pool/audit
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=1

Browse Source
This commit is contained in:
OBS User unknown 2007-01-15 22:51:54 +00:00 committed by Git OBS Bridge
commit ea9f17caea
15 changed files with 1095 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

8
README-BEFORE-ADDING-PATCHES Normal file
View File

@ -0,0 +1,8 @@
All patches need to have a patch description header similar to what is used in
kernel cvs.
Clear description of problem.
Buzilla entry if applicable.
Indication as to whether patch was upstreamed.
Patches added without this will be reverted. Thanks.

3
audit-1.2.9.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0995cdda8aeb4cd1126427d78fcc44aa6bf84e578f15fad0074ffbb9ac609339
size 193190

49
audit-auparse_missing_return.patch Normal file
View File

@ -0,0 +1,49 @@
From: tonyj@suse.de
References: none
Patch-upstream: no
Disable unused functions which are tripping the abuild garbage return code
detection.
--- audit-1.2.6/auparse/auparse.c.xx 2006-08-31 21:24:46.000000000 +0200
+++ audit-1.2.6/auparse/auparse.c 2006-08-31 21:30:48.000000000 +0200
@@ -177,6 +177,7 @@
}
+#if 0
time_t auparse_get_time(auparse_state_t *au)
{
}
@@ -190,6 +191,7 @@
unsigned long auparse_get_serial(auparse_state_t *au)
{
}
+#endif /* not used, disable to avoid abuild garbage return error */
const char *auparse_get_node(auparse_state_t *au)
@@ -198,9 +200,11 @@
}
+#if 0
int auparse_timestamp_compare(event_t *e1, event_t *e2)
{
}
+#endif /* not used, disable to avoid abuild garbage return error */
/* Functions that traverse records in the same event */
@@ -260,9 +264,11 @@
}
+#if 0
int auparse_get_field_int(auparse_state_t *au)
{
}
+#endif /* not used, disable to avoid abuild garbage return error */
const char *auparse_interpret_field(auparse_state_t *au)

20
audit-change-paths.patch Normal file
View File

@ -0,0 +1,20 @@
From: tonyj@suse.de
References: unknown
Upstream: no
Change paths.
1) Since libstdc++ is in /usr, audispd must move also
2) Change location of audit config file to /etc
--- audit-1.2.6/init.d/auditd.conf.xx 2006-08-31 18:18:11.000000000 +0200
+++ audit-1.2.6/init.d/auditd.conf 2006-08-31 18:19:00.000000000 +0200
@@ -8,7 +8,7 @@
flush = INCREMENTAL
freq = 20
num_logs = 4
-dispatcher = /sbin/audispd
+#dispatcher = /usr/sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE

