Sync from SUSE:SLFO:Main audit revision b45ec063c4e7856d1bf1ea7fa6a46c44

This commit is contained in:
Adrian Schröter 2024-05-03 11:11:31 +02:00
commit c08b6413a2
21 changed files with 3204 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

View File

@ -0,0 +1,16 @@
All patches need to have a kernel-style patch description header.
PATCHES LACKING THIS OR NOT CORRECTLY FOLLOWING DESCRIPTION BELOW WILL BE
REJECTED OR REVERTED
From: Joe Smoe <joe@smoe.com>
Subject: Summary of fix
Date: Date of fix
References: Bugzilla reference [bsc#xxxx]
References: URL of relevant discussion thread, opensuse or upstream ML etc
Git-commit: Full SHA of upstream commit [if applicable]
Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
Patch-mainline: revision of audit package or explanation if not [i.e v2.8.1 or "queued with maintainer" or "never; because ...." ]
Signed-Off-by: Joe Smoe <joe@smoe.com>
Short paragraph describing problem/fix.

BIN
audit-3.0.9.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -0,0 +1,25 @@
From: Tony Jones <tonyj@suse.de>
Subject: allow service stop
References: https://lists.fedoraproject.org/pipermail/devel/2012-June/169411.html
References: https://www.redhat.com/archives/linux-audit/2013-July/msg00048.html
---
legacy-actions is Fedora specific, so blocking manual stop won't work for
SUSE since we lack the ability to use a custom stop/restart
init.d/auditd.service | 1 -
1 file changed, 1 deletion(-)
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
Before=sysinit.target shutdown.target
##Before=shutdown.target
Conflicts=shutdown.target
-RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
ConditionKernelCommandLine=!audit=off

View File

@ -0,0 +1,41 @@
From: William Preston <wpreston@suse.com>
Subject: ausearch is looking for the "tclass" field in the entries, which doesn't make sense for apparmor.
References: bnc#878687
References: https://www.redhat.com/archives/linux-audit/2014-May/msg00094.html https://www.redhat.com/archives/linux-audit/2014-June/msg00001.html
Upstream: never
Signed-off-by: Tony Jones <tonyj@suse.de>
---
src/ausearch-parse.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
Index: audit-3.0.9/src/ausearch-parse.c
===================================================================
--- audit-3.0.9.orig/src/ausearch-parse.c
+++ audit-3.0.9/src/ausearch-parse.c
@@ -2062,17 +2062,15 @@ other_avc:
// Now get the class...its at the end, so we do things different
str = strstr(term, "tclass=");
- if (str == NULL) {
- rc = 9;
- goto err;
+ if (str) {
+ str += 7;
+ term = strchr(str, ' ');
+ if (term)
+ *term = 0;
+ an.avc_class = strdup(str);
+ if (term)
+ *term = ' ';
}
- str += 7;
- term = strchr(str, ' ');
- if (term)
- *term = 0;
- an.avc_class = strdup(str);
- if (term)
- *term = ' ';
if (audit_avc_init(s) == 0) {
alist_append(s->avc, &an);

24
audit-no-gss.patch Normal file
View File

@ -0,0 +1,24 @@
From: Tony Jones <tonyj@suse.de>
Subject: Disable GSS options from config file
Upsteam: never
Disable GSS/Kerberos options from config file. They are disabled from configure
but need manual removal here.
---
init.d/auditd.conf | 3 ---
1 file changed, 3 deletions(-)
Index: audit-3.0.9/init.d/auditd.conf
===================================================================
--- audit-3.0.9.orig/init.d/auditd.conf
+++ audit-3.0.9/init.d/auditd.conf
@@ -30,8 +30,6 @@ tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
-krb5_principal = auditd
-##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 2000
overflow_action = SYSLOG

29
audit-plugins-path.patch Normal file
View File

@ -0,0 +1,29 @@
From: Tony Jones <tonyj@suse.de>
Subject: Adjust location of plugins built by audit-secondary
Upsteam: never
Adjust location of plugins built by audit-secondary. These should never have
been in /sbin plus some (for SUSE) require lib dependancies on /usr/lib
--- a/audisp/plugins/remote/au-remote.conf
+++ b/audisp/plugins/remote/au-remote.conf
@@ -5,7 +5,7 @@
active = no
direction = out
-path = /sbin/audisp-remote
+path = /usr/sbin/audisp-remote
type = always
#args =
format = string
--- a/audisp/plugins/zos-remote/audispd-zos-remote.conf
+++ b/audisp/plugins/zos-remote/audispd-zos-remote.conf
@@ -8,7 +8,7 @@
active = no
direction = out
-path = /sbin/audispd-zos-remote
+path = /usr/sbin/audispd-zos-remote
type = always
args = /etc/audit/zos-remote.conf
format = string

