/* Returns -1 on err, 0 on success, and 1 if eagain occurred and not an err */
int dispatch_event(const struct audit_reply *rep, int is_err)
{
int rc, count = 0;
struct iovec vec[2];
struct audit_dispatcher_header hdr;
if (disp_pipe[1] == -1)
return 0;
// Don't send reconfig or rotate as they are purely internal to daemon
if (rep->type == AUDIT_DAEMON_RECONFIG ||
rep->type == AUDIT_DAEMON_ROTATE)
return 0;
hdr.ver = AUDISP_PROTOCOL_VER; /* Hard-coded to current protocol */
hdr.hlen = sizeof(struct audit_dispatcher_header);
hdr.type = rep->type;
hdr.size = rep->len;
vec[0].iov_base = (void*)&hdr;
vec[0].iov_len = sizeof(hdr);
vec[1].iov_base = (void*)rep->message;
vec[1].iov_len = rep->len;
do {
rc = writev(disp_pipe[1], vec, 2);
} while (rc < 0 && errno == EAGAIN && count++ < 8);
// close pipe if no child or peer has been lost
if (rc <= 0) {
if (errno == EPIPE) {
shutdown_dispatcher();
n_errs = 0;
} else if (errno == EAGAIN && !is_err) {
return 1;
} else {
if (n_errs <= REPORT_LIMIT) {
audit_msg(LOG_ERR,
"dispatch err (%s) event lost",
errno == EAGAIN ? "pipe full" :
strerror(errno));
n_errs++;
}
if (n_errs == REPORT_LIMIT) {
audit_msg(LOG_ERR,
"dispatch error reporting limit"
" reached - ending report"
" notification.");
n_errs++;
}
return -1;
}
} else
n_errs = 0;
return 0;
}
int main(int argc, char *argv[])
{
struct sigaction sa;
struct rlimit limit;
int i, c, rc;
int opt_foreground = 0, opt_allow_links = 0;
enum startup_state opt_startup = startup_enable;
extern char *optarg;
extern int optind;
struct ev_loop *loop;
struct ev_io netlink_watcher;
struct ev_signal sigterm_watcher;
struct ev_signal sighup_watcher;
struct ev_signal sigusr1_watcher;
struct ev_signal sigusr2_watcher;
struct ev_signal sigchld_watcher;
/* Get params && set mode */
while ((c = getopt(argc, argv, "flns:")) != -1) {
switch (c) {
case 'f':
opt_foreground = 1;
break;
case 'l':
opt_allow_links=1;
break;
case 'n':
do_fork = 0;
break;
case 's':
for (i=0; i<startup_INVALID; i++) {
if (strncmp(optarg, startup_states[i],
strlen(optarg)) == 0) {
opt_startup = i;
break;
}
}
if (i == startup_INVALID) {
fprintf(stderr, "unknown startup mode '%s'\n",
optarg);
usage();
}
break;
default:
usage();
}
}
/* check for trailing command line following options */
if (optind < argc) {
usage();
}
if (opt_allow_links)
set_allow_links(1);
if (opt_foreground) {
config.daemonize = D_FOREGROUND;
set_aumessage_mode(MSG_STDERR, DBG_YES);
} else {
config.daemonize = D_BACKGROUND;
set_aumessage_mode(MSG_SYSLOG, DBG_NO);
(void) umask( umask( 077 ) | 022 );
}
#ifndef DEBUG
/* Make sure we are root */
if (getuid() != 0) {
fprintf(stderr, "You must be root to run this program.\n");
return 4;
}
#endif
/* Register sighandlers */
sa.sa_flags = 0 ;
sigemptyset( &sa.sa_mask ) ;
/* Ignore all signals by default */
sa.sa_handler = SIG_IGN;
for (i=1; i<NSIG; i++)
sigaction( i, &sa, NULL );
atexit(clean_exit);
/* Raise the rlimits in case we're being started from a shell
* with restrictions. Not a fatal error. */
limit.rlim_cur = RLIM_INFINITY;
limit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_FSIZE, &limit);
setrlimit(RLIMIT_CPU, &limit);
/* Load the Configuration File */
if (load_config(&config, TEST_AUDITD))
return 6;
if (config.priority_boost != 0) {
errno = 0;
rc = nice((int)-config.priority_boost);
if (rc == -1 && errno) {
audit_msg(LOG_ERR, "Cannot change priority (%s)",
strerror(errno));
return 1;
}
}
/* Daemonize or stay in foreground for debugging */
if (config.daemonize == D_BACKGROUND) {
if (become_daemon() != 0) {
audit_msg(LOG_ERR, "Cannot daemonize (%s)",
strerror(errno));
tell_parent(FAILURE);
return 1;
}
openlog("auditd", LOG_PID, LOG_DAEMON);
}
