From 617f2b41301fd71f395b4ce24f4c9c651253dcba Mon Sep 17 00:00:00 2001
From: Andrew Walker
Date: Tue, 24 Dec 2024 10:10:19 -0600
Subject: [PATCH] Add auditd as an audit event source for middleware (#15263)

* Add auditd socket source to syslog-ng configuration. This will be consumed by a script that reads the auditd socket and consolidates / converts the audit events into single middleware messages.
---
 .../middlewared/etc_files/syslog-ng/conf.d/tnaudit.conf.mako | 2 ++
 .../middlewared/etc_files/syslog-ng/syslog-ng.conf.mako | 5 +++++
 src/middlewared/middlewared/plugins/audit/utils.py | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/middlewared/middlewared/etc_files/syslog-ng/conf.d/tnaudit.conf.mako b/src/middlewared/middlewared/etc_files/syslog-ng/conf.d/tnaudit.conf.mako
index e59962c4afcff..2aa62c96d261e 100644
--- a/src/middlewared/middlewared/etc_files/syslog-ng/conf.d/tnaudit.conf.mako
+++ b/src/middlewared/middlewared/etc_files/syslog-ng/conf.d/tnaudit.conf.mako
@@ -80,6 +80,8 @@ ${textwrap.indent(get_db(svc), ' ')}
 log {
 % if svc == 'MIDDLEWARE':
     source(tn_middleware_src);
+% elif svc == 'SYSTEM':
+    source(tn_auditd_src);
 % else:
     source(s_src);
 % endif
diff --git a/src/middlewared/middlewared/etc_files/syslog-ng/syslog-ng.conf.mako b/src/middlewared/middlewared/etc_files/syslog-ng/syslog-ng.conf.mako
index 0c6b56d625456..bcd948871aeeb 100644
--- a/src/middlewared/middlewared/etc_files/syslog-ng/syslog-ng.conf.mako
+++ b/src/middlewared/middlewared/etc_files/syslog-ng/syslog-ng.conf.mako
@@ -71,6 +71,7 @@ def generate_syslog_remote_destination(advanced_config):
     result += ' };\n'
 
     result += 'log { source(tn_middleware_src); filter(f_tnremote); destination(loghost); };\n'
+    result += 'log { source(tn_auditd_src); filter(f_tnremote); destination(loghost); };\n'
     result += 'log { source(s_src); filter(f_tnremote); destination(loghost); };\n'
     return result
 
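Review bot: The new `% elif svc == 'SYSTEM':` branch is coupled by a bare string to the `('SYSTEM', 0.1)` entry added to AUDITED_SERVICES in plugins/audit/utils.py, and nothing on either side records the dependency; if the two names ever drift, this template silently falls through to `source(s_src)` and the SYSTEM audit log is fed from the general syslog source instead of the auditd socket. A Mako comment at the branch, `## 'SYSTEM' must match the service name in plugins/audit/utils.py AUDITED_SERVICES`, plus the mirror note beside the utils.py tuple, would make the contract visible. The second element of each AUDITED_SERVICES tuple (0.1) is also undocumented in the utils.py hunk; a one-line comment above that list stating what the value controls would help the next person adding a service. The enclosing `log { … }` block opens inside this hunk but its closing brace is outside it.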
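Review bot: The added `result += 'log { source(tn_auditd_src); filter(f_tnremote); destination(loghost); };\n'` makes three consecutive statements that differ only in the source name; a single loop, `for src in ('tn_middleware_src', 'tn_auditd_src', 's_src'):` followed by `    result += f'log {{ source({src}); filter(f_tnremote); destination(loghost); }};\n'`, produces the same text in the same order and gives one list to extend when the next audit source is added. This is a style point only; the generated configuration is unchanged. generate_syslog_remote_destination's body begins outside the hunk, and f_tnremote is defined elsewhere in the file.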
@@ -103,6 +104,10 @@ source tn_middleware_src {
     unix-stream("${DEFAULT_SYSLOG_PATH}" create-dirs(yes) perm(0600));
 };
 
+source tn_auditd_src {
+    unix-stream("/var/run/syslog-ng/auditd.sock" create-dirs(yes) perm(0600));
+};
+
 ##################
 # filters
 ##################
diff --git a/src/middlewared/middlewared/plugins/audit/utils.py b/src/middlewared/middlewared/plugins/audit/utils.py
index f63d96e0757b0..1b726f288fc2d 100644
--- a/src/middlewared/middlewared/plugins/audit/utils.py
+++ b/src/middlewared/middlewared/plugins/audit/utils.py
@@ -6,7 +6,7 @@ from .schema.common import AuditEventParam
 
 AUDIT_DATASET_PATH = '/audit'
-AUDITED_SERVICES = [('MIDDLEWARE', 0.1), ('SMB', 0.1), ('SUDO', 0.1)]
+AUDITED_SERVICES = [('MIDDLEWARE', 0.1), ('SMB', 0.1), ('SUDO', 0.1), ('SYSTEM', 0.1)]
 AUDIT_TABLE_PREFIX = 'audit_'
 AUDIT_LIFETIME = 7
 AUDIT_DEFAULT_RESERVATION = 0
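Review bot: `unix-stream("/var/run/syslog-ng/auditd.sock" create-dirs(yes) perm(0600));` hard-codes the socket path while the sibling tn_middleware_src takes its path from `${DEFAULT_SYSLOG_PATH}`; the converter script described in the commit message (presumably the writer to this socket) has to agree on the same literal, so a template variable defined next to DEFAULT_SYSLOG_PATH, e.g. `unix-stream("${DEFAULT_AUDITD_PATH}" create-dirs(yes) perm(0600));` with that name chosen to match the existing convention, gives both sides one definition. `perm(0600)` with no `owner()`/`group()` means only the socket's owner, the account syslog-ng creates it as, and root can connect, so the producing script must run as that user; if it is meant to run unprivileged, prefer adding `owner()`/`group()` here over loosening `perm()`, since anything that can write to this socket can inject records into the SYSTEM audit database. A short comment on the source block saying as much would keep a future edit from widening the permission casually.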