102
audit-disable-syscall-contexts.patch Normal file
View File

@ -0,0 +1,102 @@
From: sbeattie@suse.de
References: 172154
Upstream: no
Disable syscall audit context creation by default.
This patch needs to be reevaluated in light of kernel performance improvements
to audit comitted around ~2.6.18
--- audit-1.2.6/src/auditd.c.xx 2006-07-27 19:06:08.000000000 +0200
+++ audit-1.2.6/src/auditd.c 2006-08-31 20:02:57.000000000 +0200
@@ -36,6 +36,7 @@
#include <sys/wait.h>
#include <fcntl.h>
#include <pthread.h>
+#include <getopt.h>
#include "libaudit.h"
#include "auditd-config.h"
@@ -69,7 +70,7 @@
*/
static void usage(void)
{
- puts("Usage: auditd [ -f ]");
+ puts("Usage: auditd [ -f ] [ -n ]");
exit(2);
}
@@ -281,18 +282,28 @@
struct rlimit limit;
int hup_info_requested = 0, usr1_info_requested = 0;
int i;
+ int opt_foreground = 0;
+ int opt_enabled = 1;
+ int c;
/* Get params && set mode */
- if (argc > 2)
- usage();
- if (argc == 2) {
- if (strcmp(argv[1], "-f") == 0) {
- config.daemonize = D_FOREGROUND;
- set_aumessage_mode(MSG_STDERR, DBG_YES);
- } else
+ while ((c = getopt(argc, argv, "fn")) != -1) {
+ switch (c) {
+ case 'f':
+ opt_foreground = 1;
+ break;
+ case 'n':
+ opt_enabled = 0;
+ break;
+ default:
usage();
+ }
}
- else {
+
+ if (opt_foreground) {
+ config.daemonize = D_FOREGROUND;
+ set_aumessage_mode(MSG_STDERR, DBG_YES);
+ } else {
config.daemonize = D_BACKGROUND;
set_aumessage_mode(MSG_SYSLOG, DBG_NO);
(void) umask( umask( 077 ) | 022 );
@@ -429,7 +440,7 @@
tell_parent(SUCCESS);
/* Enable auditing just in case it was off */
- if (audit_set_enabled(fd, 1) < 0) {
+ if (audit_set_enabled(fd, opt_enabled) < 0) {
char emsg[DEFAULT_BUF_SZ];
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
@@ -558,6 +569,7 @@
/* Write message to log that we are going down */
int rc;
+ audit_set_enabled(fd, 0);
rc = audit_request_signal_info(fd);
if (rc > 0) {
struct audit_reply trep;
--- audit-1.2.6/docs/auditd.8.xx 2006-04-06 23:21:14.000000000 +0200
+++ audit-1.2.6/docs/auditd.8 2006-08-31 20:02:47.000000000 +0200
@@ -4,6 +4,7 @@
.SH SYNOPSIS
.B auditd
[ \fI-f \fR]
+[ \fI-n \fR]
.SH DESCRIPTION
auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the
.B ausearch
@@ -18,6 +19,10 @@
.TP
\fB\-f\fR
leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log.
+.TP
+\fB-n\fR
+start the audit daemon, but do not enabled system call auditing in the kernel.
+This can be done separately by using \fBauditctl -e\fR.
.SH SIGNALS
\fB\SIGHUP\fR
causes auditd to reconfigure. This means that auditd re-reads the configuration file. If there are no syntax errors, it will proceed to implement the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the logs. If not successful, error handling is controlled by space_left_action, admin_space_left_action, disk_full_action, and disk_error_action parameters in auditd.conf.

21
audit-libs-python.changes Normal file
View File

@ -0,0 +1,21 @@
-------------------------------------------------------------------
