pool/audit
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
118 Commits 2 Branches 0 Tags 3.2 MiB
09b88829e8
Commit Graph

118 Commits

This Branch
This Branch
All Branches
Author SHA256 Message Date
Enzo Matsumiya
09b88829e8 Accepting request 920348 from home:ematsumiya:branches:security 
- Fix hardened auditd.service (bsc#1181400)
  * add fix-hardened-service.patch
    Make /etc/audit read-write from the service.
    Remove PrivateDevices=true to expose /dev/* to auditd.service.
- Enable stop rules for audit.service (cf. bsc#1190227)
  * add enable-stop-rules.patch
- Change default log_format from ENRICHED to RAW (bsc#1190500):
  * add change-default-log_format.patch (SUSE-specific patch)
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs

OBS-URL: https://build.opensuse.org/request/show/920348
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129
 2021-09-20 16:14:05 +00:00
Marcus Meissner
0e616b4165 - harden_auditd.service.patch: automatic hardening applied to systemd 
services

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=128
 2021-08-16 13:36:30 +00:00
Marcus Meissner
127262eccc Accepting request 911452 from home:jsegitz:branches:systemdhardening:security 
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/911452
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=127
 2021-08-16 13:21:17 +00:00
Marcus Meissner
d083951a31 - use https source urls 
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=126
 2021-08-03 15:56:57 +00:00
Marcus Meissner
ebf7ab7764 - use https source urls 
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=125
 2021-08-03 15:56:42 +00:00
Marcus Meissner
97e319769c Accepting request 909447 from home:ematsumiya:branches:security 
- Update to version 3.0.3:
  * Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists

OBS-URL: https://build.opensuse.org/request/show/909447
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=124
 2021-08-01 14:31:28 +00:00
Enzo Matsumiya
5810f8940b Accepting request 900606 from home:ematsumiya:branches:security 
- Adjust audit.spec and audit-secondary.spec to support new version
- Include fix for libev
  * add libev-werror.patch

- Update to version 3.0.2
- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if its suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesnt format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitue functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearin in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Removes audit-fno-common.patch: fixed in upstream
- Removes audit-python3.patch: fixed in upstream

OBS-URL: https://build.opensuse.org/request/show/900606
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=122
 2021-06-17 14:59:32 +00:00
Enzo Matsumiya
51c3a9728b Accepting request 900442 from home:ematsumiya:branches:security 
- Adjust audit.spec and audit-secondary.spec to support new version
- Include fix for libev
  * add libev-werror.patch

- Update to version 3.0.2
- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if its suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesnt format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitue functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearin in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Removes audit-fno-common.patch: fixed in upstream
- Removes audit-python3.patch: fixed in upstream

OBS-URL: https://build.opensuse.org/request/show/900442
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=121
 2021-06-16 18:07:14 +00:00
Enzo Matsumiya
827fffa884 Accepting request 900437 from home:ematsumiya:branches:security 
Mention libev patch in changelogs

OBS-URL: https://build.opensuse.org/request/show/900437
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=120
 2021-06-16 17:29:54 +00:00
Enzo Matsumiya
0ee158a589 Accepting request 900434 from home:ematsumiya:branches:security 
- Adjust spec files to support new version
- Include one fix for libev

- Update to version 3.0.2
- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if its suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesnt format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitue functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearin in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Remove audit-fno-common.patch: fixed in upstream
- Remove audit-python3.patch: fixed in upstream

old: security/audit
new: home:ematsumiya:branches:security/audit rev None
Index: audit-no-gss.patch
===================================================================
--- audit-no-gss.patch (revision 118)
+++ audit-no-gss.patch (revision 17)
@@ -11,11 +11,12 @@
 
 --- a/init.d/auditd.conf
 +++ b/init.d/auditd.conf
-@@ -30,7 +30,4 @@ tcp_listen_queue = 5
- tcp_max_per_addr = 1
+@@ -30,8 +30,6 @@ tcp_max_per_addr = 1
  ##tcp_client_ports = 1024-65535
  tcp_client_max_idle = 0
--enable_krb5 = no
+ transport = TCP
 -krb5_principal = auditd
 -##krb5_key_file = /etc/audit/audit.key
  distribute_network = no
+ q_depth = 400
+ overflow_action = SYSLOG
Index: audit-plugins-path.patch
===================================================================
--- audit-plugins-path.patch (revision 118)
+++ audit-plugins-path.patch (revision 17)
@@ -5,19 +5,8 @@
 Adjust location of plugins built by audit-secondary.  These should never have
 been in /sbin plus some (for SUSE) require lib dependancies on /usr/lib
 
---- audit-1.7.2/audisp/plugins/prelude/au-prelude.conf.orig	2008-04-23 11:56:11.946681000 +0200
-+++ audit-1.7.2/audisp/plugins/prelude/au-prelude.conf	2008-04-23 11:56:22.789827000 +0200
-@@ -5,7 +5,7 @@
- 
- active = no
- direction = out
--path = /sbin/audisp-prelude
-+path = /usr/sbin/audisp-prelude
- type = always
- #args =
- format = string
---- audit-1.7.2/audisp/plugins/remote/au-remote.conf.orig	2008-04-23 11:56:11.976660000 +0200
-+++ audit-1.7.2/audisp/plugins/remote/au-remote.conf	2008-04-23 11:56:30.958657000 +0200
+--- a/audisp/plugins/remote/au-remote.conf
++++ b/audisp/plugins/remote/au-remote.conf
 @@ -5,7 +5,7 @@
  
  active = no
@@ -27,8 +16,8 @@
  type = always
  #args =
  format = string
---- audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf.orig	2008-04-23 11:56:11.993637000 +0200
-+++ audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf	2008-04-23 11:56:40.533070000 +0200
+--- a/audisp/plugins/zos-remote/audispd-zos-remote.conf
++++ b/audisp/plugins/zos-remote/audispd-zos-remote.conf
 @@ -8,7 +8,7 @@
  
