journald: add configuration option for enabling/disabling audit during journald startup

author Lennart Poettering <lennart@poettering.net>

Thu, 16 Apr 2020 10:04:03 +0000 (12:04 +0200)

committer Lennart Poettering <lennart@poettering.net>

Fri, 17 Apr 2020 14:05:22 +0000 (16:05 +0200)
author Lennart Poettering <lennart@poettering.net>
Thu, 16 Apr 2020 10:04:03 +0000 (12:04 +0200)
committer Lennart Poettering <lennart@poettering.net>
Fri, 17 Apr 2020 14:05:22 +0000 (16:05 +0200)
diff --git a/man/journald.conf.xml b/man/journald.conf.xml

index e24c420ab00316c10d3847ce83432acaef14a92b..8058f36e758a5adbf48648ba7c3b4d26df073714 100644 (file)
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -402,6 +402,18 @@
          this option is enabled by default, it is disabled in all others.</para></listitem>
        </varlistentry>
  
+      <varlistentry>
+        <term><varname>Audit=</varname></term>
+
+        <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
+        kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
+        disable it, leaving the previous state unchanged. Note that this option does not control whether
+        <command>systemd-journald</command> collects generated audit records, it just controls whether it
+        tells the kernel to generate them. This means if another tool turns on auditing even if
+        <command>systemd-journald</command> left it off, it will still collect the generated
+        messages. Defaults to on.</para></listitem>
+      </varlistentry>
+
        <varlistentry>
          <term><varname>TTYPath=</varname></term>
  
diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c

index 339e091dfdeb236d20e4754c76db87532d97461e..5c31c43705b586869513f0d2b282513727e77e93 100644 (file)
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -539,10 +539,16 @@ int server_open_audit(Server *s) {
          if (r < 0)
                  return log_error_errno(r, "Failed to add audit fd to event loop: %m");
  
-        /* We are listening now, try to enable audit */
-        r = enable_audit(s->audit_fd, true);
-        if (r < 0)
-                log_warning_errno(r, "Failed to issue audit enable call: %m");
+        if (s->set_audit >= 0) {
+                /* We are listening now, try to enable audit if configured so */
+                r = enable_audit(s->audit_fd, s->set_audit);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to issue audit enable call: %m");
+                else if (s->set_audit > 0)
+                        log_debug("Auditing in kernel turned on.");
+                else
+                        log_debug("Auditing in kernel turned off.");
+        }
  
          return 0;
  }
diff --git a/src/journal/journald-gperf.gperf b/src/journal/journald-gperf.gperf

index 0774444e8d8256183b1550299a550480605253a1..c70ac9a5b6322bf7d875ba34f713139141443f9e 100644 (file)
--- a/src/journal/journald-gperf.gperf
+++ b/src/journal/journald-gperf.gperf
@@ -22,6 +22,7 @@ Journal.Storage,            config_parse_storage,    0, offsetof(Server, storage
  Journal.Compress,           config_parse_compress,   0, offsetof(Server, compress)
  Journal.Seal,               config_parse_bool,       0, offsetof(Server, seal)
  Journal.ReadKMsg,           config_parse_bool,       0, offsetof(Server, read_kmsg)
+Journal.Audit,              config_parse_tristate,   0, offsetof(Server, set_audit)
  Journal.SyncIntervalSec,    config_parse_sec,        0, offsetof(Server, sync_interval_usec)
  # The following is a legacy name for compatibility
  Journal.RateLimitInterval,  config_parse_sec,        0, offsetof(Server, ratelimit_interval)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c

index b7875dec1f624f79c4d80dce9d8b9aa42e673311..64cb3279f64f6efcdbfc79a76eb277b24b22b79a 100644 (file)
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2208,6 +2208,8 @@ int server_init(Server *s, const char *namespace) {
                  .compress.threshold_bytes = (uint64_t) -1,
                  .seal = true,
  
+                .set_audit = true,
+
                  .watchdog_usec = USEC_INFINITY,
  
                  .sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC,
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h

index f3405e967cd0fbd357d7dc003722d461fd6ad6f7..b01ade5aeee4b93cb4f8289436f7620aa5542e19 100644 (file)
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@@ -108,6 +108,7 @@ struct Server {
          JournalCompressOptions compress;
          bool seal;
          bool read_kmsg;
+        int set_audit;
  
          bool forward_to_kmsg;
          bool forward_to_syslog;
diff --git a/src/journal/journald.conf b/src/journal/journald.conf

index 2f1c661153980dda8cf5bac2ef30b0150d18cf03..2e1aacd8c55bbc543c253511ce3283edf91f9f25 100644 (file)
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -41,3 +41,4 @@
  #MaxLevelWall=emerg
  #LineMax=48K
  #ReadKMsg=yes
+#Audit=yes
author	Lennart Poettering <lennart@poettering.net>
	Thu, 16 Apr 2020 10:04:03 +0000 (12:04 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Fri, 17 Apr 2020 14:05:22 +0000 (16:05 +0200)
man/journald.conf.xml		patch \| blob \| blame \| history
src/journal/journald-audit.c		patch \| blob \| blame \| history
src/journal/journald-gperf.gperf		patch \| blob \| blame \| history
src/journal/journald-server.c		patch \| blob \| blame \| history
src/journal/journald-server.h		patch \| blob \| blame \| history
src/journal/journald.conf		patch \| blob \| blame \| history