | units/systemd-journald.service.in | 5 |
7 files changed, 28 insertions, 11 deletions
diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index 24cee4c8b2..50c33e4792 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -423,13 +423,18 @@
 
         <varlistentry>
         <term><varname>Audit=</varname></term>
-        <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
+        <listitem><para>Takes a boolean value. If enabled <command>systemd-journald</command> will turn on
         kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
-        disable it, leaving the previous state unchanged. Note that this option does not control whether
-        <command>systemd-journald</command> collects generated audit records, it just controls whether it
-        tells the kernel to generate them. This means if another tool turns on auditing even if
-        <command>systemd-journald</command> left it off, it will still collect the generated
-        messages. Defaults to on.</para></listitem>
+        disable it, leaving the previous state unchanged. This means if another tool turns on auditing even
+        if <command>systemd-journald</command> left it off, it will still collect the generated
+        messages. Defaults to on.</para>
+
+        <para>Note that this option does not control whether <command>systemd-journald</command> collects
+        generated audit records, it just controls whether it tells the kernel to generate them. If you need
+        to prevent <command>systemd-journald</command> from collecting the generated messages, the socket
+        unit <literal>systemd-journald-audit.socket</literal> can be disabled and in this case this setting
+        is without effect.</para>
+        </listitem>
         </varlistentry>
 
         <varlistentry>
diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml
index 8fa864473d..6b0fb3137c 100644
--- a/man/systemd-journald.service.xml
+++ b/man/systemd-journald.service.xml
@@ -332,7 +332,9 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
         <listitem><para>Sockets and other file node paths that <command>systemd-journald</command> will
         listen on and are visible in the file system. In addition to these, <command>systemd-journald</command> can
         listen for audit events using <citerefentry
-        project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
+        project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+        depending on whether <literal>systemd-journald-audit.socket</literal> is enabled or
+        not.</para></listitem>
         </varlistentry>
         </variablelist>
 
diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
index 25936d8f57..2b8db9d476 100644
--- a/presets/90-systemd.preset
+++ b/presets/90-systemd.preset
@@ -24,6 +24,7 @@ enable systemd-homed.service
 enable systemd-userdbd.socket
 enable systemd-pstore.service
 enable systemd-boot-update.service
+enable systemd-journald-audit.socket
 
 disable console-getty.service
 disable debug-shell.service
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index b59f42c4b8..c1fc5a8da9 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2504,10 +2504,13 @@ int server_init(Server *s, const char *namespace) {
 
         /* Unless we got *some* sockets and not audit, open audit socket */
         if (s->audit_fd >= 0 || no_sockets) {
+                log_info("Collecting audit messages is enabled.");
+
                 r = server_open_audit(s);
                 if (r < 0)
                         return r;
-        }
+        } else
+                log_info("Collecting audit messages is disabled.");
 
         r = server_open_varlink(s, varlink_socket, varlink_fd);
         if (r < 0)
diff --git a/units/meson.build b/units/meson.build
index 79e2935a50..69197f0c47 100644
--- a/units/meson.build
+++ b/units/meson.build
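Review bot: In the journald-server.c hunk the "Collecting audit messages is enabled." line is logged before server_open_audit() has run, so the message reflects the intent rather than the outcome; if that helper can return 0 without leaving an audit fd behind (its body is outside this hunk, so I cannot confirm that from here), the journal would state that collection is enabled while no audit socket is actually open, which is exactly the kind of false reassurance an operator checking their audit trail does not want. Logging once after the `if` block, keyed on the resulting state, avoids both that and the brace-less `else` branch: drop the two added `log_info()` calls and place `log_info("Collecting audit messages is %s.", s->audit_fd >= 0 ? "enabled" : "disabled");` after the closing `}` of the `if`. If the distinction between "socket not passed in" and "open attempt did not yield a socket" matters for diagnostics, keep the `else` message but still gate the "enabled" one on `s->audit_fd >= 0` after the call. server_init() begins and continues outside the hunk.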
@@ -123,8 +123,7 @@ units = [
          'sysinit.target.wants/'],
         ['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
         ['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
-        ['systemd-journald-audit.socket', '',
-         'sockets.target.wants/'],
+        ['systemd-journald-audit.socket', ''],
         ['systemd-journald-dev-log.socket', '',
          'sockets.target.wants/'],
         ['systemd-journald.socket', '',
diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket
index f0c0aebc86..cf9b6e8b84 100644
--- a/units/systemd-journald-audit.socket
+++ b/units/systemd-journald-audit.socket
@@ -20,3 +20,7 @@ Service=systemd-journald.service
 ReceiveBuffer=128M
 ListenNetlink=audit 1
 PassCredentials=yes
+
+[Install]
+WantedBy=sockets.target
+WantedBy=systemd-journald.service
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 38ba3e2856..ece872c770 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -38,7 +38,10 @@ RestrictRealtime=yes
 RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/journal
 RuntimeDirectoryPreserve=yes
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+# Audit socket is not listed here because this unit can be turned off. However
+# the link between the socket and the service units is still created thanks to
+# the 'Service=' setting specified in the socket unit.
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket
 StandardOutput=null
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
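Review bot: Removing the `sockets.target.wants/` entry for `systemd-journald-audit.socket` turns the audit socket from enabled-at-install into enabled-by-preset, and the matching `enable` line in `presets/90-systemd.preset` only takes effect where presets are applied; on a system upgraded to this build without a preset run the socket would stay disabled and audit records would silently stop reaching the journal. That is inferred from the two hunks together rather than visible in either, but an audit-trail gap that appears only after an upgrade is hard to notice, so the commit message or NEWS should tell packagers to apply the preset for this unit on upgrade. The new `[Install]` section in `systemd-journald-audit.socket` and the comment added in `systemd-journald.service.in` are consistent with the intended wiring; the `journald-server.c` log line is what makes the resulting state observable, so it is worth keeping accurate.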