Auditd reconfigure using SIGHUP

Steve Grubb sgrubb at redhat.com
Fri Jan 6 16:44:21 UTC 2017


Hello,

On Friday, January 6, 2017 6:29:59 AM EST Bhagwat, Shriniketan Manjunath wrote:
> In my last email I missed mentioning the fix that I have implemented.
> 
> Issue 1) As you said, I have fixed it by replacing the ev_signal by
> ev_child as below.
> 
> struct ev_child sigchld_watcher;
> 
>         ev_child_init (&sigchld_watcher, child_handler, 0, 0);
>         ev_child_start (EV_DEFAULT_ &sigchld_watcher);
> 
> static void child_handler(EV_P_ ev_child *w, int revents)
> {
>         if (w->rpid == dispatcher_pid())
>                 dispatcher_reaped();
> }

I tried this as a first step yesterday but what happens is the problem gets 
worse. It thinks the dispatcher is running all the time and never tries to 
restart it.
 
> Issue 2) In auditd.c main(), child_handler is not registered immediately
> after init_dispatcher() is called. I have modified the audit to register
> ev_child immediately after init_dispatcher() as below, or maybe before
> calling init_dispatcher(). This fixed issue 2 for me. Below extract is from
> the documentation of libev for ev_child: "It is permissible to install a child
> watcher after the child has been forked (which implies it might have
> already exited), as long as the event loop isn't entered (or is continued
> from a watcher), i.e., forking and then immediately registering a watcher
> for the child is fine, but forking and registering a watcher a few event
> loop iterations later or in the next callback invocation is not."
> 
>         if (init_dispatcher(&config)) {
>                 if (pidfile)
>                         unlink(pidfile);
>                 tell_parent(FAILURE);
>                 return 1;
>         }
>         ev_child_init (&sigchld_watcher, child_handler, 0, 0);
>         ev_child_start (EV_DEFAULT_ &sigchld_watcher);
> 
> Issue 3) With the above fix for issue 2, I did not see issue 3 occurring
> for me. This could be because shutdown_dispatcher() is called from
> dispatcher_reaped(), where the status on the pipe is not checked.

Using the above code I still see the descriptor getting stepped on by 
something. I have added some debug info to audispd in svn which makes the 
problem more clear.

Jan  6 11:43:13 audispd: Failed setting up input(Bad file descriptor, -1), exiting

In case anyone else wishes to have a regression test, here's some code:

#!/bin/sh
# Toggle a plugin's "active" flag and reload auditd with SIGHUP, forever.
# The pstree output after each reload shows whether audispd and the plugin
# are still running under auditd.

while true
do
        echo "disabling sedispatch"
        sed -i '/active/s/yes/no/' /etc/audisp/plugins.d/sedispatch.conf
        kill -HUP $(pidof auditd)
        sleep 10
        pstree -p $(pidof auditd)
        echo "enabling sedispatch"
        sed -i '/active/s/no/yes/' /etc/audisp/plugins.d/sedispatch.conf
        kill -HUP $(pidof auditd)
        sleep 10
        pstree -p $(pidof auditd)
done

Of course you might want to change the plugin that's being altered to 
something else.

-Steve
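The ordering rule in the libev excerpt quoted above, shown as an added example with raw SIGCHLD handling rather than libev (this is not code from the audit project; Linux/POSIX is assumed and all names are made up): a handler installed only after the child has already exited never learns of it and the exit is only found by polling, while a handler armed across the fork sees it.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t handler_fired;
static void sigchld_handler(int sig) { (void)sig; handler_fired = 1; }
static void install_handler(void) {
    struct sigaction sa = { .sa_handler = sigchld_handler, .sa_flags = SA_RESTART | SA_NOCLDSTOP };
    sigaction(SIGCHLD, &sa, NULL);
}
static sigset_t chld_set(void) { sigset_t s; sigemptyset(&s); sigaddset(&s, SIGCHLD); return s; }
/* Stand-in for the dispatcher: a child that exits immediately. */
static pid_t spawn_child(void) {
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    return pid;
}
/* Block until the child has exited, but leave it unreaped (a zombie). */
static void wait_exit_no_reap(pid_t pid) {
    siginfo_t si;
    waitid(P_PID, (id_t)pid, &si, WEXITED | WNOWAIT);
}
/* Handler installed only after the child has died: the SIGCHLD was generated while
 * the disposition was still the default (ignore) and was discarded, so the handler
 * never runs and only waitpid(WNOHANG) finds the dead child. Returns 1 if so. */
int late_watcher_misses_exit(void) {
    sigset_t s = chld_set();
    handler_fired = 0;
    signal(SIGCHLD, SIG_DFL);
    sigprocmask(SIG_UNBLOCK, &s, NULL);
    pid_t pid = spawn_child();
    wait_exit_no_reap(pid);
    install_handler();
    return handler_fired == 0 && waitpid(pid, NULL, WNOHANG) == pid;
}
/* Handler armed before the exit can be lost: SIGCHLD stays blocked across fork()
 * and sigaction(), then is released so the handler sees the exit. Returns 1 if so. */
int early_watcher_catches_exit(void) {
    sigset_t s = chld_set();
    handler_fired = 0;
    sigprocmask(SIG_BLOCK, &s, NULL);
    pid_t pid = spawn_child();
    install_handler();
    wait_exit_no_reap(pid);
    sigprocmask(SIG_UNBLOCK, &s, NULL); /* pending SIGCHLD is delivered here */
    waitpid(pid, NULL, 0);
    return handler_fired == 1;
}
```

This is why a daemon that installs its child watcher late must also poll with waitpid(WNOHANG) for a child that may already be gone; otherwise it keeps believing the dispatcher is alive and never restarts it.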
More information about the Linux-audit mailing list