Restarting auditd from its dispatcher
Hi, I would like to issue a restart from inside the dispatcher program that runs within the auditd subsystem. The configuration file below will contain an entry like this:
/etc/audit/auditd.conf
..
dispatcher = /usr/sbin/MyOwnDispatcher
...
I have tried implementing a fork/exec in MyOwnDispatcher, and it runs a child process. The child is able to issue "service auditd restart", but it gets killed before the restart is done, as does auditd. MyOwnDispatcher exits gracefully after the fork.
This is my child process.
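/*
 * Scan /proc for a process whose command line begins with `name`.
 *
 * For every all-numeric entry in /proc, the first line of
 * /proc/<pid>/cmdline is read and its first space-delimited token is
 * compared with `name` using an exact string match.
 *
 * Returns the PID of the first match, or -1 when `name` is NULL, /proc
 * cannot be opened, or no process matches.
 *
 * NOTE(review): cmdline holds the argv the process was started with, and a
 * process can choose or rewrite its own argv[0]. A match here is therefore
 * not proof that the real binary at that path is running; for a liveness
 * check on an audit daemon, resolving /proc/<pid>/exe or asking the service
 * manager is harder to spoof.
 */
pid_t proc_find(const char* name)
{
    DIR *dir;
    struct dirent *ent;
    char path[64];   /* "/proc/<pid>/cmdline" */
    char line[512];  /* start of the command line */

    /* strcmp() on a NULL name would be undefined behaviour */
    if (name == NULL) {
        return -1;
    }

    if (!(dir = opendir("/proc"))) {
        perror("can't open /proc");
        return -1;
    }

    while ((ent = readdir(dir)) != NULL) {
        char *endptr;
        long lpid = strtol(ent->d_name, &endptr, 10);

        /* anything left after the digits means the entry is not a PID */
        if (endptr == ent->d_name || *endptr != '\0') {
            continue;
        }

        snprintf(path, sizeof(path), "/proc/%ld/cmdline", lpid);
        FILE *fp = fopen(path, "r");
        if (!fp) {
            /* the process may have exited, or we may lack permission */
            continue;
        }

        if (fgets(line, sizeof(line), fp) != NULL) {
            /*
             * Take the first space-delimited token, skipping leading spaces.
             * Done with strspn/strcspn instead of strtok(): strtok() returns
             * NULL for a line made only of spaces, which the original passed
             * straight to strcmp(), and it keeps hidden static state.
             */
            char *first = line + strspn(line, " ");
            first[strcspn(first, " ")] = '\0';

            if (*first != '\0' && strcmp(first, name) == 0) {
                fclose(fp);
                closedir(dir);
                return (pid_t)lpid;
            }
        }
        fclose(fp);
    }

    closedir(dir);
    return -1;
}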
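/*
 * Run "service auditd restart" through system() and report a failure on
 * stderr instead of silently ignoring it. Returns system()'s status.
 *
 * NOTE(review): system() starts a shell and "service" is looked up through
 * PATH. This helper is spawned from the audit dispatcher, so confirm the
 * environment it inherits is a trusted one, or call the service tool by its
 * absolute path on the target distribution.
 */
static int restart_auditd(void)
{
    int status = system("service auditd restart");

    if (status == -1) {
        perror("system");
    } else if (status != 0) {
        fprintf(stderr, "service auditd restart returned status %d\n", status);
    }
    return status;
}

/*
 * Helper started by the dispatcher: detach into its own session, ignore
 * termination signals, restart auditd, then keep retrying every 5 seconds
 * while neither the dispatcher nor auditd shows up in /proc.
 *
 * NOTE(review): setsid()/setpgid() only change the session and process
 * group. If auditd is managed by a service manager that tracks and kills
 * every process belonging to the service when it stops (a control-group
 * based one, for example), this helper is still part of the service and will
 * be killed with it, which would match the symptom described. Confirm how
 * auditd is supervised on the target system; the restart would then have to
 * be requested from outside the service.
 * NOTE(review): every restart leaves a window with no audit collection;
 * the retry loop below has no upper bound.
 */
int main( int argc, char *argv[] )
{
    (void)argc;
    (void)argv;

    /* setsid() fails if this process is already a process-group leader */
    if (setsid() == (pid_t)-1) {
        perror("setsid");
    }

    /* redundant after a successful setsid() (and then expected to fail),
     * kept so the process is its own group leader either way */
    pid_t pid = getpid();
    (void)setpgid(pid, pid);

    ignoreSignal(); //Ignore SIGTERM, SIGHUP, SIGINT

    restart_auditd();
    sleep(5);

    while (1) {
        if ((proc_find("/usr/sbin/MyOwnDispatcher") == -1) && (proc_find("/sbin/auditd") == -1))
        {
            /* neither process is visible yet: try again */
            restart_auditd();
            sleep(5);
        }
        else
        {
            /* was `cout << "Break" << endl;`, which is C++ in a C program */
            printf("Break\n");
            fflush(stdout);
            break;
        }
    }

    printf("Exit now");
    return 0;
}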
Can someone suggest the right approach? Appreciate your response. Thank you.