Package: guix-patches;
Reported by: Robin Green <greenrd <at> greenrd.org>
Date: Sun, 19 Jul 2020 17:26:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #5 received at submit <at> debbugs.gnu.org:
From: Robin Green <greenrd <at> greenrd.org>
To: guix-patches <at> gnu.org
Cc: Robin Green <greenrd <at> greenrd.org>
Subject: [PATCH] services: Fix auditd startup.
Date: Sun, 19 Jul 2020 18:17:31 +0100
* gnu/services/auditd.scm: Make auditd start successfully in the default case. * gnu/services/aux-files/auditd/auditd.conf: New file. * doc/guix.texi (Miscellaneous Services): Update docs to reflect changes. --- doc/guix.texi | 11 +++++++-- gnu/services/auditd.scm | 27 ++++++++++++++--------- gnu/services/aux-files/auditd/auditd.conf | 9 ++++++++ 3 files changed, 34 insertions(+), 13 deletions(-) create mode 100644 gnu/services/aux-files/auditd/auditd.conf diff --git a/doc/guix.texi b/doc/guix.texi index 2c5c017eea..8c7c055ce0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27478,10 +27478,12 @@ Network access @command{auditctl} from the @code{audit} package can be used in order to add or remove events to be tracked (until the next reboot). In order to permanently track events, put the command line arguments -of auditctl into @file{/etc/audit/audit.rules}. +of auditctl into a file called @code{audit.rules} in the configuration +directory (see below). @command{aureport} from the @code{audit} package can be used in order to view a report of all recorded events. -The audit daemon usually logs into the directory @file{/var/log/audit}. +The audit daemon by default logs into the file +@file{/var/log/audit.log}. @end defvr @@ -27493,6 +27495,11 @@ This is the data type representing the configuration of auditd. @item @code{audit} (default: @code{audit}) The audit package to use. +@item @code{configdir} (default: @code{(local-file "aux-files/auditd")}) +A directory containing a configuration file for the audit package, which +must be named @code{auditd.conf}, and optionally some audit rules to +instantiate on startup. + @end table @end deftp diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm index 8a9292015f..73db202bb6 100644 --- a/gnu/services/auditd.scm +++ b/gnu/services/auditd.scm 
@@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019 Danny Milosavljevic <dannym <at> scratchpost.org> +;;; Copyright © 2020 Robin Green <greenrd <at> greenrd.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,27 +29,31 @@ #:export (auditd-configuration auditd-service-type)) -; /etc/audit/audit.rules - -(define-configuration auditd-configuration - (audit - (package audit) - "Audit package.")) +(define-record-type* <auditd-configuration> + auditd-configuration make-auditd-configuration + auditd-configuration? + (audit auditd-configuration-audit ; package + (default audit)) + (configdir auditd-configuration-configdir)) ; local-file (define (auditd-shepherd-service config) - (let* ((audit (auditd-configuration-audit config))) + (let* ((audit (auditd-configuration-audit config)) + (configdir (auditd-configuration-configdir config))) (list (shepherd-service - (documentation "Auditd allows you to audit file system accesses.") + (documentation "Auditd allows you to audit file system accesses and process execution.") (provision '(auditd)) (start #~(make-forkexec-constructor - (list (string-append #$audit "/sbin/auditd")))) + (list (string-append #$audit "/sbin/auditd") "-c" #$configdir) + #:pid-file "/var/run/auditd.pid")) (stop #~(make-kill-destructor)))))) (define auditd-service-type (service-type (name 'auditd) - (description "Allows auditing file system accesses.") + (description "Allows auditing file system accesses and process execution.") (extensions (list (service-extension shepherd-root-service-type auditd-shepherd-service))) - (default-value (auditd-configuration)))) + (default-value + (auditd-configuration + (configdir (local-file "aux-files/auditd" #:recursive? #t)))))) diff --git a/gnu/services/aux-files/auditd/auditd.conf b/gnu/services/aux-files/auditd/auditd.conf new file mode 100644 index 0000000000..6e7555cf4c --- /dev/null +++ b/gnu/services/aux-files/auditd/auditd.conf 
@@ -0,0 +1,9 @@ +log_file = /var/log/audit.log +log_format = ENRICHED +freq = 1 +space_left = 5% +space_left_action = syslog +admin_space_left_action = ignore +disk_full_action = ignore +disk_error_action = syslog + -- 2.27.0
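Review bot: in the gnu/services/auditd.scm hunk, the new `configdir` field of `<auditd-configuration>` carries no `(default ...)`, so a user who only wants to swap the package, `(auditd-configuration (audit my-audit))`, cannot construct the record because `configdir` is left unset; the default only lives in the service type's `default-value`. Give the field the same default there, `(configdir auditd-configuration-configdir (default (local-file "aux-files/auditd" #:recursive? #t)))`, so the package and the directory can be overridden independently. The doc/guix.texi hunk also advertises the default as `(local-file "aux-files/auditd")` without the `#:recursive? #t` that the code needs for a directory; keep the two in sync.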
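Review bot: in the new auditd.conf, `admin_space_left_action = ignore` and `disk_full_action = ignore` mean that once the log volume fills, auditd stays up but every later event is discarded without any signal, which is the worst outcome for an audit trail; as the shipped default, `syslog` (which `space_left_action` and `disk_error_action` already use) is the minimum, and the `auditd-configuration` docs should say that hosts where losing audit records is unacceptable need a stricter action (`single` or `halt`) in their own configuration directory. The file also ends with a stray blank line (the trailing `+` with nothing after it), which can be dropped.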
Message #8 received at 42427 <at> debbugs.gnu.org:
From: Ludovic Courtès <ludo <at> gnu.org>
To: Robin Green <greenrd <at> greenrd.org>
Cc: 42427 <at> debbugs.gnu.org
Subject: Re: [bug#42427] [PATCH] services: Fix auditd startup.
Date: Thu, 23 Jul 2020 00:07:28 +0200
Hello Robin,

Robin Green <greenrd <at> greenrd.org> skribis:

> * gnu/services/auditd.scm: Make auditd start successfully in the default case.
> * gnu/services/aux-files/auditd/auditd.conf: New file.
> * doc/guix.texi (Miscellaneous Services): Update docs to reflect changes.

Nice, it’s a good idea. Some comments below:

> -(define-configuration auditd-configuration
> -  (audit
> -   (package audit)
> -   "Audit package."))
> +(define-record-type* <auditd-configuration>

I think we should keep using ‘define-configuration’, unless there’s a
good reason to change. WDYT?

> +  auditd-configuration make-auditd-configuration
> +  auditd-configuration?
> +  (audit auditd-configuration-audit ; package
> +         (default audit))
> +  (configdir auditd-configuration-configdir)) ; local-file

s/configdir/configuration-directory/, to be consistent with the rest of
the code.

You can also set its default value.

> +   (auditd-configuration
> +    (configdir (local-file "aux-files/auditd" #:recursive? #t))))))
> diff --git a/gnu/services/aux-files/auditd/auditd.conf b/gnu/services/aux-files/auditd/auditd.conf
> new file mode 100644
> index 0000000000..6e7555cf4c
> --- /dev/null
> +++ b/gnu/services/aux-files/auditd/auditd.conf

Since it’s a small file, I have a slight preference for using
‘plain-file’ + ‘computed-file’:

  (define auditd.conf
    (plain-file …))

  (define %default-auditd-configuration-directory   ;make it public
    (computed-file "auditd"
                   #~(begin
                       (mkdir #$output)
                       (copy-file #$auditd.conf
                                  (string-append #$output "/auditd.conf")))))

WDYT?

Thanks,
Ludo’.
Message #11 received at 42427 <at> debbugs.gnu.org:
From: Robin Green <greenrd <at> greenrd.org>
To: 42427 <at> debbugs.gnu.org
Subject: Re: [bug#42427] [PATCH] services: Fix auditd startup.
Date: Sun, 26 Jul 2020 17:28:49 +0100
On 2020-07-22 23:07, Ludovic Courtès wrote:
> Hello Robin,

Hi

> Robin Green <greenrd <at> greenrd.org> skribis:
>
>> * gnu/services/auditd.scm: Make auditd start successfully in the default case.
>> * gnu/services/aux-files/auditd/auditd.conf: New file.
>> * doc/guix.texi (Miscellaneous Services): Update docs to reflect changes.
>
> Nice, it’s a good idea. Some comments below:
>
>> -(define-configuration auditd-configuration
>> -  (audit
>> -   (package audit)
>> -   "Audit package."))
>> +(define-record-type* <auditd-configuration>
>
> I think we should keep using ‘define-configuration’, unless there’s a
> good reason to change. WDYT?

I couldn't get it to work with ‘define-configuration’ - I kept getting
errors. I asked on #guix, and it was suggested that I do it this way
instead.

>> +  auditd-configuration make-auditd-configuration
>> +  auditd-configuration?
>> +  (audit auditd-configuration-audit ; package
>> +         (default audit))
>> +  (configdir auditd-configuration-configdir)) ; local-file
>
> s/configdir/configuration-directory/, to be consistent with the rest of
> the code.

Done

> You can also set its default value.

I don't see the value in doing that, because the default is already set
elsewhere, and if the user wants to use a different package, they
probably also want to use a different configuration file than the
default one!

>
>> +   (auditd-configuration
>> +    (configdir (local-file "aux-files/auditd" #:recursive? #t))))))
>> diff --git a/gnu/services/aux-files/auditd/auditd.conf b/gnu/services/aux-files/auditd/auditd.conf
>> new file mode 100644
>> index 0000000000..6e7555cf4c
>> --- /dev/null
>> +++ b/gnu/services/aux-files/auditd/auditd.conf
>
> Since it’s a small file, I have a slight preference for using
> ‘plain-file’ + ‘computed-file’:
>
>   (define auditd.conf
>     (plain-file …))
>
>   (define %default-auditd-configuration-directory   ;make it public
>     (computed-file "auditd"
>                    #~(begin
>                        (mkdir #$output)
>                        (copy-file #$auditd.conf
>                                   (string-append #$output "/auditd.conf")))))
>
> WDYT?

Agreed - done
[0001-services-Fix-auditd-startup.patch (text/x-patch, inline)]
From 2944613bee5a742b04c26a7c27d3a09f9047dbe5 Mon Sep 17 00:00:00 2001 From: Robin Green <greenrd <at> greenrd.org> Date: Sun, 19 Jul 2020 08:32:31 +0100 Subject: [PATCH] services: Fix auditd startup. * gnu/services/auditd.scm: Make auditd start successfully in the default case. * gnu/services/aux-files/auditd/auditd.conf: New file. * doc/guix.texi (Miscellaneous Services): Update docs to reflect changes. --- doc/guix.texi | 11 +++++++++-- gnu/services/auditd.scm | 41 ++++++++++++++++++++++++++++++----------- 2 files changed, 39 insertions(+), 13 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 2c5c017eea..8c7c055ce0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27478,10 +27478,12 @@ Network access @command{auditctl} from the @code{audit} package can be used in order to add or remove events to be tracked (until the next reboot). In order to permanently track events, put the command line arguments -of auditctl into @file{/etc/audit/audit.rules}. +of auditctl into a file called @code{audit.rules} in the configuration +directory (see below). @command{aureport} from the @code{audit} package can be used in order to view a report of all recorded events. -The audit daemon usually logs into the directory @file{/var/log/audit}. +The audit daemon by default logs into the file +@file{/var/log/audit.log}. @end defvr @@ -27493,6 +27495,11 @@ This is the data type representing the configuration of auditd. @item @code{audit} (default: @code{audit}) The audit package to use. +@item @code{configdir} (default: @code{(local-file "aux-files/auditd")}) +A directory containing a configuration file for the audit package, which +must be named @code{auditd.conf}, and optionally some audit rules to +instantiate on startup. + @end table @end deftp diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm index 8a9292015f..1750614207 100644 --- a/gnu/services/auditd.scm +++ b/gnu/services/auditd.scm 
@@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019 Danny Milosavljevic <dannym <at> scratchpost.org> +;;; Copyright © 2020 Robin Green <greenrd <at> greenrd.org> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -26,29 +27,47 @@ #:use-module (guix gexp) #:use-module (guix packages) #:export (auditd-configuration - auditd-service-type)) + auditd-service-type + %default-auditd-configuration-directory)) -; /etc/audit/audit.rules +(define auditd.conf + (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \ +ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \ +syslog\nadmin_space_left_action = ignore\ndisk_full_action = \ +ignore\ndisk_error_action = syslog\n")) -(define-configuration auditd-configuration - (audit - (package audit) - "Audit package.")) +(define %default-auditd-configuration-directory + (computed-file "auditd" + #~(begin + (mkdir #$output) + (copy-file #$auditd.conf + (string-append #$output "/auditd.conf"))))) + +(define-record-type* <auditd-configuration> + auditd-configuration make-auditd-configuration + auditd-configuration? + (audit auditd-configuration-audit ; package + (default audit)) + (configuration-directory auditd-configuration-configuration-directory)) ; local-file (define (auditd-shepherd-service config) - (let* ((audit (auditd-configuration-audit config))) + (let* ((audit (auditd-configuration-audit config)) + (configuration-directory (auditd-configuration-configuration-directory config))) (list (shepherd-service - (documentation "Auditd allows you to audit file system accesses.") + (documentation "Auditd allows you to audit file system accesses and process execution.") (provision '(auditd)) (start #~(make-forkexec-constructor - (list (string-append #$audit "/sbin/auditd")))) + (list (string-append #$audit "/sbin/auditd") "-c" #$configuration-directory) + #:pid-file "/var/run/auditd.pid")) (stop #~(make-kill-destructor)))))) (define auditd-service-type (service-type (name 'auditd) - (description "Allows auditing file system accesses.") + (description "Allows auditing file system accesses and process execution.") (extensions (list (service-extension shepherd-root-service-type auditd-shepherd-service))) - (default-value 
(auditd-configuration)))) + (default-value + (auditd-configuration + (configuration-directory %default-auditd-configuration-directory))))) -- 2.27.0
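Review bot: the commit message still lists `gnu/services/aux-files/auditd/auditd.conf: New file`, but this revision no longer adds that file (the diffstat shows only doc/guix.texi and gnu/services/auditd.scm changed, and the configuration now lives in the `auditd.conf` `plain-file`), so the ChangeLog entry should instead name the new `auditd.conf` and `%default-auditd-configuration-directory` variables. Likewise the doc/guix.texi hunk is unchanged from v1: it still documents `@code{configdir}` with default `(local-file "aux-files/auditd")`, while the record field is now `configuration-directory` and the service defaults it to `%default-auditd-configuration-directory`; the docs should follow the rename and the new default.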
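Review bot: in the gnu/services/auditd.scm hunk, the `plain-file` body is one string held together with backslash-newline continuations; Guile joins it correctly (the newline and the whitespace after it are skipped), but it is easy to break on a later edit, and `(string-join (list "log_file = /var/log/audit.log" "log_format = ENRICHED" ...) "\n" 'suffix)` keeps every setting on its own line and readable in review. The `; local-file` comment on the `configuration-directory` field is also stale now that the default is a `computed-file`; `; file-like` describes what the field accepts.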
Message #16 received at 42427-done <at> debbugs.gnu.org:
From: Ludovic Courtès <ludo <at> gnu.org>
To: Robin Green <greenrd <at> greenrd.org>
Cc: 42427-done <at> debbugs.gnu.org
Subject: Re: [bug#42427] [PATCH] services: Fix auditd startup.
Date: Mon, 27 Jul 2020 11:31:37 +0200
Hi,

Robin Green <greenrd <at> greenrd.org> skribis:

> From 2944613bee5a742b04c26a7c27d3a09f9047dbe5 Mon Sep 17 00:00:00 2001
> From: Robin Green <greenrd <at> greenrd.org>
> Date: Sun, 19 Jul 2020 08:32:31 +0100
> Subject: [PATCH] services: Fix auditd startup.
>
> * gnu/services/auditd.scm: Make auditd start successfully in the default case.
> * gnu/services/aux-files/auditd/auditd.conf: New file.
> * doc/guix.texi (Miscellaneous Services): Update docs to reflect changes.
> ---
>  doc/guix.texi           | 11 +++++++++--
>  gnu/services/auditd.scm | 41 ++++++++++++++++++++++++++++++-----------
>  2 files changed, 39 insertions(+), 13 deletions(-)

Applied with the changes below and a tweaked commit log.

Thank you!

Ludo’.
[Message part 2 (text/x-patch, inline)]
diff --git a/doc/guix.texi b/doc/guix.texi index 8b9eb791c7..d4557b360a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27629,8 +27629,8 @@ This is the data type representing the configuration of auditd. @item @code{audit} (default: @code{audit}) The audit package to use. -@item @code{configdir} (default: @code{(local-file "aux-files/auditd")}) -A directory containing a configuration file for the audit package, which +@item @code{configuration-directory} (default: @code{%default-auditd-configuration-directory}) +The directory containing the configuration file for the audit package, which must be named @code{auditd.conf}, and optionally some audit rules to instantiate on startup. diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm index 1750614207..cffc226ec9 100644 --- a/gnu/services/auditd.scm +++ b/gnu/services/auditd.scm @@ -48,7 +48,7 @@ ignore\ndisk_error_action = syslog\n")) auditd-configuration? (audit auditd-configuration-audit ; package (default audit)) - (configuration-directory auditd-configuration-configuration-directory)) ; local-file + (configuration-directory auditd-configuration-configuration-directory)) ; file-like (define (auditd-shepherd-service config) (let* ((audit (auditd-configuration-audit config))
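Review bot: now that the doc hunk states the default is `%default-auditd-configuration-directory`, the `configuration-directory` field of the record should actually carry that default; as the auditd.scm hunk stands, the field has no `(default ...)`, so `(auditd-configuration (audit my-audit))` still fails with a missing field initializer, because the service type's `default-value` only covers the case where no configuration is given at all. Suggest `(configuration-directory auditd-configuration-configuration-directory (default %default-auditd-configuration-directory)) ; file-like`, which also makes the documented default true for a user who overrides only the package.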