Use configures runstatedir to locate audit.pid, auditd.state, and other run time files

stevegrubb · stevegrubb · commit 4ade1466f91d · 2025-07-31T22:08:15.000-04:00
diff --git a/README.md b/README.md
@@ -212,7 +212,7 @@ Another way to check performance is to use
 
 ```
 auditctl --signal state
-cat /var/run/auditd.state
+cat /run/audit/auditd.state
 
 audit version = 4.0.5
 current time = 06/02/25 20:21:31
@@ -241,7 +241,7 @@ glibc uordblks (in use memory) is: 92 KiB, was: 90 KiB
 glibc fordblks (total free space) is: 295 KiB, was: 297 KiB
 ```
 
-This command causes auditd to dump its internal metrics to /var/run/auditd.state. This can tell you if auditd is healthy. Also, you can make auditd periodically update the state file by adjusting the report_interval setting in auditd.conf (note - only available in audit-4.0.5 and later). See the man page for details. Setting this allows for the conitinuous updating for metrics collection.
+This command causes auditd to dump its internal metrics to /run/audit/auditd.state. This can tell you if auditd is healthy. Also, you can make auditd periodically update the state file by adjusting the report_interval setting in auditd.conf (note - only available in audit-4.0.5 and later). See the man page for details. Setting this allows for the conitinuous updating for metrics collection.
 
 AUPARSE
 -------
diff --git a/audisp/plugins/af_unix/af_unix.conf b/audisp/plugins/af_unix/af_unix.conf
@@ -8,5 +8,5 @@ active = no
 direction = out
 path = /sbin/audisp-af_unix
 type = always
-args = 0640 /var/run/audispd_events string
+args = 0640 /run/audit/audispd_events string
 format = binary
diff --git a/audisp/plugins/af_unix/audisp-af_unix.8 b/audisp/plugins/af_unix/audisp-af_unix.8
@@ -9,7 +9,7 @@ audisp-af_unix \- plugin to push audit events to an af_unix socket
 .B args
 line of the 
 .B af_unix.conf
-file expects three arguments: access mode, socket path, and output format. The access mode determines the permissions for the socket and defaults to 0640. The socket path specifies where the socket will be created, with the default location being /var/run/audispd_events. The output format determines the format in which events are delivered to the socket and supports two options: "string" and "binary". The "string" format delivers events in a human-readable form, while the "binary" format delivers events in their binary representation, which is essential for applications that need to process events in binary and reconstruct headers accurately. If the output format is not specified, the plugin defaults to the "string" format.
+file expects three arguments: access mode, socket path, and output format. The access mode determines the permissions for the socket and defaults to 0640. The socket path specifies where the socket will be created, with the default location being /run/audit/audispd_events. The output format determines the format in which events are delivered to the socket and supports two options: "string" and "binary". The "string" format delivers events in a human-readable form, while the "binary" format delivers events in their binary representation, which is essential for applications that need to process events in binary and reconstruct headers accurately. If the output format is not specified, the plugin defaults to the "string" format.
 
 The
 .B af_unix.conf
diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
@@ -46,7 +46,7 @@
 #include "auplugin.h"
 #include "audispd-pconfig.h"
 
-#define DEFAULT_PATH "/var/run/audispd_events"
+#define DEFAULT_PATH AUDIT_RUN_DIR"/audispd_events"
 //#define DEBUG
 
 /* Global Data */
diff --git a/audisp/plugins/ids/ids.c b/audisp/plugins/ids/ids.c
@@ -56,7 +56,7 @@ volatile int hup = 0;
 volatile int dump_state = 0;
 static auparse_state_t *au = NULL;
 #define NO_ACTIONS (!hup && !stop && !dump_state)
-#define STATE_FILE "/var/run/ids-state"
+#define STATE_FILE AUDIT_RUN_DIR"/ids-state"
 #define TIMER_INTERVAL 30	// Run every 30 seconds
 struct ids_conf config;
 
diff --git a/audisp/plugins/statsd/audisp-statsd.c b/audisp/plugins/statsd/audisp-statsd.c
@@ -39,7 +39,7 @@
 #include "auplugin.h"
 
 /* Global Definitions */
-#define STATE_REPORT "/var/run/auditd.state"
+#define STATE_REPORT AUDIT_RUN_DIR"/auditd.state"
 #define CONFIG "/etc/audit/audisp-statsd.conf"
 
 struct daemon_config
diff --git a/audit.spec b/audit.spec
@@ -233,7 +233,7 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
 %attr(644,root,root) %{_sysconfdir}/bash_completion.d/audit.bash_completion
-%ghost %{_localstatedir}/run/auditd.state
+%ghost %{_runstatedir}/%{name}/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit/plugins.d
 %config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
diff --git a/configure.ac b/configure.ac
@@ -61,6 +61,8 @@ AC_CHECK_SIZEOF([long])
 AC_CHECK_SIZEOF([time_t])
 dnl; next is needed for old compilers and plugins/ids/Makefile.am
 AM_PROG_CC_C_O
+AC_DEFINE_UNQUOTED([AUDIT_RUN_DIR], ["$runstatedir/audit"],
+       [Directory for audit runtime state files])
 AC_CHECK_DECLS([AUDIT_FEATURE_VERSION], [], [], [[#include <linux/audit.h>]])
 AC_CHECK_MEMBERS([struct audit_status.feature_bitmap], [], [], [[#include <linux/audit.h>]])
 AC_CHECK_DECLS([AUDIT_VERSION_BACKLOG_WAIT_TIME], [], [], [[#include <linux/audit.h>]])
diff --git a/docs/auditd-plugins.5 b/docs/auditd-plugins.5
@@ -53,7 +53,7 @@ option tells the dispatcher to completely change the event into a string suitabl
 .SH NOTE
 auditd has an internal queue to hold events for plugins. (See the \fIq_depth\fP setting in \fIauditd.conf\fP.) Plugins have to watch for and dequeue events as fast as possible and queue them internally if they can't be immediately processed. If the plugin is not able to dequeue records, the auditd internal queue will get filled. At any time, as root, you can run the following to check auditd's metrics:
 