Wed Nov 29 02:47:22 CET 2006 - tonyj@suse.de
- Upgrade to 1.2.9 (drop several patches which are now upstream)
- /usr/sbin/audispd now packaged by audit-libs-python
-------------------------------------------------------------------
Sun Nov 5 00:45:21 CET 2006 - ro@suse.de
- fix requires
-------------------------------------------------------------------
Thu Aug 31 22:57:52 CEST 2006 - tonyj@suse.de
- Upgrade to 1.2.6-1
-------------------------------------------------------------------
Wed Aug 16 16:19:20 CEST 2006 - cthiel@suse.de
- split off package

93
audit-libs-python.spec Normal file
View File

@ -0,0 +1,93 @@
#
# spec file for package audit-libs-python (Version 1.2.9)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: audit-libs-python
%define _name audit
BuildRequires: audit-devel gcc-c++ python-devel swig
Summary: Python bindings for libaudit
Version: 1.2.9
Release: 2
License: GNU General Public License (GPL)
Group: System/Monitoring
URL: http://people.redhat.com/sgrubb/audit/
Source0: audit-%{version}.tar.bz2
Patch0: audit-change-paths.patch
Patch1: audit-disable-syscall-contexts.patch
Patch2: audit-auparse_missing_return.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: audit-libs = %( echo `rpm -q --queryformat '%{VERSION}-%{RELEASE}' audit-libs`)
PreReq: %insserv_prereq %fillup_prereq
%description
The audit-libs-python package contains the bindings so that libaudit
can be used by python.
Authors:
--------
Steve Grubb <sgrubb@redhat.com>
%prep
%setup -q -n audit-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%build
autoreconf -fv --install
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="$CFLAGS"
./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --with-apparmor
pushd src/mt
make libaudit.h
popd
make
%install
make DESTDIR=$RPM_BUILD_ROOT install -C swig
make DESTDIR=$RPM_BUILD_ROOT install -C audisp LIBDIR=$RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages
mkdir $RPM_BUILD_ROOT/usr/sbin
mv $RPM_BUILD_ROOT/sbin/audispd $RPM_BUILD_ROOT/usr/sbin/audispd
rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/_audit.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/_audit.la
%clean
rm -rf $RPM_BUILD_ROOT
%post
if [ -f /etc/audit/auditd.conf ]; then
tmp=`mktemp /etc/audit/auditd-post.$$`
if [ -n $tmp ]; then
sed 's|^#dispatcher|dispatcher|g' /etc/audit/auditd.conf > $tmp && \
cat $tmp > /etc/audit/auditd.conf
rm -f $tmp
fi
fi
%files
%defattr(-,root,root,-)
%attr(750,root,root) /usr/sbin/audispd
%{_libdir}/python%{py_ver}/site-packages/_audit.so
%{_libdir}/python%{py_ver}/site-packages/audit.py*
%{_libdir}/python%{py_ver}/site-packages/AuditMsg.py*
%changelog -n audit-libs-python
* Wed Nov 29 2006 - tonyj@suse.de
- Upgrade to 1.2.9 (drop several patches which are now upstream)
- /usr/sbin/audispd now packaged by audit-libs-python
* Sun Nov 05 2006 - ro@suse.de
- fix requires
* Thu Aug 31 2006 - tonyj@suse.de
- Upgrade to 1.2.6-1
* Wed Aug 16 2006 - cthiel@suse.de
- split off package

