7 Feb 2025 |
raitobezarius | thanks arian! | 13:58:27 |
Arian | Container Optimized OS (That thing from Google) has journal audit enabled and auditd disabled but has no kmesg log-sam | 14:56:17 |
Arian | I have the feeling they might ship a kernel patch for that or something | 14:56:32 |
Arian | * | 14:59:54 |
raitobezarius | auditd disabled but journal audit? | 16:54:04 |
raitobezarius | weird | 16:54:08 |
Arian | you mean their setup is weird? | 16:56:48 |
raitobezarius | ye | 16:58:36 |
ElvishJerricco | Arian: So I'm completely unfamiliar with how this audit stuff works. Is there anything we need to do in stage 1 for this? Like do we need to ensure that stage 1 journald does or doesn't enable auditing or something? | 17:58:09 |
Arian | I think the whole idea of journald enabling auditing is broken and should be ignored | 17:58:36 |
Arian | hence defaulting it to not doing anything | 17:58:48 |
ElvishJerricco | sure | 17:58:54 |
ElvishJerricco | but if upstream defaults to true, then we need to disable it in stage 1, right? | 17:59:41 |
Arian | if stage-1 doesn’t have auditing enabled (doesn’t ship auditd; and also journald doesn’t enable it) then the audit logs will just buffer in a kernel buffer | 17:59:44 |
Arian | yeh good point. but I don’t think we ship the socket in stage-1 which means the whole functionality is disabled | 18:00:03 |
ElvishJerricco | ah ok that'll do then | 18:00:15 |
Arian | I can fix that too; but then will also have to default Audit=null in the stage-1 kernel config | 18:00:29 |
ElvishJerricco | yea best leave stage 1 out of it entirely if we can | 18:00:45 |
Arian | how is the stage-1 journal configured anyway? if at all? | 18:00:50 |
ElvishJerricco | it's not :P | 18:00:56 |
Arian | then I suggest we just don’t ship the socket in stage-1 | 18:01:11 |
ElvishJerricco | though I think there's an open issue about maybe duplicating the stage 2 config in stage 1 | 18:01:15 |
Arian | (which I think is already the case today?) | 18:01:30 |
ElvishJerricco | Yea, I think we currently don't ship that socket and I agree we probably shouldn't | 18:01:47 |
ElvishJerricco | so no action required, it seems | 18:02:15 |
Arian | good callout though | 18:02:24 |