Add support for "exec" action in max_log_file_action

See issue #220

auditd now accepts an exec action for max_log_file_action. When triggered,
the daemon suspends logging, executes the configured program, and resumes
logging automatically once the process exits. A new configuration field
max_log_file_exe records the script to run. The daemon tracks the child
PID and handles SIGCHLD to resume logging.

- Documented the new “exec” option for max_log_file_action with usage details
- Added the SZ_EXEC enum and the max_log_file_exe path in the configuration
structure
- Implemented execution handling and resuming logic in check_log_file_size
- Exposed helper functions for child PID tracking
- Updated child_handler in auditd to resume logging when the exec child exits

Author: stevegrubb

docs/auditd.conf.5

@@ -110,12 +110,18 @@ is reached, it will trigger a configurable action. The value given must be numer
 .I max_log_file_action
 This parameter tells the system what action to take when the system has
 detected that the max file size limit has been reached. Valid values are
-.IR ignore ", " syslog ", " suspend ", " rotate " and "keep_logs.
+.IR ignore ", " syslog ", " exec ", " suspend ", " rotate " and "keep_logs.
 If set to
 .IR ignore ,
 the audit daemon does nothing.
 .IR syslog
 means that it will issue a warning to syslog.
+.IR exec
+/path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action. This can be done by adding 
+.I auditdctl --signal resume
+to the script. Also note that logging is stpped which this script runs. Whatever it does needs to be real quick because events are backing up in the kernel. The script
+.B MUST
+delete or rename /var/log/audit/audit.log or when logging resumes, it will retrigger executing the script.
 .IR suspend
 will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
 .IR rotate

src/auditd-config.c

@@ -230,6 +230,7 @@ static const struct nv_list size_actions[] =
 {
   {"ignore",  SZ_IGNORE },
   {"syslog",  SZ_SYSLOG },
+  {"exec",    SZ_EXEC },
   {"suspend", SZ_SUSPEND },
   {"rotate",  SZ_ROTATE },
   {"keep_logs", SZ_KEEP_LOGS},
@@ -313,6 +314,7 @@ void clear_config(struct daemon_conf *config)
 	config->node_name = NULL;
 	config->max_log_size = 0L;
 	config->max_log_size_action = SZ_IGNORE;
+	config->max_log_file_exe = NULL;
 	config->space_left = 0L;
 	config->space_left_percent = 0;
 	config->space_left_action = FA_IGNORE;
@@ -798,6 +800,52 @@ static int max_log_size_parser(const struct nv_pair *nv, int line,
 	return 0;
 }
 
+static int check_exe_name(const char *val, int line)
+{
+	struct stat buf;
+
+	if (val == NULL) {
+		audit_msg(LOG_ERR, "Executable path needed for line %d", line);
+		return -1;
+	}
+
+	if (*val != '/') {
+		audit_msg(LOG_ERR, "Absolute path needed for %s - line %d",
+			val, line);
+		return -1;
+	}
+
+	if (stat(val, &buf) < 0) {
+		audit_msg(LOG_ERR, "Unable to stat %s (%s) - line %d", val,
+			strerror(errno), line);
+		return -1;
+	}
+	if (!S_ISREG(buf.st_mode)) {
+		audit_msg(LOG_ERR, "%s is not a regular file - line %d", val,
+			line);
+		return -1;
+	}
+	if (buf.st_uid != 0) {
+		audit_msg(LOG_ERR, "%s is not owned by root - line %d", val,
+			line);
+		return -1;
+	}
+	if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
+			   (S_IRWXU|S_IRGRP|S_IXGRP) &&
+	    (buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
+			   (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) &&
+	    (buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
+			   (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) &&
+	    (buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
+			   (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
+		audit_msg(LOG_ERR,
+			"%s permissions should be 0750, 0755, 0555 or 0550 - line %d",
+			val, line);
+		return -1;
+	}
+	return 0;
+}
+
 static int max_log_size_action_parser(const struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
@@ -807,6 +855,11 @@ static int max_log_size_action_parser(const struct nv_pair *nv, int line,
 		nv->value);
 	for (i=0; size_actions[i].name != NULL; i++) {
 		if (strcasecmp(nv->value, size_actions[i].name) == 0) {
+			if (size_actions[i].option == SZ_EXEC) {
+				if (check_exe_name(nv->option, line))
+					return 1;
+				config->max_log_file_exe = strdup(nv->option);
+			}
 			config->max_log_size_action = size_actions[i].option;
 			return 0;
 		}
@@ -974,52 +1027,6 @@ static int space_left_parser(const struct nv_pair *nv, int line,
 	return 0;
 }
 