41
audit-no_python.patch Normal file
View File

@ -0,0 +1,41 @@
From: tonyj@suse.de
Date: unknown
Upstream: no
This patch is used by audit.spec to disable use of Python.
Necessary Python files are built seperately by audit-libs-python.spec
(make -C swig ; make -C auditsp)
--- audit-1.2.6/configure.ac.xx 2006-07-13 23:02:17.000000000 +0200
+++ audit-1.2.6/configure.ac 2006-08-31 20:52:49.000000000 +0200
@@ -39,7 +39,7 @@
AM_INIT_AUTOMAKE
AM_PROG_LIBTOOL
AC_SUBST(LIBTOOL_DEPS)
-AM_PATH_PYTHON(2.4)
+#AM_PATH_PYTHON(2.4)
echo .
echo Checking for programs
@@ -105,7 +105,8 @@
if test x$use_apparmor != xno ; then
AC_DEFINE(WITH_APPARMOR,1,[Define if you want to enable AppArmor events.])fi
-AC_OUTPUT(Makefile lib/Makefile auparse/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile)
+#AC_OUTPUT(Makefile lib/Makefile auparse/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile)
+AC_OUTPUT(Makefile lib/Makefile auparse/Makefile src/Makefile src/mt/Makefile docs/Makefile init.d/Makefile)
echo .
echo "
--- audit-1.2.6/Makefile.am.xx 2006-07-13 22:24:35.000000000 +0200
+++ audit-1.2.6/Makefile.am 2006-08-31 20:52:49.000000000 +0200
@@ -22,7 +22,8 @@
#
#SUBDIRS = lib auparse src/mt src audisp audisp/tests swig init.d docs
-SUBDIRS = lib src/mt src audisp swig init.d docs
+#SUBDIRS = lib src/mt src audisp swig init.d docs
+SUBDIRS = lib src/mt src init.d docs
EXTRA_DIST = ChangeLog AUTHORS NEWS README sample.rules contrib/capp.rules contrib/lspp.rules contrib/skeleton.c README-install audit.spec
CONFIG_CLEAN_FILES = Makefile.in aclocal.m4* config.h.* configure debug*.list config/*

