systemd services support setting a runtime directory via RuntimeDirectory, see systemd.exec(5). For this, it expects services to respect the $RUNTIME_DIRECTORY environment variable.
Currently, auditd hardcodes /var/run in various places, e.g.:
|
#define DEFAULT_PATH "/var/run/audispd_events" |
|
#define STATE_REPORT "/var/run/auditd.state" |
|
static const char *pidfile = "/var/run/auditd.pid"; |
|
static const char *state_file = "/var/run/auditd.state"; |
|
l = fopen("/var/run/audisp-ids.log", "wt"); |
This is fine if /var/run actually exists. On some systems (typically modern systemd systems), such as NixOS, /run is the actual runtime directory. /var/run -> /run is typically a symlink created by systemd-tmpfiles. This is fine as long as auditd starts after the systemd-tmpfiles-setup.service service. However, omitting this After= will result in various things failing. I discovered this while reviewing a cleanup PR to our audit setup (NixOS/nixpkgs#429553 (comment)). Such a dependency in the service is also not great, as it restricts how early in the boot process audit can start logging things.
Further, auditd polluting the global /run with files is not ideal. I'd prefer auditd using $RUNTIME_DIRECTORY/auditd/<...> for its various files. And while some of the audit files such as the audispd_events socket can be trivially moved using the config file, things like the pid file can not.
I understand this is a somewhat big change to request. I also understand $RUNTIME_DIRECTORY might not be set, especially on non-systemd setups, in which case it is probably fair to assume /var/run as a default.
systemd services support setting a runtime directory via
RuntimeDirectory, seesystemd.exec(5). For this, it expects services to respect the$RUNTIME_DIRECTORYenvironment variable.Currently,
auditdhardcodes/var/runin various places, e.g.:audit-userspace/audisp/plugins/af_unix/audisp-af_unix.c
Line 49 in 1200385
audit-userspace/audisp/plugins/statsd/audisp-statsd.c
Line 42 in 1200385
audit-userspace/src/auditd.c
Lines 81 to 82 in 1200385
audit-userspace/audisp/plugins/ids/ids.c
Line 79 in 1200385
This is fine if
/var/runactually exists. On some systems (typically modern systemd systems), such as NixOS,/runis the actual runtime directory./var/run -> /runis typically a symlink created bysystemd-tmpfiles. This is fine as long asauditdstarts after thesystemd-tmpfiles-setup.serviceservice. However, omitting thisAfter=will result in various things failing. I discovered this while reviewing a cleanup PR to our audit setup (NixOS/nixpkgs#429553 (comment)). Such a dependency in the service is also not great, as it restricts how early in the boot process audit can start logging things.Further,
auditdpolluting the global/runwith files is not ideal. I'd prefer auditd using$RUNTIME_DIRECTORY/auditd/<...>for its various files. And while some of the audit files such as theaudispd_eventssocket can be trivially moved using the config file, things like the pid file can not.I understand this is a somewhat big change to request. I also understand
$RUNTIME_DIRECTORYmight not be set, especially on non-systemd setups, in which case it is probably fair to assume/var/runas a default.