737
audit-secondary.changes Normal file
View File

@ -0,0 +1,737 @@
-------------------------------------------------------------------
Tue Dec 27 10:21:56 UTC 2022 - Ludwig Nussel <lnussel@suse.com>
- Replace transitional %usrmerged macro with regular version check (boo#1206798)
-------------------------------------------------------------------
Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
* In auditd, release the async flush lock on stop
* Don't allow auditd to log directly into /var/log when log_group is non-zero
* Cleanup krb5 memory leaks on error paths
* Update auditd.cron to use auditctl --signal
* In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
* In auparse, special case kernel module name interpretation
* If overflow_action is ignore, don't treat as an error
(3.0.8)
* Add gcc function attributes for access and allocation
* Add some more man pages (MIZUTA Takeshi)
* In auditd, change the reinitializing of the plugin queue
* Fix path normalization in auparse (Sergio Correia)
* In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
* In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
* Drop ProtectHome from auditd.service as it interferes with rules
(3.0.7)
* Add support for the OPENAT2 record type (Richard Guy Briggs)
* In auditd, close the logging file descriptor when logging is suspended
* Update the capabilities lookup table to match 5.16 kernel
* Improve interpretation of renamat & faccessat family of syscalls
* Update syscall table for the 5.16 kernel
* Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
* audit-allow-manual-stop.patch
* audit-ausearch-do-not-require-tclass.patch
* audit-no-gss.patch
* enable-stop-rules.patch
* fix-hardened-service.patch
* harden_auditd.service.patch
- Remove patches (fixed by version update):
* libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
* audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
-------------------------------------------------------------------
Mon Apr 11 20:44:34 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
- Drop buildrequire on C++ compiler.
- Modernize specfile constructs.
-------------------------------------------------------------------
Sat Mar 26 11:14:19 UTC 2022 - Stephan Kulow <coolo@suse.com>
- Fix buildrequire for openldap2-devel - audit doesn't require the
(outdated) C++ binding, but the C headers that happen to be pulled
in by buildrequiring the C++ devel package
-------------------------------------------------------------------
Fri Mar 25 04:56:19 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.com>
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
* add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
* add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
-------------------------------------------------------------------
Wed Mar 23 16:37:06 UTC 2022 - Dirk Müller <dmueller@suse.com>
- add audit-userspace-517-compat.patch
-------------------------------------------------------------------
Mon Nov 29 13:13:56 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- Use %autosetup
- Don't include sample rules as %doc, they're already installed
as normal files
- Fix create-augenrules-service.patch:
* auditd.service needs to require augenrules.service,
not the other way around
- Fix documentation for enable-stop-rules.patch
-------------------------------------------------------------------
Sun Nov 7 13:34:20 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Update to version 3.0.6:
* fixes a segfault on some SELINUX_ERR records
* makes IPX packet interpretation dependent on the ipx header
file existing
* adds b32/b64 support to ausyscall
* adds support for armv8l
* fixes auditctl list of syscalls on PPC
* auditd.service now restarts auditd under some conditions
-------------------------------------------------------------------
Fri Oct 15 11:13:26 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
- Add CONFIG parameter to %sysusers_generate_pre
-------------------------------------------------------------------
Wed Oct 13 19:12:06 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Create separate service for augenrules (bsc#1191614, bsc#1181400)
* add create-augenrules-service.patch
Remove ReadWritePaths=/etc/audit from auditd.service, also removes
augenrules call from ExecStartPost.
Create augenrules.service with the ReadWritePaths directive above.
This makes /etc/audit only accessible by augenrules.service and
let auditd.service (and daemon) to be sandboxed again.
- Update audit-secondary.spec to accomodate the new service file.
-------------------------------------------------------------------
Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Fix hardened auditd.service (bsc#1181400)
* add fix-hardened-service.patch
Make /etc/audit read-write from the service.
Remove PrivateDevices=true to expose /dev/* to auditd.service.
- Enable stop rules for audit.service (cf. bsc#1190227)
* add enable-stop-rules.patch
-------------------------------------------------------------------
Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Change default log_format from ENRICHED to RAW (bsc#1190500):
* add change-default-log_format.patch (SUSE-specific patch)
- Update to version 3.0.5:
* In auditd, flush uid/gid caches when user/group added/deleted/modified
* Fixed various issues when dealing with corrupted logs
* In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
* Apply performance speedups to auparse library
* Optimize rule loading in auditctl
* Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
* Update syscall table to the 5.14 kernel
* Fixed various issues when dealing with corrupted logs
-------------------------------------------------------------------
Mon Aug 16 13:29:21 UTC 2021 - Marcus Meissner <meissner@suse.com>
- harden_auditd.service.patch: automatic hardening applied to systemd
services
-------------------------------------------------------------------
Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Update to version 3.0.3:
* Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
* Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
* Change auparse_feed_has_data in auparse to include incomplete events
* Auditd, stop linking against -lrt
* Add ProtectHome and RestrictRealtime to auditd.service
* In auditd, read up to 3 netlink packets in a row
* In auditd, do not validate path to plugin unless active
* In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
- use https source urls
-------------------------------------------------------------------
Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Adjust audit.spec and audit-secondary.spec to support new version
- Include fix for libev
* add libev-werror.patch
- Update to version 3.0.2
- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report
Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types
Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if its suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesnt format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitue functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearin in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd
- Removes audit-fno-common.patch: fixed in upstream
- Removes audit-python3.patch: fixed in upstream
-------------------------------------------------------------------
Mon Feb 1 18:13:18 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
- Do not explicitly provide group(audit) in system-users-audit:
this is automatically handled by rpm/providers.
-------------------------------------------------------------------
Thu Jan 28 17:59:43 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Create new "audit" group for read access to logs (bsc#1178154)
* add change-default-log_group.patch
* update audit-secondary.spec
-------------------------------------------------------------------
Wed Dec 2 11:49:28 UTC 2020 - Alexander Bergmann <abergmann@suse.com>
- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)
-------------------------------------------------------------------
Fri Oct 16 09:40:34 UTC 2020 - Ludwig Nussel <lnussel@suse.de>
- prepare usrmerge (boo#1029961)
-------------------------------------------------------------------
Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com>
- Update to version 2.8.5:
* Fix segfault on shutdown
* Fix hang on startup (#1587995)
* Add sleep to script to dump state so file is ready when needed
* Add auparse_normalizer support for SOFTWARE_UPDATE event
* Mark netlabel events as simple events so that get processed quicker
* When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
* Add 30-ospp-v42.rules to meet new Common Criteria requirements
* Update lookup tables for the 4.18 kernel
* In aureport, fix segfault in file report
* Add auparse_normalizer support for labeled networking events
* Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
* Event aging is off by a second
* In ausearch/auparse, correct event ordering to process oldest first
* auparse_reset was not clearing everything it should
* Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
* In ausearch/report, lightly parse selinux portion of USER_AVC events
* In ausearch/report, limit record size when malformed
* In auditd, fix extract_type function for network originating events
* In auditd, calculate right size and location for network originating events
* Treat all network originating events as VER2 so dispatcher doesn't format it
* In audisp-remote do an initial connection attempt (#1625156)
* In auditd, allow expression of space left as a percentage (#1650670)
* On PPC64LE systems, only allow 64 bit rules (#1462178)
* Make some parts of auditd state report optional based on config
* Fix ausearch when checkpointing a single file (Burn Alting)
* Fix scripting in 31-privileged.rules wrt filecap (#1662516)
* In ausearch, do not checkpt if stdin is input source
* In libev, remove __cold__ attribute for functions to allow proper hardening
* Add tests to configure.ac for openldap support
* Make systemd support files use /run rather than /var/run (Christian Hesse)
* Fix minor memory leak in auditd kerberos credentials code
* Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
* In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Fix build errors when using gcc-10 no-common default (bsc#1160384)
New patch: audit-fno-common.patch
- Refresh audit-allow-manual-stop.patch
-------------------------------------------------------------------
Thu Mar 21 10:32:43 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Reduce scriptlets' hard dependency on systemd.
-------------------------------------------------------------------
Sat Jun 23 08:16:07 UTC 2018 - antoine.belvire@opensuse.org
- Update to version 2.8.4:
* Generate checkpoint file even when not results are returned
(Burn Alting).
* Fix log file creation when file logging is disabled entirely
(Vlad Glagolev).
* Use SIGCONT to dump auditd internal state (rh#1504251).
* Fix parsing of virtual timestamp fields in ausearch_expression
(rh#1515903).
* Fix parsing of uid & success for ausearch.
* Hide lru symbols in auparse.
* Fix aureport summary time range reporting.
* Allow unlimited retries on startup for remote logging.
* Add queue_depth to remote logging stats and increase default
queue_depth size.
-------------------------------------------------------------------
Sun Jun 17 10:48:40 UTC 2018 - antoine.belvire@opensuse.org
- Update to version 2.8.3:
* Correct msg function name in lru debug code.
* Fix a segfault in auditd when dns resolution isn't available.
* Make a reload legacy service for auditd.
* In auparse python bindings, expose some new types that were
missing.
* In normalizer, pickup subject kind for user_login events.
* Fix interpretation of unknown ioctcmds (rh#1540507).
* Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, &
RESP_ORIGIN_BLOCK_TIMED events.
* In auparse_normalize for USER_LOGIN events, map acct for
subj_kind.
* Fix logging of IPv6 addresses in DAEMON_ACCEPT events
(rh#1534748).
* Do not rotate auditd logs when num_logs < 2 (brozs).
-------------------------------------------------------------------
Tue Apr 3 13:33:34 CEST 2018 - kukuk@suse.de
- Use %license instead of %doc [bsc#1082318]
-------------------------------------------------------------------
Fri Mar 16 19:44:45 UTC 2018 - tonyj@suse.com
- Change openldap dependency to client only (bsc#1085003)
- Resolve issue with previous change if both Python2 and Python3 are
present, tests were failing as python2 bindings are preferred in this
case.
-------------------------------------------------------------------
Thu Feb 22 11:00:16 UTC 2018 - meissner@suse.com
- reverted -j1 force ppc specific only
-------------------------------------------------------------------
Wed Feb 7 09:26:35 UTC 2018 - tchvatal@suse.com
- Add patch to fix test run without python2 interpreter:
* audit-python3.patch
- Update to 2.8.2 release:
* Update tables for 4.14 kernel
* Fixup ipv6 server side binding
* AVC report from aureport was missing result column header (#1511606)
* Add SOFTWARE_UPDATE event
* In ausearch/report pickup any path and new-disk fields as a file
* Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
* In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
* Fix building on old systems without linux/fanotify.h
* Fix shell portability issues reported by shellcheck
* Auditd validate_email should not use gethostbyname
-------------------------------------------------------------------
Tue Feb 6 13:24:43 UTC 2018 - normand@linux.vnet.ibm.com
- force -j1 for PowerPC make check to avoid build failure
(lookup_test.o: file not recognized: File truncated)
-------------------------------------------------------------------
Wed Jan 17 15:25:55 UTC 2018 - tchvatal@suse.com
- Add conditions around python plugins to allow us to conditionalize
them in enviroment without python2
-------------------------------------------------------------------
Thu Nov 9 16:21:23 UTC 2017 - mpluskal@suse.com
- Rename python binding packages to match current python packaging
standards
- Update python build dependencies to resolve future split of
python2/3
-------------------------------------------------------------------
Sat Nov 4 21:11:35 UTC 2017 - aavindraa@gmail.com
- Update to version 2.8.1. See audit.spec (libaudit1) for upstream
changelog
- Remove audit-implicit-writev.patch (fixed upstream across 2
commits)
* 3b30db20ad983274989ce9a522120c3c225436b3
* 07132c22314e9abbe64d1031fd8734243285bb3f
- Cleanup with spec-cleaner
-------------------------------------------------------------------
Fri Aug 18 08:50:02 UTC 2017 - dimstar@opensuse.org
- Add audit-implicit-writev.patch: include sys/uio.h to ensure
readv and writev are declared.
-------------------------------------------------------------------
Mon Jul 24 13:59:06 UTC 2017 - jengelh@inai.de
- Rectify RPM groups, diversify descriptions.
- Remove mentions of static libraries because they are not built.
-------------------------------------------------------------------
Tue Jul 18 18:33:40 UTC 2017 - tonyj@suse.com
- Update to version 2.7.7. See audit.spec (libaudit1) for upstream
changelog
Since commit 6cf57d27 (2.7.4) audit is now started as an non-forking
service (bsc#1042781).
Add config: audit-stop.rules
Refresh patch: audit-allow-manual-stop.patch
Refresh patch: audit-no-gss.patch
-------------------------------------------------------------------
Fri Apr 1 14:59:05 UTC 2016 - tchvatal@suse.com
- Version update to 2.5. See audit.spec (libaudit1) for upstream
changelog
- Cleanup with spec-cleaner
- Sort out bit /sbin /usr/sbin/ installation
- Install the rules as documentation
- Remove needless %py_requires from python subpkgs
-------------------------------------------------------------------
Fri Aug 21 19:00:36 UTC 2015 - tonyj@suse.com
- Update to version 2.4.4. See audit.spec (libaudit1) for upstream
