Make Syscheck restart Auditd if the socket is missing

wazuh · Jun 25, 2018 · c38a280 · c38a280
1 parent c63adc7
commit c38a280
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 29 deletions.
diff --git a/src/headers/file_op.h b/src/headers/file_op.h
@@ -38,6 +38,8 @@ int IsDir(const char *file) __attribute__((nonnull));
 
 int IsFile(const char *file) __attribute__((nonnull));
 
+int IsSocket(const char * file) __attribute__((nonnull));
+
 int CreatePID(const char *name, int pid) __attribute__((nonnull));
 
 char *GetRandomNoise();

diff --git a/src/shared/file_op.c b/src/shared/file_op.c
@@ -421,6 +421,11 @@ int IsFile(const char *file)
 	return (!stat(file, &buf) && S_ISREG(buf.st_mode)) ? 0 : -1;
 }
 
+int IsSocket(const char * file) {
+    struct stat buf;
+	return (!stat(file, &buf) && S_ISSOCK(buf.st_mode)) ? 0 : -1;
+}
+
 off_t FileSize(const char * path) {
     struct stat buf;
     return stat(path, &buf) ? -1 : buf.st_size;

diff --git a/src/syscheckd/syscheck_audit.c b/src/syscheckd/syscheck_audit.c
@@ -84,14 +84,55 @@ int check_auditd_enabled(void) {
     return auditd_pid;
 }
 
-// Set audit socket configuration
-int set_auditd_config(void) {
+int audit_restart() {
     wfd_t * wfd;
     int status;
     char buffer[4096];
+    char * command[] = { "service", "auditd", "restart", NULL };
 
-    if (!IsFile(AUDIT_CONF_FILE)) {
+    if (wfd = wpopenv(*command, command, W_BIND_STDERR), !wfd) {
+        merror("Could not launch command to restart Auditd: %s (%d)", strerror(errno), errno);
+        return -1;
+    }
+
+    // Print stderr
+
+    while (fgets(buffer, sizeof(buffer), wfd->file)) {
+        mdebug1("auditd: %s", buffer);
+    }
+
+    switch (status = wpclose(wfd), WEXITSTATUS(status)) {
+    case 0:
         return 0;
+    case 127:
+        // exec error
+        merror("Could not launch command to restart Auditd.");
+        return -1;
+    default:
+        merror("Could not restart Auditd service.");
+        return -1;
+    }
+}
+
+// Set audit socket configuration
+int set_auditd_config(void) {
+
+    // Check that the plugin file is installed
+
+    if (!IsFile(AUDIT_CONF_FILE)) {
+        // Check that the socket exists
+
+        if (!IsSocket(AUDIT_SOCKET)) {
+            return 0;
+        }
+
+        if (syscheck.restart_audit) {
+            minfo("No socket found at '%s'. Restarting Auditd service.", AUDIT_SOCKET);
+            return audit_restart();
+        } else {
+            mwarn("Audit socket (%s) does not exist. You need to restart Auditd. Who-data will be disabled.", AUDIT_SOCKET);
+            return 1;
+        }
     }
 
     minfo("Generating Auditd socket configuration file: %s", AUDIT_CONF_FILE);
@@ -112,35 +153,12 @@ int set_auditd_config(void) {
 
     if (fclose(fp)) {
         merror(FCLOSE_ERROR, AUDIT_CONF_FILE, errno, strerror(errno));
+        return -1;
     }
 
     if (syscheck.restart_audit) {
-        char * command[] = { "service", "auditd", "restart", NULL };
-
-        minfo("Restarting Auditd service.");
-
-        if (wfd = wpopenv(*command, command, W_BIND_STDERR), !wfd) {
-            merror("Could not launch command to restart Auditd: %s (%d)", strerror(errno), errno);
-            return -1;
-        }
-
-        // Print stderr
-
-        while (fgets(buffer, sizeof(buffer), wfd->file)) {
-            mdebug1("auditd: %s", buffer);
-        }
-
-        switch (status = wpclose(wfd), WEXITSTATUS(status)) {
-        case 0:
-            return 0;
-        case 127:
-            // exec error
-            merror("Could not launch command to restart Auditd.");
-            return -1;
-        default:
-            merror("Could not restart Auditd service.");
-            return -1;
-        }
+        minfo("Auditsp configuration (%s) was modified. Restarting Auditd service.", AUDIT_CONF_FILE);
+        return audit_restart();
     } else {
         mwarn("Auditsp configuration was modified. You need to restart Auditd. Who-data will be disabled.");
     }