From 405fcdff1b1a1ae30e6cdbdf237fe8a822124a6335390f644b0a856f56be7ffb Mon Sep 17 00:00:00 2001
From: Wolfgang Frisch
Date: Wed, 1 Mar 2023 11:19:17 +0000
Subject: [PATCH 1/5] Accepting request 1066846 from home:polslinux:branches:security

- Update to 3.1:
 * Disable ProtectControlGroups in auditd.service by default
 * Fix rule checking for exclude filter
 * Make audit_rule_syscallbyname_data work correctly outside of auditctl
 * Add new record types
 * Add io_uring support
 * Add support for new FANOTIFY record fields
 * Add keyword, this-hour, to ausearch/report start/end options
 * Add Requires.private to audit.pc file
 * Try to interpret OPENAT2 fields correctly
- Update to 3.1:
 * Disable ProtectControlGroups in auditd.service by default
 * Fix rule checking for exclude filter
 * Make audit_rule_syscallbyname_data work correctly outside of auditctl
 * Add new record types
 * Add io_uring support
 * Add support for new FANOTIFY record fields
 * Add keyword, this-hour, to ausearch/report start/end options
 * Add Requires.private to audit.pc file
 * Try to interpret OPENAT2 fields correctly
OBS-URL: https://build.opensuse.org/request/show/1066846
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=145
---
 audit-3.0.9.tar.gz | 3 ---
 audit-3.1.tar.gz | 3 +++
 audit-secondary.changes | 14 ++++++++++++++
 audit-secondary.spec | 2 +-
 audit.changes | 14 ++++++++++++++
 audit.spec | 2 +-
 6 files changed, 33 insertions(+), 5 deletions(-)
 delete mode 100644 audit-3.0.9.tar.gz
 create mode 100644 audit-3.1.tar.gz

diff --git a/audit-3.0.9.tar.gz b/audit-3.0.9.tar.gz
deleted file mode 100644
index 3595002..0000000
--- a/audit-3.0.9.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fd9570444df1573a274ca8ba23590082298a083cfc0618138957f590e845bc78
-size 1210655
diff --git a/audit-3.1.tar.gz b/audit-3.1.tar.gz
new file mode 100644
index 0000000..cd3b8e8
--- /dev/null
+++ b/audit-3.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b5cf3cdabb2786c08b1de3599a3b1a547e55f7a9f9c1eb2078f5b44cf44e8378
+size 1215931
diff --git a/audit-secondary.changes b/audit-secondary.changes
index f1c1137..9e2ca83 100644
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Feb 20 14:13:06 UTC 2023 - Paolo Stivanin
+
+- Update to 3.1:
+ * Disable ProtectControlGroups in auditd.service by default
+ * Fix rule checking for exclude filter
+ * Make audit_rule_syscallbyname_data work correctly outside of auditctl
+ * Add new record types
+ * Add io_uring support
+ * Add support for new FANOTIFY record fields
+ * Add keyword, this-hour, to ausearch/report start/end options
+ * Add Requires.private to audit.pc file
+ * Try to interpret OPENAT2 fields correctly
+
 -------------------------------------------------------------------
 Tue Dec 27 10:21:56 UTC 2022 - Ludwig Nussel
 
diff --git a/audit-secondary.spec b/audit-secondary.spec
index 1315a16..33e6dcd 100644
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define _name audit
 Name: audit-secondary
-Version: 3.0.9
+Version: 3.1
 Release: 0
 Summary: Linux kernel audit subsystem utilities
 License: GPL-2.0-or-later
diff --git a/audit.changes b/audit.changes
index 22981df..13454bd 100644
--- a/audit.changes
+++ b/audit.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Mon Feb 20 14:12:55 UTC 2023 - Paolo Stivanin
+
+- Update to 3.1:
+ * Disable ProtectControlGroups in auditd.service by default
+ * Fix rule checking for exclude filter
+ * Make audit_rule_syscallbyname_data work correctly outside of auditctl
+ * Add new record types
+ * Add io_uring support
+ * Add support for new FANOTIFY record fields
+ * Add keyword, this-hour, to ausearch/report start/end options
+ * Add Requires.private to audit.pc file
+ * Try to interpret OPENAT2 fields correctly
+
 -------------------------------------------------------------------
 Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya
 
diff --git a/audit.spec b/audit.spec
index ac8a617..402630a 100644
--- a/audit.spec
+++ b/audit.spec
@@ -17,7 +17,7 @@
 
 
 Name: audit
-Version: 3.0.9
+Version: 3.1
 Release: 0
 Summary: Linux kernel audit subsystem utilities
 License: GPL-2.0-or-later
From 28591f1543caa8066479353ffa7f1ca3a042449248943323f1ca9ae903741cd6 Mon Sep 17 00:00:00 2001
From: Enzo Matsumiya
Date: Mon, 20 Mar 2023 19:59:00 +0000
Subject: [PATCH 2/5] Accepting request 1073295 from home:gbelinassi

- Enable livepatching on main library on x86_64.
We are enabling livepatching support on this library because SAP Hana link against it.
OBS-URL: https://build.opensuse.org/request/show/1073295
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=146
---
 audit.changes | 5 +++++
 audit.spec | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/audit.changes b/audit.changes
index 13454bd..20ad631 100644
--- a/audit.changes
+++ b/audit.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Mar 20 14:53:26 UTC 2023 - Giuliano Belinassi
+
+- Enable livepatching on main library on x86_64.
+
 -------------------------------------------------------------------
 Mon Feb 20 14:12:55 UTC 2023 - Paolo Stivanin
 
diff --git a/audit.spec b/audit.spec
index 402630a..aa32ebd 100644
--- a/audit.spec
+++ b/audit.spec
@@ -16,6 +16,12 @@
 #
 
 
+%ifarch x86_64
+%bcond_without livepatching
+%else
+%bcond_with livepatching
+%endif
+
 Name: audit
 Version: 3.1
 Release: 0
@@ -79,6 +85,9 @@ libraries.
 %build
 autoreconf -fi
 export CFLAGS="%{optflags} -fno-strict-aliasing"
+%if %{with livepatching}
+export CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
+%endif
 export CXXFLAGS="$CFLAGS"
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
@@ -102,6 +111,33 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %make_build -C auparse
 %make_build -C docs
 
+%if %{with livepatching}
+# Workaround bsc#1208721: remove _patchable_function_entry from static libs.
+find . -name "*.a" -exec \
+ objcopy --remove-section "__patchable_function_entries" {} \;
+
+%define tar_basename audit-livepatch-%{version}-%{release}
+%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
+%define clones_dest_dir %{tar_basename}/%{_arch}
+
+# Ipa-clones are files generated by gcc which logs changes made across
+# functions, and we need to know such changes to build livepatches
+# correctly. These files are intended to be used by the livepatch
+# developers and may be retrieved by using `osc getbinaries`.
+#
+# Create ipa-clones destination folder and move clones there.
+mkdir -p ipa-clones/%{clones_dest_dir}
+find . -name "*.ipa-clones" ! -empty \
+ -exec cp -t ipa-clones/%{clones_dest_dir} --parents {} +
+
+# Create tarball with ipa-clones.
+tar -cJf %{tar_package_name} -C ipa-clones \
+ --owner root --group root --sort name %{tar_basename}
+
+# Copy tarball to the OTHER folder to store it as artifact.
+cp %{tar_package_name} %{_topdir}/OTHER
+%endif
+
 %install
 %make_install -C common
 %make_install -C lib
From e8c281ed5c167dd4c1bc6e58c5b6af9e38d3b88a3af029602ce937e287962346 Mon Sep 17 00:00:00 2001
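Review bot: `cp %{tar_package_name} %{_topdir}/OTHER` at the end of the livepatching block assumes the OTHER directory already exists; if the build root does not pre-create it, %build aborts after the whole compile has succeeded, so the copy should be preceded by `mkdir -p %{_topdir}/OTHER`. Two lines above it, the tar invocation pins owner, group and sort order but not timestamps, so the ipa-clones artifact embeds build-time mtimes and two builds of the same source are not byte-identical; if SOURCE_DATE_EPOCH is exported in this build environment, adding `--mtime="@${SOURCE_DATE_EPOCH}"` to the tar options closes that gap. The same CFLAGS hunk earlier in this section also depends on `export CXXFLAGS="$CFLAGS"` coming after the livepatching append, which it does, but a short comment there saying the ordering is deliberate would protect it from a future reshuffle.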
From: Wolfgang Frisch
Date: Wed, 10 May 2023 09:07:42 +0000
Subject: [PATCH 3/5] Accepting request 1084694 from home:fcrozat:branches:security

- Add _multibuild to define additional spec files as additional flavors.
Eliminates the need for source package links in OBS.
- Add _multibuild to define additional spec files as additional flavors.
Eliminates the need for source package links in OBS.
OBS-URL: https://build.opensuse.org/request/show/1084694
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=147
---
 _multibuild | 4 ++++
 audit-secondary.changes | 7 +++++++
 audit.changes | 7 +++++++
 3 files changed, 18 insertions(+)
 create mode 100644 _multibuild

diff --git a/_multibuild b/_multibuild
new file mode 100644
index 0000000..831aaf6
--- /dev/null
+++ b/_multibuild
@@ -0,0 +1,4 @@
+
+ audit-secondary
+
+
diff --git a/audit-secondary.changes b/audit-secondary.changes
index 9e2ca83..856d99f 100644
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu May 4 12:58:06 UTC 2023 - Frederic Crozat
+
+- Add _multibuild to define additional spec files as additional
+ flavors.
+ Eliminates the need for source package links in OBS.
+
 -------------------------------------------------------------------
 Mon Feb 20 14:13:06 UTC 2023 - Paolo Stivanin
 
diff --git a/audit.changes b/audit.changes
index 20ad631..96a0231 100644
--- a/audit.changes
+++ b/audit.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu May 4 12:58:06 UTC 2023 - Frederic Crozat
+
+- Add _multibuild to define additional spec files as additional
+ flavors.
+ Eliminates the need for source package links in OBS.
+
 -------------------------------------------------------------------
 Mon Mar 20 14:53:26 UTC 2023 - Giuliano Belinassi
 
From d1358f4337c1e36835fcd1b29beb2b3fae32226b0f035d12f17b4a35591aaf81 Mon Sep 17 00:00:00 2001
From: Wolfgang Frisch
Date: Mon, 3 Jul 2023 14:59:58 +0000
Subject: [PATCH 4/5] Accepting request 1096509 from home:polslinux:branches:security

- Update to 3.1.1:
 * Add user friendly keywords for signals to auditctl
 * In ausearch, parse up URINGOP and DM_CTRL records
 * Harden auparse to better handle corrupt logs
 * Fix a CFLAGS propogation problem in the common directory
 * Move the audispd af_unix plugin to a standalone program
- Update to 3.1.1:
 * Add user friendly keywords for signals to auditctl
 * In ausearch, parse up URINGOP and DM_CTRL records
 * Harden auparse to better handle corrupt logs
 * Fix a CFLAGS propogation problem in the common directory
 * Move the audispd af_unix plugin to a standalone program
OBS-URL: https://build.opensuse.org/request/show/1096509
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=148
---
 audit-3.1.1.tar.gz | 3 +++
 audit-3.1.tar.gz | 3 ---
 audit-ausearch-do-not-require-tclass.patch | 8 ++++----
 audit-secondary.changes | 10 ++++++++++
 audit-secondary.spec | 2 +-
 audit.changes | 10 ++++++++++
 audit.spec | 2 +-
 create-augenrules-service.patch | 18 +++++++++---------
 fix-hardened-service.patch | 8 ++++----
 harden_auditd.service.patch | 10 +++++-----
 10 files changed, 47 insertions(+), 27 deletions(-)
 create mode 100644 audit-3.1.1.tar.gz
 delete mode 100644 audit-3.1.tar.gz

diff --git a/audit-3.1.1.tar.gz b/audit-3.1.1.tar.gz
new file mode 100644
index 0000000..16cf0d9
--- /dev/null
+++ b/audit-3.1.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46e46b37623cce09e6ee134e78d668afc34f4e1c870c853ef12e4193078cfe87
+size 1218111
diff --git a/audit-3.1.tar.gz b/audit-3.1.tar.gz
deleted file mode 100644
index cd3b8e8..0000000
--- a/audit-3.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b5cf3cdabb2786c08b1de3599a3b1a547e55f7a9f9c1eb2078f5b44cf44e8378
-size 1215931
diff --git a/audit-ausearch-do-not-require-tclass.patch b/audit-ausearch-do-not-require-tclass.patch
index 91c8fe7..532a6c2 100644
--- a/audit-ausearch-do-not-require-tclass.patch
+++ b/audit-ausearch-do-not-require-tclass.patch
@@ -9,11 +9,11 @@ Signed-off-by: Tony Jones
  src/ausearch-parse.c | 18 ++++++++----------
  1 file changed, 8 insertions(+), 10 deletions(-)
 
-Index: audit-3.0.9/src/ausearch-parse.c
+Index: audit-3.1.1/src/ausearch-parse.c
 ===================================================================
---- audit-3.0.9.orig/src/ausearch-parse.c
-+++ audit-3.0.9/src/ausearch-parse.c
-@@ -2062,17 +2062,15 @@ other_avc:
+--- audit-3.1.1.orig/src/ausearch-parse.c
++++ audit-3.1.1/src/ausearch-parse.c
+@@ -2075,17 +2075,15 @@ other_avc:
  // Now get the class...its at the end, so we do things different
  str = strstr(term, "tclass=");
 
diff --git a/audit-secondary.changes b/audit-secondary.changes
index 856d99f..9fb2020 100644
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Jul 3 08:34:22 UTC 2023 - Paolo Stivanin
+
+- Update to 3.1.1:
+ * Add user friendly keywords for signals to auditctl
+ * In ausearch, parse up URINGOP and DM_CTRL records
+ * Harden auparse to better handle corrupt logs
+ * Fix a CFLAGS propogation problem in the common directory
+ * Move the audispd af_unix plugin to a standalone program
+
 -------------------------------------------------------------------
 Thu May 4 12:58:06 UTC 2023 - Frederic Crozat
 
diff --git a/audit-secondary.spec b/audit-secondary.spec
index 33e6dcd..4db7b59 100644
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define _name audit
 Name: audit-secondary
-Version: 3.1
+Version: 3.1.1
 Release: 0
 Summary: Linux kernel audit subsystem utilities
 License: GPL-2.0-or-later
diff --git a/audit.changes b/audit.changes index 96a0231..c05a79e 100644 --- a/audit.changes +++ b/audit.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Mon Jul 3 08:33:52 UTC 2023 - Paolo Stivanin + +- Update to 3.1.1: + * Add user friendly keywords for signals to auditctl + * In ausearch, parse up URINGOP and DM_CTRL records + * Harden auparse to better handle corrupt logs + * Fix a CFLAGS propogation problem in the common directory + * Move the audispd af_unix plugin to a standalone program + ------------------------------------------------------------------- Thu May 4 12:58:06 UTC 2023 - Frederic Crozat diff --git a/audit.spec b/audit.spec index aa32ebd..5bf9cb0 100644 --- a/audit.spec +++ b/audit.spec @@ -23,7 +23,7 @@ %endif Name: audit -Version: 3.1 +Version: 3.1.1 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later diff --git a/create-augenrules-service.patch b/create-augenrules-service.patch index 72c8745..3064bc1 100644 --- a/create-augenrules-service.patch +++ b/create-augenrules-service.patch @@ -1,7 +1,7 @@ -Index: audit-3.0.9/init.d/augenrules.service +Index: audit-3.1.1/init.d/augenrules.service =================================================================== --- /dev/null -+++ audit-3.0.9/init.d/augenrules.service ++++ audit-3.1.1/init.d/augenrules.service @@ -0,0 +1,29 @@ +[Unit] +Description=auditd rules generation @@ -32,10 +32,10 @@ Index: audit-3.0.9/init.d/augenrules.service +ProtectKernelTunables=true +ProtectKernelLogs=true +ReadWritePaths=/etc/audit -Index: audit-3.0.9/init.d/auditd.service +Index: audit-3.1.1/init.d/auditd.service =================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service +--- audit-3.1.1.orig/init.d/auditd.service ++++ audit-3.1.1/init.d/auditd.service @@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0 ConditionKernelCommandLine=!audit=off 
@@ -57,7 +57,7 @@ Index: audit-3.0.9/init.d/auditd.service #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules # By default we clear the rules on exit. To disable this, comment # the next line after copying the file to /etc/systemd/system/auditd.service -@@ -46,7 +47,6 @@ ProtectClock=true +@@ -47,7 +48,6 @@ ProtectClock=true ProtectKernelTunables=true ProtectKernelLogs=true # end of automatic additions @@ -65,10 +65,10 @@ Index: audit-3.0.9/init.d/auditd.service [Install] WantedBy=multi-user.target -Index: audit-3.0.9/init.d/Makefile.am +Index: audit-3.1.1/init.d/Makefile.am =================================================================== ---- audit-3.0.9.orig/init.d/Makefile.am -+++ audit-3.0.9/init.d/Makefile.am +--- audit-3.1.1.orig/init.d/Makefile.am ++++ audit-3.1.1/init.d/Makefile.am @@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service auditd.cron libaudit.conf auditd.condrestart \ auditd.reload auditd.restart auditd.resume \ diff --git a/fix-hardened-service.patch b/fix-hardened-service.patch index 0fe1648..c7325be 100644 --- a/fix-hardened-service.patch +++ b/fix-hardened-service.patch @@ -12,11 +12,11 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd. Signed-off-by: Enzo Matsumiya -Index: audit-3.0.9/init.d/auditd.service +Index: audit-3.1.1/init.d/auditd.service =================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service -@@ -41,12 +41,12 @@ RestrictRealtime=true +--- audit-3.1.1.orig/init.d/auditd.service ++++ audit-3.1.1/init.d/auditd.service +@@ -42,12 +42,12 @@ RestrictRealtime=true # added automatically, for details please see # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ProtectSystem=full diff --git a/harden_auditd.service.patch b/harden_auditd.service.patch index 3e3ad0f..4eff294 100644 --- a/harden_auditd.service.patch +++ b/harden_auditd.service.patch 
@@ -1,9 +1,9 @@
-Index: audit-3.0.9/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
---- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.9/init.d/auditd.service
-@@ -38,6 +38,15 @@ LockPersonality=true
- ProtectControlGroups=true
+--- audit-3.1.1.orig/init.d/auditd.service
++++ audit-3.1.1/init.d/auditd.service
+@@ -39,6 +39,15 @@ LockPersonality=true
+ #ProtectControlGroups=true
  ProtectKernelModules=true
  RestrictRealtime=true
 +# added automatically, for details please see
From 8569642ef730134eb6c72a9782cdec2f502384b0fa6ee13d4aeadccb8f9fcbd3 Mon Sep 17 00:00:00 2001
From: Enzo Matsumiya
Date: Thu, 13 Jul 2023 15:26:56 +0000
Subject: [PATCH 5/5] Accepting request 1097513 from home:polslinux:branches:security

fix audit-secondary
OBS-URL: https://build.opensuse.org/request/show/1097513
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=149
---
 audit-secondary.spec | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/audit-secondary.spec b/audit-secondary.spec
index 4db7b59..e22b655 100644
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@@ -258,6 +258,7 @@ fi
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
 %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
 %if 0%{?suse_version} < 1550
 /sbin/auditctl
 /sbin/auditd
@@ -276,6 +277,7 @@ fi
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
 %attr(755,root,root) %{_sbindir}/aureport
+%attr(755,root,root) %{_sbindir}/audisp-af_unix
 %attr(755,root,root) %{_bindir}/auvirt
 %dir %attr(750,root,root) %{_sysconfdir}/audit
 %attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
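Review bot: The rebased context in harden_auditd.service.patch now reads `+ #ProtectControlGroups=true`, i.e. the 3.1.1 unit ships that directive commented out (the 3.1 changelog entries earlier in this series record "Disable ProtectControlGroups in auditd.service by default"), and the hardening block this patch appends after RestrictRealtime does not re-enable it, so the packaged auditd.service loses the cgroup protection the 3.0.9 build had. If that is intended because upstream turned it off for a functional reason, a one-line note in the patch header saying so would keep the next rebase from re-adding it; if it is not intended, adding `+ProtectControlGroups=true` to the block this patch inserts restores the previous hardening. The inserted block continues past the end of the hunk, so only its first added line is visible here.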