changelog
- Add python3 bindings for libaudit and libauparse
- Remove patch 'audit-no_m4_dir.patch'
(added Fri Apr 26 11:14:39 UTC 2013 by mmeister@suse.com)
No idea what earlier 'automake' build error this was trying to fix but
it broke the handling of "--without-libcap-ng". Anyways, no build error
occurs now and m4 path is also needed in v2.4.4 to find ax_prog_cc_for_build
-------------------------------------------------------------------
Tue Sep 2 17:35:12 UTC 2014 - tonyj@suse.com
- Update to version 2.4. See audit.spec (libaudit1) for upstream
changelog
Drop patch: auditd-donot-start-if-kernel-cmdline-disabled.patch
-------------------------------------------------------------------
Fri Aug 15 14:24:33 UTC 2014 - crrodriguez@opensuse.org
- If the system has been booted with audit=0 in the kernel cmdline
auditd.service must refrain from starting as the relevant kernel
subsystem will be permanently disabled.
add patch: auditd-donot-start-if-kernel-cmdline-disabled.patch
-------------------------------------------------------------------
Thu Jul 10 06:21:55 UTC 2014 - tonyj@suse.com
- Do not require tclass field to be present when searching for AVC
records (bnc#878687)
add patch: audit-ausearch-do-not-require-tclass.patch
-------------------------------------------------------------------
Tue Apr 15 00:52:16 UTC 2014 - tonyj@suse.com
- Update to version 2.3.6. See audit.spec (libaudit1) for upstream
changelog
-------------------------------------------------------------------
Wed Mar 26 18:41:33 UTC 2014 - crrodriguez@opensuse.org
- fix systemd warning:
"Configuration file /usr/lib/systemd/system/auditd.service
is marked world-inaccessible.
This has no effect as configuration data is accessible
via APIs without restrictions"
* indeed restricting access to unit files using filesystem
permissions is non-sense.
-------------------------------------------------------------------
Thu Feb 27 16:28:31 UTC 2014 - tonyj@suse.com
- Add systemd requires (bnc#865849)
-------------------------------------------------------------------
Tue Feb 4 00:06:30 UTC 2014 - tonyj@suse.com
- Update to version 2.3.3. See audit.spec (libaudit1) for upstream
changelog
-------------------------------------------------------------------
Tue Nov 26 18:28:58 UTC 2013 - tonyj@suse.com
- Update to version 2.3.2. See audit.spec (libaudit1) for upstream
changelog
- Drop patch 'audit-fix-implicit-defn.patch' (upstream)
- Add patch 'audit-allow-manual-stop.patch' to reinstate service
stop/restart.
- /etc/sysconfig/audit still existed but was no longer referenced
by systemd, so remove
- Delete audit-no_plugins.patch, it was stale (no longer referenced
by specfiles) but had not been removed.
-------------------------------------------------------------------
Wed Oct 2 12:48:50 UTC 2013 - opensuse@cboltz.de
- (re-)add rcauditd as symlink to /usr/sbin/service
-------------------------------------------------------------------
Thu Jun 27 15:17:16 UTC 2013 - tonyj@suse.com
- Eliminate build cycles. audit.spec now builds only libs/devel.
Remainder (including daemon) built from audit-secondary.spec
- Add patch 'audit-fix-implicit-defn.patch' to fix implicit definition
warning.
-------------------------------------------------------------------
Mon Mar 25 17:27:47 UTC 2013 - crrodriguez@opensuse.org
- Buildrequires cap-ng library
-------------------------------------------------------------------
Tue Jan 22 12:34:00 UTC 2013 - jengelh@inai.de
- Executing autoreconf requires autoconf
-------------------------------------------------------------------
Fri Oct 12 13:00:30 UTC 2012 - coolo@suse.com
- Update to version 2.2.1, see audit's changes
-------------------------------------------------------------------
Tue Feb 28 21:58:24 UTC 2012 - tonyj@suse.com
- Update to version 2.1.3. See audit.spec upstream changelog
-------------------------------------------------------------------
Sat Sep 17 13:38:42 UTC 2011 - jengelh@medozas.de
- Remove redundant tags/sections from specfile
-------------------------------------------------------------------
Fri May 20 16:54:38 UTC 2011 - tonyj@novell.com
- Adjust license of audit-libs-python to be LGPLv2.1 or later.
-------------------------------------------------------------------
Wed Apr 27 00:05:50 UTC 2011 - tonyj@novell.com
- Upgrade to version 2.1.1 (see audit.changes for upstream change
history)
-------------------------------------------------------------------
Wed Sep 29 00:22:38 UTC 2010 - tonyj@novell.com
- Upgrade to version 2.0.5 (see audit.changes for upstream change
history)
-------------------------------------------------------------------
Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
- use %_smp_mflags
-------------------------------------------------------------------
Tue May 4 10:51:33 CEST 2010 - tonyj@suse.de
- Upgrade to version 2.0.4 (see audit.changes for upstream change
history)
-------------------------------------------------------------------
Sat Jun 20 12:33:00 CEST 2009 - cmorve69@yahoo.es
- fixed build with --as-needed
-------------------------------------------------------------------
Mon May 11 17:19:50 CEST 2009 - tonyj@suse.de
- Update from 1.7.7 to 1.7.13 (see audit.changes for upstream change
history)
-------------------------------------------------------------------
Fri Sep 26 23:27:36 CEST 2008 - tonyj@suse.de
- Update from 1.7.4 to 1.7.7 (see audit.changes for upstream change
history)
-------------------------------------------------------------------
Fri Aug 1 17:12:46 CEST 2008 - ro@suse.de
- disable debuginfo for secondary specfile
-------------------------------------------------------------------
Wed Jun 25 01:50:54 CEST 2008 - tonyj@suse.de
- Update from 1.7.2 to 1.7.4 (see audit.changes for upstream change
history)
- Update from 1.6.8 to 1.7.2 (see audit.changes for upstream change
history)
-------------------------------------------------------------------
Tue Jun 3 21:49:41 CEST 2008 - coolo@suse.de
- avoid packaging a directory with different permissions (creating
rpm -V output)
-------------------------------------------------------------------
Wed Apr 16 12:09:26 CEST 2008 - aj@suse.de
- Use %py_requires for proper requires.
-------------------------------------------------------------------
Wed Mar 26 21:29:38 CET 2008 - tonyj@suse.de
- Update to version 1.6.8.
- Rename to audit-secondary and build audisp-plugins from here
to minimise bootstrap dependancies.
-------------------------------------------------------------------
Tue Mar 18 14:43:11 CET 2008 - schwab@suse.de
- Use autoreconf.
-------------------------------------------------------------------
Wed Oct 10 23:19:29 CEST 2007 - tonyj@suse.de
- Upgrade to 1.6.2
-------------------------------------------------------------------
Wed Jul 25 01:13:09 CEST 2007 - tonyj@suse.de
- Upgrade to 1.5.5
Drop audit-swig-attribute.patch (upstreamed)
-------------------------------------------------------------------
Fri Jul 13 01:58:29 CEST 2007 - tonyj@suse.de
- Fix build errors on ppc
-------------------------------------------------------------------
Thu Jul 12 01:38:36 CEST 2007 - tonyj@suse.de
- Upgrade to 1.5.4
-------------------------------------------------------------------
Wed May 2 19:08:53 CEST 2007 - tonyj@suse.de
- Upgrade to 1.5.3.
-------------------------------------------------------------------
Wed Nov 29 02:47:22 CET 2006 - tonyj@suse.de
- Upgrade to 1.2.9 (drop several patches which are now upstream)
- /usr/sbin/audispd now packaged by audit-libs-python
-------------------------------------------------------------------
Sun Nov 5 00:45:21 CET 2006 - ro@suse.de
- fix requires
-------------------------------------------------------------------
Thu Aug 31 22:57:52 CEST 2006 - tonyj@suse.de
- Upgrade to 1.2.6-1
-------------------------------------------------------------------
Wed Aug 16 16:19:20 CEST 2006 - cthiel@suse.de
- split off package