-auditctl --signal cont ; sleep 1 ; cat /var/run/auditd.state
+auditctl --signal cont ; sleep 1 ; cat /run/audit/auditd.state
 
 Plugins using
 .BR libauplugin
diff --git a/docs/auditd.8 b/docs/auditd.8
@@ -51,7 +51,7 @@ causes auditd to immediately rotate the logs. It will consult the max_log_file_a
 causes auditd to attempt to resume logging and passing events to plugins. This is usually needed after logging has been suspended or the internal queue is overflowed. Either of these conditions depends on the applicable configuration settings.
 .TP
 .B SIGCONT
-causes auditd to dump a report of internal state to /var/run/auditd.state.
+causes auditd to dump a report of internal state to /run/audit/auditd.state.
 
 .SH EXIT CODES
 .TP
@@ -86,7 +86,7 @@ There is an error in the configuration file
 .B /etc/audit/audit-stop.rules
 - These rules are loaded when the audit daemon stops.
 .P
-.B /var/run/auditd.state
+.B /run/audit/auditd.state
 - report about internal state.
 
 .SH NOTES
diff --git a/docs/auditd.conf.5 b/docs/auditd.conf.5
@@ -402,7 +402,7 @@ for days, or
 .B M
 for months.
 The default is 0 which disables preriodic reporting. The largest value is 40 days. When set, auditd will periodically generate the state report written to
-.I /var/run/auditd.state.
+.I /run/audit/auditd.state.
 .SH RELOADING
 Most parameters can be changed while the daemon is running by sending
 .B SIGHUP
diff --git a/init.d/auditd.service.in b/init.d/auditd.service.in
@@ -30,7 +30,7 @@ Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
 
 [Service]
 Type=forking
-PIDFile=@runstatedir@/auditd.pid
+PIDFile=@runstatedir@/audit/auditd.pid
 ExecStart=@sbindir@/auditd
 Restart=on-failure
 ## Do not restart for intentional exits. See EXIT CODES section in auditd(8).
diff --git a/init.d/auditd.state b/init.d/auditd.state
@@ -6,7 +6,7 @@
 test "$(id -u)" = "0"  ||  exit 4
 
 PATH=/sbin:/bin:/usr/bin:/usr/sbin
-state_file="/var/run/auditd.state"
+state_file="/run/audit/auditd.state"
 
 printf "Getting auditd internal state: "
 /sbin/auditctl --signal state
diff --git a/src/auditd.c b/src/auditd.c
@@ -78,8 +78,8 @@ volatile ATOMIC_INT stop = 0;
 /* Local data */
 static int fd = -1, pipefds[2] = {-1, -1};
 static struct daemon_conf config;
-static const char *pidfile = "/var/run/auditd.pid";
-static const char *state_file = "/var/run/auditd.state";
+static const char *pidfile = AUDIT_RUN_DIR"/auditd.pid";
+static const char *state_file = AUDIT_RUN_DIR"/auditd.state";
 static int init_pipe[2];
 static int do_fork = 1, opt_aggregate_only = 0, config_dir_set = 0;
 /*
@@ -104,6 +104,7 @@ static char *getsubj(char *subj);
 /* Manage access to the preallocated event pool */
 static struct auditd_event *alloc_pool_event(void);
 int event_is_prealloc(struct auditd_event *e);
+static int make_audit_run_dir(void);
 
 enum startup_state {startup_disable=0, startup_enable, startup_nochange,
 	startup_INVALID};
@@ -402,6 +403,24 @@ int send_audit_event(int type, const char *str)
 	return 0;
 }
 
+
+static int make_audit_run_dir(void)
+{
+	struct stat st;
+
+	if (stat(AUDIT_RUN_DIR, &st) < 0) {
+		if (mkdir(AUDIT_RUN_DIR, 0755) < 0) {
+			audit_msg(LOG_ERR,
+				"Cannot create run directory %s (%s)",
+				AUDIT_RUN_DIR, strerror(errno));
+			return -1;
+		}
+	} else if (!S_ISDIR(st.st_mode))
+		return -1;
+
+	return 0;
+}
+
 static int write_pid_file(void)
 {
 	int pidfd, len;
@@ -841,13 +860,19 @@ int main(int argc, char *argv[])
 			tell_parent(FAILURE);
 			free_config(&config);
 			return 1;
-		} 
+		}
 		openlog("auditd", LOG_PID, LOG_DAEMON);
 	}
 
 	/* Init netlink */
 	if ((fd = audit_open()) < 0) {
-        	audit_msg(LOG_ERR, "Cannot open netlink audit socket");
+		audit_msg(LOG_ERR, "Cannot open netlink audit socket");
+		tell_parent(FAILURE);
+		free_config(&config);
+		return 1;
+	}
+
+	if (make_audit_run_dir() < 0) {
 		tell_parent(FAILURE);
 		free_config(&config);
 		return 1;
