journald: add configuration option for enabling/disabling audit during journald startup

Let's make it optional whether auditing is enabled at journald start-up
or not.

Note that this only controls whether audit is enabled/disabled in the
kernel. Either way we'll still collect the audit data if it is
generated, i.e. if some other tool enables it, we'll collect it.

Fixes: #959

man/journald.conf.xml

@@ -402,6 +402,18 @@
         this option is enabled by default, it is disabled in all others.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>Audit=</varname></term>
+
+        <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
+        kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
+        disable it, leaving the previous state unchanged. Note that this option does not control whether
+        <command>systemd-journald</command> collects generated audit records, it just controls whether it
+        tells the kernel to generate them. This means if another tool turns on auditing even if
+        <command>systemd-journald</command> left it off, it will still collect the generated
+        messages. Defaults to on.</para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>TTYPath=</varname></term>
 

src/journal/journald-audit.c

@@ -539,10 +539,16 @@ int server_open_audit(Server *s) {
         if (r < 0)
                 return log_error_errno(r, "Failed to add audit fd to event loop: %m");
 
-        /* We are listening now, try to enable audit */
-        r = enable_audit(s->audit_fd, true);
-        if (r < 0)
-                log_warning_errno(r, "Failed to issue audit enable call: %m");
+        if (s->set_audit >= 0) {
+                /* We are listening now, try to enable audit if configured so */
+                r = enable_audit(s->audit_fd, s->set_audit);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to issue audit enable call: %m");
+                else if (s->set_audit > 0)
+                        log_debug("Auditing in kernel turned on.");
+                else
+                        log_debug("Auditing in kernel turned off.");
+        }
 
         return 0;
 }

src/journal/journald-gperf.gperf

@@ -22,6 +22,7 @@ Journal.Storage,            config_parse_storage,    0, offsetof(Server, storage
 Journal.Compress,           config_parse_compress,   0, offsetof(Server, compress)
 Journal.Seal,               config_parse_bool,       0, offsetof(Server, seal)
 Journal.ReadKMsg,           config_parse_bool,       0, offsetof(Server, read_kmsg)
+Journal.Audit,              config_parse_tristate,   0, offsetof(Server, set_audit)
 Journal.SyncIntervalSec,    config_parse_sec,        0, offsetof(Server, sync_interval_usec)
 # The following is a legacy name for compatibility
 Journal.RateLimitInterval,  config_parse_sec,        0, offsetof(Server, ratelimit_interval)

src/journal/journald-server.c

@@ -2208,6 +2208,8 @@ int server_init(Server *s, const char *namespace) {
                 .compress.threshold_bytes = (uint64_t) -1,
                 .seal = true,
 
+                .set_audit = true,
+
                 .watchdog_usec = USEC_INFINITY,
 
                 .sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC,

src/journal/journald-server.h

@@ -108,6 +108,7 @@ struct Server {
         JournalCompressOptions compress;
         bool seal;
         bool read_kmsg;
+        int set_audit;
 
         bool forward_to_kmsg;
         bool forward_to_syslog;

src/journal/journald.conf

@@ -41,3 +41,4 @@
 #MaxLevelWall=emerg
 #LineMax=48K
 #ReadKMsg=yes
+#Audit=yes