329
audit-secondary.spec Normal file
View File

@ -0,0 +1,329 @@
#
# spec file for package audit-secondary
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%bcond_without python2
%bcond_without python3
# This package contains all audit functionality except for audit-libs.
# The seperation is required to minimize unnecessary build cycles.
%define _name audit
Name: audit-secondary
Version: 3.0.9
Release: 0
Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later
Group: System/Monitoring
URL: https://people.redhat.com/sgrubb/audit/
Source0: https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.gz
Source1: system-group-audit.conf
Patch1: audit-plugins-path.patch
Patch2: audit-no-gss.patch
Patch3: audit-allow-manual-stop.patch
Patch4: audit-ausearch-do-not-require-tclass.patch
Patch5: change-default-log_group.patch
Patch6: libev-werror.patch
Patch7: harden_auditd.service.patch
Patch8: change-default-log_format.patch
Patch9: fix-hardened-service.patch
Patch10: enable-stop-rules.patch
Patch11: create-augenrules-service.patch
Patch12: audit-userspace-517-compat.patch
BuildRequires: audit-devel = %{version}
BuildRequires: autoconf >= 2.12
BuildRequires: kernel-headers >= 2.6.30
BuildRequires: libtool
BuildRequires: openldap2-devel
BuildRequires: pkgconfig
%if %{with python2}
BuildRequires: python2-devel
%endif
%if %{with python3}
BuildRequires: python3-devel
%endif
BuildRequires: swig
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: tcpd-devel
BuildRequires: pkgconfig(libcap-ng)
Provides: bundled(libev) = 4.33
%description
The audit package contains the user space utilities for storing and
processing the records generated by the audit subsystem in the
Linux kernel.
%package -n audit
Summary: User Space Tools for Kernel Auditing
License: LGPL-2.1-or-later
Group: System/Monitoring
Requires: %{_name}-libs = %{version}
Requires: coreutils
Requires: group(audit)
%{?systemd_ordering}
%description -n audit
The audit package contains the user space utilities for storing and
processing the audit records generated by the audit subsystem in the
Linux kernel.
%package -n system-group-audit
Summary: System group 'audit'
License: LGPL-2.1-or-later
Group: System/Fhs
%sysusers_requires
%description -n system-group-audit
This package contains the system group 'audit' for read access to logs.
%package -n python2-audit
Summary: Python Bindings for libaudit
License: LGPL-2.1-or-later
Group: Development/Languages/Python
Provides: audit-libs-python = %{version}
Obsoletes: audit-libs-python < %{version}
%description -n python2-audit
The audit-libs-python package contains the bindings for using libaudit
by python.
%package -n python3-audit
Summary: Python3 Bindings for libaudit
License: LGPL-2.1-or-later
Group: Development/Languages/Python
Provides: audit-libs-python3 = %{version}
Obsoletes: audit-libs-python3 < %{version}
%description -n python3-audit
The audit-libs-python3 package contains the bindings for using libaudit
by python3.
%package -n audit-audispd-plugins
Summary: Default plugins for the audit dispatcher
License: GPL-2.0-or-later
Group: System/Monitoring
%description -n audit-audispd-plugins
The audit-audispd-plugins package contains plugin components for the
audit dispatcher (audispd).
%prep
# remove selinux policy
rm -rf audisp/plugins/zos-remote/policy
# we don't build prelude
rm -rf audisp/plugins/prelude
%autosetup -p1 -n %{_name}-%{version}
%if %{without python2} && %{with python3}
# Fix python env call in tests if we only have Python3.
# If both versions are present, python2 bindings are preferred by the tests and
# unconditionally using /usr/bin/python3 breaks the tests
# Probably the correct solution is to run the tests twice if both are present.
perl -i -lpe 's{#!/usr/bin/env python\S+}{#!/usr/bin/python3}' auparse/test/auparse_test.py
%endif
%build
autoreconf -fi
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="$CFLAGS"
export LDFLAGS="-Wl,-z,relro,-z,now"
# no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
%configure \
%ifarch aarch64
--with-aarch64 \
%endif
%ifarch arm
--with-arm \
%endif
--enable-systemd \
--libexecdir=%{_libexecdir}/%{_name} \
--with-apparmor \
--with-libwrap \
--with-libcap-ng=yes \
--disable-static \
%{?_with_python3} \
%{?_without_python}
%make_build
%sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf
%install
%make_install
mkdir -p %{buildroot}%{_localstatedir}/log/audit/
touch %{buildroot}%{_localstatedir}/log/audit/audit.log
mkdir -p %{buildroot}%{_localstatedir}/spool/audit/
mkdir -p %{buildroot}%{_sysusersdir}
install -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/