  active = no
@@ -36,5 +25,5 @@
 -path = /sbin/audispd-zos-remote
 +path = /usr/sbin/audispd-zos-remote
  type = always 
- args = /etc/audisp/zos-remote.conf
+ args = /etc/audit/zos-remote.conf
  format = string
Index: audit-secondary.changes
===================================================================
--- audit-secondary.changes (revision 118)
+++ audit-secondary.changes (revision 17)
@@ -1,4 +1,129 @@
 -------------------------------------------------------------------
+Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Update to version 3.0.2
+- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
+- Optionally interpret auid in auditctl -l
+- Update some syscall argument interpretations
+- In auditd, do not allow spaces in the hostname name format
+- Big documentation cleanup (MIZUTA Takeshi)
+- Update syscall table to the 5.12 kernel
+- Update the auparse normalizer for new event types
+- Fix compiler warnings in ids subsystem
+- Block a couple signals from flush & reconfigure threads
+- In auditd, don't wait on flush thread when exiting
+- Output error message if the path of input files are too long ausearch/report
+
+Included fixes from 3.0.1
+- Update syscall table to the 5.11 kernel
+- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
+- Only enable periodic timers when listening on the network
+- Upgrade libev to 4.33
+- Add auparse_new_buffer function to auparse library
+- Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
+- Update the auparse normalizer for some new syscalls and event types
+
+Included fixes from 3.0
+- Generate checkpoint file even when no results are returned (Burn Alting)
+- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
+- Convert auparse_test to run with python3 (Tomáš Chvátal)
+- Drop support for prelude
+- Adjust backlog_wait_time in rules to the kernel default (#1482848)
+- Remove ids key syntax checking of rules in auditctl
+- Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
+- Fix parsing of uid & success for ausearch
+- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
+- Hide lru symbols in auparse
+- Add systemd process protections
+- Fix aureport summary time range reporting
+- Allow unlimited retries on startup for remote logging
+- Add queue_depth to remote logging stats and increase default queue_depth size
+- Fix segfault on shutdown
+- Merge auditd and audispd code
+- Close on execute init_pipe fd (#1587995)
+- Breakout audisp syslog plugin to be standalone program
+- Create a common internal library to reduce code
+- Move all audispd config files under /etc/audit/
+- Move audispd.conf settings into auditd.conf
+- Add queue depth statistics to internal state dump report
+- Add network statistics to internal state dump report
+- SIGUSR now also restarts queue processing if its suspended
+- Update lookup tables for the 4.18 kernel
+- Add auparse_normalizer support for SOFTWARE_UPDATE event
+- Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
+- Mark netlabel events as simple events so that get processed quicker
+- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+- In aureport, fix segfault in file report
+- Add auparse_normalizer support for labeled networking events
+- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
+- In ausearch/auparse, event aging is off by a second
+- In ausearch/auparse, correct event ordering to process oldest first
+- Migrate auparse python test to python3
+- auparse_reset was not clearing everything it should
+- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+- In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
+- In ausearch/report, limit record size when malformed
+- Port af_unix plugin to libev
+- In auditd, fix extract_type function for network originating events
+- In auditd, calculate right size and location for network originating events
+- Make legacy script wait for auditd to terminate (#1643567)
+- Treat all network originating events as VER2 so dispatcher doesn't format it
+- If an event has a node name make it VER2 so dispatcher doesnt format it
+- In audisp-remote do an initial connection attempt (#1625156)
+- In auditd, allow expression of space left as a percentage (#1650670)
+- On PPC64LE systems, only allow 64 bit rules (#1462178)
+- Make some parts of auditd state report optional based on config
+- Update to libev-4.25
+- Fix ausearch when checkpointing a single file (Burn Alting)
+- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+- In ausearch, do not checkpt if stdin is input source
+- In libev, remove __cold__ attribute for functions to allow proper hardening
+- Add tests to configure.ac for openldap support
+- Make systemd support files use /run rather than /var/run (Christian Hesse)
+- Fix minor memory leak in auditd kerberos credentials code
+- Allow exclude and user filter by executable name (Ondrej Mosnacek)
+- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+- In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Add substitue functions for strndupa & rawmemchr
+- Fix memleak in auparse caused by corrected event ordering
+- Fix legacy reload script to reload audit rules when daemon is reloaded
+- Support for unescaping in trusted messages (Dmitry Voronin)
+- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
+- In aureport, fix segfault for malformed USER_CMD events
+- Add exe field to audit_log_user_command in libaudit
+- In auditctl support filter on socket address families (Richard Guy Briggs)
+- Deprecate support for Alpha & IA64 processors
+- If space_left_action is rotate, allow it every time (#1718444)
+- In auparse, drop standalone EOE events
+- Add milliseconds column for ausearch extra time csv format
+- Fix aureport first event reporting when no start given
+- In audisp-remote, add new config item for startup connection errors
+- Remove dependency on chkconfig
+- Install rules to /usr/share/audit/sample-rules/
+- Split up ospp rules to make SCAP scanning easier (#1746018)
+- In audisp-syslog, support interpreting records (#1497279)
+- Audit USER events now sends msg as name value pair
+- Add support for AUDIT_BPF event
+- Auditd should not process AUDIT_REPLACE events
+- Update syscall tables to the 5.5 kernel
+- Improve personality interpretation by using PERS_MASK
+- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
+- Change auparse python bindings to shared object (Issue #121)
+- Add error messages for watch permissions
+- If audit rules file doesn't exist log error message instead of info message
+- Revise error message for unmatched options in auditctl
+- In audisp-remote, fixup remote endpoint disappearin in ascii format
+- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
+- In auditctl, add support for sending a signal to auditd
+
+- Removes audit-fno-common.patch: fixed in upstream
+- Removes audit-python3.patch: fixed in upstream
+
+-------------------------------------------------------------------
 Mon Feb  1 18:13:18 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
 
 - Do not explicitly provide group(audit) in system-users-audit:
@@ -24,7 +149,7 @@
 -------------------------------------------------------------------
 Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com>
 
-- Update to version 2.6.5:
+- Update to version 2.8.5:
   * Fix segfault on shutdown
   * Fix hang on startup (#1587995)
   * Add sleep to script to dump state so file is ready when needed
Index: audit-secondary.spec
===================================================================
--- audit-secondary.spec (revision 118)
+++ audit-secondary.spec (revision 17)
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        2.8.5
+Version:        3.0.2
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -34,9 +34,8 @@
 Patch2:         audit-no-gss.patch
 Patch3:         audit-allow-manual-stop.patch
 Patch4:         audit-ausearch-do-not-require-tclass.patch
-Patch5:         audit-python3.patch
-Patch6:         audit-fno-common.patch
-Patch7:         change-default-log_group.patch
+Patch5:         change-default-log_group.patch
+Patch6:         libev-werror.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -55,6 +54,7 @@
 BuildRequires:  sysuser-tools
 BuildRequires:  tcpd-devel
 BuildRequires:  pkgconfig(libcap-ng)
+Provides:       bundled(libev) = 4.33
 
