aboutsummaryrefslogtreecommitdiff
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2019 Danny Milosavljevic <dannym@scratchpost.org>
;;; Copyright © 2020 Robin Green <greenrd@greenrd.org>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu services auditd)
  #:use-module (gnu services)
  #:use-module (gnu services configuration)
  #:use-module (gnu services base)
  #:use-module (gnu services shepherd)
  #:use-module (gnu packages admin)
  #:use-module (guix records)
  #:use-module (guix gexp)
  #:use-module (guix packages)
  #:export (auditd-configuration
            auditd-service-type
            %default-auditd-configuration-directory))

(define auditd.conf
  (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
ignore\ndisk_error_action = syslog\n"))

(define %default-auditd-configuration-directory
  (computed-file "auditd"
                 #~(begin
                     (mkdir #$output)
                     (copy-file #$auditd.conf
                                (string-append #$output "/auditd.conf")))))

(define-record-type* <auditd-configuration>
  auditd-configuration make-auditd-configuration
  auditd-configuration?
  (audit                   auditd-configuration-audit                          ; file-like
                           (default audit))
  (configuration-directory auditd-configuration-configuration-directory))      ; file-like

(define (auditd-shepherd-service config)
  (let* ((audit (auditd-configuration-audit config))
         (configuration-directory (auditd-configuration-configuration-directory config)))
    (list (shepherd-service
           (documentation "Auditd allows you to audit file system accesses and process execution.")
           (provision '(auditd))
           (start #~(make-forkexec-constructor
                     (list (string-append #$audit "/sbin/auditd") "-c" #$configuration-directory)
                     #:pid-file "/var/run/auditd.pid"))
           (stop #~(make-kill-destructor))))))

(define auditd-service-type
  (service-type (name 'auditd)
                (description "Allows auditing file system accesses and process execution.")
                (extensions
                 (list
                  (service-extension shepherd-root-service-type
                                     auditd-shepherd-service)))
                (default-value
                  (auditd-configuration
                   (configuration-directory %default-auditd-configuration-directory)))))
x/build/syscalls.scm (MS_SHARED): New variable. * doc/guix.texi (File Systems): Document shared flag. Oleg Pykhalov 2022-07-01file-systems: Add 'cleanly-unmounted-ext2?'....* gnu/build/file-systems.scm (ext2-superblock-cleanly-unmounted?) (cleanly-unmounted-ext2?): New procedures. Ludovic Courtès 2022-04-08file-systems: Invoke fsck tools with 'system*/tty'....This ensures those programs, if invoked by shepherd (where standard input is /dev/null), can still interact with the user if needed. * gnu/build/file-systems.scm (check-ext2-file-system) (check-bcachefs-file-system, check-btrfs-file-system): (check-fat-file-system, check-jfs-file-system): (check-f2fs-file-system, check-ntfs-file-system): (check-xfs-file-system): Use 'system*/tty' instead of 'system*'. Ludovic Courtès 2022-04-08mapped-devices: Ensure 'cryptsetup open' gets a tty....Fixes <https://issues.guix.gnu.org/54770>. Regression introduced in 400c9ed3d779308e56038305d40cd93acb496180. Previously, for an encrypted /home (say), "cryptsetup open" would be invoked by shepherd, with /dev/null as its standard input. It would thus run in non-interactive mode and, instead of asking for a passphrase, fail with: Nothing to read on input. This change ensures it runs in interactive mode. * gnu/build/file-systems.scm (system*/console, system*/tty): New procedures. * gnu/system/mapped-devices.scm (open-luks-device): Use 'system*/tty' instead of 'system*'. Ludovic Courtès