From c08b6413a21c6e078fa5f93ffa96c9bb801ae9f8c4e2e37e0e8ea780bf7b4dfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 3 May 2024 11:11:31 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main audit revision b45ec063c4e7856d1bf1ea7fa6a46c44 --- .gitattributes | 23 + README-BEFORE-ADDING-PATCHES | 16 + audit-3.0.9.tar.gz | 3 + audit-allow-manual-stop.patch | 25 + audit-ausearch-do-not-require-tclass.patch | 41 + audit-no-gss.patch | 24 + audit-plugins-path.patch | 29 + audit-secondary.changes | 737 ++++++++++ audit-secondary.spec | 329 +++++ audit-userspace-517-compat.patch | 38 + audit.changes | 1525 ++++++++++++++++++++ audit.spec | 152 ++ baselibs.conf | 7 + change-default-log_format.patch | 28 + change-default-log_group.patch | 21 + create-augenrules-service.patch | 97 ++ enable-stop-rules.patch | 29 + fix-hardened-service.patch | 32 + harden_auditd.service.patch | 20 + libev-werror.patch | 26 + system-group-audit.conf | 2 + 21 files changed, 3204 insertions(+) create mode 100644 .gitattributes create mode 100644 README-BEFORE-ADDING-PATCHES create mode 100644 audit-3.0.9.tar.gz create mode 100644 audit-allow-manual-stop.patch create mode 100644 audit-ausearch-do-not-require-tclass.patch create mode 100644 audit-no-gss.patch create mode 100644 audit-plugins-path.patch create mode 100644 audit-secondary.changes create mode 100644 audit-secondary.spec create mode 100644 audit-userspace-517-compat.patch create mode 100644 audit.changes create mode 100644 audit.spec create mode 100644 baselibs.conf create mode 100644 change-default-log_format.patch create mode 100644 change-default-log_group.patch create mode 100644 create-augenrules-service.patch create mode 100644 enable-stop-rules.patch create mode 100644 fix-hardened-service.patch create mode 100644 harden_auditd.service.patch create mode 100644 libev-werror.patch create mode 100644 system-group-audit.conf 
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/README-BEFORE-ADDING-PATCHES b/README-BEFORE-ADDING-PATCHES
new file mode 100644
index 0000000..8259e81
--- /dev/null
+++ b/README-BEFORE-ADDING-PATCHES
@@ -0,0 +1,16 @@
+All patches need to have a kernel-style patch description header.
+
+PATCHES LACKING THIS OR NOT CORRECTLY FOLLOWING DESCRIPTION BELOW WILL BE
+REJECTED OR REVERTED
+
+From: Joe Smoe
+Subject: Summary of fix
+Date: Date of fix
+References: Bugzilla reference [bsc#xxxx]
+References: URL of relevant discussion thread, opensuse or upstream ML etc
+Git-commit: Full SHA of upstream commit [if applicable]
+Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
+Patch-mainline: revision of audit package or explanation if not [i.e v2.8.1 or "queued with maintainer" or "never; because ...." ]
+Signed-Off-by: Joe Smoe
+
+Short paragraph describing problem/fix.
diff --git a/audit-3.0.9.tar.gz b/audit-3.0.9.tar.gz
new file mode 100644
index 0000000..3595002
--- /dev/null
+++ b/audit-3.0.9.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd9570444df1573a274ca8ba23590082298a083cfc0618138957f590e845bc78
+size 1210655
diff --git a/audit-allow-manual-stop.patch b/audit-allow-manual-stop.patch
new file mode 100644
index 0000000..82663c3
--- /dev/null
+++ b/audit-allow-manual-stop.patch
@@ -0,0 +1,25 @@
+From: Tony Jones
+Subject: allow service stop
+References: https://lists.fedoraproject.org/pipermail/devel/2012-June/169411.html
+References: https://www.redhat.com/archives/linux-audit/2013-July/msg00048.html
+---
+
+legacy-actions is Fedora specific, so blocking manual stop won't work for
+SUSE since we lack the ability to use a custom stop/restart
+
+
+ init.d/auditd.service | 1 -
+ 1 file changed, 1 deletion(-)
+
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
+ Before=sysinit.target shutdown.target
+ ##Before=shutdown.target
+ Conflicts=shutdown.target
+-RefuseManualStop=yes
+ ConditionKernelCommandLine=!audit=0
+ ConditionKernelCommandLine=!audit=off
+ 
diff --git a/audit-ausearch-do-not-require-tclass.patch b/audit-ausearch-do-not-require-tclass.patch
new file mode 100644
index 0000000..91c8fe7
--- /dev/null
+++ b/audit-ausearch-do-not-require-tclass.patch
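Review bot: The header of audit-allow-manual-stop.patch omits the `Date:`, `Patch-mainline:` and `Signed-off-by:` fields that README-BEFORE-ADDING-PATCHES, added in this same commit, declares mandatory. Removing `RefuseManualStop=yes` means systemd no longer refuses a manual stop of auditd, so the record of audit collection being halted depends entirely on the audit rules loaded at stop time; the changelog in this commit refers to enable-stop-rules.patch and audit-stop.rules, which appear to be that compensating control. A one-line cross-reference in the header, e.g. `Patch-mainline: never; SUSE lacks legacy-actions, see enable-stop-rules.patch for the stop-time rules`, would make the trade-off visible to whoever next touches the unit file.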
@@ -0,0 +1,41 @@
+From: William Preston
+Subject: ausearch is looking for the "tclass" field in the entries, which doesn't make sense for apparmor.
+References: bnc#878687
+References: https://www.redhat.com/archives/linux-audit/2014-May/msg00094.html https://www.redhat.com/archives/linux-audit/2014-June/msg00001.html
+Upstream: never
+Signed-off-by: Tony Jones
+
+---
+ src/ausearch-parse.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+Index: audit-3.0.9/src/ausearch-parse.c
+===================================================================
+--- audit-3.0.9.orig/src/ausearch-parse.c
++++ audit-3.0.9/src/ausearch-parse.c
+@@ -2062,17 +2062,15 @@ other_avc:
+ 
+ // Now get the class...its at the end, so we do things different
+ str = strstr(term, "tclass=");
+- if (str == NULL) {
+- rc = 9;
+- goto err;
++ if (str) {
++ str += 7;
++ term = strchr(str, ' ');
++ if (term)
++ *term = 0;
++ an.avc_class = strdup(str);
++ if (term)
++ *term = ' ';
+ }
+- str += 7;
+- term = strchr(str, ' ');
+- if (term)
+- *term = 0;
+- an.avc_class = strdup(str);
+- if (term)
+- *term = ' ';
+ 
+ if (audit_avc_init(s) == 0) {
+ alist_append(s->avc, &an);
diff --git a/audit-no-gss.patch b/audit-no-gss.patch
new file mode 100644
index 0000000..feadd9c
--- /dev/null
+++ b/audit-no-gss.patch
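Review bot: With `tclass=` now optional, the new `if (str)` block leaves `an.avc_class` untouched when the field is absent, and nothing in the hunk shows `an` being zero-initialized, so any later code that tests or frees `avc_class` could see an indeterminate pointer; an explicit `} else` / `an.avc_class = NULL;` branch, or a confirmation that `an` is `= {0}`/memset earlier in the function, would pin that down. The enclosing function starts and ends outside the hunk. The unchecked `strdup(str)` is pre-existing code that the patch only moves, so it is not a regression of this change. The header uses `Upstream: never` where README-BEFORE-ADDING-PATCHES in this commit asks for a `Patch-mainline:` line.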
@@ -0,0 +1,24 @@
+From: Tony Jones
+Subject: Disable GSS options from config file
+Upsteam: never
+
+Disable GSS/Kerberos options from config file. They are disabled from configure
+but need manual removal here.
+
+---
+ init.d/auditd.conf | 3 ---
+ 1 file changed, 3 deletions(-)
+
+Index: audit-3.0.9/init.d/auditd.conf
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.conf
++++ audit-3.0.9/init.d/auditd.conf
+@@ -30,8 +30,6 @@ tcp_max_per_addr = 1
+ ##tcp_client_ports = 1024-65535
+ tcp_client_max_idle = 0
+ transport = TCP
+-krb5_principal = auditd
+-##krb5_key_file = /etc/audit/audit.key
+ distribute_network = no
+ q_depth = 2000
+ overflow_action = SYSLOG
diff --git a/audit-plugins-path.patch b/audit-plugins-path.patch
new file mode 100644
index 0000000..034aea8
--- /dev/null
+++ b/audit-plugins-path.patch
@@ -0,0 +1,29 @@
+From: Tony Jones
+Subject: Adjust location of plugins built by audit-secondary
+Upsteam: never
+
+Adjust location of plugins built by audit-secondary. These should never have
+been in /sbin plus some (for SUSE) require lib dependancies on /usr/lib
+
+--- a/audisp/plugins/remote/au-remote.conf
++++ b/audisp/plugins/remote/au-remote.conf
+@@ -5,7 +5,7 @@
+ 
+ active = no
+ direction = out
+-path = /sbin/audisp-remote
++path = /usr/sbin/audisp-remote
+ type = always
+ #args =
+ format = string
+--- a/audisp/plugins/zos-remote/audispd-zos-remote.conf
++++ b/audisp/plugins/zos-remote/audispd-zos-remote.conf
+@@ -8,7 +8,7 @@
+ 
+ active = no
+ direction = out
+-path = /sbin/audispd-zos-remote
++path = /usr/sbin/audispd-zos-remote
+ type = always
+ args = /etc/audit/zos-remote.conf
+ format = string
diff --git a/audit-secondary.changes b/audit-secondary.changes
new file mode 100644
index 0000000..f1c1137
--- /dev/null
+++ b/audit-secondary.changes
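Review bot: The header tag `Upsteam: never` in audit-plugins-path.patch is misspelled and is not the `Patch-mainline:` field that README-BEFORE-ADDING-PATCHES, added in this commit, requires; the same misspelled tag appears in audit-no-gss.patch. Both headers also omit `Date:` and `Signed-off-by:`, and the plugins-path description reads `dependancies` for `dependencies`. Since the README states that non-conforming patches will be rejected or reverted, the two headers should be brought in line, e.g. `Patch-mainline: never; SUSE-specific install layout`.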
@@ -0,0 +1,737 @@ +------------------------------------------------------------------- +Tue Dec 27 10:21:56 UTC 2022 - Ludwig Nussel + +- Replace transitional %usrmerged macro with regular version check (boo#1206798) + +------------------------------------------------------------------- +Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya + +- Enable build for ARM (32-bit) +- Update to version 3.0.9: + * In auditd, release the async flush lock on stop + * Don't allow auditd to log directly into /var/log when log_group is non-zero + * Cleanup krb5 memory leaks on error paths + * Update auditd.cron to use auditctl --signal + * In auparse, if too many fields, realloc array bigger (Paul Wolneykien) + * In auparse, special case kernel module name interpretation + * If overflow_action is ignore, don't treat as an error + (3.0.8) + * Add gcc function attributes for access and allocation + * Add some more man pages (MIZUTA Takeshi) + * In auditd, change the reinitializing of the plugin queue + * Fix path normalization in auparse (Sergio Correia) + * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya) + * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya) + * Drop ProtectHome from auditd.service as it interferes with rules + (3.0.7) + * Add support for the OPENAT2 record type (Richard Guy Briggs) + * In auditd, close the logging file descriptor when logging is suspended + * Update the capabilities lookup table to match 5.16 kernel + * Improve interpretation of renamat & faccessat family of syscalls + * Update syscall table for the 5.16 kernel + * Reduce dependency from initscripts to initscripts-service +- Refresh patches (context adjusment): + * audit-allow-manual-stop.patch + * audit-ausearch-do-not-require-tclass.patch + * audit-no-gss.patch + * enable-stop-rules.patch + * fix-hardened-service.patch + * harden_auditd.service.patch +- Remove patches (fixed by version update): + * 
libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch + * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch + +------------------------------------------------------------------- +Mon Apr 11 20:44:34 UTC 2022 - Jan Engelhardt + +- Drop buildrequire on C++ compiler. +- Modernize specfile constructs. + +------------------------------------------------------------------- +Sat Mar 26 11:14:19 UTC 2022 - Stephan Kulow + +- Fix buildrequire for openldap2-devel - audit doesn't require the + (outdated) C++ binding, but the C headers that happen to be pulled + in by buildrequiring the C++ devel package + +------------------------------------------------------------------- +Fri Mar 25 04:56:19 UTC 2022 - Enzo Matsumiya + +- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645) + * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch +- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517) + * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch + +------------------------------------------------------------------- +Wed Mar 23 16:37:06 UTC 2022 - Dirk Müller + +- add audit-userspace-517-compat.patch + +------------------------------------------------------------------- +Mon Nov 29 13:13:56 UTC 2021 - Fabian Vogt + +- Use %autosetup +- Don't include sample rules as %doc, they're already installed + as normal files +- Fix create-augenrules-service.patch: + * auditd.service needs to require augenrules.service, + not the other way around +- Fix documentation for enable-stop-rules.patch + +------------------------------------------------------------------- +Sun Nov 7 13:34:20 UTC 2021 - Callum Farmer + +- Update to version 3.0.6: + * fixes a segfault on some SELINUX_ERR records + * makes IPX packet interpretation dependent on the ipx header + file existing + * adds b32/b64 support to ausyscall + * adds support for armv8l + * fixes auditctl list of syscalls on PPC + * auditd.service now restarts auditd under some conditions 
+ +------------------------------------------------------------------- +Fri Oct 15 11:13:26 UTC 2021 - Callum Farmer + +- Add CONFIG parameter to %sysusers_generate_pre + +------------------------------------------------------------------- +Wed Oct 13 19:12:06 UTC 2021 - Enzo Matsumiya + +- Create separate service for augenrules (bsc#1191614, bsc#1181400) + * add create-augenrules-service.patch + Remove ReadWritePaths=/etc/audit from auditd.service, also removes + augenrules call from ExecStartPost. + Create augenrules.service with the ReadWritePaths directive above. + This makes /etc/audit only accessible by augenrules.service and + let auditd.service (and daemon) to be sandboxed again. + +- Update audit-secondary.spec to accomodate the new service file. + +------------------------------------------------------------------- +Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya + +- Fix hardened auditd.service (bsc#1181400) + * add fix-hardened-service.patch + Make /etc/audit read-write from the service. + Remove PrivateDevices=true to expose /dev/* to auditd.service. + +- Enable stop rules for audit.service (cf. 
bsc#1190227) + * add enable-stop-rules.patch + +------------------------------------------------------------------- +Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya + +- Change default log_format from ENRICHED to RAW (bsc#1190500): + * add change-default-log_format.patch (SUSE-specific patch) + +- Update to version 3.0.5: + * In auditd, flush uid/gid caches when user/group added/deleted/modified + * Fixed various issues when dealing with corrupted logs + * In auditd, check if log_file is valid before closing handle + +- Include fixed from 3.0.4: + * Apply performance speedups to auparse library + * Optimize rule loading in auditctl + * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath + * Update syscall table to the 5.14 kernel + * Fixed various issues when dealing with corrupted logs + +------------------------------------------------------------------- +Mon Aug 16 13:29:21 UTC 2021 - Marcus Meissner + +- harden_auditd.service.patch: automatic hardening applied to systemd + services + +------------------------------------------------------------------- +Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya + +- Update to version 3.0.3: + * Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined + * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids + * Change auparse_feed_has_data in auparse to include incomplete events + * Auditd, stop linking against -lrt + * Add ProtectHome and RestrictRealtime to auditd.service + * In auditd, read up to 3 netlink packets in a row + * In auditd, do not validate path to plugin unless active + * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists +- use https source urls + +------------------------------------------------------------------- +Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya + +- Adjust audit.spec and audit-secondary.spec to support new version +- Include fix for libev + * add libev-werror.patch + +- Update to version 3.0.2 +- In audispd-statsd pluging, use struct 
sockaddr_storage (Ville Heikkinen) +- Optionally interpret auid in auditctl -l +- Update some syscall argument interpretations +- In auditd, do not allow spaces in the hostname name format +- Big documentation cleanup (MIZUTA Takeshi) +- Update syscall table to the 5.12 kernel +- Update the auparse normalizer for new event types +- Fix compiler warnings in ids subsystem +- Block a couple signals from flush & reconfigure threads +- In auditd, don't wait on flush thread when exiting +- Output error message if the path of input files are too long ausearch/report + +Included fixes from 3.0.1 +- Update syscall table to the 5.11 kernel +- Add new --eoe-timeout option to ausearch and aureport (Burn Alting) +- Only enable periodic timers when listening on the network +- Upgrade libev to 4.33 +- Add auparse_new_buffer function to auparse library +- Use the select libev backend unless aggregating events +- Add sudoers to some base audit rules +- Update the auparse normalizer for some new syscalls and event types + +Included fixes from 3.0 +- Generate checkpoint file even when no results are returned (Burn Alting) +- Fix log file creation when file logging is disabled entirely (Vlad Glagolev) +- Convert auparse_test to run with python3 (Tomáš Chvátal) +- Drop support for prelude +- Adjust backlog_wait_time in rules to the kernel default (#1482848) +- Remove ids key syntax checking of rules in auditctl +- Use SIGCONT to dump auditd internal state (#1504251) +- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903) +- Fix parsing of uid & success for ausearch +- Add support for not equal operator in audit by executable (Ondrej Mosnacek) +- Hide lru symbols in auparse +- Add systemd process protections +- Fix aureport summary time range reporting +- Allow unlimited retries on startup for remote logging +- Add queue_depth to remote logging stats and increase default queue_depth size +- Fix segfault on shutdown +- Merge auditd and audispd code +- Close on 
execute init_pipe fd (#1587995) +- Breakout audisp syslog plugin to be standalone program +- Create a common internal library to reduce code +- Move all audispd config files under /etc/audit/ +- Move audispd.conf settings into auditd.conf +- Add queue depth statistics to internal state dump report +- Add network statistics to internal state dump report +- SIGUSR now also restarts queue processing if its suspended +- Update lookup tables for the 4.18 kernel +- Add auparse_normalizer support for SOFTWARE_UPDATE event +- Add 30-ospp-v42.rules to meet new Common Criteria requirements +- Deprecate enable_krb and replace with transport config opt for remote logging +- Mark netlabel events as simple events so that get processed quicker +- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) +- In aureport, fix segfault in file report +- Add auparse_normalizer support for labeled networking events +- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) +- In ausearch/auparse, event aging is off by a second +- In ausearch/auparse, correct event ordering to process oldest first +- Migrate auparse python test to python3 +- auparse_reset was not clearing everything it should +- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events +- In ausearch/report, lightly parse selinux portion of USER_AVC events +- Add bpf syscall command argument interpretation to auparse +- In ausearch/report, limit record size when malformed +- Port af_unix plugin to libev +- In auditd, fix extract_type function for network originating events +- In auditd, calculate right size and location for network originating events +- Make legacy script wait for auditd to terminate (#1643567) +- Treat all network originating events as VER2 so dispatcher doesn't format it +- If an event has a node name make it VER2 so dispatcher doesnt format it +- In audisp-remote do an initial connection attempt (#1625156) +- In auditd, allow expression of space left 
as a percentage (#1650670) +- On PPC64LE systems, only allow 64 bit rules (#1462178) +- Make some parts of auditd state report optional based on config +- Update to libev-4.25 +- Fix ausearch when checkpointing a single file (Burn Alting) +- Fix scripting in 31-privileged.rules wrt filecap (#1662516) +- In ausearch, do not checkpt if stdin is input source +- In libev, remove __cold__ attribute for functions to allow proper hardening +- Add tests to configure.ac for openldap support +- Make systemd support files use /run rather than /var/run (Christian Hesse) +- Fix minor memory leak in auditd kerberos credentials code +- Allow exclude and user filter by executable name (Ondrej Mosnacek) +- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test +- In ausearch/report fix --end to use midnight time instead of now (#1671338) +- Add substitue functions for strndupa & rawmemchr +- Fix memleak in auparse caused by corrected event ordering +- Fix legacy reload script to reload audit rules when daemon is reloaded +- Support for unescaping in trusted messages (Dmitry Voronin) +- In auditd, use standard template for DEAMON events (Richard Guy Briggs) +- In aureport, fix segfault for malformed USER_CMD events +- Add exe field to audit_log_user_command in libaudit +- In auditctl support filter on socket address families (Richard Guy Briggs) +- Deprecate support for Alpha & IA64 processors +- If space_left_action is rotate, allow it every time (#1718444) +- In auparse, drop standalone EOE events +- Add milliseconds column for ausearch extra time csv format +- Fix aureport first event reporting when no start given +- In audisp-remote, add new config item for startup connection errors +- Remove dependency on chkconfig +- Install rules to /usr/share/audit/sample-rules/ +- Split up ospp rules to make SCAP scanning easier (#1746018) +- In audisp-syslog, support interpreting records (#1497279) +- Audit USER events now sends msg as name value pair +- Add support 
for AUDIT_BPF event +- Auditd should not process AUDIT_REPLACE events +- Update syscall tables to the 5.5 kernel +- Improve personality interpretation by using PERS_MASK +- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup +- Change auparse python bindings to shared object (Issue #121) +- Add error messages for watch permissions +- If audit rules file doesn't exist log error message instead of info message +- Revise error message for unmatched options in auditctl +- In audisp-remote, fixup remote endpoint disappearin in ascii format +- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander) +- In auditctl, add support for sending a signal to auditd + +- Removes audit-fno-common.patch: fixed in upstream +- Removes audit-python3.patch: fixed in upstream + +------------------------------------------------------------------- +Mon Feb 1 18:13:18 UTC 2021 - Dominique Leuenberger + +- Do not explicitly provide group(audit) in system-users-audit: + this is automatically handled by rpm/providers. + +------------------------------------------------------------------- +Thu Jan 28 17:59:43 UTC 2021 - Enzo Matsumiya + +- Create new "audit" group for read access to logs (bsc#1178154) + * add change-default-log_group.patch + * update audit-secondary.spec + +------------------------------------------------------------------- +Wed Dec 2 11:49:28 UTC 2020 - Alexander Bergmann + +- Enable Aarch64 processor support. 
(bsc#1179515 bsc#1179806) + +------------------------------------------------------------------- +Fri Oct 16 09:40:34 UTC 2020 - Ludwig Nussel + +- prepare usrmerge (boo#1029961) + +------------------------------------------------------------------- +Mon Jan 13 17:39:03 UTC 2020 - Tony Jones + +- Update to version 2.8.5: + * Fix segfault on shutdown + * Fix hang on startup (#1587995) + * Add sleep to script to dump state so file is ready when needed + * Add auparse_normalizer support for SOFTWARE_UPDATE event + * Mark netlabel events as simple events so that get processed quicker + * When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) + * Add 30-ospp-v42.rules to meet new Common Criteria requirements + * Update lookup tables for the 4.18 kernel + * In aureport, fix segfault in file report + * Add auparse_normalizer support for labeled networking events + * Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) + * Event aging is off by a second + * In ausearch/auparse, correct event ordering to process oldest first + * auparse_reset was not clearing everything it should + * Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events + * In ausearch/report, lightly parse selinux portion of USER_AVC events + * In ausearch/report, limit record size when malformed + * In auditd, fix extract_type function for network originating events + * In auditd, calculate right size and location for network originating events + * Treat all network originating events as VER2 so dispatcher doesn't format it + * In audisp-remote do an initial connection attempt (#1625156) + * In auditd, allow expression of space left as a percentage (#1650670) + * On PPC64LE systems, only allow 64 bit rules (#1462178) + * Make some parts of auditd state report optional based on config + * Fix ausearch when checkpointing a single file (Burn Alting) + * Fix scripting in 31-privileged.rules wrt filecap (#1662516) + * In ausearch, do not checkpt if 
stdin is input source + * In libev, remove __cold__ attribute for functions to allow proper hardening + * Add tests to configure.ac for openldap support + * Make systemd support files use /run rather than /var/run (Christian Hesse) + * Fix minor memory leak in auditd kerberos credentials code + * Fix auditd regression where keep_logs is limited by rotate_logs 2 file test + * In ausearch/report fix --end to use midnight time instead of now (#1671338) + +- Fix build errors when using gcc-10 no-common default (bsc#1160384) + New patch: audit-fno-common.patch + +- Refresh audit-allow-manual-stop.patch + +------------------------------------------------------------------- +Thu Mar 21 10:32:43 UTC 2019 - Jan Engelhardt + +- Reduce scriptlets' hard dependency on systemd. + +------------------------------------------------------------------- +Sat Jun 23 08:16:07 UTC 2018 - antoine.belvire@opensuse.org + +- Update to version 2.8.4: + * Generate checkpoint file even when not results are returned + (Burn Alting). + * Fix log file creation when file logging is disabled entirely + (Vlad Glagolev). + * Use SIGCONT to dump auditd internal state (rh#1504251). + * Fix parsing of virtual timestamp fields in ausearch_expression + (rh#1515903). + * Fix parsing of uid & success for ausearch. + * Hide lru symbols in auparse. + * Fix aureport summary time range reporting. + * Allow unlimited retries on startup for remote logging. + * Add queue_depth to remote logging stats and increase default + queue_depth size. + +------------------------------------------------------------------- +Sun Jun 17 10:48:40 UTC 2018 - antoine.belvire@opensuse.org + +- Update to version 2.8.3: + * Correct msg function name in lru debug code. + * Fix a segfault in auditd when dns resolution isn't available. + * Make a reload legacy service for auditd. + * In auparse python bindings, expose some new types that were + missing. + * In normalizer, pickup subject kind for user_login events. 
+ * Fix interpretation of unknown ioctcmds (rh#1540507). + * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, & + RESP_ORIGIN_BLOCK_TIMED events. + * In auparse_normalize for USER_LOGIN events, map acct for + subj_kind. + * Fix logging of IPv6 addresses in DAEMON_ACCEPT events + (rh#1534748). + * Do not rotate auditd logs when num_logs < 2 (brozs). + +------------------------------------------------------------------- +Tue Apr 3 13:33:34 CEST 2018 - kukuk@suse.de + +- Use %license instead of %doc [bsc#1082318] + +------------------------------------------------------------------- +Fri Mar 16 19:44:45 UTC 2018 - tonyj@suse.com + +- Change openldap dependency to client only (bsc#1085003) +- Resolve issue with previous change if both Python2 and Python3 are + present, tests were failing as python2 bindings are preferred in this + case. + +------------------------------------------------------------------- +Thu Feb 22 11:00:16 UTC 2018 - meissner@suse.com + +- reverted -j1 force ppc specific only + +------------------------------------------------------------------- +Wed Feb 7 09:26:35 UTC 2018 - tchvatal@suse.com + +- Add patch to fix test run without python2 interpreter: + * audit-python3.patch +- Update to 2.8.2 release: + * Update tables for 4.14 kernel + * Fixup ipv6 server side binding + * AVC report from aureport was missing result column header (#1511606) + * Add SOFTWARE_UPDATE event + * In ausearch/report pickup any path and new-disk fields as a file + * Fix value returned by auditctl --reset-lost (Richard Guy Briggs) + * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field + * Fix building on old systems without linux/fanotify.h + * Fix shell portability issues reported by shellcheck + * Auditd validate_email should not use gethostbyname + +------------------------------------------------------------------- +Tue Feb 6 13:24:43 UTC 2018 - normand@linux.vnet.ibm.com + +- force -j1 for PowerPC make check to avoid build failure + (lookup_test.o: 
file not recognized: File truncated)
+
+-------------------------------------------------------------------
+Wed Jan 17 15:25:55 UTC 2018 - tchvatal@suse.com
+
+- Add conditions around python plugins to allow us to conditionalize
+ them in enviroment without python2
+
+-------------------------------------------------------------------
+Thu Nov 9 16:21:23 UTC 2017 - mpluskal@suse.com
+
+- Rename python binding packages to match current python packaging
+ standards
+- Update python build dependencies to resolve future split of
+ python2/3
+
+-------------------------------------------------------------------
+Sat Nov 4 21:11:35 UTC 2017 - aavindraa@gmail.com
+
+- Update to version 2.8.1. See audit.spec (libaudit1) for upstream
+ changelog
+- Remove audit-implicit-writev.patch (fixed upstream across 2
+ commits)
+ * 3b30db20ad983274989ce9a522120c3c225436b3
+ * 07132c22314e9abbe64d1031fd8734243285bb3f
+- Cleanup with spec-cleaner
+
+-------------------------------------------------------------------
+Fri Aug 18 08:50:02 UTC 2017 - dimstar@opensuse.org
+
+- Add audit-implicit-writev.patch: include sys/uio.h to ensure
+ readv and writev are declared.
+
+-------------------------------------------------------------------
+Mon Jul 24 13:59:06 UTC 2017 - jengelh@inai.de
+
+- Rectify RPM groups, diversify descriptions.
+- Remove mentions of static libraries because they are not built.
+
+-------------------------------------------------------------------
+Tue Jul 18 18:33:40 UTC 2017 - tonyj@suse.com
+
+- Update to version 2.7.7. See audit.spec (libaudit1) for upstream
+ changelog
+ Since commit 6cf57d27 (2.7.4) audit is now started as an non-forking
+ service (bsc#1042781).
+ Add config: audit-stop.rules
+ Refresh patch: audit-allow-manual-stop.patch
+ Refresh patch: audit-no-gss.patch
+
+-------------------------------------------------------------------
+Fri Apr 1 14:59:05 UTC 2016 - tchvatal@suse.com
+
+- Version update to 2.5.
See audit.spec (libaudit1) for upstream
+ changelog
+- Cleanup with spec-cleaner
+- Sort out bit /sbin /usr/sbin/ installation
+- Install the rules as documentation
+- Remove needless %py_requires from python subpkgs
+
+-------------------------------------------------------------------
+Fri Aug 21 19:00:36 UTC 2015 - tonyj@suse.com
+
+- Update to version 2.4.4. See audit.spec (libaudit1) for upstream
+ changelog
+- Add python3 bindings for libaudit and libauparse
+- Remove patch 'audit-no_m4_dir.patch'
+ (added Fri Apr 26 11:14:39 UTC 2013 by mmeister@suse.com)
+ No idea what earlier 'automake' build error this was trying to fix but
+ it broke the handling of "--without-libcap-ng". Anyways, no build error
+ occurs now and m4 path is also needed in v2.4.4 to find ax_prog_cc_for_build
+
+-------------------------------------------------------------------
+Tue Sep 2 17:35:12 UTC 2014 - tonyj@suse.com
+
+- Update to version 2.4. See audit.spec (libaudit1) for upstream
+ changelog
+ Drop patch: auditd-donot-start-if-kernel-cmdline-disabled.patch
+
+-------------------------------------------------------------------
+Fri Aug 15 14:24:33 UTC 2014 - crrodriguez@opensuse.org
+
+- If the system has been booted with audit=0 in the kernel cmdline
+ auditd.service must refrain from starting as the relevant kernel
+ subsystem will be permanently disabled.
+ add patch: auditd-donot-start-if-kernel-cmdline-disabled.patch
+
+-------------------------------------------------------------------
+Thu Jul 10 06:21:55 UTC 2014 - tonyj@suse.com
+
+- Do not require tclass field to be present when searching for AVC
+ records (bnc#878687)
+ add patch: audit-ausearch-do-not-require-tclass.patch
+
+-------------------------------------------------------------------
+Tue Apr 15 00:52:16 UTC 2014 - tonyj@suse.com
+
+- Update to version 2.3.6.
See audit.spec (libaudit1) for upstream
+ changelog
+
+-------------------------------------------------------------------
+Wed Mar 26 18:41:33 UTC 2014 - crrodriguez@opensuse.org
+
+- fix systemd warning:
+ "Configuration file /usr/lib/systemd/system/auditd.service
+ is marked world-inaccessible.
+ This has no effect as configuration data is accessible
+ via APIs without restrictions"
+* indeed restricting access to unit files using filesystem
+ permissions is non-sense.
+
+-------------------------------------------------------------------
+Thu Feb 27 16:28:31 UTC 2014 - tonyj@suse.com
+
+- Add systemd requires (bnc#865849)
+
+-------------------------------------------------------------------
+Tue Feb 4 00:06:30 UTC 2014 - tonyj@suse.com
+
+- Update to version 2.3.3. See audit.spec (libaudit1) for upstream
+ changelog
+
+-------------------------------------------------------------------
+Tue Nov 26 18:28:58 UTC 2013 - tonyj@suse.com
+
+- Update to version 2.3.2. See audit.spec (libaudit1) for upstream
+ changelog
+- Drop patch 'audit-fix-implicit-defn.patch' (upstream)
+- Add patch 'audit-allow-manual-stop.patch' to reinstate service
+ stop/restart.
+- /etc/sysconfig/audit still existed but was no longer referenced
+ by systemd, so remove
+- Delete audit-no_plugins.patch, it was stale (no longer referenced
+ by specfiles) but had not been removed.
+
+-------------------------------------------------------------------
+Wed Oct 2 12:48:50 UTC 2013 - opensuse@cboltz.de
+
+- (re-)add rcauditd as symlink to /usr/sbin/service
+
+-------------------------------------------------------------------
+Thu Jun 27 15:17:16 UTC 2013 - tonyj@suse.com
+
+- Eliminate build cycles. audit.spec now builds only libs/devel.
+ Remainder (including daemon) built from audit-secondary.spec
+- Add patch 'audit-fix-implicit-defn.patch' to fix implicit definition
+ warning.
+
+-------------------------------------------------------------------
+Mon Mar 25 17:27:47 UTC 2013 - crrodriguez@opensuse.org
+
+- Buildrequires cap-ng library
+
+-------------------------------------------------------------------
+Tue Jan 22 12:34:00 UTC 2013 - jengelh@inai.de
+
+- Executing autoreconf requires autoconf
+
+-------------------------------------------------------------------
+Fri Oct 12 13:00:30 UTC 2012 - coolo@suse.com
+
+- Update to version 2.2.1, see audit's changes
+
+-------------------------------------------------------------------
+Tue Feb 28 21:58:24 UTC 2012 - tonyj@suse.com
+
+- Update to version 2.1.3. See audit.spec upstream changelog
+
+-------------------------------------------------------------------
+Sat Sep 17 13:38:42 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections from specfile
+
+-------------------------------------------------------------------
+Fri May 20 16:54:38 UTC 2011 - tonyj@novell.com
+
+- Adjust license of audit-libs-python to be LGPLv2.1 or later.
+
+-------------------------------------------------------------------
+Wed Apr 27 00:05:50 UTC 2011 - tonyj@novell.com
+
+- Upgrade to version 2.1.1 (see audit.changes for upstream change
+ history)
+
+-------------------------------------------------------------------
+Wed Sep 29 00:22:38 UTC 2010 - tonyj@novell.com
+
+- Upgrade to version 2.0.5 (see audit.changes for upstream change
+ history)
+
+-------------------------------------------------------------------
+Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
+
+- use %_smp_mflags
+
+-------------------------------------------------------------------
+Tue May 4 10:51:33 CEST 2010 - tonyj@suse.de
+
+- Upgrade to version 2.0.4 (see audit.changes for upstream change
+ history)
+
+-------------------------------------------------------------------
+Sat Jun 20 12:33:00 CEST 2009 - cmorve69@yahoo.es
+
+- fixed build with --as-needed
+
+-------------------------------------------------------------------
+Mon May 11 17:19:50 CEST 2009 - tonyj@suse.de
+
+- Update from 1.7.7 to 1.7.13 (see audit.changes for upstream change
+ history)
+
+-------------------------------------------------------------------
+Fri Sep 26 23:27:36 CEST 2008 - tonyj@suse.de
+
+- Update from 1.7.4 to 1.7.7 (see audit.changes for upstream change
+ history)
+
+-------------------------------------------------------------------
+Fri Aug 1 17:12:46 CEST 2008 - ro@suse.de
+
+- disable debuginfo for secondary specfile
+
+-------------------------------------------------------------------
+Wed Jun 25 01:50:54 CEST 2008 - tonyj@suse.de
+
+- Update from 1.7.2 to 1.7.4 (see audit.changes for upstream change
+ history)
+
+- Update from 1.6.8 to 1.7.2 (see audit.changes for upstream change
+ history)
+
+-------------------------------------------------------------------
+Tue Jun 3 21:49:41 CEST 2008 - coolo@suse.de
+
+- avoid packaging a directory with different permissions (creating
+ rpm -V output)
+
+-------------------------------------------------------------------
+Wed Apr 16 12:09:26 CEST 2008 - aj@suse.de
+
+- Use %py_requires for proper requires.
+
+-------------------------------------------------------------------
+Wed Mar 26 21:29:38 CET 2008 - tonyj@suse.de
+
+- Update to version 1.6.8.
+- Rename to audit-secondary and build audisp-plugins from here
+ to minimise bootstrap dependancies.
+
+-------------------------------------------------------------------
+Tue Mar 18 14:43:11 CET 2008 - schwab@suse.de
+
+- Use autoreconf.
+
+-------------------------------------------------------------------
+Wed Oct 10 23:19:29 CEST 2007 - tonyj@suse.de
+
+- Upgrade to 1.6.2
+
+-------------------------------------------------------------------
+Wed Jul 25 01:13:09 CEST 2007 - tonyj@suse.de
+
+- Upgrade to 1.5.5
+ Drop audit-swig-attribute.patch (upstreamed)
+
+-------------------------------------------------------------------
+Fri Jul 13 01:58:29 CEST 2007 - tonyj@suse.de
+
+- Fix build errors on ppc
+
+-------------------------------------------------------------------
+Thu Jul 12 01:38:36 CEST 2007 - tonyj@suse.de
+
+- Upgrade to 1.5.4
+
+-------------------------------------------------------------------
+Wed May 2 19:08:53 CEST 2007 - tonyj@suse.de
+
+- Upgrade to 1.5.3.
+
+-------------------------------------------------------------------
+Wed Nov 29 02:47:22 CET 2006 - tonyj@suse.de
+
+- Upgrade to 1.2.9 (drop several patches which are now upstream)
+- /usr/sbin/audispd now packaged by audit-libs-python
+
+-------------------------------------------------------------------
+Sun Nov 5 00:45:21 CET 2006 - ro@suse.de
+
+- fix requires
+
+-------------------------------------------------------------------
+Thu Aug 31 22:57:52 CEST 2006 - tonyj@suse.de
+
+- Upgrade to 1.2.6-1
+
+-------------------------------------------------------------------
+Wed Aug 16 16:19:20 CEST 2006 - cthiel@suse.de
+
+- split off package
+
diff --git a/audit-secondary.spec b/audit-secondary.spec
new file mode 100644
index 0000000..1315a16
--- /dev/null
+++ b/audit-secondary.spec
@@ -0,0 +1,329 @@
+#
+# spec file for package audit-secondary
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%bcond_without python2
+%bcond_without python3
+# This package contains all audit functionality except for audit-libs.
+# The seperation is required to minimize unnecessary build cycles.
+%define _name audit
+Name: audit-secondary
+Version: 3.0.9
+Release: 0
+Summary: Linux kernel audit subsystem utilities
+License: GPL-2.0-or-later
+Group: System/Monitoring
+URL: https://people.redhat.com/sgrubb/audit/
+Source0: https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.gz
+Source1: system-group-audit.conf
+Patch1: audit-plugins-path.patch
+Patch2: audit-no-gss.patch
+Patch3: audit-allow-manual-stop.patch
+Patch4: audit-ausearch-do-not-require-tclass.patch
+Patch5: change-default-log_group.patch
+Patch6: libev-werror.patch
+Patch7: harden_auditd.service.patch
+Patch8: change-default-log_format.patch
+Patch9: fix-hardened-service.patch
+Patch10: enable-stop-rules.patch
+Patch11: create-augenrules-service.patch
+Patch12: audit-userspace-517-compat.patch
+BuildRequires: audit-devel = %{version}
+BuildRequires: autoconf >= 2.12
+BuildRequires: kernel-headers >= 2.6.30
+BuildRequires: libtool
+BuildRequires: openldap2-devel
+BuildRequires: pkgconfig
+%if %{with python2}
+BuildRequires: python2-devel
+%endif
+%if %{with python3}
+BuildRequires: python3-devel
+%endif
+BuildRequires: swig
+BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
+BuildRequires: tcpd-devel
+BuildRequires: pkgconfig(libcap-ng)
+Provides: bundled(libev) = 4.33
+
+%description
+The audit package contains the user space utilities for storing and
+processing the records generated by the audit subsystem in the
+Linux kernel.
+
+%package -n audit
+Summary: User Space Tools for Kernel Auditing
+License: LGPL-2.1-or-later
+Group: System/Monitoring
+Requires: %{_name}-libs = %{version}
+Requires: coreutils
+Requires: group(audit)
+%{?systemd_ordering}
+
+%description -n audit
+The audit package contains the user space utilities for storing and
+processing the audit records generated by the audit subsystem in the
+Linux kernel.
+
+%package -n system-group-audit
+Summary: System group 'audit'
+License: LGPL-2.1-or-later
+Group: System/Fhs
+%sysusers_requires
+
+%description -n system-group-audit
+This package contains the system group 'audit' for read access to logs.
+
+%package -n python2-audit
+Summary: Python Bindings for libaudit
+License: LGPL-2.1-or-later
+Group: Development/Languages/Python
+Provides: audit-libs-python = %{version}
+Obsoletes: audit-libs-python < %{version}
+
+%description -n python2-audit
+The audit-libs-python package contains the bindings for using libaudit
+by python.
+
+%package -n python3-audit
+Summary: Python3 Bindings for libaudit
+License: LGPL-2.1-or-later
+Group: Development/Languages/Python
+Provides: audit-libs-python3 = %{version}
+Obsoletes: audit-libs-python3 < %{version}
+
+%description -n python3-audit
+The audit-libs-python3 package contains the bindings for using libaudit
+by python3.
+
+%package -n audit-audispd-plugins
+Summary: Default plugins for the audit dispatcher
+License: GPL-2.0-or-later
+Group: System/Monitoring
+
+%description -n audit-audispd-plugins
+The audit-audispd-plugins package contains plugin components for the
+audit dispatcher (audispd).
+
+%prep
+# remove selinux policy
+rm -rf audisp/plugins/zos-remote/policy
+# we don't build prelude
+rm -rf audisp/plugins/prelude
+%autosetup -p1 -n %{_name}-%{version}
+
+%if %{without python2} && %{with python3}
+# Fix python env call in tests if we only have Python3.
+# If both versions are present, python2 bindings are preferred by the tests and
+# unconditionally using /usr/bin/python3 breaks the tests
+# Probably the correct solution is to run the tests twice if both are present.
+perl -i -lpe 's{#!/usr/bin/env python\S+}{#!/usr/bin/python3}' auparse/test/auparse_test.py
+%endif
+
+%build
+autoreconf -fi
+export CFLAGS="%{optflags} -fno-strict-aliasing"
+export CXXFLAGS="$CFLAGS"
+export LDFLAGS="-Wl,-z,relro,-z,now"
+# no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
+%configure \
+%ifarch aarch64
+ --with-aarch64 \
+%endif
+%ifarch arm
+ --with-arm \
+%endif
+ --enable-systemd \
+ --libexecdir=%{_libexecdir}/%{_name} \
+ --with-apparmor \
+ --with-libwrap \
+ --with-libcap-ng=yes \
+ --disable-static \
+ %{?_with_python3} \
+ %{?_without_python}
+
+%make_build
+
+%sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf
+
+%install
+%make_install
+
+mkdir -p %{buildroot}%{_localstatedir}/log/audit/
+touch %{buildroot}%{_localstatedir}/log/audit/audit.log
+mkdir -p %{buildroot}%{_localstatedir}/spool/audit/
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/
+# For ghost below, so that old location files will still be there when
+# post copy runs
+mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/
+mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/rules.d/
+touch %{buildroot}%{_sysconfdir}/{auditd.conf,audit.rules} %{buildroot}%{_sysconfdir}/audit/auditd.conf
+# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
+touch -r ./audit.spec %{buildroot}%{_sysconfdir}/libaudit.conf
+# Starting with audit 2.5 no config is installed so start with no rules
+install -m 0644
rules/10-no-audit.rules %{buildroot}%{_sysconfdir}/%{_name}/rules.d/audit.rules
+# delete redhat scripts, use ours
+rm -rf %{buildroot}%{_sysconfdir}/sysconfig/auditd
+rm -rf %{buildroot}%{_initddir}/auditd
+rm -rf %{buildroot}%{_sysconfdir}/rc.d/init.d
+# delete redhat systemd legacy scripts, our systemd doesn't support the feature
+# https://lists.fedoraproject.org/pipermail/devel/2012-June/169411.html
+rm -rf %{buildroot}%{_libexecdir}/audit
+# Clean up some unneeded library files
+rm -f %{buildroot}/%{_libdir}/python*/site-packages/{_audit,_auparse,auparse}.{a,la}
+rm -rf %{buildroot}/%{_libdir}/python*/site-packages/__pycache__
+# cleanup makefiles for the rules (installed by %%docs command)
+rm -f %{buildroot}/%{_libdir}/pkgconfig/{audit,auparse}.pc
+# cleanup files handled by audit.spec
+rm -rf %{buildroot}/%{_datadir}/aclocal/
+rm -rf %{buildroot}/%{_includedir}
+rm -f %{buildroot}/%{_libdir}/lib{audit,auparse}.*
+rm -f %{buildroot}%{_sysconfdir}/libaudit.conf
+rm -f %{buildroot}/%{_mandir}/man5/libaudit.conf.5
+rm -rf %{buildroot}/%{_mandir}/man3
+# Cleanup plugins
+#USR-MERGE
+%if 0%{?suse_version} < 1550
+mkdir %{buildroot}/sbin/
+for prog in auditctl auditd ausearch autrace aureport augenrules; do
+ ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
+done
+%endif
+#END-USR-MERGE
+# rcauditd symlink
+ln -s service %{buildroot}%{_sbindir}/rcauditd
+chmod 0644 %{buildroot}%{_unitdir}/auditd.service
+chmod 0644 %{buildroot}%{_unitdir}/augenrules.service
+
+%check
+%make_build check
+
+%post -n audit
+# Save existing audit files if any (from old locations)
+if [ -f %{_sysconfdir}/auditd.conf ]; then
+ mv %{_sysconfdir}/audit/auditd.conf %{_sysconfdir}/audit/auditd.conf.new
+ mv %{_sysconfdir}/auditd.conf %{_sysconfdir}/audit/auditd.conf
+fi
+if [ -f %{_sysconfdir}/audit.rules ]; then
+ mv %{_sysconfdir}/audit.rules %{_sysconfdir}/audit/audit.rules
+elif [ !
-f %{_sysconfdir}/audit/audit.rules ]; then
+ cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
+fi
+%service_add_post auditd.service
+%service_add_post augenrules.service
+
+%pre -n audit
+%service_add_pre auditd.service
+%service_add_pre augenrules.service
+
+%pre -n system-group-audit -f audit.pre
+
+%preun -n audit
+%service_del_preun auditd.service
+%service_del_preun augenrules.service
+
+%postun -n audit
+%service_del_postun auditd.service
+%service_del_postun augenrules.service
+
+%files -n audit
+%license COPYING
+%doc README ChangeLog init.d/auditd.cron
+%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
+%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
+%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
+%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
+%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
+%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
+%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
+%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
+%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
+%if 0%{?suse_version} < 1550
+/sbin/auditctl
+/sbin/auditd
+/sbin/ausearch
+/sbin/autrace
+/sbin/augenrules
+/sbin/aureport
+%endif
+%attr(750,root,root) %{_sbindir}/auditctl
+%attr(750,root,root) %{_sbindir}/auditd
+%attr(755,root,root) %{_sbindir}/ausearch
+%attr(750,root,root) %{_sbindir}/autrace
+%attr(750,root,root) %{_sbindir}/augenrules
+%attr(750,root,root) %{_sbindir}/audisp-syslog
+%attr(755,root,root) %{_bindir}/aulast
+%attr(755,root,root) %{_bindir}/aulastlog
+%attr(755,root,root) %{_bindir}/ausyscall
+%attr(755,root,root) %{_sbindir}/aureport
+%attr(755,root,root) %{_bindir}/auvirt
+%dir %attr(750,root,root) %{_sysconfdir}/audit
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
+%ghost %{_sysconfdir}/auditd.conf
+%ghost %{_sysconfdir}/audit.rules
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
+%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
+%dir %attr(750,root,audit) %{_localstatedir}/log/audit
+%ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
+%dir %attr(700,root,root) %{_localstatedir}/spool/audit
+%{_unitdir}/auditd.service
+%{_unitdir}/augenrules.service
+%{_sbindir}/rcauditd
+%{_datadir}/audit/
+
+%files -n system-group-audit
+%{_sysusersdir}/system-group-audit.conf
+
+%if %{with python2}
+%files -n python2-audit
+%attr(755,root,root) %{python2_sitearch}/_audit.so
+%attr(755,root,root) %{python2_sitearch}/auparse.so
+%{python2_sitearch}/audit.py*
+%endif
+
+%if %{with python3}
+%files -n python3-audit
+%attr(755,root,root) %{python3_sitearch}/*
+%endif
+
+%files -n audit-audispd-plugins
+%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
+%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
+%attr(750,root,root) %dir %{_sysconfdir}/audit
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf
+%attr(750,root,root) %{_sbindir}/audisp-remote
+%attr(750,root,root) %{_sbindir}/audispd-zos-remote
+%config(noreplace)
%attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf
+
+%changelog
diff --git a/audit-userspace-517-compat.patch b/audit-userspace-517-compat.patch
new file mode 100644
index 0000000..6d3b72e
--- /dev/null
+++ b/audit-userspace-517-compat.patch
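Review bot: The `%configure` invocation in `%build` is not driven by the `%bcond_without python2` / `%bcond_without python3` switches declared at the top of the spec: `%{?_with_python3}` and `%{?_without_python}` only expand when those exact `--with`/`--without` options are passed on the rpmbuild command line, so flipping a bcond changes the BuildRequires and `%files` lists but leaves configure free to autodetect whichever interpreters the build root happens to contain. A build with `--without python3` on a host that still has a python3 binary would then produce bindings that no `%files` section claims. I would derive the flags from the bconds instead, e.g. `%{?with_python3:--with-python3}%{!?with_python3:--without-python3} \` and `%{?with_python2:--with-python}%{!?with_python2:--without-python}`, assuming upstream still uses the `--with-python`/`--with-python3` option names. Separately, `%bcond_without python2` enables the end-of-life Python 2 bindings and the `python2-devel` build dependency by default; `%bcond_with python2` would keep them buildable on request without pulling Python 2 into every default build.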
@@ -0,0 +1,38 @@
+From: Sergei Trofimovich
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+References: https://github.com/linux-audit/audit-userspace/issues/252
+Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49
+Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
+Patch-mainline: submitted for review upstream
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+ audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+ audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+ audit> | ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+---
+ bindings/swig/src/auditswig.i | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
+index 21aafca31..9a2c5661d 100644
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
++ * generating setters against them: https://github.com/swig/swig/issues/1699
++ */
++%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include
diff --git a/audit.changes b/audit.changes
new file mode 100644
index 0000000..22981df
--- /dev/null
+++ b/audit.changes
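Review bot: `%ignore audit_rule_data::buf;` removes the member from the generated bindings altogether, not only its setter, although the subject line and the comment directly above it say that only setter generation is being avoided; any Python caller that reads `rule.buf` today loses that accessor silently. If setter-only really is the intent, SWIG's `%immutable audit_rule_data::buf;` should keep the read accessor and suppress the write one, and the comment ought to state which of the two behaviours was chosen and why. The patch header also still carries the unfilled template placeholder `Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]`, which should be filled in or dropped, and `Patch-mainline: submitted for review upstream` deserves a recheck against the 3.0.9 tarball this spec builds, since the referenced pull-request commit may already be part of it and the patch redundant.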
@@ -0,0 +1,1525 @@
+-------------------------------------------------------------------
+Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya
+
+- Enable build for ARM (32-bit)
+- Update to version 3.0.9:
+ * In auditd, release the async flush lock on stop
+ * Don't allow auditd to log directly into /var/log when log_group is non-zero
+ * Cleanup krb5 memory leaks on error paths
+ * Update auditd.cron to use auditctl --signal
+ * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
+ * In auparse, special case kernel module name interpretation
+ * If overflow_action is ignore, don't treat as an error
+ (3.0.8)
+ * Add gcc function attributes for access and allocation
+ * Add some more man pages (MIZUTA Takeshi)
+ * In auditd, change the reinitializing of the plugin queue
+ * Fix path normalization in auparse (Sergio Correia)
+ * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
+ * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
+ * Drop ProtectHome from auditd.service as it interferes with rules
+ (3.0.7)
+ * Add support for the OPENAT2 record type (Richard Guy Briggs)
+ * In auditd, close the logging file descriptor when logging is suspended
+ * Update the capabilities lookup table to match 5.16 kernel
+ * Improve interpretation of renamat & faccessat family of syscalls
+ * Update syscall table for the 5.16 kernel
+ * Reduce dependency from initscripts to initscripts-service
+- Refresh patches (context adjusment):
+ * audit-allow-manual-stop.patch
+ * audit-ausearch-do-not-require-tclass.patch
+ * audit-no-gss.patch
+ * enable-stop-rules.patch
+ * fix-hardened-service.patch
+ * harden_auditd.service.patch
+- Remove patches (fixed by version update):
+ * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+ * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+
+-------------------------------------------------------------------
+Mon Apr 11 20:45:33 UTC 2022 - Jan Engelhardt
+
+-
Modernize specfile constructs.
+
+-------------------------------------------------------------------
+Sun Nov 7 13:34:20 UTC 2021 - Callum Farmer
+
+- Update to version 3.0.6:
+ * fixes a segfault on some SELINUX_ERR records
+ * makes IPX packet interpretation dependent on the ipx header
+ file existing
+ * adds b32/b64 support to ausyscall
+ * adds support for armv8l
+ * fixes auditctl list of syscalls on PPC
+ * auditd.service now restarts auditd under some conditions
+
+-------------------------------------------------------------------
+Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya
+
+- Update to version 3.0.5:
+ * In auditd, flush uid/gid caches when user/group added/deleted/modified
+ * Fixed various issues when dealing with corrupted logs
+ * In auditd, check if log_file is valid before closing handle
+
+- Include fixed from 3.0.4:
+ * Apply performance speedups to auparse library
+ * Optimize rule loading in auditctl
+ * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
+ * Update syscall table to the 5.14 kernel
+ * Fixed various issues when dealing with corrupted logs
+
+-------------------------------------------------------------------
+Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya
+
+- Update to version 3.0.3:
+ * Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
+ * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
+ * Change auparse_feed_has_data in auparse to include incomplete events
+ * Auditd, stop linking against -lrt
+ * Add ProtectHome and RestrictRealtime to auditd.service
+ * In auditd, read up to 3 netlink packets in a row
+ * In auditd, do not validate path to plugin unless active
+ * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
+- use https source urls
+
+-------------------------------------------------------------------
+Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya
+
+- Adjust audit.spec and audit-secondary.spec to support new version
+- Include fix for libev
+ * add libev-werror.patch
+
+- Update to version 3.0.2
+- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
+- Optionally interpret auid in auditctl -l
+- Update some syscall argument interpretations
+- In auditd, do not allow spaces in the hostname name format
+- Big documentation cleanup (MIZUTA Takeshi)
+- Update syscall table to the 5.12 kernel
+- Update the auparse normalizer for new event types
+- Fix compiler warnings in ids subsystem
+- Block a couple signals from flush & reconfigure threads
+- In auditd, don't wait on flush thread when exiting
+- Output error message if the path of input files are too long ausearch/report
+
+Included fixes from 3.0.1
+- Update syscall table to the 5.11 kernel
+- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
+- Only enable periodic timers when listening on the network
+- Upgrade libev to 4.33
+- Add auparse_new_buffer function to auparse library
+- Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
+- Update the auparse normalizer for some new syscalls and event types
+
+Included fixes from 3.0
+- Generate checkpoint file even when no results are returned (Burn Alting)
+- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
+- Convert auparse_test to run with python3 (Tomáš Chvátal)
+- Drop support for prelude
+- Adjust backlog_wait_time in rules to the kernel default (#1482848)
+- Remove ids key syntax checking of rules in auditctl
+- Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
+- Fix parsing of uid & success for ausearch
+- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
+- Hide lru symbols in auparse
+- Add systemd process protections
+- Fix aureport summary time range reporting
+- Allow unlimited retries on startup for remote logging
+- Add queue_depth to remote logging stats and increase default
queue_depth size
+- Fix segfault on shutdown
+- Merge auditd and audispd code
+- Close on execute init_pipe fd (#1587995)
+- Breakout audisp syslog plugin to be standalone program
+- Create a common internal library to reduce code
+- Move all audispd config files under /etc/audit/
+- Move audispd.conf settings into auditd.conf
+- Add queue depth statistics to internal state dump report
+- Add network statistics to internal state dump report
+- SIGUSR now also restarts queue processing if its suspended
+- Update lookup tables for the 4.18 kernel
+- Add auparse_normalizer support for SOFTWARE_UPDATE event
+- Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
+- Mark netlabel events as simple events so that get processed quicker
+- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+- In aureport, fix segfault in file report
+- Add auparse_normalizer support for labeled networking events
+- Fix memory leak in audisp-remote plugin when using krb5 transport.
(#1622194)
+- In ausearch/auparse, event aging is off by a second
+- In ausearch/auparse, correct event ordering to process oldest first
+- Migrate auparse python test to python3
+- auparse_reset was not clearing everything it should
+- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+- In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
+- In ausearch/report, limit record size when malformed
+- Port af_unix plugin to libev
+- In auditd, fix extract_type function for network originating events
+- In auditd, calculate right size and location for network originating events
+- Make legacy script wait for auditd to terminate (#1643567)
+- Treat all network originating events as VER2 so dispatcher doesn't format it
+- If an event has a node name make it VER2 so dispatcher doesnt format it
+- In audisp-remote do an initial connection attempt (#1625156)
+- In auditd, allow expression of space left as a percentage (#1650670)
+- On PPC64LE systems, only allow 64 bit rules (#1462178)
+- Make some parts of auditd state report optional based on config
+- Update to libev-4.25
+- Fix ausearch when checkpointing a single file (Burn Alting)
+- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+- In ausearch, do not checkpt if stdin is input source
+- In libev, remove __cold__ attribute for functions to allow proper hardening
+- Add tests to configure.ac for openldap support
+- Make systemd support files use /run rather than /var/run (Christian Hesse)
+- Fix minor memory leak in auditd kerberos credentials code
+- Allow exclude and user filter by executable name (Ondrej Mosnacek)
+- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+- In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Add substitue functions for strndupa & rawmemchr
+- Fix memleak in auparse caused by corrected event ordering
+- Fix legacy reload script
to reload audit rules when daemon is reloaded
+- Support for unescaping in trusted messages (Dmitry Voronin)
+- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
+- In aureport, fix segfault for malformed USER_CMD events
+- Add exe field to audit_log_user_command in libaudit
+- In auditctl support filter on socket address families (Richard Guy Briggs)
+- Deprecate support for Alpha & IA64 processors
+- If space_left_action is rotate, allow it every time (#1718444)
+- In auparse, drop standalone EOE events
+- Add milliseconds column for ausearch extra time csv format
+- Fix aureport first event reporting when no start given
+- In audisp-remote, add new config item for startup connection errors
+- Remove dependency on chkconfig
+- Install rules to /usr/share/audit/sample-rules/
+- Split up ospp rules to make SCAP scanning easier (#1746018)
+- In audisp-syslog, support interpreting records (#1497279)
+- Audit USER events now sends msg as name value pair
+- Add support for AUDIT_BPF event
+- Auditd should not process AUDIT_REPLACE events
+- Update syscall tables to the 5.5 kernel
+- Improve personality interpretation by using PERS_MASK
+- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
+- Change auparse python bindings to shared object (Issue #121)
+- Add error messages for watch permissions
+- If audit rules file doesn't exist log error message instead of info message
+- Revise error message for unmatched options in auditctl
+- In audisp-remote, fixup remote endpoint disappearin in ascii format
+- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
+- In auditctl, add support for sending a signal to auditd
+
+- Remove audit-fno-common.patch: fixed in upstream
+- Remove audit-python3.patch: fixed in upstream
+
+-------------------------------------------------------------------
+Wed Dec 2 11:49:28 UTC 2020 - Alexander Bergmann
+
+- Enable Aarch64 processor support.
(bsc#1179515 bsc#1179806)
+
+-------------------------------------------------------------------
+Mon Jun 1 17:11:49 UTC 2020 - Enzo Matsumiya
+
+- Fix specfile to require libauparse0 and libaudit1 after splitting
+ audit-libs (bsc#1172295)
+
+-------------------------------------------------------------------
+Mon Jan 13 17:39:03 UTC 2020 - Tony Jones
+
+- Update to version 2.8.5:
+ * Fix segfault on shutdown
+ * Fix hang on startup (#1587995)
+ * Add sleep to script to dump state so file is ready when needed
+ * Add auparse_normalizer support for SOFTWARE_UPDATE event
+ * Mark netlabel events as simple events so that get processed quicker
+ * When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+ * Add 30-ospp-v42.rules to meet new Common Criteria requirements
+ * Update lookup tables for the 4.18 kernel
+ * In aureport, fix segfault in file report
+ * Add auparse_normalizer support for labeled networking events
+ * Fix memory leak in audisp-remote plugin when using krb5 transport.
(#1622194)
+ * Event aging is off by a second
+ * In ausearch/auparse, correct event ordering to process oldest first
+ * auparse_reset was not clearing everything it should
+ * Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+ * In ausearch/report, lightly parse selinux portion of USER_AVC events
+ * In ausearch/report, limit record size when malformed
+ * In auditd, fix extract_type function for network originating events
+ * In auditd, calculate right size and location for network originating events
+ * Treat all network originating events as VER2 so dispatcher doesn't format it
+ * In audisp-remote do an initial connection attempt (#1625156)
+ * In auditd, allow expression of space left as a percentage (#1650670)
+ * On PPC64LE systems, only allow 64 bit rules (#1462178)
+ * Make some parts of auditd state report optional based on config
+ * Fix ausearch when checkpointing a single file (Burn Alting)
+ * Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+ * In ausearch, do not checkpt if stdin is input source
+ * In libev, remove __cold__ attribute for functions to allow proper hardening
+ * Add tests to configure.ac for openldap support
+ * Make systemd support files use /run rather than /var/run (Christian Hesse)
+ * Fix minor memory leak in auditd kerberos credentials code
+ * Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+ * In ausearch/report fix --end to use midnight time instead of now (#1671338)
+
+- Remote zos building is now a configurable option.
+ It should be disabled in audit (and left enabled in audit-secondary).
+
+-------------------------------------------------------------------
+Thu Mar 21 10:33:03 UTC 2019 - Jan Engelhardt
+
+- Make use of some %make_install.
+ +------------------------------------------------------------------- +Sat Jun 23 08:16:07 UTC 2018 - antoine.belvire@opensuse.org + +- Update to version 2.8.4: + * Generate checkpoint file even when not results are returned + (Burn Alting). + * Fix log file creation when file logging is disabled entirely + (Vlad Glagolev). + * Use SIGCONT to dump auditd internal state (rh#1504251). + * Fix parsing of virtual timestamp fields in ausearch_expression + (rh#1515903). + * Fix parsing of uid & success for ausearch. + * Hide lru symbols in auparse. + * Fix aureport summary time range reporting. + * Allow unlimited retries on startup for remote logging. + * Add queue_depth to remote logging stats and increase default + queue_depth size. + +------------------------------------------------------------------- +Sun Jun 17 10:48:40 UTC 2018 - antoine.belvire@opensuse.org + +- Update to version 2.8.3: + * Correct msg function name in lru debug code. + * Fix a segfault in auditd when dns resolution isn't available. + * Make a reload legacy service for auditd. + * In auparse python bindings, expose some new types that were + missing. + * In normalizer, pickup subject kind for user_login events. + * Fix interpretation of unknown ioctcmds (rh#1540507). + * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, & + RESP_ORIGIN_BLOCK_TIMED events. + * In auparse_normalize for USER_LOGIN events, map acct for + subj_kind. + * Fix logging of IPv6 addresses in DAEMON_ACCEPT events + (rh#1534748). + * Do not rotate auditd logs when num_logs < 2 (brozs). 
+ +------------------------------------------------------------------- +Fri Mar 16 19:41:29 UTC 2018 - tonyj@suse.com + +- Update header in audit-python3.patch +- Update patch guidelines in README-BEFORE-ADDING-PATCHES + +------------------------------------------------------------------- +Wed Feb 7 09:26:35 UTC 2018 - tchvatal@suse.com + +- Add patch to fix test run without python2 interpreter: + * audit-python3.patch +- Update to 2.8.2 release: + * Update tables for 4.14 kernel + * Fixup ipv6 server side binding + * AVC report from aureport was missing result column header (#1511606) + * Add SOFTWARE_UPDATE event + * In ausearch/report pickup any path and new-disk fields as a file + * Fix value returned by auditctl --reset-lost (Richard Guy Briggs) + * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field + * Fix building on old systems without linux/fanotify.h + * Fix shell portability issues reported by shellcheck + * Auditd validate_email should not use gethostbyname + +------------------------------------------------------------------- +Sat Nov 4 21:12:09 UTC 2017 - aavindraa@gmail.com + +- Update to version 2.8.1 release (includes 2.8 and 2.7.8 changes) + * many features added to auparse_normalize + * cli option added to auditd and audispd for setting config dir + * in auditd, restore the umask after creating a log file + * option added to auditd for skipping email verification +- Full changelog: http://people.redhat.com/sgrubb/audit/ChangeLog + +------------------------------------------------------------------- +Mon Jul 24 13:59:06 UTC 2017 - jengelh@inai.de + +- Rectify RPM groups, diversify descriptions. +- Remove mentions of static libraries because they are not built. 
+ +------------------------------------------------------------------- +Tue Jul 18 18:32:56 UTC 2017 - tonyj@suse.com + +- Update to version 2.7.7 release + Changelog: https://people.redhat.com/sgrubb/audit/ChangeLog + +------------------------------------------------------------------- +Sat Apr 2 18:14:51 UTC 2016 - tchvatal@suse.com + +- Create folder for the m4 file from previous commit to avoid install + failure + +------------------------------------------------------------------- +Fri Apr 1 14:15:58 UTC 2016 - tchvatal@suse.com + +- Version update to 2.5 release +- Refresh two patches and README to contain SUSE and not SuSE + * audit-allow-manual-stop.patch + * audit-plugins-path.patch +- Cleanup with spec-cleaner and do not use subshells but rather use + -C parameter of make +- Install m4 file to the devel package + +------------------------------------------------------------------- +Wed Dec 2 12:14:38 UTC 2015 - p.drouand@gmail.com + +- Do not depend on insserv nor fillup; the package provides + neither sysconfig nor sysvinit files + +------------------------------------------------------------------- +Fri Aug 21 18:58:18 UTC 2015 - tonyj@suse.com + +- Update to version 2.4.4 (bsc#941922, CVE-2015-5186) +- Remove patch 'audit-no_m4_dir.patch' + (added Fri Apr 26 11:14:39 UTC 2013 by mmeister@suse.com) + No idea what earlier 'automake' build error this was trying to fix but + it broke the handling of "--without-libcap-ng". 
Anyways, no build error + occurs now and m4 path is also needed in v2.4.4 to find ax_prog_cc_for_build +- Require pkgconfig for build + + Changelog 2.4.4 + - Fix linked list correctness in ausearch/report + - Add more cross compile fixups (Clayton Shotwell) + - Update auparse python bindings + - Update libev to 4.20 + - Fix CVE-2015-5186 Audit: log terminal emulator escape sequences handling + + Changelog 2.4.3 + - Add python3 support for libaudit + - Cleanup automake warnings + - Add AuParser_search_add_timestamp_item_ex to python bindings + - Add AuParser_get_type_name to python bindings + - Correct processing of obj_gid in auditctl (Aleksander Zdyb) + - Make plugin config file parsing more robust for long lines (#1235457) + - Make auditctl status print lost field as unsigned number + - Add interpretation mode for auditctl -s + - Add python3 support to auparse library + - Make --enable-zos-remote a build time configuration option (Clayton Shotwell) + - Updates for cross compiling (Clayton Shotwell) + - Add MAC_CHECK audit event type + - Add libauparse pkgconfig file (Aleksander Zdyb) + + Changelog 2.4.2 + - Ausearch should parse exe field in SECCOMP events + - Improve output for short mode interpretations in auparse + - Add CRYPTO_IKE_SA and CRYPTO_IPSEC_SA events + - If auditctl is reading rules from a file, send messages to syslog (#1144252) + - Correct lookup of ppc64le when determining machine type + - Increase time buffer for wide character numbers in ausearch/report (#1200314) + - In aureport, add USER_TTY events to tty report + - In audispd, limit reporting of queue full messages (#1203810) + - In auditctl, don't segfault when invalid options passed (#1206516) + - In autrace, remove some older unimplemented syscalls for aarch64 (#1185892) + - In auditctl, correct lookup of aarch64 in arch field (#1186313) + - Update lookup tables for 4.1 kernel + +------------------------------------------------------------------- +Mon Nov 24 14:55:22 UTC 2014 - mq@suse.cz 
+ +- Update to version 2.4.1 + + Changelog 2.4.1 + - Make python3 support easier + - Add support for ppc64le (Tony Jones) + - Add some translations for a1 of ioctl system calls + - Add command & virtualization reports to aureport + - Update aureport config report for new events + - Add account modification summary report to aureport + - Add GRP_MGMT and GRP_CHAUTHTOK event types + - Correct aureport account change reports + - Add integrity event report to aureport + - Add config change summary report to aureport + - Adjust some syslogging level settings in audispd + - Improve parsing performance in everything + - When ausearch outputs a line, use the previously parsed values (Burn Alting) + - Improve searching and interpreting groups in events + - Fully interpret the proctitle field in auparse + - Correct libaudit and auditctl support for kernel features + - Add support for backlog_time_wait setting via auditctl + - Update syscall tables for the 3.18 kernel + - Ignore DNS failure for email validation in auditd (#1138674) + - Allow rotate as action for space_left and disk_full in auditd.conf + - Correct login summary report of aureport + - Auditctl syscalls can be comma separated list now + - Update rules for new subsystems and capabilities + +- Drop patch audit-add-ppc64le-mach-support.patch (already upstream) + +------------------------------------------------------------------- +Tue Sep 2 17:33:11 UTC 2014 - tonyj@suse.com + +- Update to version 2.4 + + Changelog 2.4 + - Optionally parse loginuids, (e)uids, & (e)gids in ausearch/report + - In auvirt, anomaly events don't have uuid (#1111448) + - Fix category handling in various records (#1120286) + - Fix ausearch handling of session id on 32 bit systems + - Set systemd startup to wait until systemd-tmpfiles-setup.service (#1097314) + - Interpret a0 of socketcall and ipccall syscalls + - Add pkgconfig file for libaudit + - Add go language bindings for limited use of libaudit + - Fix ausearch handling of exit code 
on 32 bit systems + - Fix bug in aureport string linked list handling + - Document week-ago time setting in ausearch/report man page + - Update tables for 3.16 kernel + - In aulast, on bad logins only record user_login proof and use it + - Add libaudit API for kernel features + - If audit=0 on kernel cmnd line, skip systemd activation (Cristian Rodríguez) + - Add checkpoint --start option to ausearch (Burn Alting) + - Fix arch matching in ausearch + - Add --loginuid-immutable option to auditctl + - Fix memory leak in auditd when log_format is set to NOLOG + - Update auditctl to display features in the status command + - Add ausearch_add_timestamp_item_ex() to auparse + + Changelog 2.3.7 + - Limit number of options in a rule in libaudit + - Auditctl cannot load rule with lots of syscalls (#1089713) + - In ausearch, fix checkpointing when inode is reused by new log (Burn Alting) + - Add PROCTITLE and FEATURE_CHANGE event types + +------------------------------------------------------------------- +Tue Sep 2 17:33:11 UTC 2014 - tonyj@suse.com + +- Add support for ppc64le (bnc#891861) + New patch: audit-add-ppc64le-mach-support.patch + +------------------------------------------------------------------- +Tue Apr 15 00:50:50 UTC 2014 - tonyj@suse.com + +- Update to version 2.3.6 + + Changelog 2.3.6 + - Add an option to auditctl to interpret a0 - a3 of syscall rules when listing + - Improve ARM and AARCH64 support (AKASHI Takahiro) + - Add ausearch --checkpoint feature (Burn Alting) + - Add --arch option to ausearch + - Improve too long config line in audispd, auditd, and auparse (#1071580) + - Fix aulast to accept the new AUDIT_LOGIN record format + - Remove clear_config symbol in auparse + + Changelog 2.3.5 + - In CRYPTO_KEY_USER events, do not interpret the 'fp' field + - Change formatting of rules listing in auditctl to look like audit.rules + - Change auditctl to do all netlink comm and then print rules + - Add a debug option to ausearch to find skipped events + - 
Parse subject, auid, and ses in LOGIN events (3.14 kernel changed format) + - In auditd, when shifting logs, ignore the num_logs setting (#950158) + - Allow passing a directory as the input file for ausearch/report (LC Bruzenak) + - Interpret syscall fields in SECCOMP events + - Increase a couple buffers to handle longer input + + Changelog 2.3.4 + - Parse path in CONFIG_CHANGE events + - In audisp-remote, fix retry logic for temporary network failures + - In auparse, add get_type_name function + - Add --no-config command option to aureport + - Fix interpretting MCS seliunx contexts in ausearch (#970675) + - In auparse, classify selinux contexts as MAC_LABEL field type + - In ausearch/report parse vm-ctx and img-ctx as selinux labels + - Update translation tables for the 3.14 kernel + +------------------------------------------------------------------- +Tue Feb 4 00:05:38 UTC 2014 - tonyj@suse.com + +- Update to version 2.3.3 + + Changelog 2.3.3 + - Documentation updates + - Add AUDIT_USER_MAC_CONFIG_CHANGE event for MAC policy changes + - Update interpreting scheduler policy names + - Update automake files to automake-1.13.4 + - Remove CAP_COMPROMISE_KERNEL interpretation + - Parse name field in AVC's (#1049916) + - Add missing typedef for auparse_type_t enumeration (#1053424) + - Fix parsing encoded filenames in records + - Parse SECCOMP events + +------------------------------------------------------------------- +Tue Nov 26 18:26:57 UTC 2013 - tonyj@suse.com + +- Update to version 2.3.2 + + Changelog 2.3.2 + - Put RefuseManualStop in the right systemd section (#969345) + - Add legacy restart scripts for systemd support + - Add more syscall argument interpretations + - Add 'unset' keyword for uid & gid values in auditctl + - In ausearch, parse obj in IPC records + - In ausearch, parse subj in DAEMON_ROTATE records + - Fix interpretation of MQ_OPEN and MQ_NOTIFY events + - In auditd, restart dispatcher on SIGHUP if it had previously exited + - In audispd, exit 
when no active plugins are detected on reconfigure + - In audispd, clear signal mask set by libev so that SIGHUP works again + - In audispd, track binary plugins and restart if binary was updated + - In audispd, make sure we send signals to the correct process + - In auditd, clear signal mask when spawning any child process + - In audispd, make builtin plugins respond to SIGHUP + - In auparse, interpret mode flags of open syscall if O_CREAT is passed + - In audisp-remote, don't make address lookup always a permanent failure + - In audisp-remote, remove EOE events more efficiently + - In auditd, log the reason when email account is not valid + - In audisp-remote, change default remote_ending action to reconnect + - Add support for Aarch64 processors + + Changelog 2.3.1 + - Rearrange auditd setting enabled and pid to avoid a race (#910568) + - Interpret the ocomm field from OBJ_PID records + - Fix missing 'then' statement in sysvinit script + - Switch ausearch to use libauparse for interpretting fields + - In libauparse, interpret prctl arg0, sched_setscheduler arg1 + - In auparse, check source_list isn't NULL when opening next file (Liequan Che) + - In libauparse, interpret send* flags argument + - In libauparse, interpret level and name options for set/getsockopt + - In ausearch/report, don't flush events until last file (Burn Alting) + - Don't use systemctl to stop the audit daemon + + Changelog 2.3 + - The clone(2) man page is really clone(3), fix interpretation of clone syscall + - Add systemd support for reload (#901533) + - Allow -F msgtype on the user filter + - Add legacy support for resuming logging under systemd (#830780) + - Add legacy support for rotating logs under systemd (#916611) + - In auditd, collect SIGUSR2 info for DAEMON_RESUME events + - Updated man pages + - Update libev to 4.15 + - Update syscall tables for 3.9 kernel + - Interpret MQ_OPEN events + - Add augenrules support (Burn Alting) + - Consume less stack sending audit events + 
+------------------------------------------------------------------- +Fri Jun 28 09:30:54 UTC 2013 - coolo@suse.com + +- remove libcap-ng too from audit.spec as it's only needed for plugins + (and libcap-ng itself needs python to build bindings) + +------------------------------------------------------------------- +Thu Jun 27 15:15:07 UTC 2013 - tonyj@suse.com + +- Eliminate build cycles. audit.spec now builds only libs/devel. + Remainder (including daemon) built from audit-secondary.spec + +------------------------------------------------------------------- +Fri Apr 26 11:14:39 UTC 2013 - mmeister@suse.com + +- audit-no_m4_dir.patch: Removed AC_CONFIG_MACRO_DIR([m4]) from + configure.ac to fix build with new automake + +------------------------------------------------------------------- +Mon Mar 25 17:25:31 UTC 2013 - crrodriguez@opensuse.org + +- --with-libcap-ng=yes has no effect if libcap-ng is not + buildrequired and the lack of those requires causes a broken + configure script after autoreconf add pkgconfig(libcap-ng) + to both audit and audit-secondary, cap-ng is actually only + use in the latter. 
+ +------------------------------------------------------------------- +Mon Mar 25 16:58:10 UTC 2013 - crrodriguez@opensuse.org + +- Version 2.2.3 +- Code cleanups +- In spec file, don't own lib64/audit +- Update man pages +- Aureport no longer reads auditd.conf when stdin is used +- Don't let systemd kill auditd if auditctl errors out +- Update syscall table for 3.7 and 3.8 kernels +- Add interpretation for setns and unshare syscalls +- Code cleanup (Tyler Hicks) +- Documentation cleanups (Laurent Bigonville) +- Add dirfd interpretation to the *at functions +- Add termination signal to clone flags interpretation +- Update stig.rules +- In auditctl, when listing rules don't print numeric value of dir fields +- Add support for rng resource type in auvirt +- Fix aulast bad login output (#922508) +- In ausearch, allow negative numbers for session and auid searches +- In audisp-remote, if disk_full_action is stop then stop sending (#908977) + +------------------------------------------------------------------- +Fri Mar 22 19:35:47 UTC 2013 - crrodriguez@opensuse.org + +- remove sysvinit scripts. 
+ +------------------------------------------------------------------- +Wed Jan 30 23:19:33 UTC 2013 - crrodriguez@opensuse.org + +- remove old tarball and update -secondary spec + +------------------------------------------------------------------- +Wed Jan 30 23:12:19 UTC 2013 - crrodriguez@opensuse.org + +- Audit 2.2.2 , the purpose of this update is too add compatibility + with systemd for 12.3 +- In auditd, tcp_max_per_addr was allowing 1 more connection than specified +- In ausearch, fix matching of object records +- Auditctl was returning -1 when listing rules filtered on a key field +- Add interpretations for CAP_BLOCK_SUSPEND and CAP_COMPROMISE_KERNEL +- Add armv5tejl, armv5tel, armv6l and armv7l machine types (Nathaniel Husted) +- Updates for the 3.6 kernel +- Add auparse_feed_has_data function to libauparse +- Update audisp-prelude to use auparse_feed_has_data +- Add support to conditionally build auditd network listener (Tyler Hicks) +- In auditd, reset a flag after receiving USR1 signal info when rotating logs +- Add optional systemd init script support +- Add support for SECCOMP event type +- Don't interpret aN_len field in EXECVE records (#869555) +- In audisp-remote, do better job of draining queue +- Fix capability parsing in ausearch/auparse +- Interpret BPRM_FCAPS capability fields +- Add ANOM_LINK event type + +------------------------------------------------------------------- +Tue Jan 22 12:34:00 UTC 2013 - jengelh@inai.de + +- Executing autoreconf requires autoconf + +------------------------------------------------------------------- +Fri Oct 12 12:51:13 UTC 2012 - coolo@suse.com + +- update to 2.2.1, upstream changelog: + 2.2.1 + - Add more interpretations in auparse for syscall parameters + - Add some interpretations to ausearch for syscall parameters + - In ausearch/report and auparse, allocate extra space for node names + - Update syscall tables for the 3.3.0 kernel + - Update libev to 4.0.4 + - Reduce the size of some applications + - 
In auditctl, check usage against euid rather than uid + + 2.2 + - Correct all rules for clock_settime + - Fix possible segfault in auparse library + - Handle malformed socket addresses better + - Improve performance in audit_log_user_message() + - Improve performance in writing to the log file in auditd + - Syscall update for accept4 and recvmmsg + - Update autrace resource usage mode syscall list + - Improved sample rules for recent syscalls + - Add some debug info to audisp-remote startup and shutdown + - Make compiling with Python optional + - In auditd, if disk_error_action is ignore, don't syslog anything + - Fix some memory leaks + - If audispd is stopping, don't restart children + - Add support in auditctl for shell escaped filenames (Alexander) + - Add search support for virt events (Marcelo Cerri) + - Update interpretation tables + - Sync auparse's auditd config parser with auditd's parser + - In ausearch, also use cwd fields in file name searchs + - In ausearch, parse cwd in USER_CMD events + - In ausearch, correct parsing of uid in user space events + - In ausearch, update parsing of integrity events + - Apply some text cleanups from Debian (Russell Coker) + - In auditd, relax some permission checks for external apps + - Add ROLE_MODIFY event type + - In auditctl, new -c option to continue through bad rules but with failed exit + - Add auvirt program to do special reporting on virt events (Marcelo Cerri) + - Add interfield comparison support to auditctl (Peter Moody) + - Update auparse type intepretation for apparmor (Marcelo Cerri) + - Increase tcp_max_per_addr maximum to 1024. 
+- remove audit-no_python.patch, there is a configure switch for that now +- remove prereq on sysvinit + +------------------------------------------------------------------- +Tue Feb 28 21:55:39 UTC 2012 - tonyj@suse.com + +- Update to version 2.1.3, upstream changelog: + - 2.1.3 + - Fix parsing of EXECVE records to not escape argc field + - If auditd's disk is full, send the right reason to client (#715315) + - Add CAP_WAKE_ALARM to interpretations + - Some updates to audisp-remote's remote-fgets function (Mirek Trmac) + - Add detection of TTY events to audisp-prelude (Matteo Sessa) + - Updated syscall tables for the 3.0 kernel + - Update linker flags for better relro support + - Make default size of logs bigger (#727310) + - Extract obj from NETFILTER_PKT events + - Disable 2 kerberos config options in audisp-remote.conf + - 2.1.2 + - In ausearch/report, fix a segfault caused by MAC_POLICY_LOAD records + - In ausearch/report, add and update parsers + - In auditd, cleanup DAEMON_ACCEPT and DAEMON_CLOSE addr fields + - In ausearch/report, parse addr field of DAEMON_ACCEPT & DAEMON_CLOSE records + - In auditd, move startup success to after events are registered + - If auditd shutsdown due to failed tcp init, write a DAEMON_ABORT event + - Update auditd to avoid the oom killer in new kernels (Andreas Jaeger) + - Parse and interpret NETFILTER_PKT events correctly + - Return error if auditctl -l fails (#709345) + - In audisp-remote, replace glibc's fgets with custom implementation + +------------------------------------------------------------------- +Fri Sep 30 20:07:43 UTC 2011 - coolo@suse.com + +- add libtool as buildrequire to make the spec file more reliable + +------------------------------------------------------------------- +Sat Sep 17 13:38:24 UTC 2011 - jengelh@medozas.de + +- Remove redundant tags/sections from specfile +- Add audit-devel to baselibs + +------------------------------------------------------------------- +Wed May 11 09:39:35 CEST 2011 - 
meissner@suse.de + +- Adjust license of libaudit and libauparse to be + LGPLv2.1 or later. + +------------------------------------------------------------------- +Wed Apr 27 00:04:23 UTC 2011 - tonyj@novell.com + +- Update to version 2.1.1, upstream changelog: + - 2.1.1 + - When ausearch is interpretting, output "as is" if no = is found + - Correct socket setup in remote logging + - Adjusted a couple default settings for remote logging and init script + - Audispd was not marking restarted plugins as active + - Audisp-remote should keep a capability if local_port < 1024 + - When audispd restarts plugin, send event in its preferred format + - In audisp-remote, make all I/O asynchronous + - In audisp-remote, add sigusr1 handler to dump internal state + - Fix autrace to use correct syscalls on s390 and s390x systems + - Add shutdown syscall to remote logging teardowns + - Correct autrace rule for 32 bits systems + + 2.1 + - Update auditctl man page for new field on user filter + - Fix crash in aulast when auid is foreign to the system + - Code cleanups + - Add store and forward model to audispd-remote (Mirek Trmac) + - Free memory on failed startups in audisp-prelude + - Fix memory leak in aureport + - Fix parsing state problem in libauparse + - Improve the robustness of libaudit field encoding functions + - Update capability tables + - In auditd, make failure action config checking consistent + - In auditd, check that NULL is not being passed to safe_exec + - In audisp-remote, overflow_action wasn't suspending if that action was chosen + - Update interpretations for virt events + - Improve remote logging warning and error messages + - Add interpretations for netfilter events + + 2.0.6 + - ausearch/report performance improvements + - Synchronize all sample syscall rules to use action,list + - If program name provided to audit_log_acct_message, escape it + - Fix man page for the audit_encode_nv_string function (#647131) + - If value is NULL, don't segfault (#647128) + - 
Fix simple event parsing to not assume session id can't be last (Peng Haitao) + - Add support for new mmap audit event type + - Add ability for audispd syslog plugin to choose facility local0-7 (#593340) + - Fix autrace to use correct syscalls on i386 systems (Peng Haitao) + - On startup and reconfig, check for excess logs and unlink them + - Add a couple missing parser debug messages + - Fix error output resolving numeric address and update man page + - Add netfilter event types + - Fix spelling error in audit.rules man page (#667845) + - Improve warning in auditctl regarding immutable mode (#654883) + - Update syscall tables for the 2.6.37 kernel + - In ausearch, allow searching for auid -1 + - Add queue overflow_action to audisp-remote to control queue overflows + - Update sample rules for new syscalls and packages + +------------------------------------------------------------------- +Mon Feb 21 10:33:40 UTC 2011 - aj@suse.de + +- Fix value of oom_score_adj. + +------------------------------------------------------------------- +Tue Dec 7 21:17:24 UTC 2010 - coolo@novell.com + +- prereq init script syslog + +------------------------------------------------------------------- +Sun Nov 7 23:00:15 UTC 2010 - cristian.rodriguez@opensuse.org + +- use full RELRO. 
+ +------------------------------------------------------------------- +Tue Sep 28 22:41:14 UTC 2010 - tonyj@novell.com + +- Update to version 2.0.5 (drop: audit-as_needed.patch) +- Update README-BEFORE-ADDING-PATCHES + +- Upstream 2.0.5 changelog: + - Make auparse handle empty AUSOURCE_FILE_ARRAY correctly (Miloslav Trmač) + - On i386, audit rules do not work on inode's with a large number (#554553) + - Fix displaying of inode values to be unsigned integers when listing rules + - Correct Makefile install of audispd (Jason Tang) + - Syscall table updates for 2.6.34 kernel + - Add definitions for service start and stop + - Fix handling of ignore errors in auditctl + - Fix gssapi support to build with new linker options + - Add virtualization event types + - Update aureport program help and man pages to show all options + +------------------------------------------------------------------- +Tue Sep 28 07:22:05 UTC 2010 - aj@suse.de + +- Annotate patch audit-oom_score_adj. + +------------------------------------------------------------------- +Mon Sep 27 08:47:32 UTC 2010 - aj@suse.de + +- Use /proc//oom_score_adj if available. + +------------------------------------------------------------------- +Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de + +- use %_smp_mflags + +------------------------------------------------------------------- +Fri Jun 25 21:22:51 UTC 2010 - tonyj@novell.com + +- Minor changes to README-BEFORE-ADDING-PATCHES file. +- Add this file as %source in spec + +------------------------------------------------------------------- +Fri Jun 25 17:50:31 CEST 2010 - dmueller@suse.de + +- obsolete -XXbit package + +------------------------------------------------------------------- +Tue May 4 10:51:58 CEST 2010 - tonyj@suse.de + +- Update to version 2.0.4. This is a major version update, + libaudit.so has changed version. There is no backward compatibility. + audit-libs has been split into libaudit1 and libauparse0. 
+ +- Redhat changelog for 2.0 - 2.0.4 follows: + * 2.0.4 + - Make alpha processor support optional + - Add support for the arm eabi processor + - add a compatible regexp processing capability to auparse (Miloslav Trmač) + - Fix regression in parsing user space originating records in aureport + - Add tcp_max_per_addr option in auditd.conf to limit concurrent connections + - Rearrange shutdown of auditd to allow DAEMON_END event more time + + * 2.0.3 + - In auditd, tell libev to stop processing a connection when idle timeout + - In auditd, tell libev to stop processing a connection when shutting down + - Interpret CAPSET records in ausearch/auparse + + * 2.0.2 + - If audisp-remote plugin has a queue at exit, use non-zero exit code + - Fix autrace to use the exit filter + - In audisp-remote, add a sigchld handler + - In auditd, check for duplicate remote connections before accepting + - Remove trailing ':' if any are at the end of acct fields in ausearch + - Update remote logging code to do better sanity check of data + - Fix audisp-prelude to prefer files if multiple path records are encountered + - Add libaudit.conf man page + - In auditd, disconnect idle clients + + * 2.0.1 + - Aulast now reads daemon_start events for the kernel version of reboot + - Clarify the man pages for ausearch/report regarding locale and date formats + - Fix getloginuid for python bindings + - Disable the audispd af_unix plugin by default + - Add a couple new init script actions for LSB 3.2 + - In audisp-remote plugin, timeout network reads (#514090) + - Make some error logging in audisp-remote plugin more prominent + - Add audit.rules man page + - Interpret the session field in audit events + + * 2.0 + - Remove system-config-audit + - Get rid of () from userspace originating events + - Removed old syscall rules API - not needed since 2.6.16 + - Remove all use of the old rule structs from API + - Fix uninitialized variable in auditd log rotation + - Add libcap-ng support for audispd plugins 
+ - Removed ancient defines that are part of kernel 2.6.29 headers + - Bump soname number for libaudit + - In auditctl, deprecate the entry filter and move rules to exit filter + - Parse integrity audit records in ausearch/report (Mimi Zohar) + - Updated syscall table for 2.6.31 kernel + - Remove support for the legacy negate syscall rule operator + - In auditd reset syslog warnings if disk space becomes available + +------------------------------------------------------------------- +Sun Dec 13 15:39:09 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + +------------------------------------------------------------------- +Tue Nov 3 19:11:33 UTC 2009 - coolo@novell.com + +- updated patches to apply with fuzz=0 + +------------------------------------------------------------------- +Mon Sep 28 16:23:29 CEST 2009 - crrodriguez@suse.de + +- do not package static libraries +- fix -devel package dependencies + +------------------------------------------------------------------- +Sat Jun 20 12:33:00 CEST 2009 - cmorve69@yahoo.es + +- fixed build with --as-needed + +------------------------------------------------------------------- +Fri Jun 19 10:35:46 CEST 2009 - coolo@novell.com + +- disable as-needed for this package as it fails to build with it + +------------------------------------------------------------------- +Mon May 11 17:20:28 CEST 2009 - tonyj@suse.de + +- Update from 1.7.7 to 1.7.13. 
+- Redhat changelog for 1.7.8 - 1.7.13 follows: + * Tue Apr 21 2009 Steve Grubb 1.7.13-1 + - Disable libev asserts unless --with-debug passed to configure + - Handle kernel 2.6.29's audit = 0 boot parameter better + - Install audit.py file in arch specific python directory (Dan Walsh) + - Fix problem with negative uids in audit rules on 32 bit systems + - When file type is unknown, output octal for mode field (Miloslav Trmač) + - Update tty keystroke interpretations (Miloslav Trmač) + + * Tue Feb 24 2009 Steve Grubb 1.7.12-1 + - Add definitions for crypto events + - Fix regression where msgtype couldn't be used as a range in audit rules + - In libaudit, extend time spent checking reply + - In acct events, prefer id over acct if given + - In aulast, try id and acct in USER_LOGIN events + - When in immutable mode, have auditctl tell user instead of sending rules + - Add option to sysconfig to disable audit system on auditd stop + - Add tcp_wrappers config option to auditd + - Aulastlog can now take input from stdin + - Update libaudit python bindings to throw exceptions on error + - Adjust formatting of TTY data in libauparse to be like ausearch/report + - Add more key mappings to TTY interpretations + - Add internal queue to audisp-remote + - Fix failure action code to allow executables in audisp-remote (Chu Li) + - Fix memory leak when NOLOG log_format option given to auditd + - Quieten some of the reconnect text being sent to syslog in audisp-remote + - Apply some libev fixups to auditd + - Cleanup shutdown sequence of auditd + - Allow auditd log rotation via SIGUSR1 when NOLOG log format option given + + * Sat Jan 10 2009 Steve Grubb 1.7.11-1 + - Don't error out in auditd when calling setsid + - Reformat a couple auditd error messages (Oden Eriksson) + - If log rotate fails, leave the old log writable + - Fixed bug in setting up auditd event loop when listening + - Warn if on biarch machine and auditctl rules show a syscall mismatch + - Audisp-remote was not 
parsing some config options correctly + - In auparse, check for single key in addition to virtual keys + - When auditd shuts down, send AUDIT_RMW_TYPE_ENDING messages to clients + - Created reconnect option to remote ending setting of audisp-remote + + * Sat Dec 13 2008 Steve Grubb 1.7.10-1 + - Fix ausearch and aureport to handle out of order events + - Add line-buffer option to ausearch & timeout pipe input (Tony Jones) + - Add support in ausearch/report for tty data + - In audisp-remote, allow the keyword "any" for local_port + - Tighten parsing for -m and -w options in auditctl + - Add session query hint for aulast proof + - Fix audisp-remote to tolerate krb5 config options when not supported + - Created new aureport option for tty keystroke report + - audispd should detect backup config files and not use them + - When checking for ack in netlink interface, retry on EAGAIN a few times + - In aureport, fix mods report to show acct acted upon + + * Wed Nov 05 2008 Steve Grubb 1.7.9-1 + - Fix uninitialized variable in aureport causing segfault + - Quieten down the gssapi not supported messages + - Fix bug interpretting i386 logs on x86_64 machines + - If kernel is in immutable mode, auditd should not send enable command + - Fix ausearch/report recent and now time keyword lookups + - Created aulast program + - prelude plugin should pull auid for login alert from 2nd uid field + - Add system boot, shutdown, and run level change events + - Add max_restarts to audispd.conf to limit times a plugin is restarted + - Expand session detection in ausearch + + * Wed Oct 22 2008 Steve Grubb 1.7.8-1 + - Interpret TTY audit data in auparse (Miloslav Trmač) + - Extract terminal from USER_AVC events for ausearch/report (Peng Haitao) + - Add USER_AVCs to aureport's avc reporting (Peng Haitao) + - Short circuit hostname resolution in libaudit if host is empty + - If log_group and user are not root, don't check dispatcher perms + - Fix a bug when executing "ausearch -te today PM" + - 
Add --exit search option to ausearch + - Fix parsing config file when kerberos is disabled + + +------------------------------------------------------------------- +Tue Apr 14 14:52:39 CEST 2009 - dmueller@suse.de + +- refresh patches + +------------------------------------------------------------------- +Wed Dec 10 12:34:56 CET 2008 - olh@suse.de + +- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade + (bnc#437293) + +------------------------------------------------------------------- +Fri Dec 5 02:30:03 CET 2008 - tonyj@suse.de + +- Revision to previous fix for bnc#445353. + These should go into SLES11 RC1. + 1) Add --line-buffered option to limit when stdout is flushed (performance). + 2) Testing found a related bug where (if input is a pipe) the last logical + record would permanently be queued waiting for a subsequent record indicating + end of the previous. This subsequent record may never arrive. Timer is + now run causing this record to be flushed if no new record arrives within + timeout. This fix is upstream also. + +------------------------------------------------------------------- +Fri Nov 21 08:45:03 CET 2008 - tonyj@suse.de + +- Force ausearch to flush stdout if pipe (bnc#445353) + +------------------------------------------------------------------- +Thu Oct 30 12:34:56 CET 2008 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Fri Sep 26 23:27:59 CEST 2008 - tonyj@suse.de + +- Update from 1.7.4 to 1.7.7. 
GSS support disabled for present +- Redhat changelog for 1.7.5 - 1.7.7 follows: + * Wed Sep 11 2008 Steve Grubb 1.7.7-1 + - Bug fixes for gss code in remote logging (DJ Delorie) + - Fix ausearch -i to keep the node field in the output + - ausyscall now does strstr match on syscall names + - Makefile cleanup (Philipp Hahn) + - Add watched syscall support to audisp-prelude + - Use the right define for tcp_wrappers in auditd + - Expose encoding API for fields being logged from user space + + * Wed Sep 11 2008 Steve Grubb 1.7.6-1 + - Update event record list and aureport classifications (Yu Zhiguo/Peng Haitao) + - Add subject to audit daemon events (Chu Li) + - Fix parsing of acct & exe fields in user records (Peng Haitao) + - Make client error handling in audisp-remote robust (DJ Delorie) + - Add tcp_wrappers support for auditd + - Updated syscall tables for 2.6.27 kernel + - Add heartbeat exchange to remote logging protocol (DJ Delorie) + - Audit connect/disconnect of remote clients + - In ausearch, collect pid from AVC records (Peng Haitao) + - Add auparse_get_field_type function to describe field's contents + - Add GSS/Kerberos encryption to the remote protocol (DJ Delorie) + + * Mon Aug 25 2008 Steve Grubb 1.7.5-1 + - Update system-config-audit to 0.4.8 + - Whole lot of bug fixes - see ChangeLog for details + - Reimplement auditd main loop using libev + - Add TCP listener to auditd to receive remote events + +------------------------------------------------------------------- +Tue Aug 5 03:13:56 CEST 2008 - tonyj@suse.de + +- Remove audit rules on audit stop (bnc#409093) + +------------------------------------------------------------------- +Wed Jun 25 01:50:54 CEST 2008 - tonyj@suse.de + +- Update from 1.7.2 to 1.7.4 +- Redhat changelog for 1.7.3 - 1.7.4 follows: + * Mon May 19 2008 Steve Grubb 1.7.4-1 + - Fix interpreting of keys in syscall records + - Interpret audit rule config change list fields + - Don't error on name=(null) PATH records in ausearch/report + 
- Add key report to aureport + - Fix --end today to be now + - Added python bindings for auparse_goto_record_num + - Update system-config-audit to 0.4.7 (Miloslav Trmac) + - Add support for the filetype field option in auditctl + - In audispd boost priority after starting children + + * Fri May 09 2008 Steve Grubb 1.7.3-1 + - Fix path processing in AVC records. + - auparse_find_field_next() wasn't resetting field ptr going to next record. + - auparse_find_field() wasn't checking current field before iterating + - cleanup some string handling in audisp-prelude plugin + - Update auditctl man page + - Fix output of keys in ausearch interpretted mode + - Fix ausearch/report --start now to not be reset to midnight + - Added auparse_goto_record_num function + - Prelude plugin now uses auparse_goto_record_num to avoid skipping a record + - audispd now has a priority boost config option + - Look for laddr in avcs reported via prelude + - Detect page 0 mmaps and alert via prelude + +- Update from 1.6.8 to 1.7.2 +- Complete fix for BNC# 378725 +- Redhat changelog for 1.6.9-1.7.2 follows: + * Wed Apr 09 2008 Steve Grubb 1.7.2-1 + - gen_table.c now includes IPC defines to avoid glibc-headers wild goose chase + - ausyscall program added for cross referencing syscall name and number info + - Add login session ID search capability to ausearch + + * Tue Apr 08 2008 Steve Grubb 1.7.1-1 + - Remove LSB headers info for init scripts + - Fix buffer overflow in audit_log_user_command, again (#438840) + - Fix memory leak in EOE code in auditd (#440075) + - In auditctl, don't use new operators in legacy rule format + - Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac) + - Add example STIG rules file + - Add string table lookup performance improvement patch (Miloslav Trmac) + - auparse_find_field_next performance improvement + + * Sun Mar 30 2008 Steve Grubb 1.7-1 + - Improve input error handling in audispd + - Improve end of event detection in auparse library + - 
Improve handling of abstract namespaces + - Add test mode for prelude plugin + - Handle user space avcs in prelude plugin + - Audit event serial number now recorded in idmef alert + - Add --just-one option to ausearch + - Fix watched account login detection for some failed login attempts + - Couple fixups in audit logging functions (Miloslav Trmac) + - Add support in auditctl for virtual keys + - Added new type for user space MAC policy load events + - auparse_find_field_next was not iterating correctly, fixed it + - Add idmef alerts for access or execution of watched file + - Fix buffer overflow in audit_log_user_command + - Add basic remote logging plugin - only sends & no flow control + - Update ausearch with interpret fixes from auparse + + * Sun Mar 09 2008 Steve Grubb 1.6.9-1 + - Apply hidden attribute cleanup patch (Miloslav Trmac) + - Apply auparse expression interface patch (Miloslav Trmac) + - Fix potential memleak in audit event dispatcher + - Change default audispd queue depth to 80 + - Update system-config-audit to version 0.4.6 (Miloslav Trmac) + - audisp-prelude alerts now controlled by config file + - Updated syscall table for 2.6.25 kernel + - Apply patch correcting acct field being misencoded (Miloslav Trmac) + - Added watched account login detection for prelude plugin + +------------------------------------------------------------------- +Wed Apr 23 14:17:17 CEST 2008 - tonyj@suse.de + +- Fix for bnc#378725 VUL-0: audit buffer overflow + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Wed Mar 26 21:29:38 CET 2008 - tonyj@suse.de + +- Update from 1.6.2 to 1.6.8. +- Move audisp-plugins to new secondary spec (along with existing + python libs). 
+- Redhat changelog follows: + + * Thu Feb 14 2008 Steve Grubb 1.6.8-1 + - Update for gcc 4.3 + - Cleanup descriptors in audispd before running plugin + - Fix 'recent' keyword for aureport/search + - Fix SE Linux policy for zos_remote plugin + - Add event type for group password authentication attempts + - Couple of updates to the translation tables + - Add detection of failed group authentication to audisp-prelude + + * Thu Jan 31 2008 Steve Grubb 1.6.7-1 + - In ausearch/report, prefer -if to stdin + - In ausearch/report, add new command line option --input-logs (#428860) + - Updated audisp-prelude based on feedback from prelude-devel + - Added prelude alert for promiscuous socket being opened + - Added prelude alert for SE Linux policy enforcement changes + - Added prelude alerts for Forbidden Login Locations and Time + - Applied patch to auparse fixing error handling of searching by + interpreted value (Miloslav Trmac) + + * Sat Jan 19 2008 Steve Grubb 1.6.6-1 + - Add prelude IDS plugin for IDMEF alerts + - Add --user option to aulastlog command + - Use desktop-file-install for system-config-audit + + * Mon Jan 07 2008 Steve Grubb 1.6.5-1 + - Add more errno strings for exit codes in auditctl + - Fix config parser to allow either 0640 or 0600 for audit logs (#427062) + - Check for audit log being writable by owner in auditd + - If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639) + - Updated CAPP, LSPP, and NISPOM rules for new capabilities + - Added aulastlog utility + + * Sat Dec 29 2007 Steve Grubb 1.6.4-1 + - fchmod of log file was on wrong variable (#426934) + - Allow use of errno strings for exit codes in audit rules + + * Thu Dec 27 2007 Steve Grubb 1.6.3-1 + - Add kernel release string to DEAMON_START events + - Fix keep_logs when num_logs option disabled (#325561) + - Fix auparse to handle node fields for syscall records + - Update system-config-audit to version 0.4.5 (Miloslav Trmac) + - Add keyword week-ago to aureport & ausearch 
start/end times + - Fix audit log permissions on rotate. If group is root 0400, otherwise 0440 + - Add RACF zos remote audispd plugin (Klaus Kiwi) + - Add event queue overflow action to audispd + +------------------------------------------------------------------- +Tue Mar 18 14:43:11 CET 2008 - schwab@suse.de + +- Use autoreconf. + +------------------------------------------------------------------- +Wed Oct 31 07:08:38 CET 2007 - tonyj@suse.de + +- Incorporate 1 more Redhat fixe post 1.6.2 +- Go back to 10.2 behaviour wrt to starting in disabled state. + This time using patch submitted upstream, fix for #Bug 333739 + +------------------------------------------------------------------- +Wed Oct 10 23:18:24 CEST 2007 - tonyj@suse.de + +- Upgrade to 1.6.2 + Plus two bugs discovered in Fedora, will be fixed in 1.6.3 + +------------------------------------------------------------------- +Wed Jul 25 01:13:09 CEST 2007 - tonyj@suse.de + +- Upgrade to 1.5.5 + Correct bug in audit_make_equivalent function (Al Viro) + Local: add AppArmor audit ID (upstream in 1.5.6) + don't build RedHat system-config-audit + +------------------------------------------------------------------- +Thu Jul 12 01:38:36 CEST 2007 - tonyj@suse.de + +- Upgrade to 1.5.4 + Add feed interface to auparse library (John Dennis) + Apply patch to libauparse for unresolved symbols (#241178) + Apply patch to add line numbers for file events in libauparse (John Dennis) + Change seresults to seresult in libauparse (John Dennis) + Add unit32_t definition to swig (#244210) + Add support for directory auditing + Update acct field to be escaped +- Fix for #280487 "%ghost /var/log/audit/audit.log will remove the logfile" + +------------------------------------------------------------------- +Mon May 7 11:24:29 CEST 2007 - rguenther@suse.de + +- Drop pkg-config BuildRequires introduced by last change. 
+ +------------------------------------------------------------------- +Wed May 2 19:08:53 CEST 2007 - tonyj@suse.de + +- Upgrade to 1.5.3. Drop AUDITD_DISABLE_CONTEXTS from audit sysconfig + +------------------------------------------------------------------- +Wed Nov 29 02:46:08 CET 2006 - tonyj@suse.de + +- Upgrade to 1.2.9 (drop several patches which are now upstream) +- Move to using /etc/audit directory for config files + +------------------------------------------------------------------- +Thu Aug 31 22:57:52 CEST 2006 - tonyj@suse.de + +- Upgrade to 1.2.6-1 + +------------------------------------------------------------------- +Sat Aug 26 09:01:50 CEST 2006 - olh@suse.de + +- do not define __KERNEL__ in userland apps +- remove unused sys/syscall.h include + +------------------------------------------------------------------- +Wed Aug 16 15:42:58 CEST 2006 - cthiel@suse.de + +- split audit into audit and audit-libs-python + +------------------------------------------------------------------- +Fri May 5 21:05:40 CEST 2006 - sbeattie@suse.de + +- disable syscall audit context creation by default #172154 + +------------------------------------------------------------------- +Mon Mar 20 16:18:29 CET 2006 - meissner@suse.de + +- Do not print a misleading errormessage when audit + is not compiled into the kernel. #152733 + +------------------------------------------------------------------- +Mon Mar 6 14:21:06 CET 2006 - meissner@suse.de + +- On kernels without auditing, which report ECONNREFUSED, + do not output stuff to stderr on startup. #152733 + +------------------------------------------------------------------- +Sat Feb 25 09:55:48 CET 2006 - kukuk@suse.de + +- Fix moving of devel libraries, don't install .la file + +------------------------------------------------------------------- +Wed Feb 22 15:10:44 CET 2006 - meissner@suse.de + +- moved libaudit.so symlink to /usr/lib and to -devel package, + as requested by Thorsten. 
+ +------------------------------------------------------------------- +Fri Feb 17 19:56:14 CET 2006 - meissner@suse.de + +- check sendto() return against -1 (error with errno set). + +------------------------------------------------------------------- +Wed Jan 25 21:34:31 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Wed Jan 25 12:09:31 CET 2006 - ro@suse.de + +- fix fillup call since filename != packagename + +------------------------------------------------------------------- +Tue Jan 24 19:01:52 CET 2006 - ro@suse.de + +- do not skip fillup in postinstall + +------------------------------------------------------------------- +Mon Jan 23 08:54:33 CET 2006 - dreynolds@suse.de + +- Modified inssrv macro args to enable on boot + +------------------------------------------------------------------- +Wed Jan 18 21:33:21 CET 2006 - tonyj@suse.de + +- Add support for AppArmor (submitted upstream for 1.1.4) + +------------------------------------------------------------------- +Fri Jan 13 11:35:57 CET 2006 - meissner@suse.de + +- Updated to 1.1.3. +- Moved audispd to /usr/sbin since it uses /usr/lib/libstdc++ +- Updated sysconfig snippet. + +------------------------------------------------------------------- +Tue Nov 8 11:32:45 CET 2005 - meissner@suse.de + +- upgraded to 1.0.12. + +------------------------------------------------------------------- +Fri Nov 4 12:41:35 CET 2005 - kukuk@suse.de + +- Update to 1.0.9. + +------------------------------------------------------------------- +Wed Oct 12 17:24:55 CEST 2005 - meissner@suse.de + +- upgraded to 1.0.6. ptrdift patch now solved upstream. 
+ +------------------------------------------------------------------- +Wed Oct 5 15:17:05 CEST 2005 - meissner@suse.de + +- Upgraded to 1.0.5 + +------------------------------------------------------------------- +Wed Oct 5 12:00:38 CEST 2005 - dmueller@suse.de + + - add norootforbuild + +------------------------------------------------------------------- +Mon Sep 26 11:40:27 CEST 2005 - meissner@suse.de + +- Upgraded to 1.0.4. + - Make rate & backlog 32 bit unsigned int in auditctl + - In auditctl, if -F arch is given with -t option, don't require list + - Update auditd man page + - Add size check to audit_send + - Update message for audit_open failure when kernel doesn't support audit + +------------------------------------------------------------------- +Tue Aug 23 14:07:44 CEST 2005 - meissner@suse.de + +- Upgraded to 1.0.3 bugfix release: + - adjust file perms of newly created log file in auditd + - fix 2 memory leaks and an out of bounds access in auditd + - fix case where auditd was closing netlink descriptor too early + - fix watch rules not to take field arguments in auditctl + - fix bug where inode, devmajor, devminor, exit, and success fields in auditctl + rules were not getting the correct value stored + +------------------------------------------------------------------- +Wed Aug 17 14:19:29 CEST 2005 - meissner@suse.de + +- Added /var/log/audit directory and ghost audit.log #105131 + +------------------------------------------------------------------- +Wed Aug 10 13:37:56 CEST 2005 - meissner@suse.de + +- Upgraded to 1.0.2 + +------------------------------------------------------------------- +Thu Aug 4 11:20:00 CEST 2005 - meissner@suse.de + +- Upgraded to 1.0.1. + +------------------------------------------------------------------- +Mon Jul 11 14:47:38 CEST 2005 - meissner@suse.de + +- Update to version 0.9.16. 
+ +------------------------------------------------------------------- +Tue Jun 21 08:38:17 CEST 2005 - meissner@suse.de + +- Update to version 0.9.10. + +------------------------------------------------------------------- +Fri Jun 17 11:21:42 CEST 2005 - meissner@suse.de + +- Update to version 0.9.7. + +------------------------------------------------------------------- +Thu Jun 16 14:51:48 CEST 2005 - kukuk@suse.de + +- Update to version 0.9.5 + +------------------------------------------------------------------- +Tue Jun 14 01:30:20 CEST 2005 - ro@suse.de + +- make it build with current includes + +------------------------------------------------------------------- +Tue May 31 14:15:30 CEST 2005 - meissner@suse.de + +- Upgraded to 0.9. + +------------------------------------------------------------------- +Fri May 13 13:08:41 CEST 2005 - meissner@suse.de + +- upgraded to 0.6.8 + +------------------------------------------------------------------- +Tue Apr 19 10:39:54 CEST 2005 - meissner@suse.de + +- Upgraded to 0.6.11. + +------------------------------------------------------------------- +Fri Apr 15 17:52:43 CEST 2005 - pth@suse.de + +- Make libaudit.h define pgoff_t by itself. +- Fix a minor warning. + +------------------------------------------------------------------- +Wed Mar 30 17:58:32 CEST 2005 - meissner@suse.de + +- Upgraded to 0.6.9. + +------------------------------------------------------------------- +Fri Mar 4 11:23:29 CET 2005 - meissner@suse.de + +- Upgraded to 0.6.5. + +------------------------------------------------------------------- +Thu Mar 3 14:59:36 CET 2005 - meissner@suse.de + +- initial package of auditd for new kernel auditing system. + diff --git a/audit.spec b/audit.spec new file mode 100644 index 0000000..ac8a617 --- /dev/null +++ b/audit.spec 
@@ -0,0 +1,152 @@
+#
+# spec file for package audit
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: audit
+Version: 3.0.9
+Release: 0
+Summary: Linux kernel audit subsystem utilities
+License: GPL-2.0-or-later
+Group: System/Monitoring
+URL: https://people.redhat.com/sgrubb/audit/
+Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+Source1: baselibs.conf
+Source2: README-BEFORE-ADDING-PATCHES
+Patch0: change-default-log_group.patch
+BuildRequires: autoconf >= 2.12
+BuildRequires: kernel-headers >= 2.6.30
+BuildRequires: libtool
+BuildRequires: pkgconfig
+BuildRequires: tcpd-devel
+Requires: libaudit1 = %{version}
+Requires: libauparse0 = %{version}
+Provides: bundled(libev) = 4.33
+
+%description
+The audit package contains the user space utilities for storing and
+processing the records generated by the audit subsystem in the
+Linux kernel.
+
+%package -n libaudit1
+Summary: Library for interfacing with the kernel audit subsystem
+License: LGPL-2.1-or-later
+Group: System/Libraries
+Obsoletes: %{name}-libs < 2.0.4
+Provides: %{name}-libs = %{version}
+
+%description -n libaudit1
+The libaudit package contains the shared libraries needed for
+applications to use the audit framework.
+
+%package -n libauparse0
+Summary: Library for parsing and interpreting audit events
+License: LGPL-2.1-or-later
+Group: System/Libraries
+
+%description -n libauparse0
+The libauparse package contains the shared libraries needed to
+parse audit records.
+
+%package -n audit-devel
+Summary: Header files for libaudit
+License: LGPL-2.1-or-later
+Group: Development/Libraries/C and C++
+Requires: libaudit1 = %{version}
+Requires: libauparse0 = %{version}
+
+%description -n audit-devel
+The audit-devel package contains the header files
+needed for developing applications that need to use the audit framework
+libraries.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fi
+export CFLAGS="%{optflags} -fno-strict-aliasing"
+export CXXFLAGS="$CFLAGS"
+export LDFLAGS="-Wl,-z,relro,-z,now"
+# no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
+%configure \
+%ifarch aarch64
+ --with-aarch64 \
+%endif
+%ifarch arm
+ --with-arm \
+%endif
+ --enable-systemd \
+ --libexecdir=%{_libexecdir}/%{name} \
+ --with-apparmor \
+ --with-libcap-ng=no \
+ --disable-static \
+ --with-python=no \
+ --disable-zos-remote
+
+%make_build -C common
+%make_build -C lib
+%make_build -C auparse
+%make_build -C docs
+
+%install
+%make_install -C common
+%make_install -C lib
+%make_install -C auparse
+%make_install -C docs
+rm -rf %{buildroot}/%{_mandir}/man[578]
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}/%{_includedir}
+mkdir -p %{buildroot}/%{_mandir}/man5
+# We manually install this since Makefile doesn't
+install -m 0644 lib/libaudit.h %{buildroot}/%{_includedir}
+install -D -m 0644 ./m4/audit.m4 %{buildroot}%{_datadir}/aclocal/audit.m4
+# Install libaudit.conf files by hand
+install -m 0644 docs/libaudit.conf.5 %{buildroot}/%{_mandir}/man5
+install -m 0644 init.d/libaudit.conf %{buildroot}%{_sysconfdir}
+
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%check
+%make_build -C lib check
+%make_build -C auparse check
+
+%post -n libaudit1 -p /sbin/ldconfig
+%post -n libauparse0 -p /sbin/ldconfig
+%postun -n libaudit1 -p /sbin/ldconfig
+%postun -n libauparse0 -p /sbin/ldconfig
+
+%files -n libaudit1
+%{_libdir}/libaudit.so.*
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/libaudit.conf
+%{_mandir}/man5/libaudit.conf.5%{ext_man}
+
+%files -n libauparse0
+%{_libdir}/libauparse.so.*
+
+%files -n audit-devel
+%doc contrib/plugin
+%{_libdir}/libaudit.so
+%{_libdir}/libauparse.so
+%{_includedir}/libaudit.h
+%{_includedir}/auparse.h
+%{_includedir}/auparse-defs.h
+%{_mandir}/man3/*
+%{_datadir}/aclocal/audit.m4
+%{_libdir}/pkgconfig/audit.pc
+%{_libdir}/pkgconfig/auparse.pc
+
+%changelog
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..49ad9ec
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,7 @@
+libaudit1
+ obsoletes "audit-libs- < 2.0.4"
+libauparse0
+audit-devel
+ requires -audit-
+ requires "libaudit1- = "
+ requires "libauparse0- = "
diff --git a/change-default-log_format.patch b/change-default-log_format.patch
new file mode 100644
index 0000000..a829bdf
--- /dev/null
+++ b/change-default-log_format.patch
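Review bot: `Source0` fetches the 3.0.9 release tarball over https with no companion signature or keyring source, so nothing in the spec ties the archive to an upstream signing key and integrity rests on the transport plus whatever checksum happens to be in the OBS checkout. If upstream publishes a detached signature for the tarball, add it as a further `Source:` line together with a keyring source so the build-time source validator can check it; if it does not, at least record the expected tarball checksum in the changelog entry for the update so a re-fetch can be compared. `Provides: bundled(libev) = 4.33` also declares an embedded libev, which means libev advisories must be tracked against this package rather than a shared library — a short comment on that line naming the in-tree directory (presumably under the auditd sources, I cannot see it here) would help whoever handles those.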
@@ -0,0 +1,28 @@
+From: Enzo Matsumiya
+Subject: auditd.conf: change default log_format
+References: bsc#1190500
+
+Upstream commit bf1270cfe ("change default logging format and update roadmap")
+changed the default log_format from RAW to ENRICHED.
+
+This causes non-audit tools to not interpret the GS character (group separator,
+0x1d) that splits the raw data from the enriched data, causing it to be visually
+concatenated.
+
+Since a candidate patch to change this was rejected by upstream, we change
+the default log_format back to RAW instead, to avoid confusion on customers'
+environments.
+
+Signed-off-by: Enzo Matsumiya
+
+--- a/init.d/auditd.conf
++++ b/init.d/auditd.conf
+@@ -6,7 +6,7 @@ local_events = yes
+ write_logs = yes
+ log_file = /var/log/audit/audit.log
+ log_group = audit
+-log_format = ENRICHED
++log_format = RAW
+ flush = INCREMENTAL_ASYNC
+ freq = 50
+ max_log_file = 8
diff --git a/change-default-log_group.patch b/change-default-log_group.patch
new file mode 100644
index 0000000..87883d0
--- /dev/null
+++ b/change-default-log_group.patch
@@ -0,0 +1,21 @@
+From: Enzo Matsumiya
+Date: Thu Jan 28 18:11:39 UTC 2021
+References: bsc#1178154
+Patch-mainline: Not yet, under review
+Subject: change default log_group to "audit"
+
+Change the default log_group to newly added "audit" group.
+
+Signed-Off-by: Enzo Matsumiya
+
+--- a/init.d/auditd.conf
++++ b/init.d/auditd.conf
+@@ -5,7 +5,7 @@
+ local_events = yes
+ write_logs = yes
+ log_file = /var/log/audit/audit.log
+-log_group = root
++log_group = audit
+ log_format = ENRICHED
+ flush = INCREMENTAL_ASYNC
+ freq = 50
diff --git a/create-augenrules-service.patch b/create-augenrules-service.patch
new file mode 100644
index 0000000..72c8745
--- /dev/null
+++ b/create-augenrules-service.patch
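Review bot: The header of change-default-log_format.patch is thinner than the sibling change-default-log_group.patch added in the same commit: it carries no `Date:` and no `Patch-mainline:` line, although its own body says the upstream candidate was rejected, which is exactly what `Patch-mainline: Never, rejected upstream` (with the thread URL on a second `References:` line) would record. The description also gives only the cosmetic reason for going back to RAW; the enriched data that the GS separator introduces is, as far as I recall from auditd.conf(5), the uid/gid/syscall/arch names resolved on the producing host, so dropping it is a forensics trade-off for logs shipped off-host or kept across uid/gid changes, and the header should say so and point admins at `log_format = ENRICHED` in /etc/audit/auditd.conf for those cases.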
@@ -0,0 +1,97 @@
+Index: audit-3.0.9/init.d/augenrules.service
+===================================================================
+--- /dev/null
++++ audit-3.0.9/init.d/augenrules.service
+@@ -0,0 +1,29 @@
++[Unit]
++Description=auditd rules generation
++After=auditd.service
++Documentation=man:augenrules(8)
++
++[Service]
++Type=oneshot
++## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
++ExecStart=/sbin/augenrules --load
++# We need RemainAfterExit=true so augenrules is called again
++# in case auditd.service is restarted.
++RemainAfterExit=true
++
++### Security Settings ###
++MemoryDenyWriteExecute=true
++LockPersonality=true
++ProtectControlGroups=true
++ProtectKernelModules=true
++ProtectHome=true
++RestrictRealtime=true
++# for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ReadWritePaths=/etc/audit
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
+ ConditionKernelCommandLine=!audit=off
+
+ Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
++Requires=augenrules.service
++# This unit clears rules on stop, so make sure that augenrules runs again
++PropagatesStopTo=augenrules.service
+
+ [Service]
+ Type=forking
+ PIDFile=/run/auditd.pid
+ ExecStart=/sbin/auditd
+-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
+-## and comment/delete the next line and uncomment the auditctl line.
+-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+-ExecStartPost=-/sbin/augenrules --load
++## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
++## uncomment the next line, and comment the Requires=augenrules.service above.
+ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ # By default we clear the rules on exit. To disable this, comment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+@@ -46,7 +47,6 @@ ProtectClock=true
+ ProtectKernelTunables=true
+ ProtectKernelLogs=true
+ # end of automatic additions
+-ReadWritePaths=/etc/audit
+
+ [Install]
+ WantedBy=multi-user.target
+Index: audit-3.0.9/init.d/Makefile.am
+===================================================================
+--- audit-3.0.9.orig/init.d/Makefile.am
++++ audit-3.0.9/init.d/Makefile.am
+@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
+ auditd.cron libaudit.conf auditd.condrestart \
+ auditd.reload auditd.restart auditd.resume \
+ auditd.rotate auditd.state auditd.stop \
+- audit-stop.rules augenrules audit-functions
++ audit-stop.rules augenrules audit-functions \
++ augenrules.service
+ libconfig = libaudit.conf
+ if ENABLE_SYSTEMD
+ initdir = /usr/lib/systemd/system
+@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
+ mkdir -p ${DESTDIR}${legacydir}
+ mkdir -p ${DESTDIR}${libexecdir}
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
++ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
+ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
+ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
+ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
+@@ -72,6 +74,7 @@ uninstall-hook:
+ rm ${DESTDIR}${sysconfdir}/${libconfig}
+ if ENABLE_SYSTEMD
+ rm ${DESTDIR}${initdir}/auditd.service
++ rm ${DESTDIR}${initdir}/augenrules.service
+ rm ${DESTDIR}${legacydir}/rotate
+ rm ${DESTDIR}${legacydir}/resume
+ rm ${DESTDIR}${legacydir}/reload
diff --git a/enable-stop-rules.patch b/enable-stop-rules.patch
new file mode 100644
index 0000000..5ef0d37
--- /dev/null
+++ b/enable-stop-rules.patch
@@ -0,0 +1,29 @@
+From: Enzo Matsumiya
+Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
+References: bsc#1190227
+
+This has caused confusion for customers when relating stopping auditd service
+is the same as stopping system auditing. This is completely understandable, but
+it's by design, so kauditd can keep filling its queues for any other userspace
+daemon to consume.
+
+Disable audit when auditd.service stops, so kauditd stops logging/running.
+
+Signed-off-by: Enzo Matsumiya
+
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
+ ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+ ExecStartPost=-/sbin/augenrules --load
+ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+-# By default we don't clear the rules on exit. To enable this, uncomment
++# By default we clear the rules on exit. To disable this, comment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
++ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ Restart=on-failure
+ # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
+ RestartPreventExitStatus=2 4 6
diff --git a/fix-hardened-service.patch b/fix-hardened-service.patch
new file mode 100644
index 0000000..0fe1648
--- /dev/null
+++ b/fix-hardened-service.patch
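Review bot: This patch has no From:/Subject:/References: header, and the behaviour it changes is the kind that needs one: rule loading moves from auditd's `ExecStartPost=-/sbin/augenrules --load` into a separate RemainAfterExit oneshot, so rules are re-applied only when augenrules.service itself is (re)started. Since auditd.service also clears rules on stop (the new comment above `PropagatesStopTo=` says so, and systemd runs ExecStopPost on an unexpected exit as well), the header should state that the Restart=on-failure path was verified to re-trigger augenrules.service through `PropagatesStopTo=`; if an automatic restart left the still-active oneshot alone, auditd would come back with the stop rules in effect and nothing would report it. `ExecStart=/sbin/augenrules --load` also drops the leading `-` the old ExecStartPost had, so a bad file in /etc/audit/rules.d/ now marks augenrules.service failed — arguably better because the failure is visible, but worth a sentence in the header. The opt-out comment in auditd.service should name both directives an admin has to remove, e.g. `## uncomment the next line, and comment the Requires= and PropagatesStopTo= lines above.`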
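Review bot: Enabling `ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules` turns `systemctl stop auditd` into a one-command way to switch kernel auditing off, and the description presents that only as a usability fix; the trade-off against the previous behaviour it describes (kauditd keeps queuing for other consumers) deserves to be spelled out for hardening guides and detection content. Per systemd.service(5), ExecStopPost= commands also run when the service terminated unexpectedly, so an auditd crash applies the stop rules until Restart=on-failure brings the normal rule set back. If a site's rules end with `-e 2` (locked configuration), the auditctl call here is denied and the stop is reported as failed; a leading `-` (`ExecStopPost=-/sbin/auditctl -R /etc/audit/audit-stop.rules`) would keep the stop clean in that case, if that is the intended behaviour. I would add to the description: `Note: an auditd crash, or a stop by anyone allowed to run systemctl, now disables kernel auditing; monitor auditd.service leaving the active state.`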
@@ -0,0 +1,32 @@
+From: Enzo Matsumiya
+Subject: init.d/auditd.service: make /etc/audit writable
+References: bsc#1181400
+
+systemd hardening effort (bsc#1181400) broke auditd.service when starting/
+restarting it. This was because auditd couldn't save/create audit.rules from
+/etc/audit/rules.d/* files.
+
+Make /etc/audit writable for the service.
+
+Also remove PrivateDevices=true so /dev/* are exposed to auditd.
+
+Signed-off-by: Enzo Matsumiya
+
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -41,12 +41,12 @@ RestrictRealtime=true
+ # added automatically, for details please see
+ # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ ProtectSystem=full
+-PrivateDevices=true
+ ProtectHostname=true
+ ProtectClock=true
+ ProtectKernelTunables=true
+ ProtectKernelLogs=true
+ # end of automatic additions
++ReadWritePaths=/etc/audit
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/harden_auditd.service.patch b/harden_auditd.service.patch
new file mode 100644
index 0000000..3e3ad0f
--- /dev/null
+++ b/harden_auditd.service.patch
@@ -0,0 +1,20 @@
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -38,6 +38,15 @@ LockPersonality=true
+ ProtectControlGroups=true
+ ProtectKernelModules=true
+ RestrictRealtime=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++# end of automatic additions
+
+ [Install]
+ WantedBy=multi-user.target
diff --git a/libev-werror.patch b/libev-werror.patch
new file mode 100644
index 0000000..68b2467
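Review bot: The header removes `PrivateDevices=true` "so /dev/* are exposed to auditd" without naming the device node auditd actually needs, and that is the fact that decides whether the relaxation is justified: per systemd.exec(5), PrivateDevices= also drops CAP_MKNOD and CAP_SYS_RAWIO from the bounding set, so removing it re-widens a root daemon whose input is kernel-supplied records. If the need is narrow — a dispatcher plugin writing to a console or tty, say — `DevicePolicy=closed` with an explicit `DeviceAllow=` would keep most of the protection. At minimum I would extend the header with `PrivateDevices=true was removed because auditd needs /dev/<node> for <reason>; re-enable it if that requirement goes away.` The `ReadWritePaths=/etc/audit` addition is reasonable while augenrules runs inside this unit, but a comment next to it should say it exists for augenrules writing audit.rules, not for auditd itself.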
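Review bot: This patch carries no From:/Subject:/References: header at all, so the hardening directives it adds cannot be traced to the bug or discussion that motivated them, while two of them (`PrivateDevices=true` and `ProtectSystem=full`) are relaxed again by later patches in the same series without that history being visible in either place. The link to the openSUSE hardening page is not a substitute: it explains the campaign, not why these particular settings were judged safe for a daemon that writes /etc/audit/audit.rules at start-up. I would add the standard header, at least `Subject: init.d/auditd.service: apply systemd hardening directives` and `References: bsc#1181400`, the number the follow-up fix cites.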
--- /dev/null
+++ b/libev-werror.patch
@@ -0,0 +1,26 @@
+From: Jan Engelhardt
+Date: 2021-06-02 16:18:03.256597842 +0200
+
+Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
+to fix some terrible code.
+
+[ 50s] ev_iouring.c: In function 'iouring_sqe_submit':
+[ 50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
+
+---
+ src/libev/ev_iouring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: audit-3.0.1/src/libev/ev_iouring.c
+===================================================================
+--- audit-3.0.1.orig/src/libev/ev_iouring.c
++++ audit-3.0.1/src/libev/ev_iouring.c
+@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
+ }
+
+ inline_size
+-struct io_uring_sqe *
++void
+ iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
+ {
+ unsigned idx = sqe - EV_SQES;
diff --git a/system-group-audit.conf b/system-group-audit.conf
new file mode 100644
index 0000000..582e782
--- /dev/null
+++ b/system-group-audit.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+g audit -
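Review bot: The change from `struct io_uring_sqe *` to `void` is the right fix for the quoted `-Werror=return-type` failure (falling off the end of a non-void function and using the result is undefined behaviour), but the hunk shows only the signature — iouring_sqe_submit's body continues outside it — and the header does not state that no caller consumes the return value, which is what makes the change safe. From a supply-chain angle, `src/libev/ev_iouring.c` is a bundled copy of libev being fixed by cherry-picking one upstream revision, and the `Index:`/`---` paths still say audit-3.0.1 while the rest of the series targets 3.0.9 (harmless at -p1, but misleading). I would complete the header with `Subject: libev: fix missing return in iouring_sqe_submit`, `Git-repo: http://cvs.schmorp.de/libev` and `Patch-mainline: never (bundled libev; drop when upstream audit refreshes src/libev)`, so the next maintainer knows this file is not covered by audit-userspace's own fixes.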
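Review bot: The sysusers entry `g audit -` has no comment explaining why the group exists or what it grants, and both matter: with the packaged default `log_group = audit`, membership gives read access to the whole audit trail, and if I read auditd's configuration handling correctly the daemon does not start until the group resolves. I would add above it `# Owner group of /var/log/audit (auditd.conf log_group = audit). Membership grants read access to the audit trail: treat as privileged. Must exist before auditd first starts.` It is also worth checking that the spec applies this file before the service is started on upgrade (sysusers pre-install handling), since a first start against a missing group would fail.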