 %description
 The audit package contains the user space utilities for storing and
@@ -127,14 +127,13 @@
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
 # If both versions are present, python2 bindings are preferred by the tests and
 # unconditionally using /usr/bin/python3 breaks the tests
 # Probably the correct solution is to run the tests twice if both are present.
-sed -i -e 's:#!/usr/bin/env python:#!/usr/bin/python3:g' auparse/test/auparse_test.py
+perl -i -lpe 's{#!/usr/bin/env python\S+}{#!/usr/bin/python3}' auparse/test/auparse_test.py
 %endif
 
 %build
@@ -144,15 +143,18 @@
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
 %configure \
+%ifarch aarch64
+	--with-aarch64 \
+%endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{_name} \
 	--with-apparmor \
 	--with-libwrap \
 	--with-libcap-ng=yes \
-%ifarch aarch64
-	--with-aarch64 \
-%endif
-	--disable-static
+	--disable-static \
+	%{?_with_python3} \
+	%{?_without_python}
+
 make %{?_smp_mflags}
 
 %sysusers_generate_pre %{SOURCE1} audit
@@ -197,7 +199,7 @@
 #USR-MERGE
 %if !0%{?usrmerged}
 mkdir %{buildroot}/sbin/
-for prog in auditctl auditd ausearch autrace audispd aureport augenrules; do
+for prog in auditctl auditd ausearch autrace aureport augenrules; do
   ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
 done
 %endif
@@ -235,8 +237,7 @@
 
 %files -n audit
 %license COPYING
-%doc README ChangeLog rules/[0-9]* rules/README-rules init.d/auditd.cron
-%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
+%doc README ChangeLog rules init.d/auditd.cron
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
 %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
@@ -247,7 +248,6 @@
 %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
 %attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
-%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
 %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
@@ -256,7 +256,6 @@
 /sbin/auditd
 /sbin/ausearch
 /sbin/autrace
-/sbin/audispd
 /sbin/augenrules
 /sbin/aureport
 %endif
@@ -265,29 +264,28 @@
 %attr(755,root,root) %{_sbindir}/ausearch
 %attr(750,root,root) %{_sbindir}/autrace
 %attr(750,root,root) %{_sbindir}/augenrules
-%attr(750,root,root) %{_sbindir}/audispd
+%attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
 %attr(755,root,root) %{_sbindir}/aureport
 %attr(755,root,root) %{_bindir}/auvirt
 %dir %attr(750,root,root) %{_sysconfdir}/audit
-%attr(750,root,root) %dir %{_sysconfdir}/audisp
-%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/af_unix.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/syslog.conf
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
 %ghost %{_sysconfdir}/auditd.conf
 %ghost %{_sysconfdir}/audit.rules
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
 %dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audispd.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
 %dir %attr(750,root,audit) %{_localstatedir}/log/audit
 %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
 %{_sbindir}/rcauditd
+%{_datadir}/audit/
 
 %files -n system-group-audit
 %{_sysusersdir}/system-group-audit.conf
@@ -301,23 +299,24 @@
 
 %if %{with python3}
 %files -n python3-audit
-%attr(755,root,root) %{python3_sitearch}/_audit.so
-%attr(755,root,root) %{python3_sitearch}/auparse.so
-%{python3_sitearch}/audit.py*
+%defattr(-,root,root,-)
+%attr(755,root,root) %{python3_sitearch}/*
 %endif
 
 %files -n audit-audispd-plugins
 %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
 %attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
-%attr(750,root,root) %dir %{_sysconfdir}/audisp
-%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/audispd-zos-remote.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/zos-remote.conf
+%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
+%attr(750,root,root) %dir %{_sysconfdir}/audit
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audisp-remote.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/au-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf
 
