From 511e03a3eedb7613beb0ba59f98fdc1dd753aced Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 16 Apr 2020 12:04:03 +0200 Subject: [PATCH] journald: add configuration option for enabling/disabling audit during journald startup Let's make it optional whether auditing is enabled at journald start-up or not. Note that this only controls whether audit is enabled/disabled in the kernel. Either way we'll still collect the audit data if it is generated, i.e. if some other tool enables it, we'll collect it. Fixes: #959
---
 man/journald.conf.xml | 12 ++++++++++++
 src/journal/journald-audit.c | 14 ++++++++++----
 src/journal/journald-gperf.gperf | 1 +
 src/journal/journald-server.c | 2 ++
 src/journal/journald-server.h | 1 +
 src/journal/journald.conf | 1 +
 6 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index e24c420ab0..8058f36e75 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -402,6 +402,18 @@ this option is enabled by default, it is disabled in all others. + + Audit= + + Takes a boolean value. If enabled systemd-journal will turn on + kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor + disable it, leaving the previous state unchanged. Note that this option does not control whether + systemd-journald collects generated audit records, it just controls whether it + tells the kernel to generate them. This means if another tool turns on auditing even if + systemd-journald left it off, it will still collect the generated + messages. Defaults to on. + + TTYPath=
diff --git a/src/journal/journald-audit.c b/src/journal/journald-audit.c
index 339e091dfd..5c31c43705 100644
--- a/src/journal/journald-audit.c
+++ b/src/journal/journald-audit.c
@@ -539,10 +539,16 @@ int server_open_audit(Server *s) {
 if (r < 0)
 return log_error_errno(r, "Failed to add audit fd to event loop: %m");
- /* We are listening now, try to enable audit */
- r = enable_audit(s->audit_fd, true);
- if (r < 0)
- log_warning_errno(r, "Failed to issue audit enable call: %m");
+ if (s->set_audit >= 0) {
+ /* We are listening now, try to enable audit if configured so */
+ r = enable_audit(s->audit_fd, s->set_audit);
+ if (r < 0)
+ log_warning_errno(r, "Failed to issue audit enable call: %m");
+ else if (s->set_audit > 0)
+ log_debug("Auditing in kernel turned on.");
+ else
+ log_debug("Auditing in kernel turned off.");
+ }
 return 0;
 }
diff --git a/src/journal/journald-gperf.gperf b/src/journal/journald-gperf.gperf
index 0774444e8d..c70ac9a5b6 100644
--- a/src/journal/journald-gperf.gperf
+++ b/src/journal/journald-gperf.gperf
@@ -22,6 +22,7 @@ Journal.Storage, config_parse_storage, 0, offsetof(Server, storage
 Journal.Compress, config_parse_compress, 0, offsetof(Server, compress)
 Journal.Seal, config_parse_bool, 0, offsetof(Server, seal)
 Journal.ReadKMsg, config_parse_bool, 0, offsetof(Server, read_kmsg)
+Journal.Audit, config_parse_tristate, 0, offsetof(Server, set_audit)
 Journal.SyncIntervalSec, config_parse_sec, 0, offsetof(Server, sync_interval_usec)
 # The following is a legacy name for compatibility
 Journal.RateLimitInterval, config_parse_sec, 0, offsetof(Server, ratelimit_interval)
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index b7875dec1f..64cb3279f6 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2208,6 +2208,8 @@ int server_init(Server *s, const char *namespace) {
 .compress.threshold_bytes = (uint64_t) -1,
 .seal = true,
+ .set_audit = true,
+
 .watchdog_usec = USEC_INFINITY,
 .sync_interval_usec = DEFAULT_SYNC_INTERVAL_USEC,
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
index f3405e967c..b01ade5aee 100644
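Review bot: The warning on the `log_warning_errno` line still reads "Failed to issue audit enable call" even when `s->set_audit` is 0 and the call is in fact a disable request, so a failed `Audit=no` is reported as a failed enable. Use the configured direction in the message, e.g. `log_warning_errno(r, "Failed to issue audit %s call: %m", s->set_audit > 0 ? "enable" : "disable");`. The success path reports the resulting kernel audit state only at `log_debug`, which is not visible by default; since turning kernel auditing off at journald start-up (per the commit description) determines whether audit records are generated at all, the "turned off" branch is worth `log_info` so the state change shows up in the journal. server_open_audit's body begins before the hunk.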
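Review bot: `.set_audit = true,` initialises an `int` tristate with a `bool` constant, which reads as if the field were a plain bool although the `>= 0` guard in the journald-audit.c hunk relies on a third value, -1, which is what `config_parse_tristate` (wired up in the gperf hunk) is expected to store for an empty `Audit=`. Writing the default as `.set_audit = 1, /* tristate: -1 = leave kernel audit state as is, 0 = turn off, 1 = turn on */` makes the three states explicit, and the same comment belongs on the `int set_audit;` declaration in the journald-server.h hunk, which is added among `bool` fields with nothing marking it as a tristate. With this default the "leave unchanged" state is reachable only by writing `Audit=` with an empty value, which the man page's "If unset" wording does not make obvious. server_init's initializer continues outside the hunk on both sides.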
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@@ -108,6 +108,7 @@ struct Server {
 JournalCompressOptions compress;
 bool seal;
 bool read_kmsg;
+ int set_audit;
 bool forward_to_kmsg;
 bool forward_to_syslog;
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 2f1c661153..2e1aacd8c5 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -41,3 +41,4 @@
 #MaxLevelWall=emerg
 #LineMax=48K
 #ReadKMsg=yes
+#Audit=yes