From 90ef868a13b95c655695d68dcbc0160553c684b35be706265d09122e1870a0f4 Mon Sep 17 00:00:00 2001 
From: Marcus Meissner
Date: Sun, 29 Sep 2024 09:40:50 +0000
Subject: [PATCH] - Update audit-secondary.spec:
  * Add "Requires: audit-rules" for audit package
  * Remove preun/postun handling of audit-rules.service
- Update to 4.0
  - Drop python2 support
  - Drop auvirt and autrace programs
  - Drop SysVinit support
  - Require the use of the 5.0 or later kernel headers
  - New README.md file
  - Rewrite legacy service functions in terms of systemctl
  - Consolidate and update end of event detection to a common function
  - Split off rule loading from auditd.service into audit-rules.service
  - Refactor libaudit.h to split out logging functions and record numbers
  - Speed up aureport --summary reports
  - Limit libaudit python bindings to logging functions
  - Add a metrics function for auparse
  - Change auditctl to use pidfd_send_signal for signaling auditd
  - Adjust watches to optimize syscalls hooked when watch file access
  - Drop nispom rules
  - Add interpretations for fsconfig, fsopen, fsmount, & move_mount
  - Many code fixups (cgzones)
  - Update syscall and interpretation tables to the 6.8 kernel
  (from v3.1.2)
  - When processing a run level change, make auditd exit
  - In auditd, fix return code when rules added in immutable mode
  - In auparse, when files are given, also consider EUID for access
  - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
  - Disable Python bindings from setting rules due to swig bug (S.
Trofimovich) - Update all lookup tables for the 6.5 kernel - Don't be as paranoid about auditctl -R file permissions - In ausearch, correct subject/object search to be an and if both are given - Adjust formats for 64 bit time_t - Fix segfault in python bindings around the feed API - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings - Update spec: * Move rules-related files into new subpackage `audit-rules': * Files moved: - /sbin/auditctl, /sbin/augenrules, /etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules} - manpages for auditctl, augenrules, and audit.rules - /etc/audit is now owned by `audit-rules' as well * Add new file /usr/lib/systemd/system/audit-rules.service * Remove in-house create-augenrules-service.patch that generated augenrules.service systemd unit service * Remove ownership of /usr/share/audit * Create /usr/share/audit-rules directory on %install * Remove audit-userspace-517-compat.patch (fixed upstream) * Remove libev-werror.patch (fixed upstream) * Remove audit-allow-manual-stop.patch (fixed upstream) * Add fix-auparse-test.patch (downstream): Upstream tests uses a static value (42) for 'gdm' uid/gid (based on Fedora values, apparently). Replace these occurrences with 'unknown(123456)' * Replace '--with-python' with '--with-python3' on %configure * Remove autrace and auvirt references (upstream) * Replace README with README.md - Drop `--enable-systemd' from %configure as SysV-style scripts aren't supported in upstream since 113ae191758c ("Drop support for SysVinit") OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=155 --- audit-secondary.changes | 41 ++++++++++++++++++++++++++++++++++++++--- audit-secondary.spec | 3 +-- audit.changes | 34 +++++++++++++++++++++++++++++++--- 3 files changed, 70 insertions(+), 8 deletions(-) diff --git a/audit-secondary.changes b/audit-secondary.changes index 41f3ee4..97000ad 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes 
@@ -1,9 +1,44 @@ ------------------------------------------------------------------- -Mon Sep 9 14:33:29 UTC 2024 - Enzo Matsumiya +Thu Sep 26 16:51:29 UTC 2024 - Enzo Matsumiya + +- Update audit-secondary.spec: + * Add "Requires: audit-rules" for audit package + * Remove preun/postun handling of audit-rules.service + +------------------------------------------------------------------- +Tue Sep 17 18:23:15 UTC 2024 - Enzo Matsumiya - Update to 4.0 - * Includes fixes since v3.1.1 - * Enhance support for newer (5.0+) kernels + - Drop python2 support + - Drop auvirt and autrace programs + - Drop SysVinit support + - Require the use of the 5.0 or later kernel headers + - New README.md file + - Rewrite legacy service functions in terms of systemctl + - Consolidate and update end of event detection to a common function + - Split off rule loading from auditd.service into audit-rules.service + - Refactor libaudit.h to split out logging functions and record numbers + - Speed up aureport --summary reports + - Limit libaudit python bindings to logging functions + - Add a metrics function for auparse + - Change auditctl to use pidfd_send_signal for signaling auditd + - Adjust watches to optimize syscalls hooked when watch file access + - Drop nispom rules + - Add intepretations for fsconfig, fsopen, fsmount, & move_mount + - Many code fixups (cgzones) + - Update syscall and interpretation tables to the 6.8 kernel + (from v3.1.2) + - When processing a run level change, make auditd exit + - In auditd, fix return code when rules added in immutable mode + - In auparse, when files are given, also consider EUID for access + - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya) + - Disable Python bindings from setting rules due to swig bug (S. 
Trofimovich) + - Update all lookup tables for the 6.5 kernel + - Don't be as paranoid about auditctl -R file permissions + - In ausearch, correct subject/object search to be an and if both are given + - Adjust formats for 64 bit time_t + - Fix segfault in python bindings around the feed API + - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings - Update spec: * Move rules-related files into new subpackage `audit-rules': diff --git a/audit-secondary.spec b/audit-secondary.spec index 4c1fe4d..b9fc07b 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec @@ -68,6 +68,7 @@ Summary: User Space Tools for Kernel Auditing License: LGPL-2.1-or-later Group: System/Monitoring Requires: %{_name}-libs = %{version} +Requires: %{_name}-rules = %{version} Requires: coreutils Requires: group(audit) %{?systemd_ordering} @@ -257,7 +258,6 @@ fi %preun -n audit %service_del_preun auditd.service -%service_del_preun audit-rules.service %preun -n audit-rules # If uninstalling, delete the rules loaded in the kernel @@ -268,7 +268,6 @@ fi %postun -n audit %service_del_postun auditd.service -%service_del_postun audit-rules.service %postun -n audit-rules %service_del_postun audit-rules.service diff --git a/audit.changes b/audit.changes index 34542c5..fb9ecfe 100644 --- a/audit.changes +++ b/audit.changes 
@@ -1,9 +1,37 @@ ------------------------------------------------------------------- -Mon Sep 9 14:32:43 UTC 2024 - Enzo Matsumiya +Tue Sep 17 18:20:58 UTC 2024 - Enzo Matsumiya - Update to 4.0 - * Includes fixes since v3.1.1 - * Enhance support for newer (5.0+) kernels + - Drop python2 support + - Drop auvirt and autrace programs + - Drop SysVinit support + - Require the use of the 5.0 or later kernel headers + - New README.md file + - Rewrite legacy service functions in terms of systemctl + - Consolidate and update end of event detection to a common function + - Split off rule loading from auditd.service into audit-rules.service + - Refactor libaudit.h to split out logging functions and record numbers + - Speed up aureport --summary reports + - Limit libaudit python bindings to logging functions + - Add a metrics function for auparse + - Change auditctl to use pidfd_send_signal for signaling auditd + - Adjust watches to optimize syscalls hooked when watch file access + - Drop nispom rules + - Add intepretations for fsconfig, fsopen, fsmount, & move_mount + - Many code fixups (cgzones) + - Update syscall and interpretation tables to the 6.8 kernel + (from v3.1.2) + - When processing a run level change, make auditd exit + - In auditd, fix return code when rules added in immutable mode + - In auparse, when files are given, also consider EUID for access + - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya) + - Disable Python bindings from setting rules due to swig bug (S. Trofimovich) + - Update all lookup tables for the 6.5 kernel + - Don't be as paranoid about auditctl -R file permissions + - In ausearch, correct subject/object search to be an and if both are given + - Adjust formats for 64 bit time_t + - Fix segfault in python bindings around the feed API + - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings - Update spec: * Add fix-auparse-test.patch (downstream):
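Review bot: In the audit-secondary.changes hunk (@@ -1,9 +1,44 @@), the existing "Update to 4.0" entry is rewritten in place: its timestamp moves from "Mon Sep 9 14:33:29 UTC 2024" to "Tue Sep 17 18:23:15 UTC 2024" and the lines "* Includes fixes since v3.1.1" and "* Enhance support for newer (5.0+) kernels" are removed. If the Sep 9 entry had already been submitted, keep it as it was and put the detailed list in a new entry above it, the way the Sep 26 entry is added here. The audit.changes hunk makes the same in-place rewrite.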
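Review bot: The added "Requires: %{_name}-rules = %{version}" in audit-secondary.spec (@@ -68,6 +68,7) has no comment explaining why the audit package now hard-depends on audit-rules. The commit message says /sbin/auditctl, /sbin/augenrules and the rules files moved into audit-rules and that rule loading was split from auditd.service into audit-rules.service, so without this dependency an install of audit alone would have auditd but nothing to load rules. A one-line spec comment above the Requires stating that would keep a later packager from dropping or weakening it.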
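Review bot: In the audit-secondary.spec %preun hunk (@@ -257,7 +258,6), "%service_del_preun audit-rules.service" is dropped from "%preun -n audit", but the visible context of "%preun -n audit-rules" shows only the comment "# If uninstalling, delete the rules loaded in the kernel" and no %service_del_preun call. Please confirm that scriptlet invokes "%service_del_preun audit-rules.service" further down, as "%postun -n audit-rules" visibly does with %service_del_postun in the next hunk; otherwise nothing stops and disables the unit when audit-rules is removed.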
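Review bot: In the audit.changes hunk (@@ -1,9 +1,37 @@), "intepretations" in the fsconfig/fsopen/fsmount/move_mount line is misspelled, and "(from v3.1.2)" follows the 6.8 kernel item with no bullet of its own, so it is unclear whether it qualifies that item or introduces the items after it. Suggest "interpretations" and an explicit marker for where the v3.1.2 items begin. The same two lines appear in the audit-secondary.changes hunk.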