209
audit.changes Normal file
View File

@ -0,0 +1,209 @@
-------------------------------------------------------------------
Wed Nov 29 02:46:08 CET 2006 - tonyj@suse.de
- Upgrade to 1.2.9 (drop several patches which are now upstream)
- Move to using /etc/audit directory for config files
-------------------------------------------------------------------
Thu Aug 31 22:57:52 CEST 2006 - tonyj@suse.de
- Upgrade to 1.2.6-1
-------------------------------------------------------------------
Sat Aug 26 09:01:50 CEST 2006 - olh@suse.de
- do not define __KERNEL__ in userland apps
- remove unused sys/syscall.h include
-------------------------------------------------------------------
Wed Aug 16 15:42:58 CEST 2006 - cthiel@suse.de
- split audit into audit and audit-libs-python
-------------------------------------------------------------------
Fri May 5 21:05:40 CEST 2006 - sbeattie@suse.de
- disable syscall audit context creation by default #172154
-------------------------------------------------------------------
Mon Mar 20 16:18:29 CET 2006 - meissner@suse.de
- Do not print a misleading errormessage when audit
is not compiled into the kernel. #152733
-------------------------------------------------------------------
Mon Mar 6 14:21:06 CET 2006 - meissner@suse.de
- On kernels without auditing, which report ECONNREFUSED,
do not output stuff to stderr on startup. #152733
-------------------------------------------------------------------
Sat Feb 25 09:55:48 CET 2006 - kukuk@suse.de
- Fix moving of devel libraries, don't install .la file
-------------------------------------------------------------------
Wed Feb 22 15:10:44 CET 2006 - meissner@suse.de
- moved libaudit.so symlink to /usr/lib and to -devel package,
as requested by Thorsten.
-------------------------------------------------------------------
Fri Feb 17 19:56:14 CET 2006 - meissner@suse.de
- check sendto() return against -1 (error with errno set).
-------------------------------------------------------------------
Wed Jan 25 21:34:31 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Wed Jan 25 12:09:31 CET 2006 - ro@suse.de
- fix fillup call since filename != packagename
-------------------------------------------------------------------
Tue Jan 24 19:01:52 CET 2006 - ro@suse.de
- do not skip fillup in postinstall
-------------------------------------------------------------------
Mon Jan 23 08:54:33 CET 2006 - dreynolds@suse.de
- Modified inssrv macro args to enable on boot
-------------------------------------------------------------------
Wed Jan 18 21:33:21 CET 2006 - tonyj@suse.de
- Add support for AppArmor (submitted upstream for 1.1.4)
-------------------------------------------------------------------
Fri Jan 13 11:35:57 CET 2006 - meissner@suse.de
- Updated to 1.1.3.
- Moved audispd to /usr/sbin since it uses /usr/lib/libstdc++
- Updated sysconfig snippet.
-------------------------------------------------------------------
Tue Nov 8 11:32:45 CET 2005 - meissner@suse.de
- upgraded to 1.0.12.
-------------------------------------------------------------------
Fri Nov 4 12:41:35 CET 2005 - kukuk@suse.de
- Update to 1.0.9.
-------------------------------------------------------------------
Wed Oct 12 17:24:55 CEST 2005 - meissner@suse.de
- upgraded to 1.0.6. ptrdift patch now solved upstream.
-------------------------------------------------------------------
Wed Oct 5 15:17:05 CEST 2005 - meissner@suse.de
- Upgraded to 1.0.5
-------------------------------------------------------------------
Wed Oct 5 12:00:38 CEST 2005 - dmueller@suse.de
- add norootforbuild
-------------------------------------------------------------------
Mon Sep 26 11:40:27 CEST 2005 - meissner@suse.de
- Upgraded to 1.0.4.
- Make rate & backlog 32 bit unsigned int in auditctl
- In auditctl, if -F arch is given with -t option, don't require list
- Update auditd man page
- Add size check to audit_send
- Update message for audit_open failure when kernel doesn't support audit
-------------------------------------------------------------------
Tue Aug 23 14:07:44 CEST 2005 - meissner@suse.de
- Upgraded to 1.0.3 bugfix release:
- adjust file perms of newly created log file in auditd
- fix 2 memory leaks and an out of bounds access in auditd
- fix case where auditd was closing netlink descriptor too early
- fix watch rules not to take field arguments in auditctl
- fix bug where inode, devmajor, devminor, exit, and success fields in auditctl
rules were not getting the correct value stored
-------------------------------------------------------------------
Wed Aug 17 14:19:29 CEST 2005 - meissner@suse.de
- Added /var/log/audit directory and ghost audit.log #105131
-------------------------------------------------------------------
Wed Aug 10 13:37:56 CEST 2005 - meissner@suse.de
- Upgraded to 1.0.2
-------------------------------------------------------------------
Thu Aug 4 11:20:00 CEST 2005 - meissner@suse.de
- Upgraded to 1.0.1.
-------------------------------------------------------------------
Mon Jul 11 14:47:38 CEST 2005 - meissner@suse.de
- Update to version 0.9.16.
-------------------------------------------------------------------
Tue Jun 21 08:38:17 CEST 2005 - meissner@suse.de
- Update to version 0.9.10.
-------------------------------------------------------------------
Fri Jun 17 11:21:42 CEST 2005 - meissner@suse.de
- Update to version 0.9.7.
-------------------------------------------------------------------
Thu Jun 16 14:51:48 CEST 2005 - kukuk@suse.de
- Update to version 0.9.5
-------------------------------------------------------------------
Tue Jun 14 01:30:20 CEST 2005 - ro@suse.de
- make it build with current includes
-------------------------------------------------------------------
Tue May 31 14:15:30 CEST 2005 - meissner@suse.de
- Upgraded to 0.9.
-------------------------------------------------------------------
Fri May 13 13:08:41 CEST 2005 - meissner@suse.de
- upgraded to 0.6.8
-------------------------------------------------------------------
Tue Apr 19 10:39:54 CEST 2005 - meissner@suse.de
- Upgraded to 0.6.11.
-------------------------------------------------------------------
Fri Apr 15 17:52:43 CEST 2005 - pth@suse.de
- Make libaudit.h define pgoff_t by itself.
- Fix a minor warning.
-------------------------------------------------------------------
Wed Mar 30 17:58:32 CEST 2005 - meissner@suse.de
- Upgraded to 0.6.9.
-------------------------------------------------------------------
Fri Mar 4 11:23:29 CET 2005 - meissner@suse.de
- Upgraded to 0.6.5.
-------------------------------------------------------------------
Thu Mar 3 14:59:36 CET 2005 - meissner@suse.de
- initial package of auditd for new kernel auditing system.

