author | Franck Bui <fbui@suse.com> | 2022-12-06 20:15:43 +0100
committer | Lennart Poettering <lennart@poettering.net> | 2023-01-11 17:18:57 +0100
commit | 2aba77057e55a1082296c10f61e19d8c5e1eb1f7 (patch)
tree | c5442e5aaeff446daa3d6635b35312e392590b13
parent | 8112c91e484ea1a0ba0277f60a5069dd45a3b4b1 (diff)
journal: give the ability to enable/disable systemd-journald-audit.socket
Before this patch the only way to prevent journald from reading the audit
messages was to mask systemd-journald-audit.socket. However, this had the main
drawback that downstream couldn't ship the socket disabled by default (besides
the fact that masking units is not supposed to be the usual way to disable
them).
Fixes #15777
-rw-r--r-- | man/journald.conf.xml | 17
-rw-r--r-- | man/systemd-journald.service.xml | 4
-rw-r--r-- | presets/90-systemd.preset | 1
-rw-r--r-- | src/journal/journald-server.c | 5
-rw-r--r-- | units/meson.build | 3
-rw-r--r-- | units/systemd-journald-audit.socket | 4
-rw-r--r-- | units/systemd-journald.service.in | 5
7 files changed, 28 insertions, 11 deletions
diff --git a/man/journald.conf.xml b/man/journald.conf.xml index 24cee4c8b2..50c33e4792 100644 --- a/man/journald.conf.xml +++ b/man/journald.conf.xml @@ -423,13 +423,18 @@ <varlistentry> <term><varname>Audit=</varname></term> - <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on + <listitem><para>Takes a boolean value. If enabled <command>systemd-journald</command> will turn on kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor - disable it, leaving the previous state unchanged. Note that this option does not control whether - <command>systemd-journald</command> collects generated audit records, it just controls whether it - tells the kernel to generate them. This means if another tool turns on auditing even if - <command>systemd-journald</command> left it off, it will still collect the generated - messages. Defaults to on.</para></listitem> + disable it, leaving the previous state unchanged. This means if another tool turns on auditing even + if <command>systemd-journald</command> left it off, it will still collect the generated + messages. Defaults to on.</para> + + <para>Note that this option does not control whether <command>systemd-journald</command> collects + generated audit records, it just controls whether it tells the kernel to generate them. If you need + to prevent <command>systemd-journald</command> from collecting the generated messages, the socket + unit <literal>systemd-journald-audit.socket</literal> can be disabled and in this case this setting + is without effect.</para> + </listitem> </varlistentry> <varlistentry> diff --git a/man/systemd-journald.service.xml b/man/systemd-journald.service.xml index 8fa864473d..6b0fb3137c 100644 --- a/man/systemd-journald.service.xml +++ b/man/systemd-journald.service.xml 
@@ -332,7 +332,9 @@ systemd-tmpfiles --create --prefix /var/log/journal</programlisting> <listitem><para>Sockets and other file node paths that <command>systemd-journald</command> will listen on and are visible in the file system. In addition to these, <command>systemd-journald</command> can listen for audit events using <citerefentry - project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para></listitem> + project='man-pages'><refentrytitle>netlink</refentrytitle><manvolnum>7</manvolnum></citerefentry>, + depending on whether <literal>systemd-journald-audit.socket</literal> is enabled or + not.</para></listitem> </varlistentry> </variablelist> diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset index 25936d8f57..2b8db9d476 100644 --- a/presets/90-systemd.preset +++ b/presets/90-systemd.preset @@ -24,6 +24,7 @@ enable systemd-homed.service enable systemd-userdbd.socket enable systemd-pstore.service enable systemd-boot-update.service +enable systemd-journald-audit.socket disable console-getty.service disable debug-shell.service diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c index b59f42c4b8..c1fc5a8da9 100644 --- a/src/journal/journald-server.c +++ b/src/journal/journald-server.c @@ -2504,10 +2504,13 @@ int server_init(Server *s, const char *namespace) { /* Unless we got *some* sockets and not audit, open audit socket */ if (s->audit_fd >= 0 || no_sockets) { + log_info("Collecting audit messages is enabled."); + r = server_open_audit(s); if (r < 0) return r; - } + } else + log_info("Collecting audit messages is disabled."); r = server_open_varlink(s, varlink_socket, varlink_fd); if (r < 0) diff --git a/units/meson.build b/units/meson.build index 79e2935a50..69197f0c47 100644 --- a/units/meson.build +++ b/units/meson.build 
@@ -123,8 +123,7 @@ units = [ 'sysinit.target.wants/'], ['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], ['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], - ['systemd-journald-audit.socket', '', - 'sockets.target.wants/'], + ['systemd-journald-audit.socket', ''], ['systemd-journald-dev-log.socket', '', 'sockets.target.wants/'], ['systemd-journald.socket', '', diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket index f0c0aebc86..cf9b6e8b84 100644 --- a/units/systemd-journald-audit.socket +++ b/units/systemd-journald-audit.socket @@ -20,3 +20,7 @@ Service=systemd-journald.service ReceiveBuffer=128M ListenNetlink=audit 1 PassCredentials=yes + +[Install] +WantedBy=sockets.target +WantedBy=systemd-journald.service diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 38ba3e2856..ece872c770 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -38,7 +38,10 @@ RestrictRealtime=yes RestrictSUIDSGID=yes RuntimeDirectory=systemd/journal RuntimeDirectoryPreserve=yes -Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket +# Audit socket is not listed here because this unit can be turned off. However +# the link between the socket and the service units is still created thanks to +# the 'Service=' setting specified in the socket unit. +Sockets=systemd-journald.socket systemd-journald-dev-log.socket StandardOutput=null SystemCallArchitectures=native SystemCallErrorNumber=EPERM |
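Review bot: in the man/journald.conf.xml hunk the sentence "This means if another tool turns on auditing even if systemd-journald left it off, it will still collect the generated messages." has lost its premise: it used to follow the statement that Audit= does not control collection, which this hunk moves into the second paragraph, so "This means" no longer follows from the text before it. Suggest moving that sentence into the new paragraph, right after "it just controls whether it tells the kernel to generate them.", so the first paragraph ends with "leaving the previous state unchanged. Defaults to on." The systemd-journal to systemd-journald fix on the first line is good.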
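Review bot: the presets/90-systemd.preset hunk, together with the units/meson.build hunk, changes how the audit socket gets activated: the static sockets.target.wants/ symlink installed at build time is replaced by an enablement that only exists once "systemctl preset" has run. An installation upgraded in place without a preset run ends up with the audit socket neither linked nor enabled, and downstreams that ship their own preset files rather than 90-systemd.preset must add "enable systemd-journald-audit.socket" to keep the previous default. Both points deserve a NEWS entry; the commit message only mentions the ability to disable.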
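Review bot: in the src/journal/journald-server.c hunk the two new messages use log_info() and are emitted on every journald start, while the rest of server_init() does not announce which sockets it opened; log_debug() would be more consistent, or keep log_info() only for the "disabled" case, which is the one an administrator is likely to wonder about. Note also that "Collecting audit messages is enabled." is printed in the no_sockets fallback (journald started without any socket passed in) as well, which matches the behaviour but could be misread as "the socket unit is enabled"; the message or the existing comment above the if should say so.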
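Review bot: in the units/systemd-journald-audit.socket hunk, "WantedBy=systemd-journald.service" is unusual for a socket unit and the file does not say why it is there. Add a comment explaining that, now that Sockets= in the service no longer lists this socket, the line is what pulls an enabled audit socket in whenever systemd-journald.service is started even when sockets.target is not involved; without it a later cleanup could drop the line as redundant with "WantedBy=sockets.target".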
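Review bot: in the units/systemd-journald.service.in hunk the new comment says "because this unit can be turned off", but inside a service file "this unit" reads as systemd-journald.service itself. Suggest "because the socket unit can be disabled (it carries an [Install] section)" and, in the second sentence, naming the file: "the 'Service=' setting in systemd-journald-audit.socket".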