journal: give the ability to enable/disable systemd-journald-audit.socket
Before this patch the only way to prevent journald from reading the audit messages was to mask systemd-journald-audit.socket. However, this had the main drawback that downstream couldn't ship the socket disabled by default (besides the fact that masking units is not supposed to be the usual way to disable them). Fixes #15777
This commit is contained in:
parent
8112c91e48
commit
2aba77057e
@ -423,13 +423,18 @@
|
|||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>Audit=</varname></term>
|
<term><varname>Audit=</varname></term>
|
||||||
|
|
||||||
<listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
|
<listitem><para>Takes a boolean value. If enabled <command>systemd-journald</command> will turn on
|
||||||
kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
|
kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
|
||||||
disable it, leaving the previous state unchanged. Note that this option does not control whether
|
disable it, leaving the previous state unchanged. This means if another tool turns on auditing even
|
||||||
<command>systemd-journald</command> collects generated audit records, it just controls whether it
|
if <command>systemd-journald</command> left it off, it will still collect the generated
|
||||||
tells the kernel to generate them. This means if another tool turns on auditing even if
|
messages. Defaults to on.</para>
|
||||||
<command>systemd-journald</command> left it off, it will still collect the generated
|
|
||||||
messages. Defaults to on.</para></listitem>
|
<para>Note that this option does not control whether <command>systemd-journald</command> collects
|
||||||
|
generated audit records, it just controls whether it tells the kernel to generate them. If you need
|
||||||
|
to prevent <command>systemd-journald</command> from collecting the generated messages, the socket
|
||||||
|
unit <literal>systemd-journald-audit.socket</literal> can be disabled and in this case this setting
|
||||||
|
is without effect.</para>
|
||||||
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -332,7 +332,9 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting>
|
|||||||
<listitem><para>Sockets and other file node paths that <command>systemd-journald</command> will
|
<listitem><para>Sockets and other file node paths that <command>systemd-journald</command> will
|
||||||
listen on and are visible in the file system. In addition to these,
|
listen on and are visible in the file system. In addition to these,
|
||||||
<command>systemd-journald</command> can listen for audit events using <citerefentry
|
<command>systemd-journald</command> can listen for audit events using <citerefentry
|
||||||
project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem>
|
project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||||||
|
depending on whether <literal>systemd-journald-audit.socket</literal> is enabled or
|
||||||
|
not.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
|
@ -24,6 +24,7 @@ enable systemd-homed.service
|
|||||||
enable systemd-userdbd.socket
|
enable systemd-userdbd.socket
|
||||||
enable systemd-pstore.service
|
enable systemd-pstore.service
|
||||||
enable systemd-boot-update.service
|
enable systemd-boot-update.service
|
||||||
|
enable systemd-journald-audit.socket
|
||||||
|
|
||||||
disable console-getty.service
|
disable console-getty.service
|
||||||
disable debug-shell.service
|
disable debug-shell.service
|
||||||
|
@ -2504,10 +2504,13 @@ int server_init(Server *s, const char *namespace) {
|
|||||||
|
|
||||||
/* Unless we got *some* sockets and not audit, open audit socket */
|
/* Unless we got *some* sockets and not audit, open audit socket */
|
||||||
if (s->audit_fd >= 0 || no_sockets) {
|
if (s->audit_fd >= 0 || no_sockets) {
|
||||||
|
log_info("Collecting audit messages is enabled.");
|
||||||
|
|
||||||
r = server_open_audit(s);
|
r = server_open_audit(s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
}
|
} else
|
||||||
|
log_info("Collecting audit messages is disabled.");
|
||||||
|
|
||||||
r = server_open_varlink(s, varlink_socket, varlink_fd);
|
r = server_open_varlink(s, varlink_socket, varlink_fd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
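Review bot: The `no_sockets` fallback still opens the audit netlink socket directly, so disabling `systemd-journald-audit.socket` only takes effect when journald is socket-activated; when it is started with no sockets passed at all, audit collection is enabled regardless of the unit's state, and the new `Collecting audit messages is enabled.` message does not say which of the two cases applied. Naming the reason would let an operator tell them apart, e.g. `log_info("Collecting audit messages is enabled (%s).", s->audit_fd >= 0 ? "audit socket passed in" : "no sockets passed, opening audit socket directly");`. The message is also emitted before `server_open_audit()` can fail, so a failing open logs enabled and then returns an error; logging after the `if (r < 0) return r;` would be more accurate. The body of `server_init()` continues outside the hunk.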
@ -123,8 +123,7 @@ units = [
|
|||||||
'sysinit.target.wants/'],
|
'sysinit.target.wants/'],
|
||||||
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
|
['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
|
||||||
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
|
['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'],
|
||||||
['systemd-journald-audit.socket', '',
|
['systemd-journald-audit.socket', ''],
|
||||||
'sockets.target.wants/'],
|
|
||||||
['systemd-journald-dev-log.socket', '',
|
['systemd-journald-dev-log.socket', '',
|
||||||
'sockets.target.wants/'],
|
'sockets.target.wants/'],
|
||||||
['systemd-journald.socket', '',
|
['systemd-journald.socket', '',
|
||||||
|
@ -20,3 +20,7 @@ Service=systemd-journald.service
|
|||||||
ReceiveBuffer=128M
|
ReceiveBuffer=128M
|
||||||
ListenNetlink=audit 1
|
ListenNetlink=audit 1
|
||||||
PassCredentials=yes
|
PassCredentials=yes
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sockets.target
|
||||||
|
WantedBy=systemd-journald.service
|
||||||
|
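Review bot: The new `[Install]` section lists both `WantedBy=sockets.target` and `WantedBy=systemd-journald.service` with no explanation of why two are needed; presumably the second ensures the socket is pulled in whenever journald itself starts, even before sockets.target is reached, but that should be stated in the file. A comment such as `# Also wanted by the service so the socket is pulled in whenever journald starts, not only via sockets.target` above the `[Install]` line would document it. Since the service hunk drops this socket from `Sockets=`, the service side now relies entirely on this unit being enabled, which the same comment could mention.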
@ -38,7 +38,10 @@ RestrictRealtime=yes
|
|||||||
RestrictSUIDSGID=yes
|
RestrictSUIDSGID=yes
|
||||||
RuntimeDirectory=systemd/journal
|
RuntimeDirectory=systemd/journal
|
||||||
RuntimeDirectoryPreserve=yes
|
RuntimeDirectoryPreserve=yes
|
||||||
Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
|
# Audit socket is not listed here because this unit can be turned off. However
|
||||||
|
# the link between the socket and the service units is still created thanks to
|
||||||
|
# the 'Service=' setting specified in the socket unit.
|
||||||
|
Sockets=systemd-journald.socket systemd-journald-dev-log.socket
|
||||||
StandardOutput=null
|
StandardOutput=null
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
SystemCallErrorNumber=EPERM
|
SystemCallErrorNumber=EPERM
|
||||||
|