/* Init netlink */
if ((fd = audit_open()) < 0) {
audit_msg(LOG_ERR, "Cannot open netlink audit socket");
tell_parent(FAILURE);
return 1;
}
/* Init the event handler thread */
write_pid_file();
if (init_event(&config)) {
if (pidfile)
unlink(pidfile);
tell_parent(FAILURE);
return 1;
}
if (init_dispatcher(&config)) {
if (pidfile)
unlink(pidfile);
tell_parent(FAILURE);
return 1;
}
/* Get machine name ready for use */
if (resolve_node(&config)) {
if (pidfile)
unlink(pidfile);
tell_parent(FAILURE);
return 1;
}
/* Write message to log that we are alive */
{
struct utsname ubuf;
char start[DEFAULT_BUF_SZ];
const char *fmt = audit_lookup_format((int)config.log_format);
if (fmt == NULL)
fmt = "UNKNOWN";
if (uname(&ubuf) != 0) {
if (pidfile)
unlink(pidfile);
tell_parent(FAILURE);
return 1;
}
if (getsubj(subj))
snprintf(start, sizeof(start),
"auditd start, ver=%s format=%s "
"kernel=%.56s auid=%u pid=%d subj=%s res=success",
VERSION, fmt, ubuf.release,
audit_getloginuid(), getpid(), subj);
else
snprintf(start, sizeof(start),
"auditd start, ver=%s format=%s "
"kernel=%.56s auid=%u pid=%d res=success",
VERSION, fmt, ubuf.release,
audit_getloginuid(), getpid());
if (send_audit_event(AUDIT_DAEMON_START, start)) {
audit_msg(LOG_ERR, "Cannot send start message");
if (pidfile)
unlink(pidfile);
shutdown_dispatcher();
tell_parent(FAILURE);
return 1;
}
}
/* Tell kernel not to kill us */
avoid_oom_killer();
/* let config manager init */
init_config_manager();
if (opt_startup != startup_nochange && (audit_is_enabled(fd) < 2) &&
audit_set_enabled(fd, (int)opt_startup) < 0) {
char emsg[DEFAULT_BUF_SZ];
if (*subj)
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d subj=%s res=failed",
audit_getloginuid(), getpid(), subj);
else
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
audit_getloginuid(), getpid());
stop = 1;
send_audit_event(AUDIT_DAEMON_ABORT, emsg);
audit_msg(LOG_ERR,
"Unable to set initial audit startup state to '%s', exiting",
startup_states[opt_startup]);
close_down();
if (pidfile)
unlink(pidfile);
shutdown_dispatcher();
tell_parent(FAILURE);
return 1;
}
/* Tell the kernel we are alive */
if (audit_set_pid(fd, getpid(), WAIT_YES) < 0) {
char emsg[DEFAULT_BUF_SZ];
if (*subj)
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d subj=%s res=failed",
audit_getloginuid(), getpid(), subj);
else
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
audit_getloginuid(), getpid());
stop = 1;
send_audit_event(AUDIT_DAEMON_ABORT, emsg);
audit_msg(LOG_ERR, "Unable to set audit pid, exiting");
close_down();
if (pidfile)
unlink(pidfile);
shutdown_dispatcher();
tell_parent(FAILURE);
return 1;
}
/* Depending on value of opt_startup (-s) set initial audit state */
loop = ev_default_loop (EVFLAG_NOENV);
ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ);
ev_io_start (loop, &netlink_watcher);
ev_signal_init (&sigterm_watcher, term_handler, SIGTERM);
ev_signal_start (loop, &sigterm_watcher);
ev_signal_init (&sighup_watcher, hup_handler, SIGHUP);
ev_signal_start (loop, &sighup_watcher);
ev_signal_init (&sigusr1_watcher, user1_handler, SIGUSR1);
ev_signal_start (loop, &sigusr1_watcher);
ev_signal_init (&sigusr2_watcher, user2_handler, SIGUSR2);
ev_signal_start (loop, &sigusr2_watcher);
ev_signal_init (&sigchld_watcher, child_handler, SIGCHLD);
ev_signal_start (loop, &sigchld_watcher);
if (auditd_tcp_listen_init (loop, &config)) {
char emsg[DEFAULT_BUF_SZ];
if (*subj)
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d subj=%s res=failed",
audit_getloginuid(), getpid(), subj);
else
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
audit_getloginuid(), getpid());
stop = 1;
send_audit_event(AUDIT_DAEMON_ABORT, emsg);