283
audit.spec Normal file
View File

@ -0,0 +1,283 @@
#
# spec file for package audit (Version 1.2.9)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
Name: audit
BuildRequires: gcc-c++
Summary: User Space Tools for 2.6 Kernel Auditing
Version: 1.2.9
Release: 2
License: GNU General Public License (GPL)
Group: System/Monitoring
URL: http://people.redhat.com/sgrubb/audit/
Source0: %{name}-%{version}.tar.bz2
Source1: auditd.init
Source2: auditd.sysconfig
Patch0: audit-change-paths.patch
Patch1: audit-no_python.patch
Patch2: audit-disable-syscall-contexts.patch
Patch3: audit-auparse_missing_return.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: %{name}-libs = %{version}-%{release}
PreReq: %insserv_prereq %fillup_prereq
%description
The audit package contains the user space utilities for storing and
processing the audit records generated by the audit subsystem in the
Linux 2.6 kernel.
Authors:
--------
Steve Grubb <sgrubb@redhat.com>
%package libs
Summary: Dynamic library for libaudit
License: GNU General Public License (GPL)
Group: System/Monitoring
%description libs
The audit-libs package contains the dynamic libraries needed for
applications to use the audit framework.
Authors:
--------
Steve Grubb <sgrubb@redhat.com>
%package devel
Summary: Header files and static library for libaudit
License: GNU Library General Public License v. 2.0 and 2.1 (LGPL)
Group: System/Monitoring
Requires: %{name}-libs = %{version}-%{release}
%description devel
The audit-devel package contains the static libraries and header files
needed for developing applications that need to use the audit framework
libraries.
Authors:
--------
Steve Grubb <sgrubb@redhat.com>
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
autoreconf -fv --install
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="$CFLAGS"
./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --with-apparmor
pushd src/mt
make libaudit.h
popd
make
%install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,init.d}}
mkdir -p $RPM_BUILD_ROOT/usr/sbin
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
make DESTDIR=$RPM_BUILD_ROOT install
mkdir -p $RPM_BUILD_ROOT/%{_includedir}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}
# We manually install this since Makefile doesn't
install -m 0644 lib/libaudit.h $RPM_BUILD_ROOT/%{_includedir}
# This winds up in the wrong place when libtool is involved
# -- 11/06 -- temp disable libauparse
#rm $RPM_BUILD_ROOT/%{_lib}/libaudit.so $RPM_BUILD_ROOT/%{_lib}/libauparse.so
#ln -sf /%{_lib}/libaudit.so.0 $RPM_BUILD_ROOT%{_libdir}/libaudit.so
#ln -sf /%{_lib}/libauparse.so.0 $RPM_BUILD_ROOT%{_libdir}/libauparse.so
#mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT/%{_lib}/libauparse.a $RPM_BUILD_ROOT%{_libdir}
#rm $RPM_BUILD_ROOT/%{_lib}/libaudit.la $RPM_BUILD_ROOT/%{_lib}/libauparse.la
# --
rm $RPM_BUILD_ROOT/%{_lib}/libaudit.so
# Link points to real /lib not buildroot /lib
ln -sf /%{_lib}/libaudit.so.0 $RPM_BUILD_ROOT%{_libdir}/libaudit.so
mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT%{_libdir}
rm $RPM_BUILD_ROOT/%{_lib}/libaudit.la
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
cp %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.auditd
# delete redhat script, use ours
rm -rf $RPM_BUILD_ROOT/etc/sysconfig/auditd
rm -rf $RPM_BUILD_ROOT/etc/init.d/auditd
rm -rf $RPM_BUILD_ROOT/etc/rc.d/init.d
install -c -m 755 %{SOURCE1} $RPM_BUILD_ROOT/etc/init.d/auditd
ln -s /etc/init.d/auditd $RPM_BUILD_ROOT/sbin/rcauditd
mkdir -p $RPM_BUILD_ROOT/var/log/audit/
touch $RPM_BUILD_ROOT/var/log/audit/audit.log
# for %ghost below, so that old location files will still be there when
# %post copy runs
touch $RPM_BUILD_ROOT/etc/{auditd.conf,audit.rules}
%clean
rm -rf $RPM_BUILD_ROOT
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%post
%{fillup_and_insserv -yn auditd auditd}
# Save existing audit files if any (from old location)
if [ -f /etc/auditd.conf ]; then
mv /etc/audit/auditd.conf /etc/audit/auditd.conf.new
mv /etc/auditd.conf /etc/audit/auditd.conf
fi
if [ -f /etc/audit.rules ]; then
mv /etc/audit/audit.rules /etc/audit/audit.rules.new
mv /etc/audit.rules /etc/audit/audit.rules
fi
%preun
%stop_on_removal auditd
%postun
%restart_on_update auditd
%{insserv_cleanup}
%files libs
%defattr(-,root,root)
/%{_lib}/libaudit.*
#/%{_lib}/libauparse.*
%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
%files devel
%defattr(-,root,root)
%{_libdir}/libaudit.*
#%{_libdir}/libauparse.*
%{_includedir}/libaudit.h
%{_mandir}/man3/*
%files
%defattr(-,root,root,-)
%doc README COPYING ChangeLog sample.rules
%{_mandir}/man8/*
%attr(750,root,root) /sbin/auditctl
%attr(750,root,root) /sbin/auditd
%attr(750,root,root) /sbin/ausearch
%attr(750,root,root) /sbin/rcauditd
%attr(750,root,root) /sbin/autrace
%attr(750,root,root) /sbin/aureport
/etc/init.d/auditd
%dir %attr(750,root,root) /etc/audit
%ghost /etc/auditd.conf
%ghost /etc/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
%config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
/var/adm/fillup-templates/sysconfig.auditd
%dir %attr(700,root,root) /var/log/audit
%ghost /var/log/audit/audit.log
%changelog -n audit
* Wed Nov 29 2006 - tonyj@suse.de
- Upgrade to 1.2.9 (drop several patches which are now upstream)
- Move to using /etc/audit directory for config files
* Thu Aug 31 2006 - tonyj@suse.de
- Upgrade to 1.2.6-1
* Sat Aug 26 2006 - olh@suse.de
- do not define __KERNEL__ in userland apps
- remove unused sys/syscall.h include
* Wed Aug 16 2006 - cthiel@suse.de
- split audit into audit and audit-libs-python
* Fri May 05 2006 - sbeattie@suse.de
- disable syscall audit context creation by default #172154
* Mon Mar 20 2006 - meissner@suse.de
- Do not print a misleading errormessage when audit
is not compiled into the kernel. #152733
* Mon Mar 06 2006 - meissner@suse.de
- On kernels without auditing, which report ECONNREFUSED,
do not output stuff to stderr on startup. #152733
* Sat Feb 25 2006 - kukuk@suse.de
- Fix moving of devel libraries, don't install .la file
* Wed Feb 22 2006 - meissner@suse.de
- moved libaudit.so symlink to /usr/lib and to -devel package,
as requested by Thorsten.
* Fri Feb 17 2006 - meissner@suse.de
- check sendto() return against -1 (error with errno set).
* Wed Jan 25 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
* Wed Jan 25 2006 - ro@suse.de
- fix fillup call since filename != packagename
* Tue Jan 24 2006 - ro@suse.de
- do not skip fillup in postinstall
* Mon Jan 23 2006 - dreynolds@suse.de
- Modified inssrv macro args to enable on boot
* Wed Jan 18 2006 - tonyj@suse.de
- Add support for AppArmor (submitted upstream for 1.1.4)
* Fri Jan 13 2006 - meissner@suse.de
- Updated to 1.1.3.
- Moved audispd to /usr/sbin since it uses /usr/lib/libstdc++
- Updated sysconfig snippet.
* Tue Nov 08 2005 - meissner@suse.de
- upgraded to 1.0.12.
* Fri Nov 04 2005 - kukuk@suse.de
- Update to 1.0.9.
* Wed Oct 12 2005 - meissner@suse.de
- upgraded to 1.0.6. ptrdift patch now solved upstream.
* Wed Oct 05 2005 - meissner@suse.de
- Upgraded to 1.0.5
* Wed Oct 05 2005 - dmueller@suse.de
- add norootforbuild
* Mon Sep 26 2005 - meissner@suse.de
- Upgraded to 1.0.4.
- Make rate & backlog 32 bit unsigned int in auditctl
- In auditctl, if -F arch is given with -t option, don't require list
- Update auditd man page
- Add size check to audit_send
- Update message for audit_open failure when kernel doesn't support audit
* Tue Aug 23 2005 - meissner@suse.de
- Upgraded to 1.0.3 bugfix release:
- adjust file perms of newly created log file in auditd
- fix 2 memory leaks and an out of bounds access in auditd
- fix case where auditd was closing netlink descriptor too early
- fix watch rules not to take field arguments in auditctl
- fix bug where inode, devmajor, devminor, exit, and success fields in auditctl
rules were not getting the correct value stored
* Wed Aug 17 2005 - meissner@suse.de
- Added /var/log/audit directory and ghost audit.log #105131
* Wed Aug 10 2005 - meissner@suse.de
- Upgraded to 1.0.2
* Thu Aug 04 2005 - meissner@suse.de
- Upgraded to 1.0.1.
* Mon Jul 11 2005 - meissner@suse.de
- Update to version 0.9.16.
* Tue Jun 21 2005 - meissner@suse.de
- Update to version 0.9.10.
* Fri Jun 17 2005 - meissner@suse.de
- Update to version 0.9.7.
* Thu Jun 16 2005 - kukuk@suse.de
- Update to version 0.9.5
* Tue Jun 14 2005 - ro@suse.de
- make it build with current includes
* Tue May 31 2005 - meissner@suse.de
- Upgraded to 0.9.
* Fri May 13 2005 - meissner@suse.de
- upgraded to 0.6.8
* Tue Apr 19 2005 - meissner@suse.de
- Upgraded to 0.6.11.
* Fri Apr 15 2005 - pth@suse.de
- Make libaudit.h define pgoff_t by itself.
- Fix a minor warning.
* Wed Mar 30 2005 - meissner@suse.de
- Upgraded to 0.6.9.
* Fri Mar 04 2005 - meissner@suse.de
- Upgraded to 0.6.5.
* Thu Mar 03 2005 - meissner@suse.de
- initial package of auditd for new kernel auditing system.