# For ghost below, so that old location files will still be there when
# post copy runs
mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/
mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/rules.d/
touch %{buildroot}%{_sysconfdir}/{auditd.conf,audit.rules} %{buildroot}%{_sysconfdir}/audit/auditd.conf
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec %{buildroot}%{_sysconfdir}/libaudit.conf
# Starting with audit 2.5 no config is installed so start with no rules
install -m 0644 rules/10-no-audit.rules %{buildroot}%{_sysconfdir}/%{_name}/rules.d/audit.rules
# delete redhat scripts, use ours
rm -rf %{buildroot}%{_sysconfdir}/sysconfig/auditd
rm -rf %{buildroot}%{_initddir}/auditd
rm -rf %{buildroot}%{_sysconfdir}/rc.d/init.d
# delete redhat systemd legacy scripts, our systemd doesn't support the feature
# https://lists.fedoraproject.org/pipermail/devel/2012-June/169411.html
rm -rf %{buildroot}%{_libexecdir}/audit
# Clean up some unneeded library files
rm -f %{buildroot}/%{_libdir}/python*/site-packages/{_audit,_auparse,auparse}.{a,la}
rm -rf %{buildroot}/%{_libdir}/python*/site-packages/__pycache__
# cleanup makefiles for the rules (installed by %%docs command)
rm -f %{buildroot}/%{_libdir}/pkgconfig/{audit,auparse}.pc
# cleanup files handled by audit.spec
rm -rf %{buildroot}/%{_datadir}/aclocal/
rm -rf %{buildroot}/%{_includedir}
rm -f %{buildroot}/%{_libdir}/lib{audit,auparse}.*
rm -f %{buildroot}%{_sysconfdir}/libaudit.conf
rm -f %{buildroot}/%{_mandir}/man5/libaudit.conf.5
rm -rf %{buildroot}/%{_mandir}/man3
# Cleanup plugins
#USR-MERGE
%if 0%{?suse_version} < 1550
mkdir %{buildroot}/sbin/
for prog in auditctl auditd ausearch autrace aureport augenrules; do
ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
done
%endif
#END-USR-MERGE
# rcauditd symlink
ln -s service %{buildroot}%{_sbindir}/rcauditd
chmod 0644 %{buildroot}%{_unitdir}/auditd.service
chmod 0644 %{buildroot}%{_unitdir}/augenrules.service
%check
%make_build check
%post -n audit
# Save existing audit files if any (from old locations)
if [ -f %{_sysconfdir}/auditd.conf ]; then
mv %{_sysconfdir}/audit/auditd.conf %{_sysconfdir}/audit/auditd.conf.new
mv %{_sysconfdir}/auditd.conf %{_sysconfdir}/audit/auditd.conf
fi
if [ -f %{_sysconfdir}/audit.rules ]; then
mv %{_sysconfdir}/audit.rules %{_sysconfdir}/audit/audit.rules
elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then
cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
fi
%service_add_post auditd.service
%service_add_post augenrules.service
%pre -n audit
%service_add_pre auditd.service
%service_add_pre augenrules.service
%pre -n system-group-audit -f audit.pre
%preun -n audit
%service_del_preun auditd.service
%service_del_preun augenrules.service
%postun -n audit
%service_del_postun auditd.service
%service_del_postun augenrules.service
%files -n audit
%license COPYING
%doc README ChangeLog init.d/auditd.cron
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%if 0%{?suse_version} < 1550
/sbin/auditctl
/sbin/auditd
/sbin/ausearch
/sbin/autrace
/sbin/augenrules
/sbin/aureport
%endif
%attr(750,root,root) %{_sbindir}/auditctl
%attr(750,root,root) %{_sbindir}/auditd
%attr(755,root,root) %{_sbindir}/ausearch
%attr(750,root,root) %{_sbindir}/autrace
%attr(750,root,root) %{_sbindir}/augenrules
%attr(750,root,root) %{_sbindir}/audisp-syslog
%attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall
%attr(755,root,root) %{_sbindir}/aureport
%attr(755,root,root) %{_bindir}/auvirt
%dir %attr(750,root,root) %{_sysconfdir}/audit
%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
%ghost %{_sysconfdir}/auditd.conf
%ghost %{_sysconfdir}/audit.rules
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
%dir %attr(750,root,audit) %{_localstatedir}/log/audit
%ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
%dir %attr(700,root,root) %{_localstatedir}/spool/audit
%{_unitdir}/auditd.service
%{_unitdir}/augenrules.service
%{_sbindir}/rcauditd
%{_datadir}/audit/
%files -n system-group-audit
%{_sysusersdir}/system-group-audit.conf
%if %{with python2}
%files -n python2-audit
%attr(755,root,root) %{python2_sitearch}/_audit.so
%attr(755,root,root) %{python2_sitearch}/auparse.so
%{python2_sitearch}/audit.py*
%endif
%if %{with python3}
%files -n python3-audit
%attr(755,root,root) %{python3_sitearch}/*
%endif
%files -n audit-audispd-plugins
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
%attr(750,root,root) %dir %{_sysconfdir}/audit
%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf
%attr(750,root,root) %{_sbindir}/audisp-remote
%attr(750,root,root) %{_sbindir}/audispd-zos-remote
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf
%changelog

