Merge pull request #15444 from poettering/audit-enable

journald: make whether we enable auditing at start-up optional
2025-03-08 20:58:20 +03:00 · 2020-04-18 15:55:10 +02:00 · 2020-04-18 15:55:10 +02:00 · 0d5071fb29
commit 0d5071fb29
parent 09f8722801 0648f9beb9
7 changed files with 35 additions and 7 deletions
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@ -402,6 +402,18 @@
        this option is enabled by default, it is disabled in all others.</para></listitem>
      </varlistentry>

+      <varlistentry>
+        <term><varname>Audit=</varname></term>
+
+        <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
+        kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
+        disable it, leaving the previous state unchanged. Note that this option does not control whether
+        <command>systemd-journald</command> collects generated audit records, it just controls whether it
+        tells the kernel to generate them. This means if another tool turns on auditing even if
+        <command>systemd-journald</command> left it off, it will still collect the generated
+        messages. Defaults to on.</para></listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><varname>TTYPath=</varname></term>

--- a/src/basic/errno-util.h
+++ b/src/basic/errno-util.h
@ -87,12 +87,16 @@ static inline bool ERRNO_IS_RESOURCE(int r) {
                      ENOMEM);
 }

-/* Three different errors for "operation/system call/ioctl not supported" */
+/* Seven different errors for "operation/system call/ioctl/socket feature not supported" */
 static inline bool ERRNO_IS_NOT_SUPPORTED(int r) {
        return IN_SET(abs(r),
                      EOPNOTSUPP,
                      ENOTTY,
-                      ENOSYS);
+                      ENOSYS,
+                      EAFNOSUPPORT,
+                      EPFNOSUPPORT,
+                      EPROTONOSUPPORT,
+                      ESOCKTNOSUPPORT);
 }

 /* Two different errors for access problems */
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@ -2,6 +2,7 @@

 #include "alloc-util.h"
 #include "audit-type.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "hexdecoct.h"
 #include "io-util.h"
@ -512,7 +513,7 @@ int server_open_audit(Server *s) {

                s->audit_fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
                if (s->audit_fd < 0) {
-                        if (IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT))
+                        if (ERRNO_IS_NOT_SUPPORTED(errno))
                                log_debug("Audit not supported in the kernel.");
                        else
                                log_warning_errno(errno, "Failed to create audit socket, ignoring: %m");
@ -539,10 +540,16 @@ int server_open_audit(Server *s) {
        if (r < 0)
                return log_error_errno(r, "Failed to add audit fd to event loop: %m");

-        /* We are listening now, try to enable audit */
-        r = enable_audit(s->audit_fd, true);
-        if (r < 0)
-                log_warning_errno(r, "Failed to issue audit enable call: %m");
+        if (s->set_audit >= 0) {
+                /* We are listening now, try to enable audit if configured so */
+                r = enable_audit(s->audit_fd, s->set_audit);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to issue audit enable call: %m");
+                else if (s->set_audit > 0)
+                        log_debug("Auditing in kernel turned on.");
+                else
+                        log_debug("Auditing in kernel turned off.");
+        }

        return 0;
 }
--- a/src/journal/journald-gperf.gperf
+++ b/src/journal/journald-gperf.gperf
@ -22,6 +22,7 @@ Journal.Storage,            config_parse_storage,    0, offsetof(Server, storage
 Journal.Compress,           config_parse_compress,   0, offsetof(Server, compress)
 Journal.Seal,               config_parse_bool,       0, offsetof(Server, seal)
 Journal.ReadKMsg,           config_parse_bool,       0, offsetof(Server, read_kmsg)
+Journal.Audit,              config_parse_tristate,   0, offsetof(Server, set_audit)
 Journal.SyncIntervalSec,    config_parse_sec,        0, offsetof(Server, sync_interval_usec)
 # The following is a legacy name for compatibility
 Journal.RateLimitInterval,  config_parse_sec,        0, offsetof(Server, ratelimit_interval)
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@ -2208,6 +2208,8 @@ int server_init(Server *s, const char *namespace) {
                .compress.threshold_bytes = (uint64_t) -1,
                .seal = true,

+                .set_audit = true,
+
                .watchdog_usec = USEC_INFINITY,

                .sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC,
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@ -108,6 +108,7 @@ struct Server {
        JournalCompressOptions compress;
        bool seal;
        bool read_kmsg;
+        int set_audit;

        bool forward_to_kmsg;
        bool forward_to_syslog;
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@ -41,3 +41,4 @@
 #MaxLevelWall=emerg
 #LineMax=48K
 #ReadKMsg=yes
+#Audit=yes