This allows for easier build-time disabling of the listener-specific code in auditd-event.c. --- src/auditd-event.c | 23 ++--------------------- src/auditd-listen.c | 28 +++++++++++++++++++++++++++- src/auditd-listen.h | 3 ++- 3 files changed, 31 insertions(+), 23 deletions(-) diff --git a/src/auditd-event.c b/src/auditd-event.c index b1b2f0a..acf5aa1 100644 --- a/src/auditd-event.c +++ b/src/auditd-event.c @@ -1177,27 +1177,8 @@ static void reconfigure(struct auditd_consumer_data *data) } } - /* Look at network things that do not need restarting */ - if (oconf->tcp_client_min_port != nconf->tcp_client_min_port || - oconf->tcp_client_max_port != nconf->tcp_client_max_port || - oconf->tcp_max_per_addr != nconf->tcp_max_per_addr) { - oconf->tcp_client_min_port = nconf->tcp_client_min_port; - oconf->tcp_client_max_port = nconf->tcp_client_max_port; - oconf->tcp_max_per_addr = nconf->tcp_max_per_addr; - auditd_set_ports(oconf->tcp_client_min_port, - oconf->tcp_client_max_port, - oconf->tcp_max_per_addr); - } - if (oconf->tcp_client_max_idle != nconf->tcp_client_max_idle) { - oconf->tcp_client_max_idle = nconf->tcp_client_max_idle; - periodic_reconfigure(); - } - if (oconf->tcp_listen_port != nconf->tcp_listen_port || - oconf->tcp_listen_queue != nconf->tcp_listen_queue) { - oconf->tcp_listen_port = nconf->tcp_listen_port; - oconf->tcp_listen_queue = nconf->tcp_listen_queue; - // FIXME: need to restart the network stuff - } + // network listener + auditd_tcp_listen_reconfigure(nconf, oconf); /* At this point we will work on the items that are related to * a single log file. */ diff --git a/src/auditd-listen.c b/src/auditd-listen.c index 741c424..0caf324 100644 --- a/src/auditd-listen.c +++ b/src/auditd-listen.c @@ -866,7 +866,7 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, send_audit_event(AUDIT_DAEMON_ACCEPT, emsg); } -void auditd_set_ports(int minp, int maxp, int max_p_addr) +static void auditd_set_ports(int minp, int maxp, int max_p_addr) { min_port = minp; max_port = maxp; @@ -1009,3 +1009,29 @@ void auditd_tcp_listen_check_idle (struct ev_loop *loop ) free(ev); } } + +void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, + struct daemon_conf *oconf ) +{ + /* Look at network things that do not need restarting */ + if (oconf->tcp_client_min_port != nconf->tcp_client_min_port || + oconf->tcp_client_max_port != nconf->tcp_client_max_port || + oconf->tcp_max_per_addr != nconf->tcp_max_per_addr) { + oconf->tcp_client_min_port = nconf->tcp_client_min_port; + oconf->tcp_client_max_port = nconf->tcp_client_max_port; + oconf->tcp_max_per_addr = nconf->tcp_max_per_addr; + auditd_set_ports(oconf->tcp_client_min_port, + oconf->tcp_client_max_port, + oconf->tcp_max_per_addr); + } + if (oconf->tcp_client_max_idle != nconf->tcp_client_max_idle) { + oconf->tcp_client_max_idle = nconf->tcp_client_max_idle; + periodic_reconfigure(); + } + if (oconf->tcp_listen_port != nconf->tcp_listen_port || + oconf->tcp_listen_queue != nconf->tcp_listen_queue) { + oconf->tcp_listen_port = nconf->tcp_listen_port; + oconf->tcp_listen_queue = nconf->tcp_listen_queue; + // FIXME: need to restart the network stuff + } +} diff --git a/src/auditd-listen.h b/src/auditd-listen.h index 81e0ad3..440b6ab 100644 --- a/src/auditd-listen.h +++ b/src/auditd-listen.h @@ -25,9 +25,10 @@ #define AUDITD_LISTEN_H #include "ev.h" -void auditd_set_ports(int minp, int maxp, int max_p_addr); int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ); void auditd_tcp_listen_uninit ( struct ev_loop *loop ); void auditd_tcp_listen_check_idle ( struct ev_loop *loop ); +void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, + struct daemon_conf *oconf ); #endif -- 1.7.9.5

Move the periodic watcher (un)initialization and handler code into auditd-listen.c to allow for easy disabling at build time. The (un)initialization is now handled by auditd_tcp_listen_init() and auditd_tcp_listen_uninit(). --- src/auditd-config.h | 2 -- src/auditd-listen.c | 40 +++++++++++++++++++++++++++++++++++++--- src/auditd-listen.h | 4 ++-- src/auditd.c | 32 +------------------------------- 4 files changed, 40 insertions(+), 38 deletions(-) diff --git a/src/auditd-config.h b/src/auditd-config.h index 9bf6698..f58a521 100644 --- a/src/auditd-config.h +++ b/src/auditd-config.h @@ -96,7 +96,5 @@ int start_config_manager(struct auditd_reply_list *rep); void shutdown_config(void); void free_config(struct daemon_conf *config); -void periodic_reconfigure(void); - #endif diff --git a/src/auditd-listen.c b/src/auditd-listen.c index 0caf324..01c14a0 100644 --- a/src/auditd-listen.c +++ b/src/auditd-listen.c @@ -75,6 +75,7 @@ typedef struct ev_tcp { static int listen_socket; static struct ev_io tcp_listen_watcher; +static struct ev_periodic periodic_watcher; static int min_port, max_port, max_per_addr; static int use_libwrap = 1; #ifdef USE_GSSAPI @@ -87,6 +88,8 @@ static char msgbuf[MAX_AUDIT_MESSAGE_LENGTH + 1]; static struct ev_tcp *client_chain = NULL; +static void auditd_tcp_listen_check_idle (struct ev_loop *loop ); + static char *sockaddr_to_ipv4(struct sockaddr_in *addr) { unsigned char *uaddr = (unsigned char *)&(addr->sin_addr); @@ -873,11 +876,26 @@ static void auditd_set_ports(int minp, int maxp, int max_p_addr) max_per_addr = max_p_addr; } +static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, + int revents ) +{ + struct daemon_conf *config = (struct daemon_conf *) per->data; + + if (config->tcp_client_max_idle) + auditd_tcp_listen_check_idle (loop); +} + int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) { struct sockaddr_in address; int one = 1; + ev_periodic_init (&periodic_watcher, periodic_handler, + 0, config->tcp_client_max_idle, NULL); + periodic_watcher.data = config; + if (config->tcp_client_max_idle) + ev_periodic_start (loop, &periodic_watcher); + /* If the port is not set, that means we aren't going to listen for connections. */ if (config->tcp_listen_port == 0) @@ -963,7 +981,8 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) return 0; } -void auditd_tcp_listen_uninit ( struct ev_loop *loop ) +void auditd_tcp_listen_uninit ( struct ev_loop *loop, + struct daemon_conf *config ) { #ifdef USE_GSSAPI OM_uint32 status; @@ -987,9 +1006,12 @@ void auditd_tcp_listen_uninit ( struct ev_loop *loop ) ev_io_stop (loop, &client_chain->io); close_client (client_chain); } + + if (config->tcp_client_max_idle) + ev_periodic_stop (loop, &periodic_watcher); } -void auditd_tcp_listen_check_idle (struct ev_loop *loop ) +static void auditd_tcp_listen_check_idle (struct ev_loop *loop ) { struct ev_tcp *ev, *next = NULL; int active; @@ -1010,6 +1032,18 @@ void auditd_tcp_listen_check_idle (struct ev_loop *loop ) } } +static void periodic_reconfigure(struct daemon_conf *config) +{ + struct ev_loop *loop = ev_default_loop (EVFLAG_AUTO); + if (config->tcp_client_max_idle) { + ev_periodic_set (&periodic_watcher, ev_now (loop), + config->tcp_client_max_idle, NULL); + ev_periodic_start (loop, &periodic_watcher); + } else { + ev_periodic_stop (loop, &periodic_watcher); + } +} + void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, struct daemon_conf *oconf ) { @@ -1026,7 +1060,7 @@ void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, } if (oconf->tcp_client_max_idle != nconf->tcp_client_max_idle) { oconf->tcp_client_max_idle = nconf->tcp_client_max_idle; - periodic_reconfigure(); + periodic_reconfigure(oconf); } if (oconf->tcp_listen_port != nconf->tcp_listen_port || oconf->tcp_listen_queue != nconf->tcp_listen_queue) { diff --git a/src/auditd-listen.h b/src/auditd-listen.h index 440b6ab..024fd6f 100644 --- a/src/auditd-listen.h +++ b/src/auditd-listen.h @@ -26,8 +26,8 @@ #include "ev.h" int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ); -void auditd_tcp_listen_uninit ( struct ev_loop *loop ); -void auditd_tcp_listen_check_idle ( struct ev_loop *loop ); +void auditd_tcp_listen_uninit ( struct ev_loop *loop, + struct daemon_conf *config ); void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, struct daemon_conf *oconf ); diff --git a/src/auditd.c b/src/auditd.c index e0ee702..a369434 100644 --- a/src/auditd.c +++ b/src/auditd.c @@ -68,7 +68,6 @@ static int do_fork = 1; static struct auditd_reply_list *rep = NULL; static int hup_info_requested = 0, usr1_info_requested = 0; static char subj[SUBJ_LEN]; -static struct ev_periodic periodic_watcher; /* Local function prototypes */ int send_audit_event(int type, const char *str); @@ -442,27 +441,6 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io, } } -static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, - int revents ) -{ - struct daemon_conf *config = (struct daemon_conf *) per->data; - - if (config->tcp_client_max_idle) - auditd_tcp_listen_check_idle (loop); -} - -void periodic_reconfigure(void) -{ - struct ev_loop *loop = ev_default_loop (EVFLAG_AUTO); - if (config.tcp_client_max_idle) { - ev_periodic_set (&periodic_watcher, ev_now (loop), - config.tcp_client_max_idle, NULL); - ev_periodic_start (loop, &periodic_watcher); - } else { - ev_periodic_stop (loop, &periodic_watcher); - } -} - int main(int argc, char *argv[]) { struct sigaction sa; @@ -719,12 +697,6 @@ int main(int argc, char *argv[]) ev_signal_init (&sigchld_watcher, child_handler, SIGCHLD); ev_signal_start (loop, &sigchld_watcher); - ev_periodic_init (&periodic_watcher, periodic_handler, - 0, config.tcp_client_max_idle, NULL); - periodic_watcher.data = &config; - if (config.tcp_client_max_idle) - ev_periodic_start (loop, &periodic_watcher); - if (auditd_tcp_listen_init (loop, &config)) { char emsg[DEFAULT_BUF_SZ]; if (*subj) @@ -755,15 +727,13 @@ int main(int argc, char *argv[]) if (!stop) ev_loop (loop, 0); - auditd_tcp_listen_uninit (loop); + auditd_tcp_listen_uninit (loop, &config); // Tear down IO watchers Part 1 ev_signal_stop (loop, &sighup_watcher); ev_signal_stop (loop, &sigusr1_watcher); ev_signal_stop (loop, &sigusr2_watcher); ev_signal_stop (loop, &sigterm_watcher); - if (config.tcp_client_max_idle) - ev_periodic_stop (loop, &periodic_watcher); /* Write message to log that we are going down */ rc = audit_request_signal_info(fd); -- 1.7.9.5

Add the --disable-listener configure option to leave the network listener code out of auditd. By default, the listener code is still included in auditd. When the listener is disabled, the listener init, uninit, and reconfigure functions are stubbed out. ifdefs are used in auditd-config.c to disable the listener-specific parsers, following the style of the krb5 parser functions. --- configure.ac | 14 ++++++++++++++ src/Makefile.am | 5 ++++- src/auditd-config.c | 35 +++++++++++++++++++++++++++++++++++ src/auditd-listen.h | 21 +++++++++++++++++++++ 4 files changed, 74 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index e14df60..76eaa26 100644 --- a/configure.ac +++ b/configure.ac @@ -104,6 +104,20 @@ fi fi AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes") +#auditd listener +AC_MSG_CHECKING(whether to include auditd network listener support) +AC_ARG_ENABLE(listener, + [AS_HELP_STRING([--disable-listener], + [Disable auditd network listener support])], + enable_listener=$enableval, + enable_listener=yes) +if test "x$enable_listener" != "xno"; then + AC_DEFINE(USE_LISTENER, 1, + [Define if you want to use the auditd network listener.]) +fi +AM_CONDITIONAL(ENABLE_LISTENER, test "x$enable_listener" != "xno") +AC_MSG_RESULT($enable_listener) + #gssapi AC_ARG_ENABLE(gssapi_krb5, [AS_HELP_STRING([--enable-gssapi-krb5],[Enable GSSAPI Kerberos 5 support @<:@default=no@:>@])], diff --git a/src/Makefile.am b/src/Makefile.am index 57ddd27..fdfa5cf 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -28,7 +28,10 @@ sbin_PROGRAMS = auditd auditctl aureport ausearch autrace AM_CFLAGS = -D_GNU_SOURCE noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h -auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c auditd-listen.c +auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c +if ENABLE_LISTENER +auditd_SOURCES += auditd-listen.c +endif auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread auditd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now auditd_DEPENDENCIES = mt/libauditmt.a libev/libev.a diff --git