[PATCH] Add audit events
Steve Grubb
sgrubb at redhat.com
Wed Jan 14 17:48:12 GMT 2009
On Saturday 22 November 2008 09:49:46 am Steve Grubb wrote:
> I fixed all the issues pointed out in the comments. I will update the patch
> and resend soon.
Sorry about the delay...but I think I have it working as you had suggested.
Audit support is now included automatically if configure finds libaudit;
passing --with-libaudit=no disables it even if the libraries are present.
Audit 1.7.9 and later releases expect and can use the events defined in this
patch: SYSTEM_STARTUP, RUNLEVEL_CHANGE, SYSTEM_SHUTDOWN. These events are
required to aid audit session analysis by programs like aulast. Without it
there are no defined boundaries where the system is known to be up or down.
Thanks,
-Steve Grubb
diff -urpN upstart-0.5.0.orig/config.h.in upstart-0.5.0/config.h.in
--- upstart-0.5.0.orig/config.h.in 2008-11-05 14:08:00.000000000 -0500
+++ upstart-0.5.0/config.h.in 2008-11-22 09:53:33.000000000 -0500
@@ -254,6 +254,9 @@
/* Define to 1 if your C compiler doesn't accept -c and -o together. */
#undef NO_MINUS_C_MINUS_O
+/* Define to 1 if you want audit support */
+#undef HAVE_LIBAUDIT
+
/* Name of package */
#undef PACKAGE
diff -urpN upstart-0.5.0.orig/configure.ac upstart-0.5.0/configure.ac
--- upstart-0.5.0.orig/configure.ac 2008-11-05 14:08:00.000000000 -0500
+++ upstart-0.5.0/configure.ac 2009-01-14 11:48:58.000000000 -0500
@@ -20,6 +20,7 @@ AC_PROG_LIBTOOL
# Checks for libraries.
NIH_INIT([dbus])
+LINUX_AUDIT
# Checks for header files.
diff -urpN upstart-0.5.0.orig/m4/libaudit.m4 upstart-0.5.0/m4/libaudit.m4
--- upstart-0.5.0.orig/m4/libaudit.m4 1969-12-31 19:00:00.000000000 -0500
+++ upstart-0.5.0/m4/libaudit.m4 2009-01-14 11:51:54.000000000 -0500
@@ -0,0 +1,25 @@
+# libaudit.m4 - Checks for the Linux Audit System support
+# Copyright (c) 2009 Steve Grubb sgrubb at redhat.com
+#
+AC_DEFUN([LINUX_AUDIT],
+[
+ AC_ARG_WITH(libaudit,
+ [ --with-libaudit=[auto/yes/no] Add Linux audit support [default=auto]],,
+ with_libaudit=auto)
+
+ # Check for Linux auditing API
+ #
+ # libaudit detection
+
+ if test x$with_libaudit = xno ; then
+ have_libaudit=no;
+ else
+ # See if we have audit daemon library
+ AC_CHECK_LIB(audit, audit_log_user_message,
+ AUDIT_LDADD=-laudit,)
+ fi
+ AC_SUBST(AUDIT_LDADD)
+ if test x$AUDIT_LDADD != x ; then
+ AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support])
+ fi
+])
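Review bot: An explicit `--with-libaudit=yes` takes the same `else` branch as `auto`, so a build that was asked to include auditing is silently produced without it when the library is missing. After the `AC_CHECK_LIB` call I would add `if test "x$with_libaudit" = xyes && test "x$AUDIT_LDADD" = x ; then AC_MSG_ERROR([libaudit requested but not found]) ; fi`. The macro also probes only the library, while the C files include `<libaudit.h>` under `HAVE_LIBAUDIT`, so an `AC_CHECK_HEADER` for that header belongs in the same branch. `have_libaudit` is assigned but never read, and `$with_libaudit` should be quoted in the first `test`.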
diff -urpN upstart-0.5.0.orig/util/Makefile.am upstart-0.5.0/util/Makefile.am
--- upstart-0.5.0.orig/util/Makefile.am 2008-11-05 14:08:01.000000000 -0500
+++ upstart-0.5.0/util/Makefile.am 2008-11-22 10:37:31.000000000 -0500
@@ -45,7 +45,8 @@ reboot_SOURCES = \
reboot_LDFLAGS = -static
reboot_LDADD = \
../nih/libnih.la \
- $(LTLIBINTL)
+ $(LTLIBINTL) \
+ $(AUDIT_LDADD)
runlevel_SOURCES = \
@@ -54,7 +55,8 @@ runlevel_SOURCES = \
runlevel_LDFLAGS = -static
runlevel_LDADD = \
../nih/libnih.la \
- $(LTLIBINTL)
+ $(LTLIBINTL) \
+ $(AUDIT_LDADD)
shutdown_SOURCES = \
@@ -68,7 +70,8 @@ shutdown_LDADD = \
../nih/libnih.la \
../nih/libnih-dbus.la \
$(LTLIBINTL) \
- $(DBUS_LIBS)
+ $(DBUS_LIBS) \
+ $(AUDIT_LDADD)
diff -urpN upstart-0.5.0.orig/util/reboot.c upstart-0.5.0/util/reboot.c
--- upstart-0.5.0.orig/util/reboot.c 2008-11-05 14:08:01.000000000 -0500
+++ upstart-0.5.0/util/reboot.c 2008-11-22 09:53:33.000000000 -0500
@@ -36,6 +36,9 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#ifdef HAVE_LIBAUDIT
+# include <libaudit.h>
+#endif
#include <linux/if.h>
#include <linux/hdreg.h>
@@ -95,8 +98,9 @@ enum {
/* Prototypes for static functions */
-static void down_drives (void);
-static void down_interfaces (void);
+static void down_drives (void);
+static void down_interfaces (void);
+static void send_audit_event (void);
/**
@@ -267,6 +271,7 @@ main (int argc,
*/
reboot (RB_ENABLE_CAD);
kill (1, SIGTSTP);
+ send_audit_event ();
/* Sync the disks */
chdir ("/");
@@ -305,6 +310,23 @@ main (int argc,
return 0;
}
+/**
+ * send_audit_event
+ *
+ * Send system shutdown audit event
+ **/
+static void
+send_audit_event (void)
+{
+#ifdef HAVE_LIBAUDIT
+ int fd = audit_open ();
+ if (fd < 0)
+ return;
+ audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init",
+ NULL, NULL, NULL, 1);
+ close (fd);
+#endif
+}
/**
* down_drives:
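Review bot: `send_audit_event` discards the result of `audit_log_user_message` and returns silently when `audit_open` fails, so a lost SYSTEM_SHUTDOWN record leaves no trace, even though the patch description says aulast relies on these records as session boundaries. I would test the call, `if (audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init", NULL, NULL, NULL, 1) <= 0)`, and report the failure through whatever logging the tool already uses, staying quiet only for the errno values that mean the kernel has no audit support. The descriptor should be released with `audit_close (fd);` rather than `close (fd);`, to match `audit_open`. The copies of this function added to util/shutdown.c and util/runlevel.c have the same gaps.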
diff -urpN upstart-0.5.0.orig/util/runlevel.c upstart-0.5.0/util/runlevel.c
--- upstart-0.5.0.orig/util/runlevel.c 2008-11-05 14:08:01.000000000 -0500
+++ upstart-0.5.0/util/runlevel.c 2008-11-22 09:53:33.000000000 -0500
@@ -33,6 +33,9 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#ifdef HAVE_LIBAUDIT
+# include <libaudit.h>
+#endif
#include <nih/macros.h>
#include <nih/alloc.h>
@@ -43,7 +46,8 @@
/* Prototypes for static functions */
-static void store (short type, pid_t pid, const char *user);
+static void store (short type, pid_t pid, const char *user);
+static void send_audit_event (int old, int level);
/**
@@ -109,6 +113,7 @@ main (int argc,
/* Store the reboot time? */
if (reboot) {
store (BOOT_TIME, 0, "reboot");
+ send_audit_event (0, 0);
exit (0);
}
@@ -143,6 +148,7 @@ main (int argc,
prev = cur;
if (! prev)
prev = 'N';
+ send_audit_event (prev, set[0]);
cur = set[0];
}
@@ -203,3 +209,35 @@ store (short type,
/* Write wtmp entry */
updwtmp (WTMP_FILE, &utmp);
}
+
+/**
+ * send_audit_event
+ * @old: current run level
+ * @level: new run level
+ *
+ * Send system runlevel change audit event. If level is 0, then
+ * we consider this to be a reboot event.
+ **/
+static void
+send_audit_event (int old, int level)
+{
+#ifdef HAVE_LIBAUDIT
+ int fd = audit_open ();
+
+ if (fd < 0)
+ return;
+
+ if (level) {
+ char buf[64];
+
+ snprintf (buf, sizeof (buf),
+ "old-level=%c new-level=%c", old, level);
+ audit_log_user_message (fd, AUDIT_SYSTEM_RUNLEVEL, buf,
+ NULL, NULL, NULL, 1);
+ } else
+ audit_log_user_message (fd, AUDIT_SYSTEM_BOOT, "init",
+ NULL, NULL, NULL, 1);
+ close (fd);
+#endif
+}
+
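Review bot: `old` and `level` are written into the record with `%c` without any check, and at the call site in `main` the `level` argument is `set[0]`, which appears to come from the command line (its origin is outside the hunks). A space, `=` or control character there would break the `old-level=… new-level=…` key/value layout that audit parsers depend on. I would restrict both values to expected runlevel characters before formatting, e.g. `if (! isalnum ((unsigned char) level)) level = '?';` and the same for `old`; this needs `<ctype.h>` if the file does not already include it. Using `level == 0` to mean a boot record also deserves a named constant or a separate function, since `send_audit_event (0, 0)` at the call site does not say what it records.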
diff -urpN upstart-0.5.0.orig/util/shutdown.c upstart-0.5.0/util/shutdown.c
--- upstart-0.5.0.orig/util/shutdown.c 2008-11-05 14:08:01.000000000 -0500
+++ upstart-0.5.0/util/shutdown.c 2008-11-22 09:53:33.000000000 -0500
@@ -38,6 +38,9 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#ifdef HAVE_LIBAUDIT
+# include <libaudit.h>
+#endif
#include <nih/macros.h>
#include <nih/alloc.h>
@@ -83,6 +86,7 @@
static int runlevel_setter (NihOption *option, const char *arg);
static void shutdown_now (void)
__attribute__ ((noreturn));
+static void send_audit_event (void);
static void cancel_callback (void *data, NihSignal *signal)
__attribute__ ((noreturn));
static void timer_callback (const char *message);
@@ -454,6 +458,23 @@ runlevel_setter (NihOption *option,
return 0;
}
+/**
+ * send_audit_event
+ *
+ * Send system shutdown audit event
+ **/
+static void
+send_audit_event (void)
+{
+#ifdef HAVE_LIBAUDIT
+ int fd = audit_open ();
+ if (fd < 0)
+ return;
+ audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init",
+ NULL, NULL, NULL, 1);
+ close (fd);
+#endif
+}
/**
* shutdown_now:
@@ -501,6 +522,8 @@ shutdown_now (void)
NIH_MUST (nih_str_array_addp (&env, NULL, NULL, e));
NIH_MUST (e = nih_sprintf (NULL, "PREVLEVEL=%s", prev_level()));
NIH_MUST (nih_str_array_addp (&env, NULL, NULL, e));
+
+ send_audit_event ();
/* Send the message */
if (control_emit_event (proxy, "runlevel", env)) {
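Review bot: The SYSTEM_SHUTDOWN record is written before `control_emit_event` is called, so the audit trail reports a shutdown even when the request to init fails. The handling of that result starts on the last line of the hunk and continues outside it. Moving `send_audit_event ();` to the path where the event has been accepted keeps the log truthful; alternatively the failure path could log with the final `result` argument set to 0 instead of 1, which would need the outcome passed in as a parameter. util/reboot.c emits the same event type, so a shutdown that later runs reboot or halt would presumably produce two SYSTEM_SHUTDOWN records, and it is worth confirming that aulast tolerates that.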