Message ID | MWHPR19MB144029FE09AB17378DD835C2B99D0@MWHPR19MB1440.namprd19.prod.outlook.com |
---|---|
State | Changes Requested |
Hello,

On Thu, 15 Dec 2016 21:21:20 +0000, Adam Duskett wrote:

> +[Unit] > +Description=Security Auditing Service > +DefaultDependencies=no > +After=local-fs.target systemd-tmpfiles-setup.service > +Conflicts=shutdown.target > +Before=sysinit.target shutdown.target > +RefuseManualStop=yes > +ConditionKernelCommandLine=!audit=0 > +Documentation=man:auditd(8) https://people.redhat.com/sgrubb/audit/ > + > +[Service] > +ExecStart=/sbin/auditd -n > +## To not use augenrules, copy this file to /etc/systemd/system/auditd.service > +## and comment/delete the next line and uncomment the auditctl line. > +## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ > +ExecStartPost=-/sbin/augenrules --load > +#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules > +ExecReload=/bin/kill -HUP $MAINPID > +# By default we don't clear the rules on exit. To enable this, uncomment > +# the next line after copying the file to /etc/systemd/system/auditd.service > +#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules > + > +[Install] > +WantedBy=multi-user.target

This is apparently a copy/paste from init.d/auditd.service in the audit source code. Why duplicate it rather than installing the file available in the audit source code?

Also, another thing that bothers me is that this .service file by default runs 'augenrules --load', with the 'auditctl -R' solution commented out, but our sysv init script S01audit uses 'auditctl -R'. Unless there's a good reason, it probably makes sense to have our sysv init script and systemd unit file for audit do the same thing.

Note: I have absolutely no idea what augenrules is doing compared to auditctl -R, and why one would choose the former or latter.

Best regards,

Thomas
diff --git a/package/audit/audit.mk b/package/audit/audit.mk index 0e5bd27..313ebec 100644 --- a/package/audit/audit.mk +++ b/package/audit/audit.mk @@ -37,6 +37,16 @@ else AUDIT_CONF_OPTS += --disable-systemd endif +define AUDIT_INSTALL_INIT_SYSTEMD + $(INSTALL) -D -m 0644 package/audit/audit.service \ + $(TARGET_DIR)/usr/lib/systemd/system/audit.service + + mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants + + ln -fs ../../../../usr/lib/systemd/system/audit.service \ + $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/audit.service +endef + define AUDIT_INSTALL_INIT_SYSV $(INSTALL) -D -m 755 package/audit/S01auditd $(TARGET_DIR)/etc/init.d/S01auditd endef diff --git a/package/audit/auditd.service b/package/audit/auditd.service new file mode 100644 index 0000000..3fe3aa8 --- /dev/null +++ b/package/audit/auditd.service @@ -0,0 +1,24 @@ +[Unit] +Description=Security Auditing Service +DefaultDependencies=no +After=local-fs.target systemd-tmpfiles-setup.service +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +RefuseManualStop=yes +ConditionKernelCommandLine=!audit=0 +Documentation=man:auditd(8) https://people.redhat.com/sgrubb/audit/ + +[Service] +ExecStart=/sbin/auditd -n +## To not use augenrules, copy this file to /etc/systemd/system/auditd.service +## and comment/delete the next line and uncomment the auditctl line. +## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ +ExecStartPost=-/sbin/augenrules --load +#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules +ExecReload=/bin/kill -HUP $MAINPID +# By default we don't clear the rules on exit. To enable this, uncomment +# the next line after copying the file to /etc/systemd/system/auditd.service +#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules + +[Install] +WantedBy=multi-user.target
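Review bot: in AUDIT_INSTALL_INIT_SYSTEMD (the audit.mk hunk) the install source is package/audit/audit.service, but the file this patch creates is package/audit/auditd.service, so as far as the visible diff shows the $(INSTALL) step has no source file and will fail when systemd is the selected init system. Use auditd.service for the source, for the destination under $(TARGET_DIR)/usr/lib/systemd/system/ and for the multi-user.target.wants symlink; that also keeps the installed unit name in line with the unit's own comments, which tell users to copy it to /etc/systemd/system/auditd.service.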
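Review bot: on the ExecStartPost=-/sbin/augenrules --load line of auditd.service, the leading "-" makes systemd ignore a non-zero exit, and nothing in this patch installs rules under /etc/audit/rules.d/, which the unit's own comment says augenrules expects; a failed rule load would leave auditd running with no rules while the unit is still reported as started. Either install a default rules file into /etc/audit/rules.d/ with the package, or use the commented auditctl -R /etc/audit/audit.rules line so the unit does the same as the sysv script mentioned in the review reply. Dropping the "-" would make a rule-load failure visible in the unit state.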
This patch adds the auditd.service file needed to start auditd during boot on devices running systemd.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 package/audit/audit.mk       | 10 ++++++++++
 package/audit/auditd.service | 24 ++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 package/audit/auditd.service