I. Current environment
Kylin Linux Advanced Server
release V10 (SP1) /(Tercel)-aarch64-Build04/20200711
Kylin Linux Advanced Server
release V10 (SP1) /(Tercel)-aarch64-Build20/20210518
II. Problem description
CentOS: with the audit service running, audit records are written only to /var/log/audit/audit.log.
Kylinos: with the audit service running, audit records are written to both /var/log/messages and /var/log/audit/audit.log.
openEuler has the same problem.
III. Analysis
1. Analysis shows that the kernel audit subsystem communicates with user space over netlink.
As shown in the figure below.
2. Downloading the systemd 243 source shows that it connects to the kernel's audit netlink socket.
3. Downloading the source of the matching audit service version shows that it also connects to the kernel's audit netlink socket.
4. As shown in the figure below, Kylin V10 SP1 20200711 is on the left and CentOS 8 on the right; Kylin V10 (SP1) has an extra systemd-journald-audit.socket.
5. After deleting /usr/lib/systemd/system/systemd-journald-audit.socket, audit records are no longer saved to /var/log/messages.
6. Analysis shows this is a systemd problem: systemd-journald.service records audit messages, and once the auditd service is started it records them as well, so every audit record is logged twice.
7. Searching the available material turned up the patch below, which resolves the problem.
From 7a650ee8d3faf79fd5ef866b69741880a3a42b8d Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Thu, 2 May 2019 14:11:54 +0200
Subject: [PATCH] journal: don't enable systemd-journald-audit.socket
by default
Resolves: #1699287
---
units/meson.build | 3 +--
units/systemd-journald.service.in | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index 4eb09a3..ccea8a6 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -110,8 +110,7 @@ units = [
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
+ ['systemd-journald-audit.socket', ''],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
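Review bot: this hunk only drops the `sockets.target.wants/` install symlink, so the socket unit is still shipped but no longer enabled on fresh installs; the commit message should say so explicitly and state that the previous behaviour is restored with `systemctl enable systemd-journald-audit.socket`. It should also note that an installation which already enabled the socket under /etc keeps its own symlink and is not affected by this change, and that kernel audit messages stop appearing in the journal by default, which is a visible behaviour change for anyone reading them through journalctl.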
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 0cb1bfa..fa7348a 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -34,7 +34,7 @@ RestrictRealtime=yes
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/journal
RuntimeDirectoryPreserve=yes
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket
StandardOutput=null
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
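Review bot: removing `systemd-journald-audit.socket` from `Sockets=` is consistent with the meson change, but it changes what an administrator gets when re-enabling the socket later: journald then depends only on the socket unit's own link to the service to receive the descriptor. The commit message should state whether enabling the socket alone is enough to restore audit collection or whether a drop-in re-adding it to `Sockets=` is also needed, and the journald documentation that describes the audit socket should be updated in the same commit.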
--
2.23.0
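A check for the configuration state described in the analysis above, written as an added example (not part of the original analysis or of systemd): it reports whether journald is still wired to the audit socket at the two points the patch touches (the `Sockets=` line and the `sockets.target.wants/` symlink) and, combined with the auditd state, whether the duplicate-logging condition exists. The `ROOT` prefix argument is an assumption so the checks can run against a copied tree or a constructed fixture instead of the live system.

```shell
#!/bin/sh
# Added example, not part of the original analysis: report whether a host is
# still in the "journald and auditd both collect audit" configuration fixed by
# the patch above. ROOT is a hypothetical prefix so the checks can run against
# a copied tree or a fixture instead of the live /.

# Does the journald service unit still name the audit socket in Sockets=?
# Prints "listed" or "not-listed". $1 = path of systemd-journald.service.
journald_sockets_has_audit() {
    sockets=$(sed -n 's/^[[:space:]]*Sockets=//p' "$1" | tr '\n' ' ')
    case " $sockets " in
        *" systemd-journald-audit.socket "*) echo listed ;;
        *) echo not-listed ;;
    esac
}

# Is the socket pulled in by a sockets.target.wants/ symlink under ROOT ($1)?
# Both the vendor (/usr/lib) and the admin (/etc) locations are checked,
# because an admin-side symlink survives a package update.
journald_audit_socket_enabled() {
    for d in "$1/etc/systemd/system" "$1/usr/lib/systemd/system"; do
        p="$d/sockets.target.wants/systemd-journald-audit.socket"
        if [ -e "$p" ] || [ -L "$p" ]; then echo enabled; return 0; fi
    done
    echo disabled
}

# Verdict: "duplicate" when journald is wired to audit and auditd is active,
# "journald-only", "auditd-only" or "none" otherwise. The auditd state is
# passed in as $3 (e.g. "$(systemctl is-active auditd)") so it runs offline.
audit_logging_verdict() {
    listed=$(journald_sockets_has_audit "$1")
    enabled=$(journald_audit_socket_enabled "$2")
    if [ "$listed" = listed ] || [ "$enabled" = enabled ]; then
        [ "$3" = active ] && echo duplicate || echo journald-only
    else
        [ "$3" = active ] && echo auditd-only || echo none
    fi
}

# Constructed fixture mirroring the unpatched unit shown in the patch above.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/lib/systemd/system/sockets.target.wants"
: > "$demo_root/usr/lib/systemd/system/sockets.target.wants/systemd-journald-audit.socket"
printf '[Service]\nSockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket\n' \
    > "$demo_root/systemd-journald.service"
echo "fixture verdict: $(audit_logging_verdict "$demo_root/systemd-journald.service" "$demo_root" active)"
rm -rf "$demo_root"
```

On a live host, pass `/` (or an empty string) as ROOT and `$(systemctl is-active auditd)` as the third argument; a `duplicate` verdict means both collectors are still configured.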