From 7e1b0e83b816985d641fcba464c6d05e8ec241408cba91d30cf05f5ee34bb8ea Mon Sep 17 00:00:00 2001 
From: Enzo Matsumiya Date: Mon, 19 Dec 2022 19:54:31 +0000 Subject: [PATCH] Accepting request 1043243 from home:ematsumiya:branches:security - Enable build for ARM (32-bit) - Update to version 3.0.9: * In auditd, release the async flush lock on stop * Don't allow auditd to log directly into /var/log when log_group is non-zero * Cleanup krb5 memory leaks on error paths * Update auditd.cron to use auditctl --signal * In auparse, if too many fields, realloc array bigger (Paul Wolneykien) * In auparse, special case kernel module name interpretation * If overflow_action is ignore, don't treat as an error (3.0.8) * Add gcc function attributes for access and allocation * Add some more man pages (MIZUTA Takeshi) * In auditd, change the reinitializing of the plugin queue * Fix path normalization in auparse (Sergio Correia) * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya) * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya) * Drop ProtectHome from auditd.service as it interferes with rules (3.0.7) * Add support for the OPENAT2 record type (Richard Guy Briggs) * In auditd, close the logging file descriptor when logging is suspended * Update the capabilities lookup table to match 5.16 kernel * Improve interpretation of renamat & faccessat family of syscalls * Update syscall table for the 5.16 kernel * Reduce dependency from initscripts to initscripts-service - Refresh patches (context adjusment): * audit-allow-manual-stop.patch * audit-ausearch-do-not-require-tclass.patch * audit-no-gss.patch * enable-stop-rules.patch * fix-hardened-service.patch * harden_auditd.service.patch - Remove patches (fixed by version update): * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch - Enable build for ARM (32-bit) - Update to version 3.0.9: * In auditd, release the async flush lock on stop * Don't allow auditd to log directly into /var/log when log_group is non-zero * 
Cleanup krb5 memory leaks on error paths * Update auditd.cron to use auditctl --signal * In auparse, if too many fields, realloc array bigger (Paul Wolneykien) * In auparse, special case kernel module name interpretation * If overflow_action is ignore, don't treat as an error (3.0.8) * Add gcc function attributes for access and allocation * Add some more man pages (MIZUTA Takeshi) * In auditd, change the reinitializing of the plugin queue * Fix path normalization in auparse (Sergio Correia) * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya) * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya) * Drop ProtectHome from auditd.service as it interferes with rules (3.0.7) * Add support for the OPENAT2 record type (Richard Guy Briggs) * In auditd, close the logging file descriptor when logging is suspended * Update the capabilities lookup table to match 5.16 kernel * Improve interpretation of renamat & faccessat family of syscalls * Update syscall table for the 5.16 kernel * Reduce dependency from initscripts to initscripts-service - Refresh patches (context adjusment): * audit-allow-manual-stop.patch * audit-ausearch-do-not-require-tclass.patch * audit-no-gss.patch * enable-stop-rules.patch * fix-hardened-service.patch * harden_auditd.service.patch - Remove patches (fixed by version update): * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch OBS-URL: https://build.opensuse.org/request/show/1043243 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=141 --- audit-3.0.9.tar.gz | 3 ++ audit-allow-manual-stop.patch | 10 +++--- audit-ausearch-do-not-require-tclass.patch | 8 +++-- audit-no-gss.patch | 8 +++-- audit-secondary.changes | 38 ++++++++++++++++++++ audit-secondary.spec | 7 ++-- audit.changes | 40 +++++++++++++++++++++- audit.spec | 5 ++- create-augenrules-service.patch | 37 ++++++++++---------- enable-stop-rules.patch | 8 
++--- fix-hardened-service.patch | 8 +++-- harden_auditd.service.patch | 10 +++--- 12 files changed, 138 insertions(+), 44 deletions(-) create mode 100644 audit-3.0.9.tar.gz diff --git a/audit-3.0.9.tar.gz b/audit-3.0.9.tar.gz new file mode 100644 index 0000000..3595002 --- /dev/null +++ b/audit-3.0.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fd9570444df1573a274ca8ba23590082298a083cfc0618138957f590e845bc78 +size 1210655 diff --git a/audit-allow-manual-stop.patch b/audit-allow-manual-stop.patch index 01399fe..82663c3 100644 --- a/audit-allow-manual-stop.patch +++ b/audit-allow-manual-stop.patch @@ -11,13 +11,15 @@ SUSE since we lack the ability to use a custom stop/restart init.d/auditd.service | 1 - 1 file changed, 1 deletion(-) ---- a/init.d/auditd.service -+++ b/init.d/auditd.service -@@ -11,7 +11,6 @@ +Index: audit-3.0.9/init.d/auditd.service +=================================================================== +--- audit-3.0.9.orig/init.d/auditd.service ++++ audit-3.0.9/init.d/auditd.service +@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s Before=sysinit.target shutdown.target ##Before=shutdown.target Conflicts=shutdown.target -RefuseManualStop=yes ConditionKernelCommandLine=!audit=0 - Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation + ConditionKernelCommandLine=!audit=off diff --git a/audit-ausearch-do-not-require-tclass.patch b/audit-ausearch-do-not-require-tclass.patch index 251860c..91c8fe7 100644 --- a/audit-ausearch-do-not-require-tclass.patch +++ b/audit-ausearch-do-not-require-tclass.patch @@ -9,9 +9,11 @@ 
Signed-off-by: Tony Jones src/ausearch-parse.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) ---- a/src/ausearch-parse.c -+++ b/src/ausearch-parse.c -@@ -2061,17 +2061,15 @@ other_avc: +Index: audit-3.0.9/src/ausearch-parse.c +=================================================================== +--- audit-3.0.9.orig/src/ausearch-parse.c ++++ audit-3.0.9/src/ausearch-parse.c +@@ -2062,17 +2062,15 @@ other_avc: // Now get the class...its at the end, so we do things different str = strstr(term, "tclass="); diff --git a/audit-no-gss.patch b/audit-no-gss.patch index 10c50af..feadd9c 100644 --- a/audit-no-gss.patch +++ b/audit-no-gss.patch @@ -9,8 +9,10 @@ but need manual removal here. init.d/auditd.conf | 3 --- 1 file changed, 3 deletions(-) ---- a/init.d/auditd.conf -+++ b/init.d/auditd.conf +Index: audit-3.0.9/init.d/auditd.conf +=================================================================== +--- audit-3.0.9.orig/init.d/auditd.conf ++++ audit-3.0.9/init.d/auditd.conf @@ -30,8 +30,6 @@ tcp_max_per_addr = 1 ##tcp_client_ports = 1024-65535 tcp_client_max_idle = 0 @@ -18,5 +20,5 @@ but need manual removal here. -krb5_principal = auditd -##krb5_key_file = /etc/audit/audit.key distribute_network = no - q_depth = 1200 + q_depth = 2000 overflow_action = SYSLOG diff --git a/audit-secondary.changes b/audit-secondary.changes index 8456660..5a41a9b 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes 
@@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya + +- Enable build for ARM (32-bit) +- Update to version 3.0.9: + * In auditd, release the async flush lock on stop + * Don't allow auditd to log directly into /var/log when log_group is non-zero + * Cleanup krb5 memory leaks on error paths + * Update auditd.cron to use auditctl --signal + * In auparse, if too many fields, realloc array bigger (Paul Wolneykien) + * In auparse, special case kernel module name interpretation + * If overflow_action is ignore, don't treat as an error + (3.0.8) + * Add gcc function attributes for access and allocation + * Add some more man pages (MIZUTA Takeshi) + * In auditd, change the reinitializing of the plugin queue + * Fix path normalization in auparse (Sergio Correia) + * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya) + * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya) + * Drop ProtectHome from auditd.service as it interferes with rules + (3.0.7) + * Add support for the OPENAT2 record type (Richard Guy Briggs) + * In auditd, close the logging file descriptor when logging is suspended + * Update the capabilities lookup table to match 5.16 kernel + * Improve interpretation of renamat & faccessat family of syscalls + * Update syscall table for the 5.16 kernel + * Reduce dependency from initscripts to initscripts-service +- Refresh patches (context adjusment): + * audit-allow-manual-stop.patch + * audit-ausearch-do-not-require-tclass.patch + * audit-no-gss.patch + * enable-stop-rules.patch + * fix-hardened-service.patch + * harden_auditd.service.patch +- Remove patches (fixed by version update): + * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch + * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch + ------------------------------------------------------------------- Mon Apr 11 20:44:34 UTC 2022 - Jan Engelhardt 
diff --git a/audit-secondary.spec b/audit-secondary.spec
index fb309b1..4481040 100644
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define _name audit
 Name: audit-secondary
-Version: 3.0.6
+Version: 3.0.9
 Release: 0
 Summary: Linux kernel audit subsystem utilities
 License: GPL-2.0-or-later
@@ -42,8 +42,6 @@ Patch9: fix-hardened-service.patch
 Patch10: enable-stop-rules.patch
 Patch11: create-augenrules-service.patch
 Patch12: audit-userspace-517-compat.patch
-Patch13: audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
-Patch14: libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
 BuildRequires: audit-devel = %{version}
 BuildRequires: autoconf >= 2.12
 BuildRequires: kernel-headers >= 2.6.30
@@ -146,6 +144,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %configure \
 %ifarch aarch64
     --with-aarch64 \
+%endif
+%ifarch arm
+    --with-arm \
 %endif
     --enable-systemd \
     --libexecdir=%{_libexecdir}/%{_name} \
diff --git a/audit.changes b/audit.changes
index b59e61a..22981df 100644
--- a/audit.changes
+++ b/audit.changes
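Review bot: The `%ifarch arm` guard added in the `@@ -146,6 +144,9 @@` hunk is likely never satisfied: rpm's `%ifarch` tests the token against the build target's arch-compat chain, and the 32-bit targets are armv6hl/armv7hl-style names rather than a bare `arm`, which is why rpm ships the `%{arm}` macro and the usual spelling is `%ifarch %{arm}`; the same block is added in audit.spec. If the token is not matched the build silently falls through without `--with-arm`, so unless SUSE's rpm config maps a bare `arm` target this should be confirmed on a 32-bit ARM build log before relying on the "Enable build for ARM" claim. Separately, the `@@ -42,8 +42,6 @@` hunk drops the `Patch13`/`Patch14` declarations but the diffstat shows no `%prep` change, which is only correct if patches are applied via `%autosetup`/`%autopatch`; a leftover explicit `%patch13`/`%patch14` line would break the build. `%prep` lies outside the hunks shown here.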
@@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya + +- Enable build for ARM (32-bit) +- Update to version 3.0.9: + * In auditd, release the async flush lock on stop + * Don't allow auditd to log directly into /var/log when log_group is non-zero + * Cleanup krb5 memory leaks on error paths + * Update auditd.cron to use auditctl --signal + * In auparse, if too many fields, realloc array bigger (Paul Wolneykien) + * In auparse, special case kernel module name interpretation + * If overflow_action is ignore, don't treat as an error + (3.0.8) + * Add gcc function attributes for access and allocation + * Add some more man pages (MIZUTA Takeshi) + * In auditd, change the reinitializing of the plugin queue + * Fix path normalization in auparse (Sergio Correia) + * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya) + * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya) + * Drop ProtectHome from auditd.service as it interferes with rules + (3.0.7) + * Add support for the OPENAT2 record type (Richard Guy Briggs) + * In auditd, close the logging file descriptor when logging is suspended + * Update the capabilities lookup table to match 5.16 kernel + * Improve interpretation of renamat & faccessat family of syscalls + * Update syscall table for the 5.16 kernel + * Reduce dependency from initscripts to initscripts-service +- Refresh patches (context adjusment): + * audit-allow-manual-stop.patch + * audit-ausearch-do-not-require-tclass.patch + * audit-no-gss.patch + * enable-stop-rules.patch + * fix-hardened-service.patch + * harden_auditd.service.patch +- Remove patches (fixed by version update): + * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch + * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch + ------------------------------------------------------------------- Mon Apr 11 20:45:33 UTC 2022 - Jan Engelhardt 
@@ -1013,8 +1051,8 @@ Mon May 11 17:20:28 CEST 2009 - tonyj@suse.de - Add --exit search option to ausearch - Fix parsing config file when kerberos is disabled -------------------------------------------------------------------- +------------------------------------------------------------------- Tue Apr 14 14:52:39 CEST 2009 - dmueller@suse.de - refresh patches
diff --git a/audit.spec b/audit.spec
index 5c6b237..4e077bb 100644
--- a/audit.spec
+++ b/audit.spec
@@ -17,7 +17,7 @@ Name: audit -Version: 3.0.6 +Version: 3.0.9 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later
@@ -85,6 +85,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %configure \
 %ifarch aarch64
     --with-aarch64 \
+%endif
+%ifarch arm
+    --with-arm \
 %endif
     --enable-systemd \
     --libexecdir=%{_libexecdir}/%{name} \
diff --git a/create-augenrules-service.patch b/create-augenrules-service.patch
index f876a69..72c8745 100644
--- a/create-augenrules-service.patch
+++ b/create-augenrules-service.patch
@@ -1,7 +1,7 @@
-Index: audit-3.0.6/init.d/augenrules.service
+Index: audit-3.0.9/init.d/augenrules.service
 ===================================================================
 --- /dev/null
-+++ audit-3.0.6/init.d/augenrules.service
++++ audit-3.0.9/init.d/augenrules.service
 @@ -0,0 +1,29 @@
 +[Unit]
 +Description=auditd rules generation
@@ -32,13 +32,13 @@ Index: audit-3.0.6/init.d/augenrules.service +ProtectKernelTunables=true +ProtectKernelLogs=true +ReadWritePaths=/etc/audit -Index: audit-3.0.6/init.d/auditd.service +Index: audit-3.0.9/init.d/auditd.service =================================================================== ---- audit-3.0.6.orig/init.d/auditd.service -+++ audit-3.0.6/init.d/auditd.service -@@ -13,15 +13,16 @@ Before=sysinit.target shutdown.target - Conflicts=shutdown.target - ConditionKernelCommandLine=!audit=0 +--- audit-3.0.9.orig/init.d/auditd.service ++++ audit-3.0.9/init.d/auditd.service +@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0 + ConditionKernelCommandLine=!audit=off + Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation +Requires=augenrules.service +# This unit clears rules on stop, so make sure that augenrules runs again @@ -57,7 +57,7 @@ Index: audit-3.0.6/init.d/auditd.service #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules # By default we clear the rules on exit. To disable this, comment # the next line after copying the file to /etc/systemd/system/auditd.service -@@ -45,7 +46,6 @@ ProtectClock=true +@@ -46,7 +47,6 @@ ProtectClock=true ProtectKernelTunables=true ProtectKernelLogs=true # end of automatic additions 
@@ -65,28 +65,29 @@ Index: audit-3.0.6/init.d/auditd.service [Install] WantedBy=multi-user.target -Index: audit-3.0.6/init.d/Makefile.am +Index: audit-3.0.9/init.d/Makefile.am =================================================================== ---- audit-3.0.6.orig/init.d/Makefile.am -+++ audit-3.0.6/init.d/Makefile.am -@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service +--- audit-3.0.9.orig/init.d/Makefile.am ++++ audit-3.0.9/init.d/Makefile.am +@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service auditd.cron libaudit.conf auditd.condrestart \ auditd.reload auditd.restart auditd.resume \ auditd.rotate auditd.state auditd.stop \ -- audit-stop.rules augenrules -+ audit-stop.rules augenrules augenrules.service +- audit-stop.rules augenrules audit-functions ++ audit-stop.rules augenrules audit-functions \ ++ augenrules.service libconfig = libaudit.conf if ENABLE_SYSTEMD initdir = /usr/lib/systemd/system -@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD - mkdir -p ${DESTDIR}${initdir} +@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD mkdir -p ${DESTDIR}${legacydir} + mkdir -p ${DESTDIR}${libexecdir} $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir} + $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir} $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload -@@ -70,6 +71,7 @@ uninstall-hook: +@@ -72,6 +74,7 @@ uninstall-hook: rm ${DESTDIR}${sysconfdir}/${libconfig} if ENABLE_SYSTEMD rm ${DESTDIR}${initdir}/auditd.service diff --git a/enable-stop-rules.patch b/enable-stop-rules.patch index 9d405f0..5ef0d37 100644 --- a/enable-stop-rules.patch +++ b/enable-stop-rules.patch @@ -11,11 +11,11 @@ Disable audit when auditd.service stops, so kauditd stops logging/running. 
Signed-off-by: Enzo Matsumiya -Index: audit-3.0.6/init.d/auditd.service +Index: audit-3.0.9/init.d/auditd.service =================================================================== ---- audit-3.0.6.orig/init.d/auditd.service -+++ audit-3.0.6/init.d/auditd.service -@@ -23,9 +23,9 @@ ExecStart=/sbin/auditd +--- audit-3.0.9.orig/init.d/auditd.service ++++ audit-3.0.9/init.d/auditd.service +@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ ExecStartPost=-/sbin/augenrules --load #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules diff --git a/fix-hardened-service.patch b/fix-hardened-service.patch index 34f97c1..0fe1648 100644 --- a/fix-hardened-service.patch +++ b/fix-hardened-service.patch @@ -12,9 +12,11 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd. Signed-off-by: Enzo Matsumiya ---- a/init.d/auditd.service -+++ b/init.d/auditd.service -@@ -37,12 +37,12 @@ RestrictRealtime=true +Index: audit-3.0.9/init.d/auditd.service +=================================================================== +--- audit-3.0.9.orig/init.d/auditd.service ++++ audit-3.0.9/init.d/auditd.service +@@ -41,12 +41,12 @@ RestrictRealtime=true # added automatically, for details please see # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ProtectSystem=full diff --git a/harden_auditd.service.patch b/harden_auditd.service.patch index 8dc1528..3e3ad0f 100644 --- a/harden_auditd.service.patch +++ b/harden_auditd.service.patch 
@@ -1,8 +1,10 @@ ---- a/init.d/auditd.service -+++ b/init.d/auditd.service -@@ -34,6 +34,15 @@ ProtectControlGroups=true +Index: audit-3.0.9/init.d/auditd.service +=================================================================== +--- audit-3.0.9.orig/init.d/auditd.service ++++ audit-3.0.9/init.d/auditd.service +@@ -38,6 +38,15 @@ LockPersonality=true + ProtectControlGroups=true ProtectKernelModules=true - ProtectHome=true RestrictRealtime=true +# added automatically, for details please see +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort