Networkmanager without auditd?

GaVenga · 15 November 2025 16:06

Auditd is a dependency of networkmanager
BUT not needed (?)
What about to change auditd to optional dependecy?
Reason (journald):
(NetworkManager[894]: <error> [1763220495.4485] audit: failed to open auditd socket: Protocol not supported)

Aragorn · 15 November 2025 16:41

It’s required by a lot more than NetworkManager. It’s also a requirement for systemd, dbus, shadow, and several other packages.

Nachlese · 15 November 2025 17:31

As far as I know, it is only a make dependency (has to be present when the package is built).

I have disabled the audit framework since like forever, with the kernel command line parameter:
audit=0

Audit framework - ArchWiki

GaVenga · 16 November 2025 09:42

Me too.
Additionally I masked “all (3)” entries in (system) systemd.
The protocol entry still appears (sometimes) - netsearch says “ignore this”;
I’m not clear on what caused the message, or whether it’s truly harmless.
Or are the aliens/allies curious?

Nachlese · 16 November 2025 10:41

this is all I see in my logs

journalctl -b0 | grep audit
Nov 16 11:28:14 jo-xfce kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.12-x86_64 root=UUID=4c28c9c0-39c7-4aac-830f-034e92278642 rw mitigations=off quiet udev.log_priority=3 audit=0
Nov 16 11:28:14 jo-xfce kernel: Kernel command line: BOOT_IMAGE=/boot/vmlinuz-6.12-x86_64 root=UUID=4c28c9c0-39c7-4aac-830f-034e92278642 rw mitigations=off quiet udev.log_priority=3 audit=0
Nov 16 11:28:14 jo-xfce kernel: audit: disabled (until reboot)
Nov 16 11:28:14 jo-xfce systemd-journald[265]: Collecting audit messages is disabled.
Nov 16 11:30:49 jo-xfce lightdm[550]: Error opening audit socket: Protocol not supported

Virtual machine, audit only disabled via kernel command line, since it can’t be deinstalled because of dependencies.
I didn’t mask anything.
The Arch wiki only mentions one place, not three:

Note
In order to disable audit completely and suppress audit messages from appearing in journal you may set audit=0 as kernel parameter and/or mask systemd-journald-audit.socket.

GaVenga · 16 November 2025 13:11

however, in the imagination of an AI search engine, there are three..
The result however, it is the same as if I mask the socket only.
==> “Much helps much” <== my beloved paranoia…

GaVenga · 22 November 2025 12:29

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.