207
auditd.init Normal file
View File

@ -0,0 +1,207 @@
#! /bin/sh
# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Kurt Garloff
# Please send feedback to http://www.suse.de/feedback/
#
# /etc/init.d/auditd
# and its symbolic link
# /(usr/)sbin/rcauditd
#
# Template system startup script for some example service/daemon auditd
#
# LSB compatible service control script; see http://www.linuxbase.org/spec/
#
# Note: This template uses functions rc_XXX defined in /etc/rc.status on
# UnitedLinux (UL) based Linux distributions. If you want to base your
# script on this template and ensure that it works on non UL based LSB
# compliant Linux distributions, you either have to provide the rc.status
# functions from UL or change the script to work without them.
#
### BEGIN INIT INFO
# Provides: auditd
# Required-Start: $syslog
# Should-Start:
# Required-Stop: $syslog
# Should-Stop:
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: auditd daemon providing core auditing services
# Description: Starts the auditing subsystem.
### END INIT INFO
#
# A registry has been set up to manage the init script namespace.
# http://www.lanana.org/
# Please use the names already registered or register one or use a
# vendor prefix.
# Check for missing binaries (stale symlinks should not happen)
# Note: Special treatment of stop for LSB conformance
AUDITD_BIN=/sbin/auditd
test -x $AUDITD_BIN || { echo "$AUDITD_BIN not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it
AUDITD_CONFIG=/etc/sysconfig/auditd
test -r $AUDITD_CONFIG || { echo "$AUDITD_CONFIG not existing";
if [ "$1" = "stop" ]; then exit 0;
else exit 6; fi; }
# Read config
. $AUDITD_CONFIG
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and log_warning_msg.
# This is currently not used by UnitedLinux based distributions and
# not needed for init scripts for UnitedLinux only. If it is used,
# the functions from rc.status should not be sourced or used.
#. /lib/lsb/init-functions
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated by symlinks
# rc_splash arg sets the boot splash screen to arg (if active)
. /etc/rc.status
# Reset status of this service
rc_reset
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
#
# Note that starting an already running service, stopping
# or restarting a not-running service as well as the restart
# with force-reload (in case signaling is not supported) are
# considered a success.
case "$1" in
start)
echo -n "Starting auditd "
if [ "$AUDITD_DISABLE_CONTEXTS" == "yes" ] ; then
EXTRAOPTIONS="$EXTRAOPTIONS -n"
fi
## Start daemon with startproc(8). If this fails
## the return value is set appropriately by startproc.
startproc $AUDITD_BIN $EXTRAOPTIONS
test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down auditd "
## Stop daemon with killproc(8) and if this fails
## killproc sets the return value according to LSB.
killproc -TERM $AUDITD_BIN
# Remember status and be verbose
rc_status -v
;;
try-restart|condrestart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
if test "$1" = "condrestart"; then
echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
fi
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart.
echo -n "Reload service AUDITD "
## if it supports it:
killproc -HUP $AUDITD_BIN
#touch /var/run/auditd.pid
rc_status -v
## Otherwise:
#$0 try-restart
#rc_status
;;
reload)
## Like force-reload, but if daemon does not support
## signaling, do nothing (!)
# If it supports signaling:
echo -n "Reload service auditd "
killproc -HUP $AUDITD_BIN
#touch /var/run/auditd.pid
rc_status -v
## Otherwise if it does not support reload:
#rc_failed 3
#rc_status -v
;;
status)
echo -n "Checking for service auditd "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Return value is slightly different for the status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
# NOTE: checkproc returns LSB compliant status values.
checkproc $AUDITD_BIN
# NOTE: rc_status knows that we called this init script with
# "status" option and adapts its messages accordingly.
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload, print out the
## argument to this init script which is required for a reload.
## Note: probe is not (yet) part of LSB (as of 1.9)
test /etc/audit/auditd.conf -nt /var/run/auditd.pid && echo reload
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

35
auditd.sysconfig Normal file
View File

@ -0,0 +1,35 @@
## Path: System/Auditing
## Description: Auditing Options
## Type: string
## Default: auditd
## ServiceReload: auditd
## ServiceRestart: auditd
#
IDENT="auditd"
# Type: string
# Default: ""
# Add extra options here
EXTRAOPTIONS=""
#
## Type: string
## Default: "en_US"
#
# This is the locale information that audit uses. Its defaulted to en_US.
# To remove all locale information from audit's environment, set
# AUDITD_LANG to the empty string or the string "none".
AUDITD_LANG="en_US"
#
## Type: string
## Default: "yes"
#
# This option is used to determine if rules & watches should be deleted on
# shutdown. This is beneficial in most cases so that a watch doesn't linger
# on a drive that is being unmounted. If set to no, it will NOT be cleaned up.
AUDITD_CLEAN_STOP="yes"
#
## Type: yesno
## Default: yes
#
# This option disables syscall auditing by default. This can also be
# accomplished by auditctl -e.
AUDITD_DISABLE_CONTEXTS="yes"

0
ready Normal file
View File