pool/audit
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
90ef868a13
audit/enable-stop-rules.patch

31 lines
1.1 KiB
Diff
Raw Normal View History

- Update to 4.0 * Includes fixes since v3.1.1 * Enhance support for newer (5.0+) kernels - Update spec: * Move rules-related files into new subpackage `audit-rules': * Files moved: - /sbin/auditctl, /sbin/augenrules, /etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules} - manpages for auditctl, augenrules, and audit.rules - /etc/audit is now owned by `audit-rules' as well * Add new file /usr/lib/systemd/system/audit-rules.service * Remove in-house create-augenrules-service.patch that generated augenrules.service systemd unit service * Remove ownership of /usr/share/audit * Create /usr/share/audit-rules directory on %install * Remove audit-userspace-517-compat.patch (fixed upstream) * Remove libev-werror.patch (fixed upstream) * Remove audit-allow-manual-stop.patch (fixed upstream) * Add fix-auparse-test.patch (downstream): Upstream tests uses a static value (42) for 'gdm' uid/gid (based on Fedora values, apparently). Replace these occurrences with 'unknown(123456)' * Replace '--with-python' with '--with-python3' on %configure * Remove autrace and auvirt references (upstream) * Replace README with README.md - Drop `--enable-systemd' from %configure as SysV-style scripts aren't supported in upstream since 113ae191758c ("Drop support for SysVinit") - Update to 4.0 * Includes fixes since v3.1.1 * Enhance support for newer (5.0+) kernels - Update spec: * Add fix-auparse-test.patch (downstream): Upstream tests uses a static value (42) for 'gdm' uid/gid (based on Fedora values, apparently). Replace these occurrences with 'unknown(123456)' * Replace '--with-python' with '--with-python3' on %configure * Add new headers 'audit_logging.h' and 'audit-records.h' for audit-devel TODO: fix build for SLE/Leap OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=153
2024-09-17 10:11:59 +02:00
From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
References: bsc#1190227
This has caused confusion for customers when relating stopping auditd service
is the same as stopping system auditing. This is completely understandable, but
it's by design, so kauditd can keep filling its queues for any other userspace
daemon to consume.
Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
init.d/auditd.service | 4 ++++
1 file changed, 4 insertions(+)
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith
Type=forking
PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
+ExecStartPost=-/sbin/augenrules --load
+# By default we clear the rules on exit. To disable this, comment
+# the next line after copying the file to /etc/systemd/system/auditd.service
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
RestartPreventExitStatus=2 4 6
Reference in New Issue Copy Permalink