a/src/auditd-config.c b/src/auditd-config.c index 9569378..13220bf 100644 --- a/src/auditd-config.c +++ b/src/auditd-config.c @@ -1189,6 +1189,12 @@ static int tcp_listen_port_parser(struct nv_pair *nv, int line, audit_msg(LOG_DEBUG, "tcp_listen_port_parser called with: %s", nv->value); +#ifndef USE_LISTENER + audit_msg(LOG_DEBUG, + "Listener support is not enabled, ignoring value at line %d", + line); + return 0; +#else /* check that all chars are numbers */ for (i=0; ptr[i]; i++) { if (!isdigit(ptr[i])) { @@ -1223,6 +1229,7 @@ static int tcp_listen_port_parser(struct nv_pair *nv, int line, } config->tcp_listen_port = (unsigned int)i; return 0; +#endif } static int tcp_listen_queue_parser(struct nv_pair *nv, int line, @@ -1234,6 +1241,12 @@ static int tcp_listen_queue_parser(struct nv_pair *nv, int line, audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s", nv->value); +#ifndef USE_LISTENER + audit_msg(LOG_DEBUG, + "Listener support is not enabled, ignoring value at line %d", + line); + return 0; +#else /* check that all chars are numbers */ for (i=0; ptr[i]; i++) { if (!isdigit(ptr[i])) { @@ -1270,6 +1283,7 @@ static int tcp_listen_queue_parser(struct nv_pair *nv, int line, } config->tcp_listen_queue = (unsigned int)i; return 0; +#endif } @@ -1282,6 +1296,12 @@ static int tcp_max_per_addr_parser(struct nv_pair *nv, int line, audit_msg(LOG_DEBUG, "tcp_max_per_addr_parser called with: %s", nv->value); +#ifndef USE_LISTENER + audit_msg(LOG_DEBUG, + "Listener support is not enabled, ignoring value at line %d", + line); + return 0; +#else /* check that all chars are numbers */ for (i=0; ptr[i]; i++) { if (!isdigit(ptr[i])) { @@ -1318,6 +1338,7 @@ static int tcp_max_per_addr_parser(struct nv_pair *nv, int line, } config->tcp_max_per_addr = (unsigned int)i; return 0; +#endif } static int use_libwrap_parser(struct nv_pair *nv, int line, @@ -1348,6 +1369,12 @@ static int tcp_client_ports_parser(struct nv_pair *nv, int line, audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s", nv->value); +#ifndef USE_LISTENER + audit_msg(LOG_DEBUG, + "Listener support is not enabled, ignoring value at line %d", + line); + return 0; +#else /* check that all chars are numbers, with an optional inclusive '-'. */ for (i=0; ptr[i]; i++) { if (i > 0 && ptr[i] == '-' && ptr[i+1] != '\0') { @@ -1412,6 +1439,7 @@ static int tcp_client_ports_parser(struct nv_pair *nv, int line, config->tcp_client_min_port = (unsigned int)minv; config->tcp_client_max_port = (unsigned int)maxv; return 0; +#endif } static int tcp_client_max_idle_parser(struct nv_pair *nv, int line, @@ -1423,6 +1451,12 @@ static int tcp_client_max_idle_parser(struct nv_pair *nv, int line, audit_msg(LOG_DEBUG, "tcp_client_max_idle_parser called with: %s", nv->value); +#ifndef USE_LISTENER + audit_msg(LOG_DEBUG, + "Listener support is not enabled, ignoring value at line %d", + line); + return 0; +#else /* check that all chars are numbers */ for (i=0; ptr[i]; i++) { if (!isdigit(ptr[i])) { @@ -1453,6 +1487,7 @@ static int tcp_client_max_idle_parser(struct nv_pair *nv, int line, } config->tcp_client_max_idle = (unsigned int)i; return 0; +#endif } static int enable_krb5_parser(struct nv_pair *nv, int line, diff --git a/src/auditd-listen.h b/src/auditd-listen.h index 024fd6f..69f9310 100644 --- a/src/auditd-listen.h +++ b/src/auditd-listen.h @@ -25,10 +25,31 @@ #define AUDITD_LISTEN_H #include "ev.h" + +#ifdef USE_LISTENER int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ); void auditd_tcp_listen_uninit ( struct ev_loop *loop, struct daemon_conf *config ); void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, struct daemon_conf *oconf ); +#else +static inline int auditd_tcp_listen_init ( struct ev_loop *loop, + struct daemon_conf *config ) +{ + return 0; +} + +static inline void auditd_tcp_listen_uninit ( struct ev_loop *loop, + struct daemon_conf *config ) +{ + return; +} + +static inline void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, + struct daemon_conf *oconf ) +{ + return; +} +#endif /* USE_LISTENER */ #endif -- 1.7.9.5