<varlistentry>
<term><varname>Audit=</varname></term>
- <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
+ <listitem><para>Takes a boolean value. If enabled <command>systemd-journald</command> will turn on
kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
- disable it, leaving the previous state unchanged. Note that this option does not control whether
- <command>systemd-journald</command> collects generated audit records, it just controls whether it
- tells the kernel to generate them. This means if another tool turns on auditing even if
- <command>systemd-journald</command> left it off, it will still collect the generated
- messages. Defaults to on.</para></listitem>
+ disable it, leaving the previous state unchanged. This means if another tool turns on auditing even
+ if <command>systemd-journald</command> left it off, it will still collect the generated
+ messages. Defaults to on.</para>
+
+ <para>Note that this option does not control whether <command>systemd-journald</command> collects
+ generated audit records, it just controls whether it tells the kernel to generate them. If you need
+ to prevent <command>systemd-journald</command> from collecting the generated messages, the socket
+ unit <literal>systemd-journald-audit.socket</literal> can be disabled and in this case this setting
+ is without effect.</para>
+ </listitem>
</varlistentry>
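Review bot: the sentence "This means if another tool turns on auditing even if systemd-journald left it off, it will still collect the generated messages" lost its antecedent when the "Note that this option does not control whether ... collects generated audit records" sentence was moved into the second paragraph, so in the first paragraph "This means" now follows "leaving the previous state unchanged", which it does not follow from. Either keep that sentence together with the "does not control ... collects" sentence in the new paragraph, or rephrase it in the first paragraph as a stand-alone statement, e.g. "Note that if another tool turns on auditing, systemd-journald will still collect the generated messages even if it left auditing off." Also, "this setting is without effect" would read better as "this setting has no effect".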
<varlistentry>
<listitem><para>Sockets and other file node paths that <command>systemd-journald</command> will
listen on and are visible in the file system. In addition to these,
<command>systemd-journald</command> can listen for audit events using <citerefentry
- project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
+ project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+ depending on whether <literal>systemd-journald-audit.socket</literal> is enabled or
+ not.</para></listitem>
</varlistentry>
</variablelist>
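Review bot: "can listen for audit events using netlink(7), depending on whether systemd-journald-audit.socket is enabled or not" is vague about which way round it goes; since the socket unit is what carries the ListenNetlink=audit configuration, state it directly, e.g. "listens for audit events using netlink(7) only if systemd-journald-audit.socket is enabled".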
enable systemd-userdbd.socket
enable systemd-pstore.service
enable systemd-boot-update.service
+enable systemd-journald-audit.socket
disable console-getty.service
disable debug-shell.service
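Review bot: enabling systemd-journald-audit.socket from the preset keeps audit collection on by default, which matches the "Defaults to on" wording in the man page, but it means the default behaviour now depends on presets being applied rather than on an install-time symlink; this is a user-visible change in how the socket gets enabled and should be described in the release notes.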
/* Unless we got *some* sockets and not audit, open audit socket */
if (s->audit_fd >= 0 || no_sockets) {
+ log_info("Collecting audit messages is enabled.");
+
r = server_open_audit(s);
if (r < 0)
return r;
- }
+ } else
+ log_info("Collecting audit messages is disabled.");
r = server_open_varlink(s, varlink_socket, varlink_fd);
if (r < 0)
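Review bot: "Collecting audit messages is enabled." is logged before server_open_audit() has run, so on the `r < 0` path the log claims audit collection is enabled although the function then fails; move the message after the success check or demote it to log_debug(). Separately, the `no_sockets` branch still opens the audit socket when journald is started without any socket activation, so in that case the new man page paragraph ("the socket unit ... can be disabled and in this case this setting is without effect") does not hold; worth either documenting or logging that case distinctly.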
'sysinit.target.wants/'],
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
- ['systemd-journald-audit.socket', '',
- 'sockets.target.wants/'],
+ ['systemd-journald-audit.socket', ''],
['systemd-journald-dev-log.socket', '',
'sockets.target.wants/'],
['systemd-journald.socket', '',
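Review bot: dropping 'sockets.target.wants/' removes the symlink that meson installed unconditionally, so after an upgrade the socket is only enabled if the preset is actually applied; on existing installations where the old symlink is removed by packaging and `systemctl preset` is not run, audit collection silently stops. Please call this out for packagers alongside the preset change.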
ReceiveBuffer=128M
ListenNetlink=audit 1
PassCredentials=yes
+
+[Install]
+WantedBy=sockets.target
+WantedBy=systemd-journald.service
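Review bot: WantedBy=systemd-journald.service pulls the socket in whenever the service starts, not only when sockets.target is reached, which is unusual for a socket unit; add a short comment in the unit explaining why the service is listed as an install target in addition to sockets.target, mirroring the comment added to systemd-journald.service, so the two units document each other.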
RestrictSUIDSGID=yes
RuntimeDirectory=systemd/journal
RuntimeDirectoryPreserve=yes
-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
+# Audit socket is not listed here because this unit can be turned off. However
+# the link between the socket and the service units is still created thanks to
+# the 'Service=' setting specified in the socket unit.
+Sockets=systemd-journald.socket systemd-journald-dev-log.socket
StandardOutput=null
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM
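Review bot: the new comment says the link is created "thanks to the 'Service=' setting specified in the socket unit", but Service= only maps the socket to this service; what makes the service pull the socket in after it is removed from Sockets= is the WantedBy=systemd-journald.service install symlink in the socket unit, so the comment should mention that as well. Also "this unit can be turned off" reads as referring to the service unit; say "the socket unit can be turned off" to avoid the ambiguity.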