Restarting auditd from its dispatcher

asked 2016-07-21 00:19:04 -0600


Hi, I would like to issue a restart from inside the dispatcher program that runs within the auditd subsystem, so the entry in the file below would look something like this:

/etc/audit/auditd.conf

..
dispatcher = /usr/sbin/MyOwnDispatcher
...

I have tried implementing a fork/exec in MyOwnDispatcher, and it runs a child process. The child is able to issue "service auditd restart", but it gets killed before the restart is done (along with auditd); MyOwnDispatcher itself exits gracefully after the fork.

This is my child process.

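/*
 * Find the pid of a running process whose argv[0] is exactly `name`.
 *
 * Scans /proc for all-digit entries and reads each one's cmdline file.
 * In /proc/<pid>/cmdline the arguments are separated by NUL bytes, so the
 * buffer filled by fgets() is, read as a C string, argv[0] on its own; it
 * is compared whole against `name`, with no further tokenising (the
 * previous strtok() split could hand a NULL token to strcmp()).
 *
 * Returns the first matching pid, or -1 when /proc cannot be opened or no
 * process matches.  Entries whose cmdline cannot be opened (process gone,
 * permission denied) and kernel threads (empty cmdline) are skipped.
 */
pid_t proc_find(const char *name)
{
    DIR *dir = opendir("/proc");
    if (!dir) {
        perror("can't open /proc");
        return -1;
    }

    pid_t found = -1;
    struct dirent *ent;
    while (found == -1 && (ent = readdir(dir)) != NULL) {
        /* Only all-digit names are processes; ".", "..", "self" and the
         * like are skipped because strtol() stops before the end of the
         * name (or consumes nothing at all). */
        char *endptr;
        long lpid = strtol(ent->d_name, &endptr, 10);
        if (endptr == ent->d_name || *endptr != '\0') {
            continue;
        }

        char path[512];
        snprintf(path, sizeof path, "/proc/%ld/cmdline", lpid);
        FILE *fp = fopen(path, "r");
        if (!fp) {
            continue;
        }

        /* fgets() stores the embedded NULs, so `argv0` terminates right
         * after argv[0].  An empty cmdline (kernel thread, zombie) makes
         * fgets() return NULL and is simply not a match. */
        char argv0[512];
        if (fgets(argv0, sizeof argv0, fp) != NULL && strcmp(argv0, name) == 0) {
            found = (pid_t)lpid;
        }
        fclose(fp);
    }

    closedir(dir);
    return found;
}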

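/*
 * Ask the init system to restart auditd, then give it time to come up.
 *
 * system() runs the command through /bin/sh with this process's inherited
 * environment (including PATH).  Because this child runs with the
 * privileges of the daemon that spawned it, the command is a fixed literal
 * and the outcome is reported instead of being discarded; `rc` is the raw
 * wait status returned by system().
 */
static void restart_and_wait(void)
{
    int rc = system("service auditd restart");
    if (rc == -1) {
        perror("system");
    } else if (rc != 0) {
        fprintf(stderr, "service auditd restart returned status %d\n", rc);
    }
    sleep(5);
}

/*
 * Child of the dispatcher: detach from the parent's session, restart auditd
 * and keep retrying until either the dispatcher or auditd is seen running
 * again.  Command-line arguments are unused.  Always returns 0.
 *
 * NOTE(review): setsid() detaches only the session and process group.  If
 * the service manager stops the whole control group of the auditd service
 * on restart, this child is still inside that group and will be killed with
 * it — confirm against the init system in use.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* Become leader of a fresh session and process group so a signal aimed
     * at the dispatcher's group does not reach this child.  setsid() already
     * makes the caller its own group leader, so a separate setpgid(pid, pid)
     * is redundant (on a session leader it fails with EPERM anyway). */
    if (setsid() == -1) {
        perror("setsid");
    }

    ignoreSignal(); /* Ignore SIGTERM, SIGHUP, SIGINT (defined elsewhere in this file) */

    restart_and_wait();

    /* NOTE(review): if this process is a plain fork of the dispatcher with
     * no exec, its own /proc/self/cmdline still reads
     * /usr/sbin/MyOwnDispatcher, so the first proc_find() below always
     * finds this very process and the loop exits on its first pass —
     * confirm whether the child exec()s a different binary. */
    for (;;) {
        if (proc_find("/usr/sbin/MyOwnDispatcher") == -1 &&
            proc_find("/sbin/auditd") == -1) {
            restart_and_wait();
        } else {
            puts("Break");
            break;
        }
    }

    /* Newline added: the message previously stayed in the stdout buffer
     * until exit. */
    printf("Exit now\n");
    return 0;
}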

Can someone suggest the right approach? Appreciate your response. Thank you.