 %changelog
Index: audit.changes
===================================================================
--- audit.changes (revision 118)
+++ audit.changes (revision 17)
@@ -1,4 +1,129 @@
 -------------------------------------------------------------------
+Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Update to version 3.0.2
+- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
+- Optionally interpret auid in auditctl -l
+- Update some syscall argument interpretations
+- In auditd, do not allow spaces in the hostname name format
+- Big documentation cleanup (MIZUTA Takeshi)
+- Update syscall table to the 5.12 kernel
+- Update the auparse normalizer for new event types
+- Fix compiler warnings in ids subsystem
+- Block a couple signals from flush & reconfigure threads
+- In auditd, don't wait on flush thread when exiting
+- Output error message if the path of input files are too long ausearch/report
+
+Included fixes from 3.0.1
+- Update syscall table to the 5.11 kernel
+- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
+- Only enable periodic timers when listening on the network
+- Upgrade libev to 4.33
+- Add auparse_new_buffer function to auparse library
+- Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
+- Update the auparse normalizer for some new syscalls and event types
+
+Included fixes from 3.0
+- Generate checkpoint file even when no results are returned (Burn Alting)
+- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
+- Convert auparse_test to run with python3 (Tomáš Chvátal)
+- Drop support for prelude
+- Adjust backlog_wait_time in rules to the kernel default (#1482848)
+- Remove ids key syntax checking of rules in auditctl
+- Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
+- Fix parsing of uid & success for ausearch
+- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
+- Hide lru symbols in auparse
+- Add systemd process protections
+- Fix aureport summary time range reporting
+- Allow unlimited retries on startup for remote logging
+- Add queue_depth to remote logging stats and increase default queue_depth size
+- Fix segfault on shutdown
+- Merge auditd and audispd code
+- Close on execute init_pipe fd (#1587995)
+- Breakout audisp syslog plugin to be standalone program
+- Create a common internal library to reduce code
+- Move all audispd config files under /etc/audit/
+- Move audispd.conf settings into auditd.conf
+- Add queue depth statistics to internal state dump report
+- Add network statistics to internal state dump report
+- SIGUSR now also restarts queue processing if its suspended
+- Update lookup tables for the 4.18 kernel
+- Add auparse_normalizer support for SOFTWARE_UPDATE event
+- Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
+- Mark netlabel events as simple events so that get processed quicker
+- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+- In aureport, fix segfault in file report
+- Add auparse_normalizer support for labeled networking events
+- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
+- In ausearch/auparse, event aging is off by a second
+- In ausearch/auparse, correct event ordering to process oldest first
+- Migrate auparse python test to python3
+- auparse_reset was not clearing everything it should
+- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+- In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
+- In ausearch/report, limit record size when malformed
+- Port af_unix plugin to libev
+- In auditd, fix extract_type function for network originating events
+- In auditd, calculate right size and location for network originating events
+- Make legacy script wait for auditd to terminate (#1643567)
+- Treat all network originating events as VER2 so dispatcher doesn't format it
+- If an event has a node name make it VER2 so dispatcher doesnt format it
+- In audisp-remote do an initial connection attempt (#1625156)
+- In auditd, allow expression of space left as a percentage (#1650670)
+- On PPC64LE systems, only allow 64 bit rules (#1462178)
+- Make some parts of auditd state report optional based on config
+- Update to libev-4.25
+- Fix ausearch when checkpointing a single file (Burn Alting)
+- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+- In ausearch, do not checkpt if stdin is input source
+- In libev, remove __cold__ attribute for functions to allow proper hardening
+- Add tests to configure.ac for openldap support
+- Make systemd support files use /run rather than /var/run (Christian Hesse)
+- Fix minor memory leak in auditd kerberos credentials code
+- Allow exclude and user filter by executable name (Ondrej Mosnacek)
+- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+- In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Add substitue functions for strndupa & rawmemchr
+- Fix memleak in auparse caused by corrected event ordering
+- Fix legacy reload script to reload audit rules when daemon is reloaded
+- Support for unescaping in trusted messages (Dmitry Voronin)
+- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
+- In aureport, fix segfault for malformed USER_CMD events
+- Add exe field to audit_log_user_command in libaudit
+- In auditctl support filter on socket address families (Richard Guy Briggs)
+- Deprecate support for Alpha & IA64 processors
+- If space_left_action is rotate, allow it every time (#1718444)
+- In auparse, drop standalone EOE events
+- Add milliseconds column for ausearch extra time csv format
+- Fix aureport first event reporting when no start given
+- In audisp-remote, add new config item for startup connection errors
+- Remove dependency on chkconfig
+- Install rules to /usr/share/audit/sample-rules/
+- Split up ospp rules to make SCAP scanning easier (#1746018)
+- In audisp-syslog, support interpreting records (#1497279)
+- Audit USER events now sends msg as name value pair
+- Add support for AUDIT_BPF event
+- Auditd should not process AUDIT_REPLACE events
+- Update syscall tables to the 5.5 kernel
+- Improve personality interpretation by using PERS_MASK
+- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
+- Change auparse python bindings to shared object (Issue #121)
+- Add error messages for watch permissions
+- If audit rules file doesn't exist log error message instead of info message
+- Revise error message for unmatched options in auditctl
+- In audisp-remote, fixup remote endpoint disappearin in ascii format
+- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
+- In auditctl, add support for sending a signal to auditd
+
+- Remove audit-fno-common.patch: fixed in upstream
+- Remove audit-python3.patch: fixed in upstream
+
+-------------------------------------------------------------------
 Wed Dec  2 11:49:28 UTC 2020 - Alexander Bergmann <abergmann@suse.com>
 
 - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) 
@@ -12,7 +137,7 @@
 -------------------------------------------------------------------
 Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com>
 
-- Update to version 2.6.5:
+- Update to version 2.8.5:
   * Fix segfault on shutdown
   * Fix hang on startup (#1587995)
   * Add sleep to script to dump state so file is ready when needed
Index: audit.spec
===================================================================
--- audit.spec (revision 118)
+++ audit.spec (revision 17)
@@ -17,7 +17,7 @@
 
 
 Name:           audit
-Version:        2.8.5
+Version:        3.0.2
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -35,6 +35,7 @@
 BuildRequires:  tcpd-devel
 Requires:       libaudit1 = %{version}
 Requires:       libauparse0 = %{version}
+Provides:       bundled(libev) = 4.33
 
 %description
 The audit package contains the user space utilities for storing and
@@ -79,27 +80,30 @@
 
 %build
 autoreconf -fi
+cp INSTALL.tmp INSTALl
 export CFLAGS="%{optflags} -fno-strict-aliasing"
 export CXXFLAGS="$CFLAGS"
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
 %configure \
+%ifarch aarch64
+	--with-aarch64 \
+%endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{name} \
 	--with-apparmor \
-	--with-libwrap \
-	--without-libcap-ng \
+	--with-libcap-ng=no \
 	--disable-static \
-	--without-python \
-%ifarch aarch64
-       --with-aarch64 \
-%endif
+	--with-python=no \
 	--disable-zos-remote
+
+make %{?_smp_mflags} -C common
 make %{?_smp_mflags} -C lib
 make %{?_smp_mflags} -C auparse
 make %{?_smp_mflags} -C docs
 
 %install
+%make_install -C common
 %make_install -C lib
 %make_install -C auparse
 %make_install -C docs
@@ -134,7 +138,7 @@
 %{_libdir}/libauparse.so.*
 
