[PATCH] Add audit events

Scott James Remnant scott at netsplit.com
Mon Nov 10 19:38:56 GMT 2008


Comments inline:

On Sun, 2008-11-09 at 08:06 -0500, Steve Grubb wrote:

> This patch adds new audit events defined in libaudit 1.7.9. The events defined
> are SYSTEM_STARTUP, RUNLEVEL_CHANGE, SYSTEM_SHUTDOWN. These events are
> required to aid audit session analysis by programs like aulast and a session
> exploration tool that is under development. I need these events to be
> generated from a place that is hard to bypass so that the audit logs are
> accurate.
> 
It's still relatively easy to change runlevel, bypassing the audit logs,
by just using "initctl emit" instead of the compat tools.

What is the behaviour of libaudit if the audit daemon is not running, or
has issues?  Will it block these commands?

> This patch is against the 0.5.0 release and requires adding --with-libaudit to
> the configure line. This patch has been tested on Fedora 9 and 10 with the
> aulast program in audit-1.7.9 package.
> 
Can libaudit not be detected?

> diff -urp upstart-0.5.0.orig/configure.ac upstart-0.5.0/configure.ac
> --- upstart-0.5.0.orig/configure.ac	2008-11-05 14:08:00.000000000 -0500
> +++ upstart-0.5.0/configure.ac	2008-11-05 14:18:54.000000000 -0500
> 
This bit should be done as a macro defined in an m4 file
(m4/libaudit.m4 - RH_LIB_AUDIT?)

See m4/libs.m4 NIH_LIB_DBUS for an example (though note that this has
libnih option handling you don't want)

Why the Automake Conditional?  You don't appear to use it.

In general, it's better to define Makefile variables than expand
directly in Makefile.am - e.g. use AC_ARG_VAR to define AUDIT_CFLAGS and
AUDIT_LIBS then use $AUDIT_LIBS instead of @LIBAUDIT@

> diff -urp upstart-0.5.0.orig/util/reboot.c upstart-0.5.0/util/reboot.c
> --- upstart-0.5.0.orig/util/reboot.c	2008-11-05 14:08:01.000000000 -0500
> +++ upstart-0.5.0/util/reboot.c	2008-11-05 14:15:17.000000000 -0500
> @@ -36,6 +36,9 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <unistd.h>
> +#ifdef HAVE_LIBAUDIT
> +#include <libaudit.h>
> +#endif
>  
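Review bot: the `#ifdef HAVE_LIBAUDIT` guard around the include only does its job if the configure check actually AC_DEFINEs HAVE_LIBAUDIT and the generated config header is included before this point; neither is visible in the quoted hunk. If either is missing, the guard is simply false, every libaudit call compiles out, and the tool builds cleanly while never emitting an event, which is the silent failure mode the patch is meant to rule out. Worth confirming, and worth a build-time error (rather than a silent no-op) when --with-libaudit was requested but the header is not found.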
Style: the include should be indented, and the endif should be
commented.

> @@ -97,6 +100,7 @@ enum {
>  /* Prototypes for static functions */
>  static void down_drives     (void);
>  static void down_interfaces (void);
> +static void send_audit_event(void);
> 
Style: missing space between function and args.

> diff -urp upstart-0.5.0.orig/util/runlevel.c upstart-0.5.0/util/runlevel.c
> --- upstart-0.5.0.orig/util/runlevel.c	2008-11-05 14:08:01.000000000 -0500
> +++ upstart-0.5.0/util/runlevel.c	2008-11-05 14:12:27.000000000 -0500
> @@ -33,6 +33,9 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <unistd.h>
> +#ifdef HAVE_LIBAUDIT
> +#include <libaudit.h>
> +#endif
>  
>  #include <nih/macros.h>
>  #include <nih/alloc.h>
> 
Style: see above

> @@ -44,6 +47,7 @@
>  
>  /* Prototypes for static functions */
>  static void store (short type, pid_t pid, const char *user);
> +static void send_audit_event (int old, int level);
>  
> 
>  /**
> 
Style: args should line up.

> diff -urp upstart-0.5.0.orig/util/shutdown.c upstart-0.5.0/util/shutdown.c
> --- upstart-0.5.0.orig/util/shutdown.c	2008-11-05 14:08:01.000000000 -0500
> +++ upstart-0.5.0/util/shutdown.c	2008-11-05 14:17:52.000000000 -0500
> @@ -38,6 +38,9 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <unistd.h>
> +#ifdef HAVE_LIBAUDIT
> +#include <libaudit.h>
> +#endif
>  
>  #include <nih/macros.h>
>  #include <nih/alloc.h>
> 
Style: see above

> @@ -454,6 +457,23 @@ runlevel_setter (NihOption  *option,
>  	return 0;
>  }
>  
> +/**
> + * send_audit_event
> + *
> + * Send system shutdown audit event
> + **/
> +static void
> +send_audit_event (void)
> +{
> +#ifdef HAVE_LIBAUDIT
> +	int fd = audit_open ();
> +	if (fd < 0)
> +		return;
> +	audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init",
> +		NULL, NULL, NULL, 1);
> +	close (fd);
> +#endif
> +}
>  
>  /**
>   * shutdown_now:
> 
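Review bot: the error paths in `send_audit_event` are silent. When `audit_open ()` fails the function just returns, and the return value of `audit_log_user_message ()` is discarded, so an unavailable or unreachable audit subsystem drops the SYSTEM_SHUTDOWN record without leaving any trace, which undercuts the stated goal of logs that are hard to bypass. Check both results and at least log a warning on failure; if the project policy is to refuse to proceed without an audit record, this is the place to decide that. Minor: the descriptor returned by `audit_open ()` should be released with `audit_close (fd)` rather than a bare `close (fd)`, and the doc comment could say that the event is always recorded with result 1 (success) regardless of whether the shutdown then goes ahead.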
No prototype for this.

Scott
-- 
Have you ever, ever felt like this?
Had strange things happen?  Are you going round the twist?