[PATCH] Add audit events
Steve Grubb
sgrubb at redhat.com
Sun Nov 9 13:06:22 GMT 2008
Hello,
This patch adds new audit events defined in libaudit 1.7.9. The events defined
are SYSTEM_STARTUP, RUNLEVEL_CHANGE, SYSTEM_SHUTDOWN. These events are
required to aid audit session analysis by programs like aulast and a session
exploration tool that is under development. I need these events to be
generated from a place that is hard to bypass so that the audit logs are
accurate.
This patch is against the 0.5.0 release and requires adding --with-libaudit to
the configure line. This patch has been tested on Fedora 9 and 10 with the
aulast program in audit-1.7.9 package.
Thanks,
-Steve
diff -urp upstart-0.5.0.orig/config.h.in upstart-0.5.0/config.h.in
--- upstart-0.5.0.orig/config.h.in 2008-11-05 14:08:00.000000000 -0500
+++ upstart-0.5.0/config.h.in 2008-11-05 14:18:54.000000000 -0500
@@ -254,6 +254,9 @@
/* Define to 1 if your C compiler doesn't accept -c and -o together. */
#undef NO_MINUS_C_MINUS_O
+/* Define to 1 if you want audit support */
+#undef HAVE_LIBAUDIT
+
/* Name of package */
#undef PACKAGE
diff -urp upstart-0.5.0.orig/configure.ac upstart-0.5.0/configure.ac
--- upstart-0.5.0.orig/configure.ac 2008-11-05 14:08:00.000000000 -0500
+++ upstart-0.5.0/configure.ac 2008-11-05 14:18:54.000000000 -0500
@@ -41,6 +41,25 @@ case $upstart_sbindir in
;;
esac
+AC_ARG_WITH(libaudit,
+ [ --with-libaudit=[auto/yes/no] Add Linux audit support [default=auto]],,
+ with_libaudit=auto)
+
+# Check for Linux auditing API
+#
+# libaudit detection
+if test x$with_libaudit = xno ; then
+ have_libaudit=no;
+else
+ # See if we have audit daemon library
+ AC_CHECK_LIB(audit, audit_log_user_message,
+ LIBAUDIT=-laudit, LIBAUDIT="")
+fi
+AC_SUBST(LIBAUDIT)
+AM_CONDITIONAL(HAVE_LIBAUDIT, test x$LIBAUDIT != x)
+if test x$LIBAUDIT != x ; then
+ AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])
+fi
AC_CONFIG_FILES([ Makefile m4/Makefile po/Makefile.in intl/Makefile
nih/Makefile init/Makefile dbus/Makefile doc/Makefile
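Review bot: An explicit `--with-libaudit=yes` is handled exactly like `auto` in the `else` branch, so when `AC_CHECK_LIB` does not find `audit_log_user_message` configure carries on and the tools are built with `send_audit_event` compiled to an empty body. For a feature meant to give an accurate audit trail, that request should fail loudly; after the detection block add `if test "x$with_libaudit" = xyes && test "x$LIBAUDIT" = x ; then AC_MSG_ERROR([--with-libaudit=yes was given but libaudit was not found]) ; fi`. `have_libaudit=no` is assigned but never read in this hunk, and the `test x$with_libaudit` and `test x$LIBAUDIT` expansions should be quoted.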
diff -urp upstart-0.5.0.orig/util/Makefile.am upstart-0.5.0/util/Makefile.am
--- upstart-0.5.0.orig/util/Makefile.am 2008-11-05 14:08:01.000000000 -0500
+++ upstart-0.5.0/util/Makefile.am 2008-11-05 14:14:04.000000000 -0500
@@ -45,7 +45,8 @@ reboot_SOURCES = \
reboot_LDFLAGS = -static
reboot_LDADD = \
../nih/libnih.la \
- $(LTLIBINTL)
+ $(LTLIBINTL) \
+ @LIBAUDIT@
runlevel_SOURCES = \
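Review bot: The added `@LIBAUDIT@` line here, and the same line in the `runlevel_LDADD` and `shutdown_LDADD` hunks below, uses the raw configure substitution while every neighbouring entry uses the make-variable form (`$(LTLIBINTL)`, `$(DBUS_LIBS)`). `$(LIBAUDIT)` is equivalent once `AC_SUBST(LIBAUDIT)` is in place and can still be overridden on the make command line. Separately, `reboot` and `runlevel` are linked with `-static`, so it is worth confirming that the audit library resolves as these targets expect on a system that ships only the shared object; the configure check does not test that.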
@@ -54,7 +55,8 @@ runlevel_SOURCES = \
runlevel_LDFLAGS = -static
runlevel_LDADD = \
../nih/libnih.la \
- $(LTLIBINTL)
+ $(LTLIBINTL) \
+ @LIBAUDIT@
shutdown_SOURCES = \
@@ -68,7 +70,8 @@ shutdown_LDADD = \
../nih/libnih.la \
../nih/libnih-dbus.la \
$(LTLIBINTL) \
- $(DBUS_LIBS)
+ $(DBUS_LIBS) \
+ @LIBAUDIT@
diff -urp upstart-0.5.0.orig/util/reboot.c upstart-0.5.0/util/reboot.c
--- upstart-0.5.0.orig/util/reboot.c 2008-11-05 14:08:01.000000000 -0500
+++ upstart-0.5.0/util/reboot.c 2008-11-05 14:15:17.000000000 -0500
@@ -36,6 +36,9 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
#include <linux/if.h>
#include <linux/hdreg.h>
@@ -97,6 +100,7 @@ enum {
/* Prototypes for static functions */
static void down_drives (void);
static void down_interfaces (void);
+static void send_audit_event(void);
/**
@@ -267,6 +271,7 @@ main (int argc,
*/
reboot (RB_ENABLE_CAD);
kill (1, SIGTSTP);
+ send_audit_event ();
/* Sync the disks */
chdir ("/");
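Review bot: `send_audit_event ()` is called unconditionally on this path in `main`, and `shutdown.c` in this same patch writes the same `AUDIT_SYSTEM_SHUTDOWN` record with the same `"init"` text from `shutdown_now`. If an ordinary shutdown runs both tools (likely, but not visible here), one shutdown produces two indistinguishable records that session-analysis tools then have to de-duplicate. Either emit from one place only or document the intent above the call, e.g. `/* Also logged by shutdown; this covers direct reboot/halt invocations */`. `main` starts and ends outside the hunk.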
@@ -305,6 +310,23 @@ main (int argc,
return 0;
}
+/**
+ * send_audit_event
+ *
+ * Send system shutdown audit event
+ **/
+static void
+send_audit_event (void)
+{
+#ifdef HAVE_LIBAUDIT
+ int fd = audit_open ();
+ if (fd < 0)
+ return;
+ audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init",
+ NULL, NULL, NULL, 1);
+ close (fd);
+#endif
+}
/**
* down_drives:
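Review bot: Both failure paths in `send_audit_event` are silent: a negative `audit_open ()` just returns and the result of `audit_log_user_message ()` is discarded, so a shutdown record that never reached the audit subsystem leaves no trace. The usual pattern is to stay quiet only for the errno values `audit_open` gives on kernels without audit support and report everything else, and to treat a return of `<= 0` from the log call as an error. The identical function added to `shutdown.c` needs the same change, and the doc-comment header should read `send_audit_event:` to match `down_drives:` below it. The sketch assumes `<errno.h>` and `<stdio.h>` are already included above the hunk.

```c
static void
send_audit_event (void)
{
#ifdef HAVE_LIBAUDIT
	int fd = audit_open ();
	int rc;

	if (fd < 0) {
		/* These errnos mean the kernel has no audit support;
		 * anything else is a lost record and must be visible. */
		if (errno != EINVAL && errno != EPROTONOSUPPORT
		    && errno != EAFNOSUPPORT)
			fprintf (stderr, "audit_open: %s\n", strerror (errno));
		return;
	}

	rc = audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init",
				     NULL, NULL, NULL, 1);
	if (rc <= 0)
		fprintf (stderr, "audit_log_user_message failed (%d)\n", rc);
	close (fd);
#endif
}
```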
diff -urp upstart-0.5.0.orig/util/runlevel.c upstart-0.5.0/util/runlevel.c
--- upstart-0.5.0.orig/util/runlevel.c 2008-11-05 14:08:01.000000000 -0500
+++ upstart-0.5.0/util/runlevel.c 2008-11-05 14:12:27.000000000 -0500
@@ -33,6 +33,9 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
#include <nih/macros.h>
#include <nih/alloc.h>
@@ -44,6 +47,7 @@
/* Prototypes for static functions */
static void store (short type, pid_t pid, const char *user);
+static void send_audit_event (int old, int level);
/**
@@ -109,6 +113,7 @@ main (int argc,
/* Store the reboot time? */
if (reboot) {
store (BOOT_TIME, 0, "reboot");
+ send_audit_event (0, 0);
exit (0);
}
@@ -143,6 +148,7 @@ main (int argc,
prev = cur;
if (! prev)
prev = 'N';
+ send_audit_event (prev, set[0]);
cur = set[0];
}
@@ -203,3 +209,35 @@ store (short type,
/* Write wtmp entry */
updwtmp (WTMP_FILE, &utmp);
}
+
+/**
+ * send_audit_event
+ * @old: current run level
+ * @level: new run level
+ *
+ * Send system runlevel change audit event. If level is 0, then
+ * we consider this to be a reboot event.
+ **/
+static void
+send_audit_event (int old, int level)
+{
+#ifdef HAVE_LIBAUDIT
+ int fd = audit_open ();
+
+ if (fd < 0)
+ return;
+
+ if (level) {
+ char buf[64];
+
+ snprintf (buf, sizeof (buf),
+ "old-level=%c new-level=%c", old, level);
+ audit_log_user_message (fd, AUDIT_SYSTEM_RUNLEVEL, buf,
+ NULL, NULL, NULL, 1);
+ } else
+ audit_log_user_message (fd, AUDIT_SYSTEM_BOOT, "init",
+ NULL, NULL, NULL, 1);
+ close (fd);
+#endif
+}
+
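Review bot: `old` and `level` are written into the record text with `%c` and nothing in `send_audit_event` checks them, while the second call site passes `set[0]`, which looks like it comes from the command line. Unless `main` already restricts it (not visible in these hunks), a space, `=` or newline there would produce a malformed or misleading `old-level=… new-level=…` record; as the first statement inside the `#ifdef`, reject it with `if (level && (! isalnum ((unsigned char) old) || ! isalnum ((unsigned char) level))) return;` (needs `<ctype.h>`). The `level == 0` sentinel also means an empty `set` string would be logged as `AUDIT_SYSTEM_BOOT`. The doc comment should say the sentinel is the NUL value and not runlevel `'0'`, and that the record written is a boot event, e.g. `If @level is 0 (NUL, not the character '0') a SYSTEM_BOOT event is sent instead.` As in `reboot.c`, the return value of `audit_log_user_message` is discarded on both branches.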
diff -urp upstart-0.5.0.orig/util/shutdown.c upstart-0.5.0/util/shutdown.c
--- upstart-0.5.0.orig/util/shutdown.c 2008-11-05 14:08:01.000000000 -0500
+++ upstart-0.5.0/util/shutdown.c 2008-11-05 14:17:52.000000000 -0500
@@ -38,6 +38,9 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
#include <nih/macros.h>
#include <nih/alloc.h>
@@ -454,6 +457,23 @@ runlevel_setter (NihOption *option,
return 0;
}
+/**
+ * send_audit_event
+ *
+ * Send system shutdown audit event
+ **/
+static void
+send_audit_event (void)
+{
+#ifdef HAVE_LIBAUDIT
+ int fd = audit_open ();
+ if (fd < 0)
+ return;
+ audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init",
+ NULL, NULL, NULL, 1);
+ close (fd);
+#endif
+}
/**
* shutdown_now:
@@ -501,6 +521,8 @@ shutdown_now (void)
NIH_MUST (nih_str_array_addp (&env, NULL, NULL, e));
NIH_MUST (e = nih_sprintf (NULL, "PREVLEVEL=%s", prev_level()));
NIH_MUST (nih_str_array_addp (&env, NULL, NULL, e));
+
+ send_audit_event ();
/* Send the message */
if (control_emit_event (proxy, "runlevel", env)) {
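Review bot: The `AUDIT_SYSTEM_SHUTDOWN` record is written before `control_emit_event` is attempted, so it is logged even when the emit fails and no runlevel change happens. Moving `send_audit_event ();` into whichever branch of the following `if` means the event was accepted keeps the log consistent with what the system did. The environment built just above carries a runlevel, so if `shutdown_now` is also used for non-halt targets such as single-user mode (not visible in this hunk), the record type would be wrong for those and the call should depend on the target runlevel. `shutdown_now` begins before and continues after the hunk.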