 %files -n audit-devel
-%doc contrib/skeleton.c contrib/plugin
+%doc contrib/plugin
 %{_libdir}/libaudit.so
 %{_libdir}/libauparse.so
 %{_includedir}/libaudit.h
Index: change-default-log_group.patch
===================================================================
--- change-default-log_group.patch (revision 118)
+++ change-default-log_group.patch (revision 17)
@@ -16,6 +16,6 @@
  log_file = /var/log/audit/audit.log
 -log_group = root
 +log_group = audit
- log_format = RAW
+ log_format = ENRICHED
  flush = INCREMENTAL_ASYNC
  freq = 50
Index: audit-3.0.2.tar.gz
===================================================================
Binary file audit-3.0.2.tar.gz (revision 17) added
Index: libev-werror.patch
===================================================================
--- libev-werror.patch (added)
+++ libev-werror.patch (revision 17)
@@ -0,0 +1,26 @@
+From: Jan Engelhardt <jengelh@inai.de>
+Date: 2021-06-02 16:18:03.256597842 +0200
+
+Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
+to fix some terrible code.
+
+[   50s] ev_iouring.c: In function 'iouring_sqe_submit':
+[   50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
+
+---
+ src/libev/ev_iouring.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: audit-3.0.1/src/libev/ev_iouring.c
+===================================================================
+--- audit-3.0.1.orig/src/libev/ev_iouring.c
++++ audit-3.0.1/src/libev/ev_iouring.c
+@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
+ }
+ 
+ inline_size
+-struct io_uring_sqe *
++void
+ iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
+ {
+   unsigned idx = sqe - EV_SQES;
Index: audit-2.8.5.tar.gz
===================================================================
Binary file audit-2.8.5.tar.gz (revision 118) deleted
Index: audit-fno-common.patch
===================================================================
--- audit-fno-common.patch (revision 118)
+++ audit-fno-common.patch (deleted)
@@ -1,24 +0,0 @@
-From: Tony Jones <tonyj@suse.de>
-Subject: Resolve errors when compiling with -fno-common
-Git-commmit: 017e6c6ab95df55f34e339d2139def83e5dada1f
-References: bsc#1160384
-Upsteam: pending
-
-Header definitios need to be external when building with -fno-common (which
-is default in GCC 10).
-
-Fixes: ff25054df7ed
-Signed-off-by: Tony Jones <tonyj@suse.de>
-
---- a/src/ausearch-common.h
-+++ b/src/ausearch-common.h
-@@ -50,7 +50,7 @@ extern pid_t event_pid;
- extern int event_exact_match;
- extern uid_t event_uid, event_euid, event_loginuid;
- extern const char *event_tuid, *event_teuid, *event_tauid;
--slist *event_node_list;
-+extern slist *event_node_list;
- extern const char *event_comm;
- extern const char *event_filename;
- extern const char *event_hostname;
-
Index: audit-python3.patch
===================================================================
--- audit-python3.patch (revision 118)
+++ audit-python3.patch (deleted)
@@ -1,292 +0,0 @@
-From: Tomas Chvatal <tchvatal@suse.com>
-Date: Wed Feb  7 09:26:35 UTC 2018
-Subject: Convert tests to run under python3
-References: https://github.com/linux-audit/audit-userspace/pull/39
-Patch-mainline: no; pending with maintainer
-
-Adjust auparse_test to run with python3 and python2
-
-Index: audit-2.8.1/auparse/test/auparse_test.py
-===================================================================
---- audit-2.8.1.orig/auparse/test/auparse_test.py
-+++ audit-2.8.1/auparse/test/auparse_test.py
-@@ -1,5 +1,7 @@
- #!/usr/bin/env python
- 
-+from __future__ import print_function
-+
- import os
- srcdir = os.getenv('srcdir')
- 
-@@ -30,29 +32,29 @@ def walk_test(au):
-     au.reset()
-     while True:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event %d has %d records" % (event_cnt, au.get_num_records())
-+        print("event %d has %d records" % (event_cnt, au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-             au.first_field()
-             while True:
--                print "        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
-+                print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
-                 if not au.next_field(): break
--            print
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         event_cnt += 1
-@@ -62,25 +64,25 @@ def walk_test(au):
- def light_test(au):
-     while True:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event has %d records" % (au.get_num_records())
-+        print("event has %d records" % (au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
--            print
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         if not au.parse_next_event(): break
-@@ -97,9 +99,9 @@ def simple_search(au, source, where):
-     au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR)
-     au.search_set_stop(where)
-     if not au.search_next_event():
--        print "Error searching for auid"
-+        print("Error searching for auid")
-     else:
--        print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-+        print("Found %s = %s" % (au.get_field_name(), au.get_field_str()))
- 
- def compound_search(au, how):
-     au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
-@@ -115,119 +117,119 @@ def compound_search(au, how):
- 
-     au.search_set_stop(auparse.AUSEARCH_STOP_FIELD)
-     if not au.search_next_event():
--        print "Error searching for auid"
-+        print("Error searching for auid")
-     else:
--        print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-+        print("Found %s = %s" % (au.get_field_name(), au.get_field_str()))
- 
- def feed_callback(au, cb_event_type, event_cnt):
