Add auditd as an audit event source for middleware (#15263)
* Add auditd socket source to syslog-ng configuration.

This will be consumed by a script that reads the auditd socket and
consolidates / converts the audit events into single middleware
messages.
anodos325 authored Dec 24, 2024
1 parent 655687e commit 617f2b4
Showing 3 changed files with 8 additions and 1 deletion.
Expand Up @@ -80,6 +80,8 @@ ${textwrap.indent(get_db(svc), ' ')}
log {
% if svc == 'MIDDLEWARE':
source(tn_middleware_src);
% elif svc == 'SYSTEM':
source(tn_auditd_src);
% else:
source(s_src);
% endif
Expand Up @@ -71,6 +71,7 @@ def generate_syslog_remote_destination(advanced_config):
result += ' };\n'
result += 'log { source(tn_middleware_src); filter(f_tnremote); destination(loghost); };\n'
result += 'log { source(tn_auditd_src); filter(f_tnremote); destination(loghost); };\n'
result += 'log { source(s_src); filter(f_tnremote); destination(loghost); };\n'
return result
Expand Down Expand Up @@ -103,6 +104,10 @@ source tn_middleware_src {
unix-stream("${DEFAULT_SYSLOG_PATH}" create-dirs(yes) perm(0600));
};

source tn_auditd_src {
unix-stream("/var/run/syslog-ng/auditd.sock" create-dirs(yes) perm(0600));
};

##################
# filters
##################
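Review bot: The socket path in the new `tn_auditd_src` source is a bare literal, `/var/run/syslog-ng/auditd.sock`, while the sibling `tn_middleware_src` two lines above takes its path from `${DEFAULT_SYSLOG_PATH}`; the consolidation script named in the commit message must match this path exactly, so it is worth hoisting into a constant defined next to `DEFAULT_SYSLOG_PATH` (wherever that lives — not visible here) and written as `unix-stream("${AUDITD_SOCKET_PATH}" create-dirs(yes) perm(0600));`. Because anything that can connect to this socket can inject records into the SYSTEM audit table, `perm(0600)` is the right choice and deserves a comment naming the intended writer, e.g. `# Written only by the auditd consolidation script; 0600 so no other local user can forge SYSTEM audit events.` Ownership is left at syslog-ng's `owner()`/`group()` defaults (root, as far as I recall), which presumably matches the privilege the script runs with — confirm it is not meant to run unprivileged, or it will be unable to connect. The first hunk sits inside `generate_syslog_remote_destination`, whose body starts outside what is shown, so its surrounding code was not reviewed.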
2 changes: 1 addition & 1 deletion src/middlewared/middlewared/plugins/audit/utils.py
Expand Up @@ -6,7 +6,7 @@
from .schema.common import AuditEventParam

AUDIT_DATASET_PATH = '/audit'
AUDITED_SERVICES = [('MIDDLEWARE', 0.1), ('SMB', 0.1), ('SUDO', 0.1)]
AUDITED_SERVICES = [('MIDDLEWARE', 0.1), ('SMB', 0.1), ('SUDO', 0.1), ('SYSTEM', 0.1)]
AUDIT_TABLE_PREFIX = 'audit_'
AUDIT_LIFETIME = 7
AUDIT_DEFAULT_RESERVATION = 0
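Review bot: The new `('SYSTEM', 0.1)` entry in `AUDITED_SERVICES` gives no hint that SYSTEM is the consolidated auditd feed rather than a generic catch-all, which only the commit message and the syslog-ng change establish; a trailing comment would spare the next reader a trip through the config, e.g. `AUDITED_SERVICES = [('MIDDLEWARE', 0.1), ('SMB', 0.1), ('SUDO', 0.1), ('SYSTEM', 0.1)]  # SYSTEM: consolidated auditd events via the tn_auditd_src socket`. The meaning of the second tuple element (`0.1`) is likewise undocumented in this file; it predates the change, but a one-line comment above the list saying what it versions (per-service table schema, if that is what it is — I cannot tell from here) would help anyone adding the next service.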