-static int check_exe_name(const char *val, int line)
-{
-	struct stat buf;
-
-	if (val == NULL) {
-		audit_msg(LOG_ERR, "Executable path needed for line %d", line);
-		return -1;
-	}
-
-	if (*val != '/') {
-		audit_msg(LOG_ERR, "Absolute path needed for %s - line %d",
-			val, line);
-		return -1;
-	}
-
-	if (stat(val, &buf) < 0) {
-		audit_msg(LOG_ERR, "Unable to stat %s (%s) - line %d", val,
-			strerror(errno), line);
-		return -1;
-	}
-	if (!S_ISREG(buf.st_mode)) {
-		audit_msg(LOG_ERR, "%s is not a regular file - line %d", val,
-			line);
-		return -1;
-	}
-	if (buf.st_uid != 0) {
-		audit_msg(LOG_ERR, "%s is not owned by root - line %d", val,
-			line);
-		return -1;
-	}
-	if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
-			   (S_IRWXU|S_IRGRP|S_IXGRP) &&
-	    (buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
-			   (S_IRWXU|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) &&
-	    (buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
-			   (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH) &&
-	    (buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
-			   (S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH)) {
-		audit_msg(LOG_ERR,
-			"%s permissions should be 0750, 0755, 0555 or 0550 - line %d",
-			val, line);
-		return -1;
-	}
-	return 0;
-}
-
 static int space_action_parser(const struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
@@ -2033,14 +2040,15 @@ void free_config(struct daemon_conf *config)
 	free((void *)config->log_file);
 	free((void *)config->node_name);
 	free((void *)config->action_mail_acct);
+	free((void *)config->max_log_file_exe);
 	free((void *)config->space_left_exe);
-        free((void *)config->admin_space_left_exe);
-        free((void *)config->disk_full_exe);
-        free((void *)config->disk_error_exe);
-        free((void *)config->krb5_principal);
-        free((void *)config->krb5_key_file);
+	free((void *)config->admin_space_left_exe);
+	free((void *)config->disk_full_exe);
+	free((void *)config->disk_error_exe);
+	free((void *)config->krb5_principal);
+	free((void *)config->krb5_key_file);
 	free((void *)config->plugin_dir);
-        free((void *)config_dir);
+	free((void *)config_dir);
 	free(config_file);
         config_file = NULL;
 	config->config_dir = NULL;

src/auditd-config.h

@@ -36,8 +36,8 @@ typedef enum { LF_RAW, LF_NOLOG, LF_ENRICHED } logging_formats;
 typedef enum { FT_NONE, FT_INCREMENTAL, FT_INCREMENTAL_ASYNC, FT_DATA, FT_SYNC } flush_technique;
 typedef enum { FA_IGNORE, FA_SYSLOG, FA_ROTATE, FA_EMAIL, FA_EXEC, FA_SUSPEND,
 		FA_SINGLE, FA_HALT } failure_action_t;
-typedef enum { SZ_IGNORE, SZ_SYSLOG, SZ_SUSPEND, SZ_ROTATE, 
-		SZ_KEEP_LOGS } size_action;
+typedef enum { SZ_IGNORE, SZ_SYSLOG, SZ_EXEC, SZ_SUSPEND, SZ_ROTATE,
+               SZ_KEEP_LOGS } size_action;
 typedef enum { TEST_AUDITD, TEST_SEARCH } log_test_t;
 typedef enum { N_NONE, N_HOSTNAME, N_FQD, N_NUMERIC, N_USER } node_t;
 typedef enum { O_IGNORE, O_SYSLOG, O_SUSPEND, O_SINGLE,
@@ -63,6 +63,7 @@ struct daemon_conf
 	const char *node_name;
 	unsigned long max_log_size;
 	size_action max_log_size_action;
+	const char *max_log_file_exe;
 	unsigned long space_left;
 	unsigned int space_left_percent;
 	failure_action_t space_left_action;

src/auditd-event.c

@@ -71,11 +71,10 @@ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
 static void shift_logs(void);
 static int  open_audit_log(void);
 static void change_runlevel(const char *level);
-static void safe_exec(const char *exe);
+static pid_t safe_exec(const char *exe);
 static void reconfigure(struct auditd_event *e);
 static void init_flush_thread(void);
 
-
 /* Local Data */
 static struct daemon_conf *config;
 static volatile int log_fd;
@@ -86,6 +85,7 @@ static int fs_admin_space_warning = 0;
 static int fs_space_left = 1;
 static int logging_suspended = 0;
 static unsigned int known_logs = 0;
+static pid_t exec_child_pid = -1;
 static const char *SINGLE = "1";
 static const char *HALT = "0";
 static char *format_buf = NULL;
@@ -107,6 +107,16 @@ int dispatch_network_events(void)
 	return config->distribute_network_events;
 }
 
