From: Robin Green <greenrd@greenrd.org>
To: 42427@debbugs.gnu.org
Subject: [bug#42427] [PATCH] services: Fix auditd startup.
Date: Sun, 26 Jul 2020 17:28:49 +0100	[thread overview]
Message-ID: <87k0yqxmta.fsf@greenrd.org> (raw)
In-Reply-To: <20200719171731.7453-1-greenrd@greenrd.org>

On 2020-07-22 23:07, Ludovic Courtès wrote:
> Hello Robin,

Hi

> Robin Green <greenrd@greenrd.org> skribis:
> 
>> * gnu/services/auditd.scm: Make auditd start successfully in the default case.
>> * gnu/services/aux-files/auditd/auditd.conf: New file.
>> * doc/guix.texi (Miscellaneous Services): Update docs to reflect changes.
> 
> Nice, it’s a good idea.  Some comments below:
> 
>> -(define-configuration auditd-configuration
>> -  (audit
>> -   (package audit)
>> -   "Audit package."))
>> +(define-record-type* <auditd-configuration>
> 
> I think we should keep using ‘define-configuration’, unless there’s a
> good reason to change.  WDYT?

I couldn't get it to work with ‘define-configuration’ - I kept getting
errors. I asked on #guix, and it was suggested that I do it this way
instead.

>> +  auditd-configuration make-auditd-configuration
>> +  auditd-configuration?
>> +  (audit           auditd-configuration-audit            ; package
>> +                   (default audit))
>> +  (configdir       auditd-configuration-configdir))      ; local-file
> 
> s/configdir/configuration-directory/, to be consistent with the rest of
> the code.

Done

> You can also set its default value.

I don't see the value in doing that, because the default is already set
elsewhere, and if the user wants to use a different package, they
probably also want to use a different configuration file than the
default one!

> 
>> +                  (auditd-configuration
>> +                   (configdir (local-file "aux-files/auditd" #:recursive? #t))))))
>> diff --git a/gnu/services/aux-files/auditd/auditd.conf b/gnu/services/aux-files/auditd/auditd.conf
>> new file mode 100644
>> index 0000000000..6e7555cf4c
>> --- /dev/null
>> +++ b/gnu/services/aux-files/auditd/auditd.conf
> 
> Since it’s a small file, I have a slight preference for using
> ‘plain-file’ + ‘computed-file’:
> 
>   (define auditd.conf
>     (plain-file …))
> 
>   (define %default-auditd-configuration-directory ;make it public
>     (computed-file "auditd"
>                    #~(begin
>                        (mkdir #$output)
>                        (copy-file #$auditd.conf
>                                   (string-append #$output "/auditd.conf")))))
> 
> WDYT?

Agreed - done


From 2944613bee5a742b04c26a7c27d3a09f9047dbe5 Mon Sep 17 00:00:00 2001
From: Robin Green <greenrd@greenrd.org>
Date: Sun, 19 Jul 2020 08:32:31 +0100
Subject: [PATCH] services: Fix auditd startup.

* gnu/services/auditd.scm: Make auditd start successfully in the default case.
* gnu/services/aux-files/auditd/auditd.conf: New file.
* doc/guix.texi (Miscellaneous Services): Update docs to reflect changes.
---
 doc/guix.texi           | 11 +++++++++--
 gnu/services/auditd.scm | 41 ++++++++++++++++++++++++++++++-----------
 2 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 2c5c017eea..8c7c055ce0 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27478,10 +27478,12 @@ Network access
 @command{auditctl} from the @code{audit} package can be used in order
 to add or remove events to be tracked (until the next reboot).
 In order to permanently track events, put the command line arguments
-of auditctl into @file{/etc/audit/audit.rules}.
+of auditctl into a file called @code{audit.rules} in the configuration
+directory (see below).
 @command{aureport} from the @code{audit} package can be used in order
 to view a report of all recorded events.
-The audit daemon usually logs into the directory @file{/var/log/audit}.
+The audit daemon by default logs into the file
+@file{/var/log/audit.log}.
 
 @end defvr
 
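Review bot: the new text writes the rules file as @code{audit.rules}, but the surrounding manual text uses @file{} for file names (the same hunk has @file{/var/log/audit.log}), so this should be @file{audit.rules}. The "(see below)" reference is also vague; naming the field it refers to (the configuration-directory field of @code{auditd-configuration}) would make the sentence self-contained.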
@@ -27493,6 +27495,11 @@ This is the data type representing the configuration of auditd.
 @item @code{audit} (default: @code{audit})
 The audit package to use.
 
+@item @code{configdir} (default: @code{(local-file "aux-files/auditd")})
+A directory containing a configuration file for the audit package, which
+must be named @code{auditd.conf}, and optionally some audit rules to
+instantiate on startup.
+
 @end table
 @end deftp
 
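Review bot: the field name and default documented here do not match the code in gnu/services/auditd.scm: the record field is called configuration-directory, not configdir, and the service's default value is %default-auditd-configuration-directory, while (local-file "aux-files/auditd") refers to a directory this version of the patch no longer adds. Change the item to "@item @code{configuration-directory} (default: @code{%default-auditd-configuration-directory})" and state that a replacement directory must itself contain an @file{auditd.conf}, since the daemon is started with @code{-c} pointing at it.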
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
index 8a9292015f..1750614207 100644
--- a/gnu/services/auditd.scm
+++ b/gnu/services/auditd.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019 Danny Milosavljevic <dannym@scratchpost.org>
+;;; Copyright © 2020 Robin Green <greenrd@greenrd.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,29 +27,47 @@
   #:use-module (guix gexp)
   #:use-module (guix packages)
   #:export (auditd-configuration
-            auditd-service-type))
+            auditd-service-type
+            %default-auditd-configuration-directory))
 
-; /etc/audit/audit.rules
+(define auditd.conf
+  (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
+ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
+syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
+ignore\ndisk_error_action = syslog\n"))
 
-(define-configuration auditd-configuration
-  (audit
-   (package audit)
-   "Audit package."))
+(define %default-auditd-configuration-directory
+  (computed-file "auditd"
+                 #~(begin
+                     (mkdir #$output)
+                     (copy-file #$auditd.conf
+                                (string-append #$output "/auditd.conf")))))
+
+(define-record-type* <auditd-configuration>
+  auditd-configuration make-auditd-configuration
+  auditd-configuration?
+  (audit                   auditd-configuration-audit                          ; package
+                           (default audit))
+  (configuration-directory auditd-configuration-configuration-directory))      ; local-file
 
 (define (auditd-shepherd-service config)
-  (let* ((audit (auditd-configuration-audit config)))
+  (let* ((audit (auditd-configuration-audit config))
+         (configuration-directory (auditd-configuration-configuration-directory config)))
     (list (shepherd-service
-           (documentation "Auditd allows you to audit file system accesses.")
+           (documentation "Auditd allows you to audit file system accesses and process execution.")
            (provision '(auditd))
            (start #~(make-forkexec-constructor
-                     (list (string-append #$audit "/sbin/auditd"))))
+                     (list (string-append #$audit "/sbin/auditd") "-c" #$configuration-directory)
+                     #:pid-file "/var/run/auditd.pid"))
            (stop #~(make-kill-destructor))))))
 
 (define auditd-service-type
   (service-type (name 'auditd)
-                (description "Allows auditing file system accesses.")
+                (description "Allows auditing file system accesses and process execution.")
                 (extensions
                  (list
                   (service-extension shepherd-root-service-type
                                      auditd-shepherd-service)))
-                (default-value (auditd-configuration))))
+                (default-value
+                  (auditd-configuration
+                   (configuration-directory %default-auditd-configuration-directory)))))
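Review bot: the configuration-directory field in define-record-type* has no (default ...) clause, so a user writing (auditd-configuration (audit my-audit)) to swap only the package gets an error about the missing field; the documented default only exists through the service type's default-value. Giving the field "(default %default-auditd-configuration-directory)" would make the record match the manual, and the trailing "; local-file" comment on that field is stale now that the default is a computed-file. Separately, the shipped auditd.conf sets admin_space_left_action = ignore and disk_full_action = ignore, which means audit records are silently dropped once the log volume fills; that is a deliberate leniency, but it deserves a sentence in the manual so operators know to tighten it.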
-- 
2.27.0
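An added example, not part of the submitted patch or the Guix tree, showing how a system definition would hand the patched service its own configuration directory: the directory is built the same way as %default-auditd-configuration-directory above, but it also carries an audit.rules file (the documentation hunk says rules placed there are applied at startup) and a stricter auditd.conf than the shipped default. The names my-auditd.conf, my-audit.rules, my-auditd-configuration-directory and my-auditd-service are assumptions.

```scheme
;; Added example (not the patch's own code).  Assumes the patched
;; (gnu services auditd) module with the `configuration-directory' field.
(use-modules (gnu)
             (gnu services auditd)
             (guix gexp))

;; Same keys as the patch's default auditd.conf, but the daemon suspends
;; logging instead of silently dropping records when the log volume is
;; full or the disk errors, so a gap in the audit trail is visible.
(define my-auditd.conf
  (plain-file "auditd.conf"
              "log_file = /var/log/audit.log
log_format = ENRICHED
freq = 1
space_left = 5%
space_left_action = syslog
admin_space_left_action = suspend
disk_full_action = suspend
disk_error_action = suspend
"))

;; auditctl arguments, one rule per line, loaded at startup: watch the
;; account databases for writes and record every execve on x86-64.
(define my-audit.rules
  (plain-file "audit.rules"
              "-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
"))

;; Build the directory in the store, exactly like the patch does for
;; %default-auditd-configuration-directory, plus the rules file.
(define my-auditd-configuration-directory
  (computed-file "auditd"
                 #~(begin
                     (mkdir #$output)
                     (copy-file #$my-auditd.conf
                                (string-append #$output "/auditd.conf"))
                     (copy-file #$my-audit.rules
                                (string-append #$output "/audit.rules")))))

;; Add this to the `services' field of an operating-system declaration,
;; e.g. (cons my-auditd-service %base-services).
(define my-auditd-service
  (service auditd-service-type
           (auditd-configuration
            (configuration-directory my-auditd-configuration-directory))))
```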


Thread overview:
2020-07-19 17:17 [bug#42427] [PATCH] services: Fix auditd startup Robin Green
2020-07-22 22:07 ` Ludovic Courtès
2020-07-26 16:28 ` Robin Green [this message]
2020-07-27  9:31   ` bug#42427: " Ludovic Courtès