View File

@ -0,0 +1,38 @@
From: Sergei Trofimovich <slyich@gmail.com>
Date: Wed, 23 Mar 2022 07:27:05 +0000
Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
References: https://github.com/linux-audit/audit-userspace/issues/252
Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49
Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
Patch-mainline: submitted for review upstream
As it's a flexible array generated code was never safe to use.
With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
change it's a build failure now:
audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
audit> | ^
Let's avoid setter generation entirely.
Closes: https://github.com/linux-audit/audit-userspace/issues/252
---
bindings/swig/src/auditswig.i | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
index 21aafca31..9a2c5661d 100644
--- a/bindings/swig/src/auditswig.i
+++ b/bindings/swig/src/auditswig.i
@@ -39,6 +39,10 @@ signed
#define __attribute(X) /*nothing*/
typedef unsigned __u32;
typedef unsigned uid_t;
+/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
+ * generating setters against them: https://github.com/swig/swig/issues/1699
+ */
+%ignore audit_rule_data::buf;
%include "/usr/include/linux/audit.h"
#define __extension__ /*nothing*/
%include <stdint.i>

1525
audit.changes Normal file

File diff suppressed because it is too large Load Diff

152
audit.spec Normal file
View File

@ -0,0 +1,152 @@
#
# spec file for package audit
#
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: audit
Version: 3.0.9
Release: 0
Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later
Group: System/Monitoring
URL: https://people.redhat.com/sgrubb/audit/
Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: baselibs.conf
Source2: README-BEFORE-ADDING-PATCHES
Patch0: change-default-log_group.patch
BuildRequires: autoconf >= 2.12
BuildRequires: kernel-headers >= 2.6.30
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: tcpd-devel
Requires: libaudit1 = %{version}
Requires: libauparse0 = %{version}
Provides: bundled(libev) = 4.33
%description
The audit package contains the user space utilities for storing and
processing the records generated by the audit subsystem in the
Linux kernel.
%package -n libaudit1
Summary: Library for interfacing with the kernel audit subsystem
License: LGPL-2.1-or-later
Group: System/Libraries
Obsoletes: %{name}-libs < 2.0.4
Provides: %{name}-libs = %{version}
%description -n libaudit1
The libaudit package contains the shared libraries needed for
applications to use the audit framework.
%package -n libauparse0
Summary: Library for parsing and interpreting audit events
License: LGPL-2.1-or-later
Group: System/Libraries
%description -n libauparse0
The libauparse package contains the shared libraries needed to
parse audit records.
%package -n audit-devel
Summary: Header files for libaudit
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
Requires: libaudit1 = %{version}
Requires: libauparse0 = %{version}
%description -n audit-devel
The audit-devel package contains the header files
needed for developing applications that need to use the audit framework
libraries.
%prep
%autosetup -p1
%build
autoreconf -fi
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="$CFLAGS"
export LDFLAGS="-Wl,-z,relro,-z,now"
# no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
%configure \
%ifarch aarch64
--with-aarch64 \
%endif
%ifarch arm
--with-arm \
%endif
--enable-systemd \
--libexecdir=%{_libexecdir}/%{name} \
--with-apparmor \
--with-libcap-ng=no \
--disable-static \
--with-python=no \
--disable-zos-remote
%make_build -C common
%make_build -C lib
%make_build -C auparse
%make_build -C docs
%install
%make_install -C common
%make_install -C lib
%make_install -C auparse
%make_install -C docs
rm -rf %{buildroot}/%{_mandir}/man[578]
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}/%{_includedir}
mkdir -p %{buildroot}/%{_mandir}/man5
# We manually install this since Makefile doesn't
install -m 0644 lib/libaudit.h %{buildroot}/%{_includedir}
install -D -m 0644 ./m4/audit.m4 %{buildroot}%{_datadir}/aclocal/audit.m4
# Install libaudit.conf files by hand
install -m 0644 docs/libaudit.conf.5 %{buildroot}/%{_mandir}/man5
install -m 0644 init.d/libaudit.conf %{buildroot}%{_sysconfdir}
find %{buildroot} -type f -name "*.la" -delete -print
%check
%make_build -C lib check
%make_build -C auparse check
%post -n libaudit1 -p /sbin/ldconfig
%post -n libauparse0 -p /sbin/ldconfig
%postun -n libaudit1 -p /sbin/ldconfig
%postun -n libauparse0 -p /sbin/ldconfig
%files -n libaudit1
%{_libdir}/libaudit.so.*
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/libaudit.conf
%{_mandir}/man5/libaudit.conf.5%{ext_man}
%files -n libauparse0
%{_libdir}/libauparse.so.*
%files -n audit-devel
%doc contrib/plugin
%{_libdir}/libaudit.so
%{_libdir}/libauparse.so
%{_includedir}/libaudit.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_mandir}/man3/*
%{_datadir}/aclocal/audit.m4
%{_libdir}/pkgconfig/audit.pc
%{_libdir}/pkgconfig/auparse.pc
%changelog

