diff --git a/audit-3.1.1.tar.gz b/audit-3.1.1.tar.gz deleted file mode 100644 index 16cf0d9..0000000 --- a/audit-3.1.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:46e46b37623cce09e6ee134e78d668afc34f4e1c870c853ef12e4193078cfe87 -size 1218111 diff --git a/audit-4.0.tar.gz b/audit-4.0.tar.gz new file mode 100644 index 0000000..a6596da --- /dev/null +++ b/audit-4.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bf422d4126ab77a92a4c3ac39de5473f278dc3de35724d2518a48c7be15d54d8 +size 1179876 diff --git a/audit-allow-manual-stop.patch b/audit-allow-manual-stop.patch deleted file mode 100644 index 82663c3..0000000 --- a/audit-allow-manual-stop.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Tony Jones -Subject: allow service stop -References: https://lists.fedoraproject.org/pipermail/devel/2012-June/169411.html -References: https://www.redhat.com/archives/linux-audit/2013-July/msg00048.html ---- - -legacy-actions is Fedora specific, so blocking manual stop won't work for -SUSE since we lack the ability to use a custom stop/restart - - - init.d/auditd.service | 1 - - 1 file changed, 1 deletion(-) - -Index: audit-3.0.9/init.d/auditd.service -=================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service -@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s - Before=sysinit.target shutdown.target - ##Before=shutdown.target - Conflicts=shutdown.target --RefuseManualStop=yes - ConditionKernelCommandLine=!audit=0 - ConditionKernelCommandLine=!audit=off - diff --git a/audit-secondary.changes b/audit-secondary.changes index e1fb40f..97000ad 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes 
@@ -1,3 +1,71 @@ +------------------------------------------------------------------- +Thu Sep 26 16:51:29 UTC 2024 - Enzo Matsumiya + +- Update audit-secondary.spec: + * Add "Requires: audit-rules" for audit package + * Remove preun/postun handling of audit-rules.service + +------------------------------------------------------------------- +Tue Sep 17 18:23:15 UTC 2024 - Enzo Matsumiya + +- Update to 4.0 + - Drop python2 support + - Drop auvirt and autrace programs + - Drop SysVinit support + - Require the use of the 5.0 or later kernel headers + - New README.md file + - Rewrite legacy service functions in terms of systemctl + - Consolidate and update end of event detection to a common function + - Split off rule loading from auditd.service into audit-rules.service + - Refactor libaudit.h to split out logging functions and record numbers + - Speed up aureport --summary reports + - Limit libaudit python bindings to logging functions + - Add a metrics function for auparse + - Change auditctl to use pidfd_send_signal for signaling auditd + - Adjust watches to optimize syscalls hooked when watch file access + - Drop nispom rules + - Add intepretations for fsconfig, fsopen, fsmount, & move_mount + - Many code fixups (cgzones) + - Update syscall and interpretation tables to the 6.8 kernel + (from v3.1.2) + - When processing a run level change, make auditd exit + - In auditd, fix return code when rules added in immutable mode + - In auparse, when files are given, also consider EUID for access + - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya) + - Disable Python bindings from setting rules due to swig bug (S. 
Trofimovich) + - Update all lookup tables for the 6.5 kernel + - Don't be as paranoid about auditctl -R file permissions + - In ausearch, correct subject/object search to be an and if both are given + - Adjust formats for 64 bit time_t + - Fix segfault in python bindings around the feed API + - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings + +- Update spec: + * Move rules-related files into new subpackage `audit-rules': + * Files moved: + - /sbin/auditctl, /sbin/augenrules, + /etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules} + - manpages for auditctl, augenrules, and audit.rules + - /etc/audit is now owned by `audit-rules' as well + * Add new file /usr/lib/systemd/system/audit-rules.service + * Remove in-house create-augenrules-service.patch that generated + augenrules.service systemd unit service + * Remove ownership of /usr/share/audit + * Create /usr/share/audit-rules directory on %install + * Remove audit-userspace-517-compat.patch (fixed upstream) + * Remove libev-werror.patch (fixed upstream) + * Remove audit-allow-manual-stop.patch (fixed upstream) + * Add fix-auparse-test.patch (downstream): + Upstream tests uses a static value (42) for 'gdm' uid/gid (based + on Fedora values, apparently). Replace these occurrences with + 'unknown(123456)' + * Replace '--with-python' with '--with-python3' on %configure + * Remove autrace and auvirt references (upstream) + * Replace README with README.md +- Drop `--enable-systemd' from %configure as SysV-style scripts + aren't supported in upstream since + 113ae191758c ("Drop support for SysVinit") + ------------------------------------------------------------------- Mon Aug 5 08:50:50 UTC 2024 - Thorsten Kukuk diff --git a/audit-secondary.spec b/audit-secondary.spec index 6140594..b9fc07b 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec 
@@ -22,7 +22,7 @@ # The seperation is required to minimize unnecessary build cycles. %define _name audit Name: audit-secondary -Version: 3.1.1 +Version: 4.0 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -32,16 +32,13 @@ Source0: https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.g Source1: system-group-audit.conf Patch1: audit-plugins-path.patch Patch2: audit-no-gss.patch -Patch3: audit-allow-manual-stop.patch -Patch4: audit-ausearch-do-not-require-tclass.patch -Patch5: change-default-log_group.patch -Patch6: libev-werror.patch -Patch7: harden_auditd.service.patch -Patch8: change-default-log_format.patch -Patch9: fix-hardened-service.patch -Patch10: enable-stop-rules.patch -Patch11: create-augenrules-service.patch -Patch12: audit-userspace-517-compat.patch +Patch3: audit-ausearch-do-not-require-tclass.patch +Patch4: change-default-log_group.patch +Patch5: harden_auditd.service.patch +Patch6: change-default-log_format.patch +Patch7: fix-hardened-service.patch +Patch8: enable-stop-rules.patch +Patch9: fix-auparse-test.patch BuildRequires: audit-devel = %{version} BuildRequires: autoconf >= 2.12 BuildRequires: kernel-headers >= 2.6.30 @@ -71,6 +68,7 @@ Summary: User Space Tools for Kernel Auditing License: LGPL-2.1-or-later Group: System/Monitoring Requires: %{_name}-libs = %{version} +Requires: %{_name}-rules = %{version} Requires: coreutils Requires: group(audit) %{?systemd_ordering} 
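Review bot: `BuildRequires: kernel-headers >= 2.6.30` is left untouched as context in the `@@ -32,16 +32,13 @@` hunk although the changelog added by this same commit states that 4.0 "Require[s] the use of the 5.0 or later kernel headers"; bump it to `BuildRequires: kernel-headers >= 5.0` so a build host with older headers is rejected by rpmbuild rather than failing somewhere inside configure. The identical stale line is visible as context in audit.spec's `@@ -33,6 +33,7 @@` hunk and should be updated there as well. The Patch renumbering itself is consistent with the patch files deleted elsewhere in this commit.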
@@ -80,10 +78,19 @@ The audit package contains the user space utilities for storing and processing the audit records generated by the audit subsystem in the Linux kernel. +%package -n audit-rules +Summary: Rules and utilities for audit +License: LGPL-2.1-or-later +Recommends: audit = %{version}-%{release} + +%description -n audit-rules +The audit rules package contains the rules and utilities to load audit rules. + %package -n system-group-audit Summary: System group 'audit' License: LGPL-2.1-or-later Group: System/Fhs +BuildArch: noarch %sysusers_requires %description -n system-group-audit @@ -148,7 +155,6 @@ export LDFLAGS="-Wl,-z,relro,-z,now" %ifarch arm --with-arm \ %endif - --enable-systemd \ --libexecdir=%{_libexecdir}/%{_name} \ --with-apparmor \ --with-libwrap \ @@ -162,7 +168,8 @@ export LDFLAGS="-Wl,-z,relro,-z,now" %sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf %install -%make_install +# Set $PYTHON3 here so py-compile works correctly on distros that doesn't ship /usr/bin/python +%make_install PYTHON3=$(realpath %__python3) mkdir -p %{buildroot}%{_localstatedir}/log/audit/ touch %{buildroot}%{_localstatedir}/log/audit/audit.log @@ -173,6 +180,7 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/ # post copy runs mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/ mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/rules.d/ +mkdir -p %{buildroot}%{_datadir}/%{_name}-rules touch %{buildroot}%{_sysconfdir}/{auditd.conf,audit.rules} %{buildroot}%{_sysconfdir}/audit/auditd.conf # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp touch -r ./audit.spec %{buildroot}%{_sysconfdir}/libaudit.conf @@ -201,7 +209,7 @@ rm -rf %{buildroot}/%{_mandir}/man3 #USR-MERGE %if 0%{?suse_version} < 1550 mkdir %{buildroot}/sbin/ -for prog in auditctl auditd ausearch autrace aureport augenrules; do +for prog in auditctl auditd ausearch aureport augenrules; do ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog done %endif 
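Review bot: The new `%package -n audit-rules` stanza is the only subpackage in view without a `Group:` tag, while the adjacent `audit` and `system-group-audit` stanzas carry `Group: System/Monitoring` and `Group: System/Fhs`; adding `Group: System/Monitoring` keeps the stanzas parallel. Its `Recommends: audit = %{version}-%{release}` also spells the dependency differently from the `Requires: %{_name}-rules = %{version}` that the previous hunk adds to the audit package, so one direction pins the release and the other does not; pick one form for both. Minor wording in the comment added above `%make_install`: `distros that doesn't ship` should read `distros that don't ship`.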
@@ -211,7 +219,6 @@ done ln -s service %{buildroot}%{_sbindir}/rcauditd %endif chmod 0644 %{buildroot}%{_unitdir}/auditd.service -chmod 0644 %{buildroot}%{_unitdir}/augenrules.service %check %make_build check 
@@ -228,78 +235,101 @@ elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules fi %service_add_post auditd.service -%service_add_post augenrules.service +%service_add_post audit-rules.service + +%post -n audit-rules +%systemd_post audit-rules.service +# Copy default rules into place on new installation +files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w` +if [ "$files" -eq 0 ] ; then + touch %{_sysconfdir}/audit.rules + install -m 0600 %{_datadir}/audit-rules/10-no-audit.rules %{_sysconfdir}/%{_name}/rules.d/audit.rules + # Make the new rules active + augenrules --load +fi %pre -n audit %service_add_pre auditd.service -%service_add_pre augenrules.service + +%pre -n audit-rules +%service_add_pre audit-rules.service %pre -n system-group-audit -f audit.pre %preun -n audit %service_del_preun auditd.service -%service_del_preun augenrules.service + +%preun -n audit-rules +# If uninstalling, delete the rules loaded in the kernel +if [ $1 -eq 0 ]; then + auditctl -D > /dev/null 2>&1 +fi +%service_del_preun audit-rules.service %postun -n audit %service_del_postun auditd.service -%service_del_postun augenrules.service + +%postun -n audit-rules +%service_del_postun audit-rules.service %files -n audit %license COPYING -%doc README ChangeLog init.d/auditd.cron -%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz +%doc README.md ChangeLog init.d/auditd.cron %attr(644,root,root) %{_mandir}/man8/auditd.8.gz %attr(644,root,root) %{_mandir}/man8/aureport.8.gz %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz -%attr(644,root,root) %{_mandir}/man8/autrace.8.gz %attr(644,root,root) %{_mandir}/man8/aulast.8.gz %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz -%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz -%attr(644,root,root) 
%{_mandir}/man8/auvirt.8.gz -%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz %attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz %if 0%{?suse_version} < 1550 -/sbin/auditctl /sbin/auditd /sbin/ausearch -/sbin/autrace -/sbin/augenrules /sbin/aureport %endif -%attr(750,root,root) %{_sbindir}/auditctl %attr(750,root,root) %{_sbindir}/auditd %attr(755,root,root) %{_sbindir}/ausearch -%attr(750,root,root) %{_sbindir}/autrace -%attr(750,root,root) %{_sbindir}/augenrules %attr(750,root,root) %{_sbindir}/audisp-syslog %attr(755,root,root) %{_bindir}/aulast %attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/ausyscall %attr(755,root,root) %{_sbindir}/aureport %attr(755,root,root) %{_sbindir}/audisp-af_unix -%attr(755,root,root) %{_bindir}/auvirt %dir %attr(750,root,root) %{_sysconfdir}/audit -%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d +%dir %attr(750,root,root) %{_sysconfdir}/audit/plugins.d %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf %ghost %{_sysconfdir}/auditd.conf -%ghost %{_sysconfdir}/audit.rules %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf -%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules %dir %attr(750,root,audit) %{_localstatedir}/log/audit %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log %dir %attr(700,root,root) %{_localstatedir}/spool/audit %{_unitdir}/auditd.service -%{_unitdir}/augenrules.service %if 0%{?suse_version} < 1550 %{_sbindir}/rcauditd %endif -%{_datadir}/audit/ + +%files -n audit-rules +%dir %attr(755,root,root) %{_datadir}/audit-rules +%attr(644,root,root) %{_datadir}/audit-rules/* +%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz +%attr(644,root,root) 
%{_mandir}/man8/augenrules.8.gz +%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz +%if 0%{?suse_version} < 1550 +/sbin/auditctl +/sbin/augenrules +%endif +%attr(750,root,root) %{_sbindir}/auditctl +%attr(750,root,root) %{_sbindir}/augenrules +%attr(644,root,root) %{_unitdir}/audit-rules.service +%dir %attr(750,root,root) %{_sysconfdir}/audit +%ghost %{_sysconfdir}/audit.rules +%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d +%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules +%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit.rules +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules %files -n system-group-audit %{_sysusersdir}/system-group-audit.conf @@ -308,12 +338,13 @@ fi %files -n python2-audit %attr(755,root,root) %{python2_sitearch}/_audit.so %attr(755,root,root) %{python2_sitearch}/auparse.so -%{python2_sitearch}/audit.py* +%attr(644,root,root) %{python2_sitearch}/audit.py* %endif %if %{with python3} %files -n python3-audit %attr(755,root,root) %{python3_sitearch}/* +%attr(644,root,root) %{python3_sitearch}/audit.py* %endif %files -n audit-audispd-plugins diff --git a/audit-userspace-517-compat.patch b/audit-userspace-517-compat.patch deleted file mode 100644 index 6d3b72e..0000000 --- a/audit-userspace-517-compat.patch +++ /dev/null 
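Review bot: `%post -n audit-rules` uses `%systemd_post audit-rules.service` while every other scriptlet in this hunk uses the `%service_add_pre`/`%service_add_post`/`%service_del_*` family, and `%post -n audit` still runs `%service_add_post audit-rules.service` for a unit that `%files -n audit-rules` now owns, so the unit is post-handled by two packages. Move the handling into the owning package, `%service_add_post audit-rules.service` in `%post -n audit-rules`, and drop that line from `%post -n audit`. In the same scriptlet `install -m 0600 ... rules.d/audit.rules` disagrees with the `%attr(640,root,root)` declared for that ghost path further down, and the emptiness check hard-codes `/etc/audit/rules.d/` where the neighbouring lines use macros; `files=$(ls %{_sysconfdir}/%{_name}/rules.d/ 2>/dev/null | wc -w)` and `-m 0640` make both consistent. `augenrules --load` is then run unconditionally on first install with nothing reporting a failed load; a one-line comment stating whether a failure here is acceptable (presumably audit-rules.service re-attempts it at boot) would save the next reader from guessing.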
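Review bot: In `%files -n python3-audit` the new `%attr(644,root,root) %{python3_sitearch}/audit.py*` is already matched by the preceding `%attr(755,root,root) %{python3_sitearch}/*` glob, so the file is listed twice, rpmbuild will warn, and which `%attr` ends up applied is not something the spec should depend on. Replace the catch-all with explicit entries mirroring the python2 block, adapted to the ABI-tagged names, e.g. `%attr(755,root,root) %{python3_sitearch}/_audit*.so` and `%attr(755,root,root) %{python3_sitearch}/auparse*.so`, keeping the `audit.py*` line. The changelog in this commit says upstream 4.0 drops python2 support, so the `%files -n python2-audit` block edited here is presumably dead; its guarding `%if` starts above the hunk, so I cannot tell from here whether the whole block can go.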
@@ -1,38 +0,0 @@ -From: Sergei Trofimovich -Date: Wed, 23 Mar 2022 07:27:05 +0000 -Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf -References: https://github.com/linux-audit/audit-userspace/issues/252 -Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49 -Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git] -Patch-mainline: submitted for review upstream - -As it's a flexible array generated code was never safe to use. -With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574 -change it's a build failure now: - - audit> audit_wrap.c:5010:15: error: invalid use of flexible array member - audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size)); - audit> | ^ - -Let's avoid setter generation entirely. - -Closes: https://github.com/linux-audit/audit-userspace/issues/252 ---- - bindings/swig/src/auditswig.i | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i -index 21aafca31..9a2c5661d 100644 ---- a/bindings/swig/src/auditswig.i -+++ b/bindings/swig/src/auditswig.i -@@ -39,6 +39,10 @@ signed - #define __attribute(X) /*nothing*/ - typedef unsigned __u32; - typedef unsigned uid_t; -+/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not: -+ * generating setters against them: https://github.com/swig/swig/issues/1699 -+ */ -+%ignore audit_rule_data::buf; - %include "/usr/include/linux/audit.h" - #define __extension__ /*nothing*/ - %include diff --git a/audit.changes b/audit.changes index c05a79e..fb9ecfe 100644 --- a/audit.changes +++ b/audit.changes 
@@ -1,3 +1,47 @@ +------------------------------------------------------------------- +Tue Sep 17 18:20:58 UTC 2024 - Enzo Matsumiya + +- Update to 4.0 + - Drop python2 support + - Drop auvirt and autrace programs + - Drop SysVinit support + - Require the use of the 5.0 or later kernel headers + - New README.md file + - Rewrite legacy service functions in terms of systemctl + - Consolidate and update end of event detection to a common function + - Split off rule loading from auditd.service into audit-rules.service + - Refactor libaudit.h to split out logging functions and record numbers + - Speed up aureport --summary reports + - Limit libaudit python bindings to logging functions + - Add a metrics function for auparse + - Change auditctl to use pidfd_send_signal for signaling auditd + - Adjust watches to optimize syscalls hooked when watch file access + - Drop nispom rules + - Add intepretations for fsconfig, fsopen, fsmount, & move_mount + - Many code fixups (cgzones) + - Update syscall and interpretation tables to the 6.8 kernel + (from v3.1.2) + - When processing a run level change, make auditd exit + - In auditd, fix return code when rules added in immutable mode + - In auparse, when files are given, also consider EUID for access + - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya) + - Disable Python bindings from setting rules due to swig bug (S. Trofimovich) + - Update all lookup tables for the 6.5 kernel + - Don't be as paranoid about auditctl -R file permissions + - In ausearch, correct subject/object search to be an and if both are given + - Adjust formats for 64 bit time_t + - Fix segfault in python bindings around the feed API + - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings + +- Update spec: + * Add fix-auparse-test.patch (downstream): + Upstream tests uses a static value (42) for 'gdm' uid/gid (based + on Fedora values, apparently). 
Replace these occurrences with + 'unknown(123456)' + * Replace '--with-python' with '--with-python3' on %configure + * Add new headers 'audit_logging.h' and 'audit-records.h' for + audit-devel + ------------------------------------------------------------------- Mon Jul 3 08:33:52 UTC 2023 - Paolo Stivanin diff --git a/audit.spec b/audit.spec index b8069e2..0771252 100644 --- a/audit.spec +++ b/audit.spec @@ -23,7 +23,7 @@ %endif Name: audit -Version: 3.1.1 +Version: 4.0 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -33,6 +33,7 @@ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Source1: baselibs.conf Source2: README-BEFORE-ADDING-PATCHES Patch0: change-default-log_group.patch +Patch1: fix-auparse-test.patch BuildRequires: autoconf >= 2.12 BuildRequires: kernel-headers >= 2.6.30 BuildRequires: libtool @@ -98,12 +99,11 @@ export LDFLAGS="-Wl,-z,relro,-z,now" %ifarch arm --with-arm \ %endif - --enable-systemd \ --libexecdir=%{_libexecdir}/%{name} \ --with-apparmor \ --with-libcap-ng=no \ --disable-static \ - --with-python=no \ + --with-python3=no \ --disable-zos-remote %make_build -C common @@ -178,6 +178,8 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/libaudit.so %{_libdir}/libauparse.so %{_includedir}/libaudit.h +%{_includedir}/audit_logging.h +%{_includedir}/audit-records.h %{_includedir}/auparse.h %{_includedir}/auparse-defs.h %{_mandir}/man3/* diff --git a/create-augenrules-service.patch b/create-augenrules-service.patch deleted file mode 100644 index 3064bc1..0000000 --- a/create-augenrules-service.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -Index: audit-3.1.1/init.d/augenrules.service -=================================================================== ---- /dev/null -+++ audit-3.1.1/init.d/augenrules.service -@@ -0,0 +1,29 @@ -+[Unit] -+Description=auditd rules generation -+After=auditd.service -+Documentation=man:augenrules(8) -+ -+[Service] -+Type=oneshot -+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ -+ExecStart=/sbin/augenrules --load -+# We need RemainAfterExit=true so augenrules is called again -+# in case auditd.service is restarted. -+RemainAfterExit=true -+ -+### Security Settings ### -+MemoryDenyWriteExecute=true -+LockPersonality=true -+ProtectControlGroups=true -+ProtectKernelModules=true -+ProtectHome=true -+RestrictRealtime=true -+# for details please see -+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -+ProtectSystem=full -+PrivateDevices=true -+ProtectHostname=true -+ProtectClock=true -+ProtectKernelTunables=true -+ProtectKernelLogs=true -+ReadWritePaths=/etc/audit -Index: audit-3.1.1/init.d/auditd.service -=================================================================== ---- audit-3.1.1.orig/init.d/auditd.service -+++ audit-3.1.1/init.d/auditd.service -@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0 - ConditionKernelCommandLine=!audit=off - - Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation -+Requires=augenrules.service -+# This unit clears rules on stop, so make sure that augenrules runs again -+PropagatesStopTo=augenrules.service - - [Service] - Type=forking - PIDFile=/run/auditd.pid - ExecStart=/sbin/auditd --## To not use augenrules, copy this file to /etc/systemd/system/auditd.service --## and comment/delete the next line and uncomment the auditctl line. 
--## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ --ExecStartPost=-/sbin/augenrules --load -+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service, -+## uncomment the next line, and comment the Requires=augenrules.service above. - #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules - # By default we clear the rules on exit. To disable this, comment - # the next line after copying the file to /etc/systemd/system/auditd.service -@@ -47,7 +48,6 @@ ProtectClock=true - ProtectKernelTunables=true - ProtectKernelLogs=true - # end of automatic additions --ReadWritePaths=/etc/audit - - [Install] - WantedBy=multi-user.target -Index: audit-3.1.1/init.d/Makefile.am -=================================================================== ---- audit-3.1.1.orig/init.d/Makefile.am -+++ audit-3.1.1/init.d/Makefile.am -@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service - auditd.cron libaudit.conf auditd.condrestart \ - auditd.reload auditd.restart auditd.resume \ - auditd.rotate auditd.state auditd.stop \ -- audit-stop.rules augenrules audit-functions -+ audit-stop.rules augenrules audit-functions \ -+ augenrules.service - libconfig = libaudit.conf - if ENABLE_SYSTEMD - initdir = /usr/lib/systemd/system -@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD - mkdir -p ${DESTDIR}${legacydir} - mkdir -p ${DESTDIR}${libexecdir} - $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir} -+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir} - $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate - $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume - $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload -@@ -72,6 +74,7 @@ uninstall-hook: - rm ${DESTDIR}${sysconfdir}/${libconfig} - if ENABLE_SYSTEMD - rm ${DESTDIR}${initdir}/auditd.service -+ rm ${DESTDIR}${initdir}/augenrules.service - rm ${DESTDIR}${legacydir}/rotate - 
rm ${DESTDIR}${legacydir}/resume - rm ${DESTDIR}${legacydir}/reload diff --git a/enable-stop-rules.patch b/enable-stop-rules.patch index 5ef0d37..20da051 100644 --- a/enable-stop-rules.patch +++ b/enable-stop-rules.patch @@ -11,18 +11,19 @@ Disable audit when auditd.service stops, so kauditd stops logging/running. Signed-off-by: Enzo Matsumiya -Index: audit-3.0.9/init.d/auditd.service -=================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service -@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd - ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ - ExecStartPost=-/sbin/augenrules --load - #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules --# By default we don't clear the rules on exit. To enable this, uncomment +--- + init.d/auditd.service | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/init.d/auditd.service ++++ b/init.d/auditd.service +@@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith + Type=forking + PIDFile=/run/auditd.pid + ExecStart=/sbin/auditd ++ExecStartPost=-/sbin/augenrules --load +# By default we clear the rules on exit. To disable this, comment - # the next line after copying the file to /etc/systemd/system/auditd.service --#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules ++# the next line after copying the file to /etc/systemd/system/auditd.service +ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules Restart=on-failure # Do not restart for intentional exits. See EXIT CODES section in auditd(8). diff --git a/fix-auparse-test.patch b/fix-auparse-test.patch new file mode 100644 index 0000000..5c0826f --- /dev/null +++ b/fix-auparse-test.patch 
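Review bot: The re-added `ExecStartPost=-/sbin/augenrules --load` puts rule loading back into auditd.service even though the changelog in this commit says upstream 4.0 split it off into audit-rules.service, and `%post -n audit-rules` in audit-secondary.spec runs `augenrules --load` too; nothing in the patch says why auditd.service needs its own copy. If the reason is that the `ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules` added just below clears the rules on every stop, so a plain restart would otherwise come back without them, record that in the unit: `# Reload rules after a restart: ExecStopPost below clears them and audit-rules.service is not re-run`. The `-` prefix also means a failed load leaves auditd running with no rules and only a journal line to show for it, which deserves a comment saying that this is intended. The patch description above the hunk still only mentions disabling audit on stop and should mention the start-side change.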
@@ -0,0 +1,223 @@ +--- + auparse/test/auparse_test.c | 2 +- + auparse/test/auparse_test.py | 2 +- + auparse/test/auparse_test.ref | 18 +++++++++--------- + auparse/test/auparse_test.ref.py | 18 +++++++++--------- + auparse/test/test.log | 4 ++-- + auparse/test/test2.log | 4 ++-- + 6 files changed, 24 insertions(+), 24 deletions(-) + +--- a/auparse/test/auparse_test.c ++++ b/auparse/test/auparse_test.c +@@ -162,7 +162,7 @@ void compound_search(ausearch_rule_t how + exit(1); + } + } else { +- if (ausearch_add_item(au, "auid", "=", "42", ++ if (ausearch_add_item(au, "auid", "=", "123456", + AUSEARCH_RULE_CLEAR)){ + printf("ausearch_add_item 4 error - %s\n", + strerror(errno)); +--- a/auparse/test/auparse_test.py ++++ b/auparse/test/auparse_test.py +@@ -112,7 +112,7 @@ def compound_search(au, how): + au.search_add_item("pid", "=", "13015", how) + au.search_add_item("type", "=", "USER_START", how) + else: +- au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR) ++ au.search_add_item("auid", "=", "123456", auparse.AUSEARCH_RULE_CLEAR) + # should stop on this one + au.search_add_item("auid", "=", "0", how) + au.search_add_item("auid", "=", "500", how) +--- a/auparse/test/auparse_test.ref ++++ b/auparse/test/auparse_test.ref +@@ -188,7 +188,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -209,7 +209,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -389,7 +389,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -410,7 +410,7 @@ 
event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -587,7 +587,7 @@ event 11 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -608,7 +608,7 @@ event 11 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -699,7 +699,7 @@ Test 6 Done + + Starting Test 7, compound search... + Found type = USER_START +-Found auid = 42 ++Found auid = 123456 + Test 7 Done + + Starting Test 8, regex search... +@@ -874,7 +874,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -895,7 +895,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +--- a/auparse/test/auparse_test.ref.py ++++ b/auparse/test/auparse_test.ref.py +@@ -180,7 +180,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -201,7 +201,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -381,7 +381,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 
(unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -402,7 +402,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -579,7 +579,7 @@ event 11 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -600,7 +600,7 @@ event 11 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -691,7 +691,7 @@ Test 6 Done + + Starting Test 7, compound search... + Found type = USER_START +-Found auid = 42 ++Found auid = 123456 + Test 7 Done + + Starting Test 8, regex search... +@@ -864,7 +864,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -885,7 +885,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +--- a/auparse/test/test2.log ++++ b/auparse/test/test2.log +@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:283): + type=PATH msg=audit(1170021493.977:283): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0 + type=USER_ACCT msg=audit(1170021601.340:284): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? 
terminal=cron res=success' + type=CRED_ACQ msg=audit(1170021601.342:285): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' +-type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1 +-type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) ++type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1 ++type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) + type=PROCTITLE msg=audit(1170021601.343:286): proctitle="(systemd)" + type=USER_START msg=audit(1170021601.344:287): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' + type=CRED_DISP msg=audit(1170021601.364:288): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' +--- a/auparse/test/test.log ++++ b/auparse/test/test.log +@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:293): + type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 
obj=system_u:object_r:postfix_spool_maildrop_t:s0 + type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' + type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' +-type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1 +-type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) ++type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1 ++type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) + type=PROCTITLE msg=audit(1170021601.343:296): proctitle="(systemd)" + type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' + type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' 
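Review bot: fix-auparse-test.patch begins directly at the `---` separator and diffstat with no header: no From/Subject, no upstream status, and no statement of why every `gdm` uid 42 fixture is rewritten to 123456, so the only rationale lives in the .changes entries that a later maintainer rebasing the patch will not have open. Add a short header above the diffstat giving the subject, a `Patch-mainline:` line and the one-sentence reason from the changelog (the upstream fixtures assume Fedora's `gdm` uid, while an id that resolves to `unknown(...)` is distribution-neutral), in whatever form audit.spec's `Source2: README-BEFORE-ADDING-PATCHES` prescribes. I cannot verify from here that 123456 is unallocated on every target, which is a second reason to state that assumption in the header.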
diff --git a/libev-werror.patch b/libev-werror.patch deleted file mode 100644 index 68b2467..0000000 --- a/libev-werror.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Jan Engelhardt -Date: 2021-06-02 16:18:03.256597842 +0200 - -Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25 -to fix some terrible code. - -[ 50s] ev_iouring.c: In function 'iouring_sqe_submit': -[ 50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type] - ---- - src/libev/ev_iouring.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: audit-3.0.1/src/libev/ev_iouring.c -=================================================================== ---- audit-3.0.1.orig/src/libev/ev_iouring.c -+++ audit-3.0.1/src/libev/ev_iouring.c -@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P) - } - - inline_size --struct io_uring_sqe * -+void - iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe) - { - unsigned idx = sqe - EV_SQES;