tell_parent(FAILURE);
} else {
/* Now tell parent that everything went OK */
tell_parent(SUCCESS);
audit_msg(LOG_NOTICE,
"Init complete, auditd %s listening for events (startup state %s)",
VERSION,
startup_states[opt_startup]);
}
/* Parent should be gone by now... */
if (do_fork)
close(init_pipe[1]);
// Init complete, start event loop
if (!stop)
ev_loop (loop, 0);
auditd_tcp_listen_uninit (loop, &config);
// Tear down IO watchers Part 1
ev_signal_stop (loop, &sighup_watcher);
ev_signal_stop (loop, &sigusr1_watcher);
ev_signal_stop (loop, &sigusr2_watcher);
ev_signal_stop (loop, &sigterm_watcher);
/* Write message to log that we are going down */
rc = audit_request_signal_info(fd);
if (rc > 0) {
struct audit_reply trep;
rc = get_reply(fd, &trep, rc);
if (rc > 0) {
char txt[MAX_AUDIT_MESSAGE_LENGTH];
snprintf(txt, sizeof(txt),
"auditd normal halt, sending auid=%u "
"pid=%d subj=%s res=success",
trep.signal_info->uid,
trep.signal_info->pid,
trep.signal_info->ctx);
send_audit_event(AUDIT_DAEMON_END, txt);
}
}
if (rc <= 0)
send_audit_event(AUDIT_DAEMON_END,
"auditd normal halt, sending auid=? "
"pid=? subj=? res=success");
free(rep);
// Tear down IO watchers Part 2
ev_io_stop (loop, &netlink_watcher);
// Give DAEMON_END event a little time to be sent in case
// of remote logging
usleep(10000); // 10 milliseconds
shutdown_dispatcher();
// Tear down IO watchers Part 3
ev_signal_stop (loop, &sigchld_watcher);
close_down();
free_config(&config);
ev_default_destroy();
return 0;
}
static void netlink_handler(struct ev_loop *loop, struct ev_io *io,
int revents)
{
if (rep == NULL) {
if ((rep = malloc(sizeof(*rep))) == NULL) {
char emsg[DEFAULT_BUF_SZ];
if (*subj)
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d subj=%s res=failed",
audit_getloginuid(), getpid(), subj);
else
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
audit_getloginuid(), getpid());
EV_STOP ();
send_audit_event(AUDIT_DAEMON_ABORT, emsg);
audit_msg(LOG_ERR,
"Cannot allocate audit reply, exiting");
close_down();
if (pidfile)
unlink(pidfile);
shutdown_dispatcher();
return;
}
}
if (audit_get_reply(fd, &rep->reply,
GET_REPLY_NONBLOCKING, 0) > 0) {
switch (rep->reply.type)
{ /* For now dont process these */
case NLMSG_NOOP:
case NLMSG_DONE:
case NLMSG_ERROR:
case AUDIT_GET: /* Or these */
case AUDIT_LIST_RULES:
case AUDIT_FIRST_DAEMON...AUDIT_LAST_DAEMON:
break;
case AUDIT_SIGNAL_INFO:
if (hup_info_requested) {
audit_msg(LOG_DEBUG,
"HUP detected, starting config manager");
if (start_config_manager(rep)) {
send_audit_event(
AUDIT_DAEMON_CONFIG,
"auditd error getting hup info - no change,"
" sending auid=? pid=? subj=? res=failed");
}
rep = NULL;
hup_info_requested = 0;
} else if (usr1_info_requested) {
char usr1[MAX_AUDIT_MESSAGE_LENGTH];
if (rep->reply.len == 24) {
snprintf(usr1, sizeof(usr1),
"auditd sending auid=? pid=? subj=?");
} else {
snprintf(usr1, sizeof(usr1),
"auditd sending auid=%u pid=%d subj=%s",
rep->reply.signal_info->uid,
rep->reply.signal_info->pid,
rep->reply.signal_info->ctx);
}
send_audit_event(AUDIT_DAEMON_ROTATE, usr1);
usr1_info_requested = 0;
} else if (usr2_info_requested) {
char usr2[MAX_AUDIT_MESSAGE_LENGTH];
if (rep->reply.len == 24) {
snprintf(usr2, sizeof(usr2),
"auditd resuming logging, "
"sending auid=? pid=? subj=? "
"res=success");
} else {
snprintf(usr2, sizeof(usr2),
"auditd resuming logging, "
"sending auid=%u pid=%d subj=%s res=success",
rep->reply.signal_info->uid,
rep->reply.signal_info->pid,
rep->reply.signal_info->ctx);
}
resume_logging();
send_audit_event(AUDIT_DAEMON_RESUME, usr2);
usr2_info_requested = 0;
}
break;
default:
distribute_event(rep);
rep = NULL;
break;
}
} else {
if (errno == EFBIG) {