7
baselibs.conf Normal file
View File

@ -0,0 +1,7 @@
libaudit1
obsoletes "audit-libs-<targettype> < 2.0.4"
libauparse0
audit-devel
requires -audit-<targettype>
requires "libaudit1-<targettype> = <version>"
requires "libauparse0-<targettype> = <version>"

View File

@ -0,0 +1,28 @@
From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: auditd.conf: change default log_format
References: bsc#1190500
Upstream commit bf1270cfe ("change default logging format and update roadmap")
changed the default log_format from RAW to ENRICHED.
This causes non-audit tools to not interpret the GS character (group separator,
0x1d) that splits the raw data from the enriched data, causing it to be visually
concatenated.
Since a candidate patch to change this was rejected by upstream, we change
the default log_format back to RAW instead, to avoid confusion on customers'
environments.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.conf
+++ b/init.d/auditd.conf
@@ -6,7 +6,7 @@ local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = audit
-log_format = ENRICHED
+log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8

View File

@ -0,0 +1,21 @@
From: Enzo Matsumiya <ematsumiya@suse.de>
Date: Thu Jan 28 18:11:39 UTC 2021
References: bsc#1178154
Patch-mainline: Not yet, under review
Subject: change default log_group to "audit"
Change the default log_group to newly added "audit" group.
Signed-Off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.conf
+++ b/init.d/auditd.conf
@@ -5,7 +5,7 @@
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
-log_group = root
+log_group = audit
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50

View File

@ -0,0 +1,97 @@
Index: audit-3.0.9/init.d/augenrules.service
===================================================================
--- /dev/null
+++ audit-3.0.9/init.d/augenrules.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=auditd rules generation
+After=auditd.service
+Documentation=man:augenrules(8)
+
+[Service]
+Type=oneshot
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+ExecStart=/sbin/augenrules --load
+# We need RemainAfterExit=true so augenrules is called again
+# in case auditd.service is restarted.
+RemainAfterExit=true
+
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectHome=true
+RestrictRealtime=true
+# for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ReadWritePaths=/etc/audit
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
ConditionKernelCommandLine=!audit=off
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+Requires=augenrules.service
+# This unit clears rules on stop, so make sure that augenrules runs again
+PropagatesStopTo=augenrules.service
[Service]
Type=forking
PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and comment/delete the next line and uncomment the auditctl line.
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-ExecStartPost=-/sbin/augenrules --load
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
+## uncomment the next line, and comment the Requires=augenrules.service above.
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service
@@ -46,7 +47,6 @@ ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
# end of automatic additions
-ReadWritePaths=/etc/audit
[Install]
WantedBy=multi-user.target
Index: audit-3.0.9/init.d/Makefile.am
===================================================================
--- audit-3.0.9.orig/init.d/Makefile.am
+++ audit-3.0.9/init.d/Makefile.am
@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
auditd.cron libaudit.conf auditd.condrestart \
auditd.reload auditd.restart auditd.resume \
auditd.rotate auditd.state auditd.stop \
- audit-stop.rules augenrules audit-functions
+ audit-stop.rules augenrules audit-functions \
+ augenrules.service
libconfig = libaudit.conf
if ENABLE_SYSTEMD
initdir = /usr/lib/systemd/system
@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
mkdir -p ${DESTDIR}${legacydir}
mkdir -p ${DESTDIR}${libexecdir}
$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
@@ -72,6 +74,7 @@ uninstall-hook:
rm ${DESTDIR}${sysconfdir}/${libconfig}
if ENABLE_SYSTEMD
rm ${DESTDIR}${initdir}/auditd.service
+ rm ${DESTDIR}${initdir}/augenrules.service
rm ${DESTDIR}${legacydir}/rotate
rm ${DESTDIR}${legacydir}/resume
rm ${DESTDIR}${legacydir}/reload

29
enable-stop-rules.patch Normal file
View File

@ -0,0 +1,29 @@
From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
References: bsc#1190227
This has caused confusion for customers when relating stopping auditd service
is the same as stopping system auditing. This is completely understandable, but
it's by design, so kauditd can keep filling its queues for any other userspace
daemon to consume.
Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-# By default we don't clear the rules on exit. To enable this, uncomment
+# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
RestartPreventExitStatus=2 4 6

View File

@ -0,0 +1,32 @@
From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: make /etc/audit writable
References: bsc#1181400
systemd hardening effort (bsc#1181400) broke auditd.service when starting/
restarting it. This was because auditd couldn't save/create audit.rules from
/etc/audit/rules.d/* files.
Make /etc/audit writable for the service.
Also remove PrivateDevices=true so /dev/* are exposed to auditd.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -41,12 +41,12 @@ RestrictRealtime=true
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
-PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
# end of automatic additions
+ReadWritePaths=/etc/audit
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,20 @@
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -38,6 +38,15 @@ LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true
RestrictRealtime=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+# end of automatic additions
[Install]
WantedBy=multi-user.target

26
libev-werror.patch Normal file
View File

@ -0,0 +1,26 @@
From: Jan Engelhardt <jengelh@inai.de>
Date: 2021-06-02 16:18:03.256597842 +0200
Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
to fix some terrible code.
[ 50s] ev_iouring.c: In function 'iouring_sqe_submit':
[ 50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
---
src/libev/ev_iouring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: audit-3.0.1/src/libev/ev_iouring.c
===================================================================
--- audit-3.0.1.orig/src/libev/ev_iouring.c
+++ audit-3.0.1/src/libev/ev_iouring.c
@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
}
inline_size
-struct io_uring_sqe *
+void
iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
{
unsigned idx = sqe - EV_SQES;

2
system-group-audit.conf Normal file
View File

@ -0,0 +1,2 @@
# Type Name ID GECOS [HOME]
g audit -