+pid_t auditd_get_exec_pid(void)
+{
+       return exec_child_pid;
+}
+
+void auditd_clear_exec_pid(void)
+{
+       exec_child_pid = -1;
+}
+
 void write_logging_state(FILE *f)
 {
 	fprintf(f, "writing to logs = %s\n", config->write_logs ? "yes" : "no");
@@ -774,6 +784,15 @@ static void check_log_file_size(void)
 				audit_msg(LOG_ERR,
 			    "Audit daemon log file is larger than max size");
 				break;
+			case SZ_EXEC:
+				if (log_file)
+					fclose(log_file);
+				log_file = NULL;
+				log_fd = -1;
+				logging_suspended = 1;
+				exec_child_pid =
+					safe_exec(config->max_log_file_exe);
+				break;
 			case SZ_SUSPEND:
 				audit_msg(LOG_ERR,
 		    "Audit daemon is suspending logging due to logfile size.");
@@ -1467,35 +1486,41 @@ static void change_runlevel(const char *level)
 	exit(1);
 }
 
-static void safe_exec(const char *exe)
+/*
+ * This function executes a new process. It returns -1 on failure to fork.
+ * It returns a positive number to the parent. This positive number is the
+ * pid of the child. If the child fails to exec the new process, it exits
+ * with a 1. The exit code can be picked up in the sigchld handler.
+ */
+static pid_t safe_exec(const char *exe)
 {
 	char *argv[2];
-	int pid;
+	pid_t pid;
 	struct sigaction sa;
 
 	if (exe == NULL) {
 		audit_msg(LOG_ALERT,
 			"Safe_exec passed NULL for program to execute");
-		return;
+		return -1;
 	}
 
 	pid = fork();
 	if (pid < 0) {
 		audit_msg(LOG_ALERT,
 			"Audit daemon failed to fork doing safe_exec");
-		return;
+		return -1;
 	}
-	if (pid)	/* Parent */
-		return;
+	if (pid) /* Parent */
+	return pid;
 	/* Child */
-        sigfillset (&sa.sa_mask);
-        sigprocmask (SIG_UNBLOCK, &sa.sa_mask, 0);
+	sigfillset(&sa.sa_mask);
+	sigprocmask(SIG_UNBLOCK, &sa.sa_mask, 0);
 
 	argv[0] = (char *)exe;
 	argv[1] = NULL;
 	execve(exe, argv, NULL);
 	audit_msg(LOG_ALERT, "Audit daemon failed to exec %s", exe);
-	exit(1);
+	exit(1); /* FIXME: Maybe this should error instead of exit */
 }
 
 static void reconfigure(struct auditd_event *e)
@@ -1608,6 +1633,19 @@ static void reconfigure(struct auditd_event *e)
 		need_size_check = 1;
 	}
 
+	// max log exe
+	if (oconf->max_log_file_exe || nconf->max_log_file_exe) {
+		if (nconf->max_log_file_exe == NULL)
+                       ;
+		else if (oconf->max_log_file_exe == NULL && nconf->max_log_file_exe)
+			need_size_check = 1;
+		else if (strcmp(oconf->max_log_file_exe,
+				nconf->max_log_file_exe))
+			need_size_check = 1;
+		free((char *)oconf->max_log_file_exe);
+		oconf->max_log_file_exe = nconf->max_log_file_exe;
+	}
+
 	if (need_size_check) {
 		logging_suspended = 0;
 		check_log_file_size();

src/auditd-event.h

@@ -1,5 +1,5 @@
-/* auditd-event.h -- 
- * Copyright 2004,2005,2008,2016,2018 Red Hat Inc., Durham, North Carolina.
+/* auditd-event.h --
+ * Copyright 2004,2005,2008,2016,2018 Red Hat Inc.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -18,7 +18,7 @@
  *
  * Authors:
  *   Steve Grubb <sgrubb@redhat.com>
- * 
+ *
  */
 
 #ifndef AUDITD_EVENT_H
@@ -43,7 +43,11 @@ int dispatch_network_events(void);
 void write_logging_state(FILE *f);
 void shutdown_events(void);
 int init_event(struct daemon_conf *config);
+pid_t auditd_get_exec_pid(void);
+void auditd_clear_exec_pid(void);
 void resume_logging(void);
+pid_t auditd_get_exec_pid(void);
+void auditd_clear_exec_pid(void);
 void cleanup_event(struct auditd_event *e);
 void format_event(struct auditd_event *e);
 void enqueue_event(struct auditd_event *e);

src/auditd.c

@@ -174,7 +174,7 @@ static void user2_handler( struct ev_loop *loop, struct ev_signal *sig, int reve
 }
 
 /*
- * Used with email alerts to cleanup
+ * Used with email alerts and max_log_size_exec to cleanup
  */
 static void child_handler(struct ev_loop *loop, struct ev_signal *sig,
 			int revents)
@@ -184,6 +184,10 @@ static void child_handler(struct ev_loop *loop, struct ev_signal *sig,
 	while ((pid = waitpid(-1, NULL, WNOHANG)) > 0) {
 		if (pid == dispatcher_pid())
 			dispatcher_reaped();
+		else if (pid == auditd_get_exec_pid()) {
+			resume_logging();
+			auditd_clear_exec_pid();
+		}
 	}
 }