diff --git a/man/journald.conf.xml b/man/journald.conf.xml index 1a68ba8698..1d615b110d 100644 --- a/man/journald.conf.xml +++ b/man/journald.conf.xml @@ -478,11 +478,14 @@ Audit= - Takes a boolean value. If enabled systemd-journald will turn on - kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor - disable it, leaving the previous state unchanged. This means if another tool turns on auditing even - if systemd-journald left it off, it will still collect the generated - messages. Defaults to on in the default journal namespace, and unset otherwise. + Takes a boolean value or special value keep. If enabled + systemd-journald will turn on kernel auditing on start-up. If disabled it will + turn it off. When keep it will neither enable nor disable it, leaving the previous + state unchanged. This means if another tool turns on auditing even if + systemd-journald left it off, it will still collect the generated messages. + Defaults to yes in the default journal namespace, and keep otherwise. + + Note that this option does not control whether systemd-journald collects generated audit records, it just controls whether it tells the kernel to generate them. If you need diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c index 6f08875ca3..eec072d32f 100644 --- a/src/journal/journald-audit.c +++ b/src/journal/journald-audit.c @@ -465,10 +465,14 @@ static int manager_set_kernel_audit(Manager *m) { assert(m); assert(m->audit_fd >= 0); + assert(m->config.set_audit >= 0); - if (m->config.set_audit < 0) + if (m->config.set_audit == AUDIT_KEEP) return 0; + /* In the following, we can handle 'set_audit' as a boolean. */ + assert(IN_SET(m->config.set_audit, AUDIT_NO, AUDIT_YES)); + struct { union { struct nlmsghdr header; @@ -557,7 +561,7 @@ int manager_open_audit(Manager *m) { return 0; } -void manager_reset_kernel_audit(Manager *m, int old_set_audit) { +void manager_reset_kernel_audit(Manager *m, AuditSetMode old_set_audit) { assert(m); if (m->audit_fd < 0) diff --git a/src/journal/journald-audit.h b/src/journal/journald-audit.h index 1f1b778e37..339ae14a24 100644 --- a/src/journal/journald-audit.h +++ b/src/journal/journald-audit.h @@ -10,4 +10,4 @@ void manager_process_audit_message(Manager *m, const void *buffer, size_t buffer void process_audit_string(Manager *m, int type, const char *data, size_t size); int manager_open_audit(Manager *m); -void manager_reset_kernel_audit(Manager *m, int old_set_audit); +void manager_reset_kernel_audit(Manager *m, AuditSetMode old_set_audit); diff --git a/src/journal/journald-config.c b/src/journal/journald-config.c index dd2e29e296..8cffec880b 100644 --- a/src/journal/journald-config.c +++ b/src/journal/journald-config.c @@ -46,7 +46,7 @@ void journal_config_set_defaults(JournalConfig *c) { .compress.threshold_bytes = UINT64_MAX, .seal = -1, .read_kmsg = -1, - .set_audit = -1, + .set_audit = _AUDIT_SET_MODE_INVALID, .ratelimit_interval = DEFAULT_RATE_LIMIT_INTERVAL, .ratelimit_burst = DEFAULT_RATE_LIMIT_BURST, .forward_to_syslog = -1, @@ -59,6 +59,7 @@ void journal_config_set_defaults(JournalConfig *c) { .max_level_console = -1, .max_level_wall = -1, .max_level_socket = -1, + .split_mode = _SPLIT_INVALID, }; journal_reset_metrics(&c->system_storage_metrics); @@ -122,7 +123,7 @@ void manager_merge_configs(Manager *m) { MERGE_NON_NEGATIVE(read_kmsg, !m->namespace); /* By default, kernel auditing is enabled by the main namespace instance, and not controlled by * non-default namespace instances. */ - MERGE_NON_NEGATIVE(set_audit, m->namespace ? -1 : true); + MERGE_NON_NEGATIVE(set_audit, m->namespace ? AUDIT_KEEP : AUDIT_YES); MERGE_NON_ZERO(sync_interval_usec, DEFAULT_SYNC_INTERVAL_USEC); /* TODO: also merge them when comdline or credentials support to configure them. */ @@ -401,6 +402,16 @@ static const char* const split_mode_table[_SPLIT_MAX] = { DEFINE_STRING_TABLE_LOOKUP(split_mode, SplitMode); DEFINE_CONFIG_PARSE_ENUM(config_parse_split_mode, split_mode, SplitMode); +static const char* const audit_set_mode_table[_AUDIT_SET_MODE_MAX] = { + [AUDIT_NO] = "no", + [AUDIT_YES] = "yes", + [AUDIT_KEEP] = "keep", +}; + +DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(audit_set_mode, AuditSetMode, AUDIT_YES); +/* For backward compatibility, an empty string has special meaning and equals to 'keep'. */ +DEFINE_CONFIG_PARSE_ENUM_WITH_DEFAULT(config_parse_audit_set_mode, audit_set_mode, AuditSetMode, AUDIT_KEEP); + int config_parse_line_max( const char *unit, const char *filename, diff --git a/src/journal/journald-config.h b/src/journal/journald-config.h index c396c3a560..988badfb8a 100644 --- a/src/journal/journald-config.h +++ b/src/journal/journald-config.h @@ -27,6 +27,14 @@ typedef struct JournalCompressOptions { uint64_t threshold_bytes; } JournalCompressOptions; +typedef enum AuditSetMode { + AUDIT_NO = 0, /* Disables the kernel audit subsystem on start. */ + AUDIT_YES, /* Enables the kernel audit subsystem on start. */ + AUDIT_KEEP, /* Keep the current kernel audit subsystem state. */ + _AUDIT_SET_MODE_MAX, + _AUDIT_SET_MODE_INVALID = -EINVAL, +} AuditSetMode; + typedef struct JournalConfig { /* Storage=, cred: journal.storage */ Storage storage; @@ -37,7 +45,7 @@ typedef struct JournalConfig { /* ReadKMsg= */ int read_kmsg; /* Audit= */ - int set_audit; + AuditSetMode set_audit; /* SyncIntervalSec= */ usec_t sync_interval_usec; /* RateLimitIntervalSec= */ @@ -102,3 +110,4 @@ CONFIG_PARSER_PROTOTYPE(config_parse_line_max); CONFIG_PARSER_PROTOTYPE(config_parse_compress); CONFIG_PARSER_PROTOTYPE(config_parse_forward_to_socket); CONFIG_PARSER_PROTOTYPE(config_parse_split_mode); +CONFIG_PARSER_PROTOTYPE(config_parse_audit_set_mode); diff --git a/src/journal/journald-forward.h b/src/journal/journald-forward.h index 65458f46ab..ef597bbf11 100644 --- a/src/journal/journald-forward.h +++ b/src/journal/journald-forward.h @@ -6,6 +6,7 @@ typedef enum Storage Storage; typedef enum SplitMode SplitMode; +typedef enum AuditSetMode AuditSetMode; typedef struct JournalCompressOptions JournalCompressOptions; typedef struct JournalConfig JournalConfig; diff --git a/src/journal/journald-gperf.gperf b/src/journal/journald-gperf.gperf index 23caa287ff..22d4e683cc 100644 --- a/src/journal/journald-gperf.gperf +++ b/src/journal/journald-gperf.gperf @@ -23,7 +23,7 @@ Journal.Storage, config_parse_storage, 0, offsetof(Journa Journal.Compress, config_parse_compress, 0, offsetof(JournalConfig, compress) Journal.Seal, config_parse_tristate, 0, offsetof(JournalConfig, seal) Journal.ReadKMsg, config_parse_tristate, 0, offsetof(JournalConfig, read_kmsg) -Journal.Audit, config_parse_tristate, 0, offsetof(JournalConfig, set_audit) +Journal.Audit, config_parse_audit_set_mode, 0, offsetof(JournalConfig, set_audit) Journal.SyncIntervalSec, config_parse_sec, 0, offsetof(JournalConfig, sync_interval_usec) # The following is a legacy name for compatibility Journal.RateLimitInterval, config_parse_sec, 0, offsetof(JournalConfig, ratelimit_interval)