On Mon, 26 Jun 2023 12:51:18 +0100 Luca Boccassi <bl...@debian.org> wrote: > On Sat, 24 Jun 2023 00:38:16 -0700 Josh Triplett > <j...@joshtriplett.org> wrote: > > Package: systemd > > Version: 253-3 > > Severity: normal > > X-Debbugs-Cc: j...@joshtriplett.org > > > > The NEWS.Debian for the latest version of systemd mentions no longer > > disabling audit, and relying on the audit socket being disabled by > > default. However, despite that, upgrading systemd seems to have > enabled > > the audit socket unit: > > > > ~$ systemctl | grep audit > > systemd-journald-audit.socket loaded active running Journal > Audit Socket > > > > And there are a pile of audit messages in dmesg and the journal, > > drowning out other messages. > > > > I checked, and no units have Audit=yes, nor does anything appear to > > depend on systemd-journald-audit.socket, nor is > > systemd-journald-audit.socket included in sockets.target.wants. > > Turns out we overlooked one thing - systemd-journald.service lists the > audit socket under Sockets=, but that adds an implicit Wants, so > effectively it is always activated automatically.
This *seems* like it may have been triggered by the upgrade, specifically. Immediately after that upgrade, when systemd reloaded, I got this message: > Jun 24 00:24:10 o systemd-journald[237141]: Collecting audit messages is > enabled. But on a fresh boot, I get: > Jun 24 11:57:29 o systemd-journald[528]: Collecting audit messages is > disabled. Does that help?
