libvirt/daemon/libvirtd.aug
Daniel P. Berrange 8f680ad3b8 Basic framework for auditing integration
Integrate with libaudit.so for auditing of important operations.
libvirtd gains a couple of config entries for auditing. By
default it will enable auditing, if its enabled on the host.
It can be configured to force exit if auditing is disabled
on the host. It will can also send audit messages via libvirt
internal logging API

Places requiring audit reporting can use the VIR_AUDIT
macro to report data. This is a no-op unless auditing is
enabled

* autobuild.sh, mingw32-libvirt.spec.in: Disable audit
  on mingw
* configure.ac: Add check for libaudit
* daemon/libvirtd.aug, daemon/libvirtd.conf,
  daemon/test_libvirtd.aug, daemon/libvirtd.c: Add config
  options to enable auditing
* include/libvirt/virterror.h, src/util/virterror.c: Add
  VIR_FROM_AUDIT source
* libvirt.spec.in: Enable audit
* src/util/virtaudit.h, src/util/virtaudit.c: Simple internal
  API for auditing messages
2010-10-19 17:31:31 +01:00

87 lines
3.2 KiB
Plaintext

(* /etc/libvirt/libvirtd.conf *)
module Libvirtd =
autoload xfm
let eol = del /[ \t]*\n/ "\n"
let value_sep = del /[ \t]*=[ \t]*/ " = "
let indent = del /[ \t]*/ ""
let array_sep = del /,[ \t\n]*/ ", "
let array_start = del /\[[ \t\n]*/ "[ "
let array_end = del /\]/ "]"
let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
let bool_val = store /0|1/
let int_val = store /[0-9]+/
let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
let str_entry (kw:string) = [ key kw . value_sep . str_val ]
let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]
let int_entry (kw:string) = [ key kw . value_sep . int_val ]
let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
(* Config entry grouped by function - same order as example config *)
let network_entry = bool_entry "listen_tls"
| bool_entry "listen_tcp"
| str_entry "tls_port"
| str_entry "tcp_port"
| str_entry "listen_addr"
| bool_entry "mdns_adv"
| str_entry "mdns_name"
let sock_acl_entry = str_entry "unix_sock_group"
| str_entry "unix_sock_ro_perms"
| str_entry "unix_sock_rw_perms"
| str_entry "unix_sock_dir"
let authentication_entry = str_entry "auth_unix_ro"
| str_entry "auth_unix_rw"
| str_entry "auth_tcp"
| str_entry "auth_tls"
let certificate_entry = str_entry "key_file"
| str_entry "cert_file"
| str_entry "ca_file"
| str_entry "crl_file"
let authorization_entry = bool_entry "tls_no_verify_certificate"
| str_array_entry "tls_allowed_dn_list"
| str_array_entry "sasl_allowed_username_list"
let processing_entry = int_entry "min_workers"
| int_entry "max_workers"
| int_entry "max_clients"
| int_entry "max_requests"
| int_entry "max_client_requests"
let logging_entry = int_entry "log_level"
| str_entry "log_filters"
| str_entry "log_outputs"
let auditing_entry = int_entry "audit_level"
| bool_entry "audit_logging"
(* Each enty in the config is one of the following three ... *)
let entry = network_entry
| sock_acl_entry
| authentication_entry
| certificate_entry
| authorization_entry
| processing_entry
| logging_entry
| auditing_entry
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ]
let record = indent . entry . eol
let lns = ( record | comment | empty ) *
let filter = incl "/etc/libvirt/libvirtd.conf"
. Util.stdexcl
let xfm = transform lns filter