The audit daemon loaded the rules in the past. But eventually it was noticed
that there was a problem where system events that were of interest occurred
before auditd could start. Splitting them allows the rules to load sooner so
the events are waiting when auditd registers with the kernel.
The secondary effect of this split is that some people may be satisfied with
audit events in journald. This would let them have auditing without having to
install auditd and its man pages and utilities. It certainly won't have search
and report capabilities. But they may be offloading events to a central SIEM
and don't care.
https://bugzilla.redhat.com/show_bug.cgi?id=2258520
Signed-off-by: Stephen Gallagher sgallagh@redhat.com