From: Tyler Hicks <tyhicks@canonical.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: [PATCH 5/5] Conditionally build auditd network listener support
Date: Wed, 1 Aug 2012 00:00:24 -0700 [thread overview]
Message-ID: <1343804424-3172-6-git-send-email-tyhicks@canonical.com> (raw)
In-Reply-To: <1343804424-3172-1-git-send-email-tyhicks@canonical.com>
Add the --disable-listener configure option to leave the network
listener code out of auditd. By default, the listener code is still
included in auditd. When the listener is disabled, the listener init,
uninit, and reconfigure functions are stubbed out.
ifdefs are used in auditd-config.c to disable the listener-specific
parsers, following the style of the krb5 parser functions.
---
configure.ac | 14 ++++++++++++++
src/Makefile.am | 5 ++++-
src/auditd-config.c | 35 +++++++++++++++++++++++++++++++++++
src/auditd-listen.h | 21 +++++++++++++++++++++
4 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index e14df60..76eaa26 100644
--- a/configure.ac
+++ b/configure.ac
@@ -104,6 +104,20 @@ fi
fi
AM_CONDITIONAL(HAVE_PYTHON, test ${python_found} = "yes")
+#auditd listener
+AC_MSG_CHECKING(whether to include auditd network listener support)
+AC_ARG_ENABLE(listener,
+ [AS_HELP_STRING([--disable-listener],
+ [Disable auditd network listener support])],
+ enable_listener=$enableval,
+ enable_listener=yes)
+if test "x$enable_listener" != "xno"; then
+ AC_DEFINE(USE_LISTENER, 1,
+ [Define if you want to use the auditd network listener.])
+fi
+AM_CONDITIONAL(ENABLE_LISTENER, test "x$enable_listener" != "xno")
+AC_MSG_RESULT($enable_listener)
+
#gssapi
AC_ARG_ENABLE(gssapi_krb5,
[AS_HELP_STRING([--enable-gssapi-krb5],[Enable GSSAPI Kerberos 5 support @<:@default=no@:>@])],
diff --git a/src/Makefile.am b/src/Makefile.am
index 57ddd27..fdfa5cf 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -28,7 +28,10 @@ sbin_PROGRAMS = auditd auditctl aureport ausearch autrace
AM_CFLAGS = -D_GNU_SOURCE
noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h
-auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c auditd-listen.c
+auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c
+if ENABLE_LISTENER
+auditd_SOURCES += auditd-listen.c
+endif
auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread
auditd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
auditd_DEPENDENCIES = mt/libauditmt.a libev/libev.a
diff --git a/src/auditd-config.c b/src/auditd-config.c
index 9569378..13220bf 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -1189,6 +1189,12 @@ static int tcp_listen_port_parser(struct nv_pair *nv, int line,
audit_msg(LOG_DEBUG, "tcp_listen_port_parser called with: %s",
nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
if (!isdigit(ptr[i])) {
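Review bot: The ignored listener setting is reported only at LOG_DEBUG, which is not visible at a default syslog level, and the parser still returns 0, so an administrator who sets tcp_listen_port in auditd.conf on a `--disable-listener` build gets a clean config load and no indication that the daemon is not listening; raising it to `audit_msg(LOG_WARNING, "Listener support is not enabled, ignoring value at line %d", line);` makes the dropped setting visible. The early return also leaves the locals declared above the hunk (the `i` and `ptr` used by the compiled-out `for (i=0; ptr[i]; i++)` loop) unused in the disabled build, which will likely produce unused-variable warnings; the declarations are outside the hunk, so whether `ptr` is initialised from `nv->value` there cannot be confirmed, but moving the `#ifndef USE_LISTENER` above those declarations (keeping them inside the `#else` arm) avoids it. The `#ifndef` also assumes config.h is already included in auditd-config.c, which the hunk does not show. The same pattern is repeated in the tcp_listen_queue_parser, tcp_max_per_addr_parser, tcp_client_ports_parser and tcp_client_max_idle_parser hunks. The enclosing function starts and ends outside this hunk.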
@@ -1223,6 +1229,7 @@ static int tcp_listen_port_parser(struct nv_pair *nv, int line,
}
config->tcp_listen_port = (unsigned int)i;
return 0;
+#endif
}
static int tcp_listen_queue_parser(struct nv_pair *nv, int line,
@@ -1234,6 +1241,12 @@ static int tcp_listen_queue_parser(struct nv_pair *nv, int line,
audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s",
nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
if (!isdigit(ptr[i])) {
@@ -1270,6 +1283,7 @@ static int tcp_listen_queue_parser(struct nv_pair *nv, int line,
}
config->tcp_listen_queue = (unsigned int)i;
return 0;
+#endif
}
@@ -1282,6 +1296,12 @@ static int tcp_max_per_addr_parser(struct nv_pair *nv, int line,
audit_msg(LOG_DEBUG, "tcp_max_per_addr_parser called with: %s",
nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
if (!isdigit(ptr[i])) {
@@ -1318,6 +1338,7 @@ static int tcp_max_per_addr_parser(struct nv_pair *nv, int line,
}
config->tcp_max_per_addr = (unsigned int)i;
return 0;
+#endif
}
static int use_libwrap_parser(struct nv_pair *nv, int line,
@@ -1348,6 +1369,12 @@ static int tcp_client_ports_parser(struct nv_pair *nv, int line,
audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s",
nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
/* check that all chars are numbers, with an optional inclusive '-'. */
for (i=0; ptr[i]; i++) {
if (i > 0 && ptr[i] == '-' && ptr[i+1] != '\0') {
@@ -1412,6 +1439,7 @@ static int tcp_client_ports_parser(struct nv_pair *nv, int line,
config->tcp_client_min_port = (unsigned int)minv;
config->tcp_client_max_port = (unsigned int)maxv;
return 0;
+#endif
}
static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
@@ -1423,6 +1451,12 @@ static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
audit_msg(LOG_DEBUG, "tcp_client_max_idle_parser called with: %s",
nv->value);
+#ifndef USE_LISTENER
+ audit_msg(LOG_DEBUG,
+ "Listener support is not enabled, ignoring value at line %d",
+ line);
+ return 0;
+#else
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
if (!isdigit(ptr[i])) {
@@ -1453,6 +1487,7 @@ static int tcp_client_max_idle_parser(struct nv_pair *nv, int line,
}
config->tcp_client_max_idle = (unsigned int)i;
return 0;
+#endif
}
static int enable_krb5_parser(struct nv_pair *nv, int line,
diff --git a/src/auditd-listen.h b/src/auditd-listen.h
index 024fd6f..69f9310 100644
--- a/src/auditd-listen.h
+++ b/src/auditd-listen.h
@@ -25,10 +25,31 @@
#define AUDITD_LISTEN_H
#include "ev.h"
+
+#ifdef USE_LISTENER
int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config );
void auditd_tcp_listen_uninit ( struct ev_loop *loop,
struct daemon_conf *config );
void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf,
struct daemon_conf *oconf );
+#else
+static inline int auditd_tcp_listen_init ( struct ev_loop *loop,
+ struct daemon_conf *config )
+{
+ return 0;
+}
+
+static inline void auditd_tcp_listen_uninit ( struct ev_loop *loop,
+ struct daemon_conf *config )
+{
+ return;
+}
+
+static inline void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf,
+ struct daemon_conf *oconf )
+{
+ return;
+}
+#endif /* USE_LISTENER */
#endif
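Review bot: The `#ifdef USE_LISTENER` switch relies on the macro that configure.ac defines (presumably into config.h), but auditd-listen.h does not include config.h itself, so any translation unit that includes this header before or without config.h silently gets the stub `auditd_tcp_listen_init` that returns 0, and the listener never starts even in an enabled build with nothing logged to show it. Whether auditd.c includes config.h first is outside this hunk; the defensive fix is to have the header pull the definition in itself, e.g. `#include "config.h"` alongside `#include "ev.h"`, or at least to state the ordering requirement in a comment above the `#ifdef`. The stubs also leave `loop`, `config`, `nconf` and `oconf` unused, which trips `-Wunused-parameter` under `-Wextra`; adding `(void)loop; (void)config;` to each body and dropping the bare `return;` from the void stubs keeps the disabled build warning-clean.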
--
1.7.9.5