[PATCH] Add audit events

Steve Grubb sgrubb at redhat.com
Sat Nov 22 14:49:46 GMT 2008


On Monday 10 November 2008 14:38:56 Scott James Remnant wrote:
> On Sun, 2008-11-09 at 08:06 -0500, Steve Grubb wrote:
> > This patch adds new audit events defined in libaudit 1.7.9. The events
> > defined are SYSTEM_STARTUP, RUNLEVEL_CHANGE, SYSTEM_SHUTDOWN. These
> > events are required to aid audit session analysis by programs like aulast
> > and a session exploration tool that is under development. I need these
> > events to be generated from a place that is hard to bypass so that the
> > audit logs are accurate.
>
> It's still relatively easy to change runlevel, bypassing the audit logs,
> by just using "initctl emit" instead of the compat tools.

Does initctl have any notion of a runlevel number? My main objective was to 
cover all the places that utmp is written to. A secondary goal was to provide 
runlevel transition information.


> What is the behaviour of libaudit if the audit daemon is not running, or
> has issues?  Will it block these commands?

The audit daemon receives events from the kernel. This patch sends events to 
the kernel. It uses the same libaudit functions that pam, gdm, sshd, and 
login use. At this point in time, it's safe to use the audit library. It knows 
about different kernel return codes when people build their own custom 
kernels that either don't enable audit or netlink. If the audit daemon is not 
running, the kernel will send events to syslog if auditing is enabled. 
Otherwise the kernel eats them.

The events look like this:

node=127.0.0.1 type=SYSTEM_BOOT msg=audit(1227266144.197:5): user pid=1543 
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 
msg='init: exe="/sbin/runlevel" (hostname=?, addr=?, terminal=console 
res=success)' 

node=127.0.0.1 type=SYSTEM_RUNLEVEL msg=audit(1227362081.604:3): user pid=615 
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 
msg='old-level=0 new-level=S: exe="/sbin/runlevel" (hostname=?, addr=?, 
terminal=console res=success)' 

node=127.0.0.1 type=SYSTEM_SHUTDOWN msg=audit(1227357487.098:2873): user 
pid=3960 uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 msg='init: 
exe="/sbin/shutdown" (hostname=?, addr=?, terminal=? res=success)' 


> > This patch is against the 0.5.0 release and requires adding
> > --with-libaudit to the configure line. This patch has been tested on
> > Fedora 9 and 10 with the aulast program in audit-1.7.9 package.
>
> Can libaudit not be detected?

It can be auto-detected if that's your preference. I usually code it such that 
it's required to be added to the package's configure line so that 
nothing "unexpected" happens for the casual user.


> > diff -urp upstart-0.5.0.orig/configure.ac upstart-0.5.0/configure.ac
> > --- upstart-0.5.0.orig/configure.ac	2008-11-05 14:08:00.000000000 -0500
> > +++ upstart-0.5.0/configure.ac	2008-11-05 14:18:54.000000000 -0500
>
> This bit should be done as a macro defined in an m4 file
> (m4/libaudit.m4 - RH_LIB_AUDIT?)

I had planned to add an m4 macro to the audit-libs-devel package in the next 
release. I suppose I can go ahead and put it here if that's your preference. 
Many projects don't like things scattered throughout many files just to see 
all the logic. But I can make the change.


> Why the Automake Conditional?

Removed... I guess that was used in other Makefiles that I've patched, but I 
guess it wasn't needed for upstart.


> In general, it's better to define Makefile variables than expand
> directly in Makefile.am - e.g. use AC_ARG_VAR to define AUDIT_CFLAGS and
> AUDIT_LIBS then use $AUDIT_LIBS instead of @LIBAUDIT@

I've seen it done many, many ways. If this is your preference, I will make the 
switch in the next patch.


> > diff -urp upstart-0.5.0.orig/util/reboot.c upstart-0.5.0/util/reboot.c
> > --- upstart-0.5.0.orig/util/reboot.c	2008-11-05 14:08:01.000000000 -0500
> > +++ upstart-0.5.0/util/reboot.c	2008-11-05 14:15:17.000000000 -0500
> > @@ -36,6 +36,9 @@
> >  #include <stdlib.h>
> >  #include <string.h>
> >  #include <unistd.h>
> > +#ifdef HAVE_LIBAUDIT
> > +#include <libaudit.h>
> > +#endif
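Review bot: The `#endif` closing the new `#ifdef HAVE_LIBAUDIT` block carries no comment naming its guard; write it as `#endif /* HAVE_LIBAUDIT */` and indent the nested `#include <libaudit.h>` to match the project's style, as noted in the comment below. Separately, HAVE_LIBAUDIT is a configure-generated define, and this hunk (context starting at the system headers) gives no sign that `config.h` is included earlier in reboot.c; confirm that it is, since otherwise the guard is never true and the libaudit include is silently dropped.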
>
> Style: the include should be indented, and the endif should be
> commented.

I fixed all the issues pointed out in the comments. I will update the patch 
and resend soon.

Thanks,
-Steve
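A parser for the record format quoted above, as an added example that is not part of the patch or of upstart: it takes the three SYSTEM_BOOT, SYSTEM_RUNLEVEL and SYSTEM_SHUTDOWN records from this mail (re-joined onto single lines) and pulls out the fields a session-analysis tool like aulast would key on, treating the value 4294967295 in auid/ses as "unset" (it is unsigned -1, meaning no login uid or session has been assigned yet). The regexes and the dict layout are this example's own choices.

```python
import re

# The three records quoted in the mail above, with the list's line wrapping undone.
SAMPLE_EVENTS = [
    "node=127.0.0.1 type=SYSTEM_BOOT msg=audit(1227266144.197:5): user pid=1543 "
    "uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 "
    "msg='init: exe=\"/sbin/runlevel\" (hostname=?, addr=?, terminal=console res=success)'",
    "node=127.0.0.1 type=SYSTEM_RUNLEVEL msg=audit(1227362081.604:3): user pid=615 "
    "uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 "
    "msg='old-level=0 new-level=S: exe=\"/sbin/runlevel\" (hostname=?, addr=?, "
    "terminal=console res=success)'",
    "node=127.0.0.1 type=SYSTEM_SHUTDOWN msg=audit(1227357487.098:2873): user "
    "pid=3960 uid=0 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 msg='init: "
    "exe=\"/sbin/shutdown\" (hostname=?, addr=?, terminal=? res=success)'",
]

UNSET = 4294967295  # (unsigned)-1: auid/ses not yet set, e.g. before pam_loginuid ran
HEAD_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ")
# key=value pairs; values may be 'single-quoted', "double-quoted", or bare
KV_RE = re.compile(r"([\w-]+)=('[^']*'|\"[^\"]*\"|[^\s,()]+)")


def _kv(text):
    """Split 'k=v k2="v 2"' text into a dict, dropping surrounding quotes."""
    return {k: v.strip("'\"") for k, v in KV_RE.findall(text)}


def parse_event(line):
    """Parse one libaudit user-message record into a flat dict."""
    m = HEAD_RE.search(line)
    if m is None:
        raise ValueError("not an audit user record: %r" % line)
    ev = {"type": m.group("type"), "time": float(m.group("ts")),
          "serial": int(m.group("serial"))}
    outer = _kv(line[m.end():])
    for key in ("pid", "uid", "auid", "ses"):
        val = int(outer[key])
        ev[key] = None if val == UNSET else val  # None marks an unset auid/ses
    ev["subj"] = outer.get("subj")
    # msg='<prefix>: exe="..." (hostname=?, addr=?, terminal=... res=...)'
    prefix, _, detail = outer["msg"].partition(": ")
    ev.update(_kv(prefix) if "=" in prefix else {"op": prefix})
    ev.update(_kv(detail))
    return ev


def runlevel_transitions(lines):
    """(time, old, new) for every SYSTEM_RUNLEVEL record, in log order."""
    return [(e["time"], e["old-level"], e["new-level"])
            for e in map(parse_event, lines) if e["type"] == "SYSTEM_RUNLEVEL"]
```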


