diff mbox series

[bug#54309] services: auditd: use exclusive log directory for auditd

Message ID b2d2cc9b-0c3f-b5a3-e564-76ab8f17459f@gmail.com
State New
Headers show
Series [bug#54309] services: auditd: use exclusive log directory for auditd | expand

Checks

Context Check Description
cbaines/applying patch fail View Laminar job
cbaines/issue success View issue

Commit Message

fesoj000 March 9, 2022, 9 p.m. UTC 
Use the upstream default log file for auditd.

* gnu/services/auditd.scm: add auditd-activation function and extend
activation-service-type.
---
  gnu/services/auditd.scm | 17 ++++++++++++-----
  1 file changed, 12 insertions(+), 5 deletions(-)

Comments

Liliana Marie Prikler March 10, 2022, 7:12 a.m. UTC | #1 
Hi,

Am Mittwoch, dem 09.03.2022 um 22:00 +0100 schrieb fesoj000:
> Use the upstream default log file for auditd.
> 
> * gnu/services/auditd.scm: add auditd-activation function and extend
> activation-service-type.
> ---
>   gnu/services/auditd.scm | 17 ++++++++++++-----
>   1 file changed, 12 insertions(+), 5 deletions(-)
> 
> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
> index abde811f51..c88e974adb 100644
> --- a/gnu/services/auditd.scm
> +++ b/gnu/services/auditd.scm
> @@ -31,10 +31,9 @@ (define-module (gnu services auditd)
>               %default-auditd-configuration-directory))
>   
>   (define auditd.conf
> -  (plain-file "auditd.conf" "log_file =
> /var/log/audit.log\nlog_format = \
> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
> -ignore\ndisk_error_action = syslog\n"))
> +  (plain-file "auditd.conf" "log_format = ENRICHED\nfreq =
> 1\nspace_left = 5% \
> +\nspace_left_action = syslog\nadmin_space_left_action = ignore\
> +\ndisk_full_action = ignore\ndisk_error_action = syslog\n"))
I'm not sure what the rationale behind writing auditd.conf this way is,
but note that can simply writethis as "\
log_format = ENRICHED
freq = 1
space_left = 5%
..."

Doing this, it would take up some more vertical real estate, but imho
it'd be easier to read.  We might also want to make some of these
configurable later on, e.g. space_left, but that's not relevant to this
patch set.

>   (define %default-auditd-configuration-directory
>     (computed-file "auditd"
> @@ -50,6 +49,12 @@ (define-record-type* <auditd-configuration>
>                              (default audit))
>     (configuration-directory auditd-configuration-configuration-
> directory))      ; file-like
>   
> +(define (auditd-activation config)
> +  (with-imported-modules '((guix build utils))
> +    #~(begin
> +        (use-modules (guix build utils))
> +        (mkdir-p "/var/log/audit"))))
I think guix should already create this directory with the 700
permissions auditd demands, to prevent any TOCTOU-style tampering.


Cheers
fesoj000 March 10, 2022, 10:36 a.m. UTC | #2 
Hi,

On 3/10/22 8:12 AM, Liliana Marie Prikler wrote:
> Hi,
> 
> Am Mittwoch, dem 09.03.2022 um 22:00 +0100 schrieb fesoj000:
>> Use the upstream default log file for auditd.
>>
>> * gnu/services/auditd.scm: add auditd-activation function and extend
>> activation-service-type.
>> ---
>>    gnu/services/auditd.scm | 17 ++++++++++++-----
>>    1 file changed, 12 insertions(+), 5 deletions(-)
>>
>> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
>> index abde811f51..c88e974adb 100644
>> --- a/gnu/services/auditd.scm
>> +++ b/gnu/services/auditd.scm
>> @@ -31,10 +31,9 @@ (define-module (gnu services auditd)
>>                %default-auditd-configuration-directory))
>>    
>>    (define auditd.conf
>> -  (plain-file "auditd.conf" "log_file =
>> /var/log/audit.log\nlog_format = \
>> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
>> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
>> -ignore\ndisk_error_action = syslog\n"))
>> +  (plain-file "auditd.conf" "log_format = ENRICHED\nfreq =
>> 1\nspace_left = 5% \
>> +\nspace_left_action = syslog\nadmin_space_left_action = ignore\
>> +\ndisk_full_action = ignore\ndisk_error_action = syslog\n"))
> I'm not sure what the rationale behind writing auditd.conf this way is,
> but note that can simply writethis as "\
> log_format = ENRICHED
> freq = 1
> space_left = 5%
> ..."
> 
> Doing this, it would take up some more vertical real estate, but imho
> it'd be easier to read.  We might also want to make some of these
> configurable later on, e.g. space_left, but that's not relevant to this
> patch set.
Sure, i will send a new patch later.

>>    (define %default-auditd-configuration-directory
>>      (computed-file "auditd"
>> @@ -50,6 +49,12 @@ (define-record-type* <auditd-configuration>
>>                               (default audit))
>>      (configuration-directory auditd-configuration-configuration-
>> directory))      ; file-like
>>    
>> +(define (auditd-activation config)
>> +  (with-imported-modules '((guix build utils))
>> +    #~(begin
>> +        (use-modules (guix build utils))
>> +        (mkdir-p "/var/log/audit"))))
> I think guix should already create this directory with the 700
> permissions auditd demands, to prevent any TOCTOU-style tampering.
Good point.
diff mbox series

Patch

diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
index abde811f51..c88e974adb 100644
--- a/gnu/services/auditd.scm
+++ b/gnu/services/auditd.scm
@@ -31,10 +31,9 @@  (define-module (gnu services auditd)
              %default-auditd-configuration-directory))
  
  (define auditd.conf
-  (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
-ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
-syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
-ignore\ndisk_error_action = syslog\n"))
+  (plain-file "auditd.conf" "log_format = ENRICHED\nfreq = 1\nspace_left = 5% \
+\nspace_left_action = syslog\nadmin_space_left_action = ignore\
+\ndisk_full_action = ignore\ndisk_error_action = syslog\n"))
  
  (define %default-auditd-configuration-directory
    (computed-file "auditd"
@@ -50,6 +49,12 @@  (define-record-type* <auditd-configuration>
                             (default audit))
    (configuration-directory auditd-configuration-configuration-directory))      ; file-like
  
+(define (auditd-activation config)
+  (with-imported-modules '((guix build utils))
+    #~(begin
+        (use-modules (guix build utils))
+        (mkdir-p "/var/log/audit"))))
+
  (define (auditd-shepherd-service config)
    (let* ((audit (auditd-configuration-audit config))
           (configuration-directory (auditd-configuration-configuration-directory config)))
@@ -67,7 +72,9 @@  (define auditd-service-type
                  (extensions
                   (list
                    (service-extension shepherd-root-service-type
-                                     auditd-shepherd-service)))
+                                     auditd-shepherd-service)
+                  (service-extension activation-service-type
+                                     auditd-activation)))
                  (default-value
                    (auditd-configuration
                     (configuration-directory %default-auditd-configuration-directory)))))