Gentoo Forums
How to enable periods processing with systemd audit [solved]
vaxbrat
Joined: 05 Oct 2005
Posts: 731
Location: DC Burbs

Posted: Tue Jun 14, 2016 10:12 pm    Post subject: How to enable periods processing with systemd audit [solved]

I wrote a framework of python scripts over the years to handle the collection and management of auditing on a number of platforms. For servers that are up 24x7, it's simple enough to put an entry in the root crontab that rotates the audit logs once a day and then does some post processing to convert the raw logs into an sqlite database for later review.

Things get a little more complicated when dealing with a server that is only used for "periods processing", that is it is only booted as necessary and then shut down and locked up when not in use. The logs must get broken up and processed in a sane fashion so that a reviewer can look at their reports on a day by partial day basis.

In the past this was simple enough to do with sysvinit, openrc and upstart based init scripts. I simply hooked a python script into the stop function in /etc/init.d/auditd to do the renaming and post processing after auditd was shut down. The system waits synchronously until the script exits before going into unmount and final shutdown. However, systemd appears to be making life a lot harder for me to implement this.

I found the /usr/lib/systemd/system/auditd.service file and then started looking into the ExecStop and ExecStopPost options for hooking in my script. The docs are a bit vague, but I get the impression that using ExecStopPost starts my script as I want after auditd is dead, but the whole thing is asynchronous. Thus my stuff just barely gets started before the system goes into final shutdown. If I put things in ExecStop instead, it would appear that I need to hunt down the pidfile and send the SIGTERM on my own if I want my stuff to run on a cold audit.log. On the plus side, I get the impression that these commands force things to be synchronous. Hopefully that would sabotage things enough for systemd to keep things mounted and up until auditd.service is finally terminated.

Can anybody confirm this behavior or has anybody done something similar?
vaxbrat

Posted: Wed Jun 15, 2016 4:38 pm    Post subject: auditd.service

It looks like the trick is to use the ExecStop and not ExecStopPost functions. I had to send a kill -TERM and then do my script as follows. This file hides in /usr/lib/systemd/system/auditd.service on centos/rhel7. I presume it would be the same for a systemd based gentoo, but I would never let that sort of thing happen :wink:

Code:

[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0

[Service]
ExecStart=/sbin/auditd -n
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
#
#  handle periods processing
#
ExecStop=/bin/kill -TERM $MAINPID
ExecStop=/bin/python /home/audit/bin/process_audit.py

[Install]
WantedBy=multi-user.target


There are two things to note here: if you do a kill -9 instead of a kill -TERM, you will get a kernel panic on shutdown when it can no longer find an auditd process. With a -TERM instead, you will see the last snootful of audit events on your system console. Also you will need to do a:

Code:
systemctl daemon-reload


after editing the service file or you will be duly ignored until probably after the next reboot or maybe longer. They must be caching this junk somewhere I guess.
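One way to write the process_audit.py hook that the ExecStop line in the service file above calls, as an added example and not the poster's script: it rotates the cold audit.log and loads each record into sqlite for review. The log path, the database path and the table layout are assumptions, and the sample records are constructed.

```python
"""Hypothetical process_audit.py for the ExecStop hook above: once auditd has
exited, rotate the cold audit.log and load its records into sqlite (not the poster's code)."""
import os
import re
import sqlite3
import time
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# a value is "quoted", 'quoted' (the nested msg='...' of USER_* records) or a bare token
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_audit_line(line):
    """Return (type, timestamp, serial, {field: value}) or None if not an audit record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"\'') for k, v in FIELD.findall(m.group(4))}
    return m.group(1), float(m.group(2)), int(m.group(3)), fields

def load_records(lines, conn):
    """Insert every parseable record into table `audit`; return the count inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS audit "
                 "(type TEXT, ts REAL, serial INTEGER, uid TEXT, exe TEXT, raw TEXT)")
    n = 0
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:       # e.g. a blank or truncated line at the end of the file
            continue
        typ, ts, serial, f = rec
        conn.execute("INSERT INTO audit VALUES (?,?,?,?,?,?)",
                     (typ, ts, serial, f.get('uid'), f.get('exe'), line.rstrip('\n')))
        n += 1
    conn.commit()
    return n

def rotate_and_process(log='/var/log/audit/audit.log', db='/var/log/audit/audit.sqlite'):
    """Rename the cold log with a timestamp, then load it (paths are assumptions)."""
    rotated = '%s.%s' % (log, time.strftime('%Y%m%d-%H%M%S'))
    os.rename(log, rotated)   # safe only because ExecStop already sent SIGTERM to auditd
    with open(rotated) as fh, sqlite3.connect(db) as conn:
        return load_records(fh, conn)

SAMPLE = [  # constructed sample records standing in for a real audit.log
    'type=SYSCALL msg=audit(1465941123.456:789): arch=c000003e syscall=59 success=yes uid=0 comm="ls" exe="/bin/ls" key="exec"',
    "type=USER_LOGIN msg=audit(1465941200.001:790): pid=1234 uid=0 auid=1000 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" addr=192.0.2.10 res=success'",
    'not an audit record',
]

def demo():
    """Load the sample into an in-memory database; return (inserted, types seen)."""
    conn = sqlite3.connect(':memory:')
    n = load_records(SAMPLE, conn)
    return n, [r[0] for r in conn.execute("SELECT type FROM audit ORDER BY serial")]
```

Called from ExecStop it runs synchronously after the kill -TERM line, so the rotation and the sqlite load finish before systemd proceeds to unmount.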