Package: guix-patches;
Reported by: Robin Green <greenrd <at> greenrd.org>
Date: Sun, 19 Jul 2020 17:26:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #11 received at 42427 <at> debbugs.gnu.org (full text, mbox):
From: Robin Green <greenrd <at> greenrd.org>
To: 42427 <at> debbugs.gnu.org
Subject: Re: [bug#42427] [PATCH] services: Fix auditd startup.
Date: Sun, 26 Jul 2020 17:28:49 +0100
On 2020-07-22 23:07, Ludovic Courtès wrote:
> Hello Robin,

Hi

> Robin Green <greenrd <at> greenrd.org> skribis:
>
>> * gnu/services/auditd.scm: Make auditd start successfully in the default case.
>> * gnu/services/aux-files/auditd/auditd.conf: New file.
>> * doc/guix.texi (Miscellaneous Services): Update docs to reflect changes.
>
> Nice, it’s a good idea. Some comments below:
>
>> -(define-configuration auditd-configuration
>> -  (audit
>> -   (package audit)
>> -   "Audit package."))
>> +(define-record-type* <auditd-configuration>
>
> I think we should keep using ‘define-configuration’, unless there’s a
> good reason to change. WDYT?

I couldn't get it to work with ‘define-configuration’ - I kept getting errors. I asked on #guix, and it was suggested that I do it this way instead.

>> +  auditd-configuration make-auditd-configuration
>> +  auditd-configuration?
>> +  (audit auditd-configuration-audit ; package
>> +         (default audit))
>> +  (configdir auditd-configuration-configdir)) ; local-file
>
> s/configdir/configuration-directory/, to be consistent with the rest of
> the code.

Done

> You can also set its default value.

I don't see the value in doing that, because the default is already set elsewhere, and if the user wants to use a different package, they probably also want to use a different configuration file than the default one!

>
>> +   (auditd-configuration
>> +    (configdir (local-file "aux-files/auditd" #:recursive? #t))))))
>> diff --git a/gnu/services/aux-files/auditd/auditd.conf b/gnu/services/aux-files/auditd/auditd.conf
>> new file mode 100644
>> index 0000000000..6e7555cf4c
>> --- /dev/null
>> +++ b/gnu/services/aux-files/auditd/auditd.conf
>
> Since it’s a small file, I have a slight preference for using
> ‘plain-file’ + ‘computed-file’:
>
>   (define auditd.conf
>     (plain-file …))
>
>   (define %default-auditd-configuration-directory   ;make it public
>     (computed-file "auditd"
>                    #~(begin
>                        (mkdir #$output)
>                        (copy-file #$auditd.conf
>                                   (string-append #$output "/auditd.conf")))))
>
> WDYT?

Agreed - done
[0001-services-Fix-auditd-startup.patch (text/x-patch, inline)]
From 2944613bee5a742b04c26a7c27d3a09f9047dbe5 Mon Sep 17 00:00:00 2001 From: Robin Green <greenrd <at> greenrd.org> Date: Sun, 19 Jul 2020 08:32:31 +0100 Subject: [PATCH] services: Fix auditd startup. * gnu/services/auditd.scm: Make auditd start successfully in the default case. * gnu/services/aux-files/auditd/auditd.conf: New file. * doc/guix.texi (Miscellaneous Services): Update docs to reflect changes. --- doc/guix.texi | 11 +++++++++-- gnu/services/auditd.scm | 41 ++++++++++++++++++++++++++++++----------- 2 files changed, 39 insertions(+), 13 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 2c5c017eea..8c7c055ce0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27478,10 +27478,12 @@ Network access @command{auditctl} from the @code{audit} package can be used in order to add or remove events to be tracked (until the next reboot). In order to permanently track events, put the command line arguments -of auditctl into @file{/etc/audit/audit.rules}. +of auditctl into a file called @code{audit.rules} in the configuration +directory (see below). @command{aureport} from the @code{audit} package can be used in order to view a report of all recorded events. -The audit daemon usually logs into the directory @file{/var/log/audit}. +The audit daemon by default logs into the file +@file{/var/log/audit.log}. @end defvr @@ -27493,6 +27495,11 @@ This is the data type representing the configuration of auditd. @item @code{audit} (default: @code{audit}) The audit package to use. +@item @code{configdir} (default: @code{(local-file "aux-files/auditd")}) +A directory containing a configuration file for the audit package, which +must be named @code{auditd.conf}, and optionally some audit rules to +instantiate on startup. + @end table @end deftp diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm index 8a9292015f..1750614207 100644 --- a/gnu/services/auditd.scm +++ b/gnu/services/auditd.scm 
@@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019 Danny Milosavljevic <dannym <at> scratchpost.org> +;;; Copyright © 2020 Robin Green <greenrd <at> greenrd.org> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -26,29 +27,47 @@ #:use-module (guix gexp) #:use-module (guix packages) #:export (auditd-configuration - auditd-service-type)) + auditd-service-type + %default-auditd-configuration-directory)) -; /etc/audit/audit.rules +(define auditd.conf + (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \ +ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \ +syslog\nadmin_space_left_action = ignore\ndisk_full_action = \ +ignore\ndisk_error_action = syslog\n")) -(define-configuration auditd-configuration - (audit - (package audit) - "Audit package.")) +(define %default-auditd-configuration-directory + (computed-file "auditd" + #~(begin + (mkdir #$output) + (copy-file #$auditd.conf + (string-append #$output "/auditd.conf"))))) + +(define-record-type* <auditd-configuration> + auditd-configuration make-auditd-configuration + auditd-configuration? + (audit auditd-configuration-audit ; package + (default audit)) + (configuration-directory auditd-configuration-configuration-directory)) ; local-file (define (auditd-shepherd-service config) - (let* ((audit (auditd-configuration-audit config))) + (let* ((audit (auditd-configuration-audit config)) + (configuration-directory (auditd-configuration-configuration-directory config))) (list (shepherd-service - (documentation "Auditd allows you to audit file system accesses.") + (documentation "Auditd allows you to audit file system accesses and process execution.") (provision '(auditd)) (start #~(make-forkexec-constructor - (list (string-append #$audit "/sbin/auditd")))) + (list (string-append #$audit "/sbin/auditd") "-c" #$configuration-directory) + #:pid-file "/var/run/auditd.pid")) (stop #~(make-kill-destructor)))))) (define auditd-service-type (service-type (name 'auditd) - (description "Allows auditing file system accesses.") + (description "Allows auditing file system accesses and process execution.") (extensions (list (service-extension shepherd-root-service-type auditd-shepherd-service))) - (default-value 
(auditd-configuration)))) + (default-value + (auditd-configuration + (configuration-directory %default-auditd-configuration-directory))))) -- 2.27.0
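Review bot: in the first guix.texi hunk (@@ -27478), the new sentence tells users that putting auditctl arguments into an `audit.rules` file in the configuration directory makes the events tracked permanently, but nothing in this patch loads such a file: the shepherd start gexp only runs `auditd -c <dir>` and there is no `auditctl -R` or equivalent rules-loading step. Either qualify the sentence (and the "optionally some audit rules to instantiate on startup" wording in the second hunk) or add the rules-loading step to the service so the manual describes behaviour the code actually provides.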
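Review bot: the second guix.texi hunk (@@ -27493) is out of step with the code: it documents the field as `@item @code{configdir} (default: @code{(local-file "aux-files/auditd")})`, while auditd.scm names the field `configuration-directory` and the default value used by the service type is `%default-auditd-configuration-directory`, a `computed-file`. Rename the @item to `configuration-directory` and state the real default (or, if the field stays mandatory on the record, say so rather than printing a default that does not exist).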
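Review bot: in the auditd.scm hunk (@@ -26,29 +27,47 @@), `configuration-directory` has no `(default ...)`, so a user who writes `(auditd-configuration (audit my-audit))` to swap only the package now gets a record construction error, whereas the old `define-configuration` version accepted it; since `%default-auditd-configuration-directory` is defined just above the record, making it the field default costs nothing and keeps the service-type `default-value` simpler. The trailing `; local-file` comment on that field is also stale now that the default is a `computed-file`. One more point on the shipped `auditd.conf` string: `admin_space_left_action = ignore` and `disk_full_action = ignore` mean the daemon silently keeps running and dropping events once `/var/log` fills, which is the availability-over-completeness choice; worth a comment next to the `plain-file` and a sentence in the manual so operators know to override it with a stricter action.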
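An added example, not part of the submitted patch or of Guix itself, of how an operating-system declaration would use the interface introduced above: a custom configuration directory built with the same `plain-file` + `computed-file` pattern as `%default-auditd-configuration-directory`, carrying an `auditd.conf` whose disk-full and disk-error actions stop the machine instead of ignoring the condition, plus an `audit.rules` file in `auditctl` syntax as the manual hunk describes. It assumes the names from the patch (`auditd-service-type`, `auditd-configuration`, `configuration-directory`) and that the directory is what `auditd -c` receives; the rule set, the `halt`/`single` actions and the `10%` threshold are this example's own choices, and whether `audit.rules` in that directory is applied at startup depends on the service, not on this snippet.

```scheme
;; Added example (not from the patch): a hardened auditd configuration
;; directory for the auditd-service-type shown above.  Field and variable
;; names are assumed from the patch; the contents are illustrative.
(use-modules (gnu)
             (gnu services auditd)
             (guix gexp))

;; Same layout as the patch's auditd.conf, but the two "ignore" actions
;; are replaced: a full or failing log volume drops to single-user mode /
;; halts rather than silently discarding audit records.  Example values.
(define my-auditd.conf
  (plain-file "auditd.conf"
              "log_file = /var/log/audit.log
log_format = ENRICHED
freq = 1
space_left = 10%
space_left_action = syslog
admin_space_left_action = single
disk_full_action = halt
disk_error_action = halt
"))

;; Rules in auditctl syntax (illustrative): flush existing rules, size the
;; backlog, panic on kernel-side failure, watch identity files for writes
;; and attribute changes, and record every execve on 64-bit ABI.
(define my-audit.rules
  (plain-file "audit.rules"
              "-D
-b 8192
-f 2
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
"))

;; Mirror of %default-auditd-configuration-directory with both files.
(define my-auditd-configuration-directory
  (computed-file "auditd"
                 #~(begin
                     (mkdir #$output)
                     (copy-file #$my-auditd.conf
                                (string-append #$output "/auditd.conf"))
                     (copy-file #$my-audit.rules
                                (string-append #$output "/audit.rules")))))

;; The service instance to put in an operating-system's `services' list,
;; e.g. (cons my-auditd-service %base-services).
(define my-auditd-service
  (service auditd-service-type
           (auditd-configuration
            (configuration-directory my-auditd-configuration-directory))))
```

After `guix system reconfigure`, the directory lands in the store and `herd status auditd` should show the daemon started with `-c` pointing at it; confirm the rules are live with `auditctl -l` and, if that prints nothing, load them explicitly with `auditctl -R <dir>/audit.rules`, since the patch's start command does not do so itself.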