Hello, This patch adds new audit events defined in libaudit 1.7.9. The events defined are SYSTEM_STARTUP, RUNLEVEL_CHANGE, SYSTEM_SHUTDOWN. These events are required to aid audit session analysis by programs like aulast and a session exploration tool that is under development. I need these events to be generated from a place that is hard to bypass so that the audit logs are accurate.
This patch is against the 0.5.0 release and requires adding --with-libaudit to the configure line. This patch has been tested on Fedora 9 and 10 with the aulast program in audit-1.7.9 package. Thanks, -Steve diff -urp upstart-0.5.0.orig/config.h.in upstart-0.5.0/config.h.in --- upstart-0.5.0.orig/config.h.in 2008-11-05 14:08:00.000000000 -0500 +++ upstart-0.5.0/config.h.in 2008-11-05 14:18:54.000000000 -0500 @@ -254,6 +254,9 @@ /* Define to 1 if your C compiler doesn't accept -c and -o together. */ #undef NO_MINUS_C_MINUS_O +/* Define to 1 if you want audit support */ +#undef HAVE_LIBAUDIT + /* Name of package */ #undef PACKAGE diff -urp upstart-0.5.0.orig/configure.ac upstart-0.5.0/configure.ac --- upstart-0.5.0.orig/configure.ac 2008-11-05 14:08:00.000000000 -0500 +++ upstart-0.5.0/configure.ac 2008-11-05 14:18:54.000000000 -0500 @@ -41,6 +41,25 @@ case $upstart_sbindir in ;; esac +AC_ARG_WITH(libaudit, + [ --with-libaudit=[auto/yes/no] Add Linux audit support [default=auto]],, + with_libaudit=auto) + +# Check for Linux auditing API +# +# libaudit detection +if test x$with_libaudit = xno ; then + have_libaudit=no; +else + # See if we have audit daemon library + AC_CHECK_LIB(audit, audit_log_user_message, + LIBAUDIT=-laudit, LIBAUDIT="") +fi +AC_SUBST(LIBAUDIT) +AM_CONDITIONAL(HAVE_LIBAUDIT, test x$LIBAUDIT != x) +if test x$LIBAUDIT != x ; then + AC_DEFINE(HAVE_LIBAUDIT,1,[linux audit support]) +fi AC_CONFIG_FILES([ Makefile m4/Makefile po/Makefile.in intl/Makefile nih/Makefile init/Makefile dbus/Makefile doc/Makefile diff -urp upstart-0.5.0.orig/util/Makefile.am upstart-0.5.0/util/Makefile.am --- upstart-0.5.0.orig/util/Makefile.am 2008-11-05 14:08:01.000000000 -0500 +++ upstart-0.5.0/util/Makefile.am 2008-11-05 14:14:04.000000000 -0500 @@ -45,7 +45,8 @@ reboot_SOURCES = \ reboot_LDFLAGS = -static reboot_LDADD = \ ../nih/libnih.la \ - $(LTLIBINTL) + $(LTLIBINTL) \ + @LIBAUDIT@ runlevel_SOURCES = \ 
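Review bot: In the `configure.ac` hunk, an explicit `--with-libaudit=yes` still succeeds when `AC_CHECK_LIB` does not find the library, so a build that was meant to emit audit records can ship without them and nobody is told. The not-found action should fail in that case, e.g. `LIBAUDIT=""; test "x$with_libaudit" = xyes && AC_MSG_ERROR([--with-libaudit given but libaudit not found])`. The `no` branch sets `have_libaudit`, which nothing later in the hunk reads, and leaves `LIBAUDIT` untouched, so a value inherited from the environment would still define `HAVE_LIBAUDIT`. Setting `LIBAUDIT=""` in that branch and quoting `"x$LIBAUDIT"` in both tests closes that gap.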
@@ -54,7 +55,8 @@ runlevel_SOURCES = \ runlevel_LDFLAGS = -static runlevel_LDADD = \ ../nih/libnih.la \ - $(LTLIBINTL) + $(LTLIBINTL) \ + @LIBAUDIT@ shutdown_SOURCES = \ @@ -68,7 +70,8 @@ shutdown_LDADD = \ ../nih/libnih.la \ ../nih/libnih-dbus.la \ $(LTLIBINTL) \ - $(DBUS_LIBS) + $(DBUS_LIBS) \ + @LIBAUDIT@ diff -urp upstart-0.5.0.orig/util/reboot.c upstart-0.5.0/util/reboot.c --- upstart-0.5.0.orig/util/reboot.c 2008-11-05 14:08:01.000000000 -0500 +++ upstart-0.5.0/util/reboot.c 2008-11-05 14:15:17.000000000 -0500 @@ -36,6 +36,9 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#endif #include <linux/if.h> #include <linux/hdreg.h> @@ -97,6 +100,7 @@ enum { /* Prototypes for static functions */ static void down_drives (void); static void down_interfaces (void); +static void send_audit_event(void); /** @@ -267,6 +271,7 @@ main (int argc, */ reboot (RB_ENABLE_CAD); kill (1, SIGTSTP); + send_audit_event (); /* Sync the disks */ chdir ("/"); @@ -305,6 +310,23 @@ main (int argc, return 0; } +/** + * send_audit_event + * + * Send system shutdown audit event + **/ +static void +send_audit_event (void) +{ +#ifdef HAVE_LIBAUDIT + int fd = audit_open (); + if (fd < 0) + return; + audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init", + NULL, NULL, NULL, 1); + close (fd); +#endif +} /** * down_drives: diff -urp upstart-0.5.0.orig/util/runlevel.c upstart-0.5.0/util/runlevel.c --- upstart-0.5.0.orig/util/runlevel.c 2008-11-05 14:08:01.000000000 -0500 +++ upstart-0.5.0/util/runlevel.c 2008-11-05 14:12:27.000000000 -0500 @@ -33,6 +33,9 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#endif #include <nih/macros.h> #include <nih/alloc.h> @@ -44,6 +47,7 @@ /* Prototypes for static functions */ static void store (short type, pid_t pid, const char *user); +static void send_audit_event (int old, int level); /** 
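Review bot: `send_audit_event` in `util/reboot.c` drops every failure silently: a failed `audit_open` just returns and the result of `audit_log_user_message` is ignored, so a missing SYSTEM_SHUTDOWN record leaves no trace for whoever later reconstructs sessions from the log. I would warn on failure and treat only the errno values that mean the kernel has no audit support as benign. The sketch below assumes `<errno.h>` and libnih's logging macros are already in scope in this file, which the hunk does not show. The same body is duplicated in `util/shutdown.c` and the same pattern appears in `util/runlevel.c`, so the check (ideally in one shared helper) applies to all three.

```c
send_audit_event (void)
	/* … unchanged: #ifdef HAVE_LIBAUDIT, int fd = audit_open (); … */
	if (fd < 0) {
		/* Kernel built without audit support: nothing to record */
		if (errno != EINVAL && errno != EPROTONOSUPPORT
		    && errno != EAFNOSUPPORT)
			nih_warn ("Unable to open audit socket: %s",
				  strerror (errno));
		return;
	}

	/* libaudit reports a record that could not be sent as <= 0 */
	if (audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init",
				    NULL, NULL, NULL, 1) <= 0)
		nih_warn ("Unable to send audit event");
	close (fd);
```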
@@ -109,6 +113,7 @@ main (int argc, /* Store the reboot time? */ if (reboot) { store (BOOT_TIME, 0, "reboot"); + send_audit_event (0, 0); exit (0); } @@ -143,6 +148,7 @@ main (int argc, prev = cur; if (! prev) prev = 'N'; + send_audit_event (prev, set[0]); cur = set[0]; } @@ -203,3 +209,35 @@ store (short type, /* Write wtmp entry */ updwtmp (WTMP_FILE, &utmp); } + +/** + * send_audit_event + * @old: current run level + * @level: new run level + * + * Send system runlevel change audit event. If level is 0, then + * we consider this to be a reboot event. + **/ +static void +send_audit_event (int old, int level) +{ +#ifdef HAVE_LIBAUDIT + int fd = audit_open (); + + if (fd < 0) + return; + + if (level) { + char buf[64]; + + snprintf (buf, sizeof (buf), + "old-level=%c new-level=%c", old, level); + audit_log_user_message (fd, AUDIT_SYSTEM_RUNLEVEL, buf, + NULL, NULL, NULL, 1); + } else + audit_log_user_message (fd, AUDIT_SYSTEM_BOOT, "init", + NULL, NULL, NULL, 1); + close (fd); +#endif +} + diff -urp upstart-0.5.0.orig/util/shutdown.c upstart-0.5.0/util/shutdown.c --- upstart-0.5.0.orig/util/shutdown.c 2008-11-05 14:08:01.000000000 -0500 +++ upstart-0.5.0/util/shutdown.c 2008-11-05 14:17:52.000000000 -0500 @@ -38,6 +38,9 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#endif #include <nih/macros.h> #include <nih/alloc.h> @@ -454,6 +457,23 @@ runlevel_setter (NihOption *option, return 0; } +/** + * send_audit_event + * + * Send system shutdown audit event + **/ +static void +send_audit_event (void) +{ +#ifdef HAVE_LIBAUDIT + int fd = audit_open (); + if (fd < 0) + return; + audit_log_user_message (fd, AUDIT_SYSTEM_SHUTDOWN, "init", + NULL, NULL, NULL, 1); + close (fd); +#endif +} /** * shutdown_now: 
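Review bot: In `send_audit_event` of `util/runlevel.c`, `old` and `level` are formatted into the audit message with `%c` exactly as they arrive, and the call site passes `set[0]` straight through; whether `set` is validated earlier in `main` is not visible in these hunks. A space, quote or newline in that position would split or corrupt the `old-level=`/`new-level=` fields for tools that parse the record. I would restrict both values to alphanumerics before formatting, e.g. `if (! isalnum ((unsigned char)level)) level = '?';` and the same for `old`, which needs `<ctype.h>`. Separately, the doc comment calls a zero `level` a reboot event while the code logs `AUDIT_SYSTEM_BOOT`; "a system boot event" would match what is emitted.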
@@ -501,6 +521,8 @@ shutdown_now (void) NIH_MUST (nih_str_array_addp (&env, NULL, NULL, e)); NIH_MUST (e = nih_sprintf (NULL, "PREVLEVEL=%s", prev_level())); NIH_MUST (nih_str_array_addp (&env, NULL, NULL, e)); + + send_audit_event (); /* Send the message */ if (control_emit_event (proxy, "runlevel", env)) { -- upstart-devel mailing list upstart-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/upstart-devel
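Review bot: In `shutdown_now`, `send_audit_event ()` runs before `control_emit_event`, and the record it writes hard-codes a result of 1. The audit log therefore reports a successful SYSTEM_SHUTDOWN even if the `if (control_emit_event (proxy, "runlevel", env))` branch, which looks like the failure path (its body is outside the hunk), is taken. Moving the call to after that check, or giving the helper an `int result` parameter and passing 0 on the failure path, keeps the record truthful. `util/reboot.c` emits the same event type, so a shutdown that passes through both tools would presumably be logged twice; it is worth confirming that consumers such as aulast expect that.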