-     if cb_event_type == auparse.AUPARSE_CB_EVENT_READY:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event %d has %d records" % (event_cnt[0], au.get_num_records())
-+        print("event %d has %d records" % (event_cnt[0], au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-             au.first_field()
-             while True:
--                print "        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
-+                print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
-                 if not au.next_field(): break
--            print
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         event_cnt[0] += 1
- 
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- 
--print "Starting Test 1, iterate..."
-+print("Starting Test 1, iterate...")
- while au.parse_next_event():
-     if au.find_field("auid"):
--        print "%s=%s" % (au.get_field_name(), au.get_field_str())
--        print "interp auid=%s" % (au.interpret_field())
-+        print("%s=%s" % (au.get_field_name(), au.get_field_str()))
-+        print("interp auid=%s" % (au.interpret_field()))
-     else:
--        print "Error iterating to auid"
--print "Test 1 Done\n"
-+        print("Error iterating to auid")
-+print("Test 1 Done\n")
- 
- # Reset, now lets go to beginning and walk the list manually */
--print "Starting Test 2, walk events, records, and fields..."
-+print("Starting Test 2, walk events, records, and fields...")
- au.reset()
- walk_test(au)
--print "Test 2 Done\n"
-+print("Test 2 Done\n")
- 
- # Reset, now lets go to beginning and walk the list manually */
--print "Starting Test 3, walk events, records of 1 buffer..."
-+print("Starting Test 3, walk events, records of 1 buffer...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1])
- au.reset()
- light_test(au);
--print "Test 3 Done\n"
-+print("Test 3 Done\n")
- 
--print "Starting Test 4, walk events, records of 1 file..."
-+print("Starting Test 4, walk events, records of 1 file...")
- au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
- walk_test(au); 
--print "Test 4 Done\n"
-+print("Test 4 Done\n")
- 
--print "Starting Test 5, walk events, records of 2 files..."
-+print("Starting Test 5, walk events, records of 2 files...")
- au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files);
- walk_test(au);
--print "Test 5 Done\n"
-+print("Test 5 Done\n")
- 
--print "Starting Test 6, search..."
-+print("Starting Test 6, search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR)
- au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
- if au.search_next_event():
--    print "Error search found something it shouldn't have"
-+    print("Error search found something it shouldn't have")
- else:
--    print "auid = 500 not found...which is correct"
-+    print("auid = 500 not found...which is correct")
- au.search_clear()
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- #au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR)
- au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR)
- au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
- if not au.search_next_event():
--    print "Error searching for existence of auid"
--print "auid exists...which is correct"
--print "Testing BUFFER_ARRAY, stop on field"
-+    print("Error searching for existence of auid")
-+print("auid exists...which is correct")
-+print("Testing BUFFER_ARRAY, stop on field")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD)
--print "Testing BUFFER_ARRAY, stop on record"
-+print("Testing BUFFER_ARRAY, stop on record")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD)
--print "Testing BUFFER_ARRAY, stop on event"
-+print("Testing BUFFER_ARRAY, stop on event")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT)
--print "Testing test.log, stop on field"
-+print("Testing test.log, stop on field")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD)
--print "Testing test.log, stop on record"
-+print("Testing test.log, stop on record")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD)
--print "Testing test.log, stop on event"
-+print("Testing test.log, stop on event")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT)
--print "Test 6 Done\n"
-+print("Test 6 Done\n")
- 
--print "Starting Test 7, compound search..."
-+print("Starting Test 7, compound search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- compound_search(au, auparse.AUSEARCH_RULE_AND)
- compound_search(au, auparse.AUSEARCH_RULE_OR)
--print "Test 7 Done\n"
-+print("Test 7 Done\n")
- 
--print "Starting Test 8, regex search..."
-+print("Starting Test 8, regex search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
--print "Doing regex match...\n"
-+print("Doing regex match...\n")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
--print "Test 8 Done\n"
-+print("Test 8 Done\n")
- 
- # Note: this should match Test 2 exactly
- # Note: this should match Test 2 exactly
--print "Starting Test 9, buffer feed..."
-+print("Starting Test 9, buffer feed...")
- au = auparse.AuParser(auparse.AUSOURCE_FEED);
- event_cnt = 1
- au.add_callback(feed_callback, [event_cnt])
-@@ -241,10 +243,10 @@ for s in buf:
-         beg += chunk_len
-         au.feed(data)
- au.flush_feed()
--print "Test 9 Done\n"
-+print("Test 9 Done\n")
- 
- # Note: this should match Test 4 exactly
--print "Starting Test 10, file feed..."
-+print("Starting Test 10, file feed...")
- au = auparse.AuParser(auparse.AUSOURCE_FEED);
- event_cnt = 1
- au.add_callback(feed_callback, [event_cnt])
-@@ -254,9 +256,9 @@ while True:
-     if not data: break
-     au.feed(data)
- au.flush_feed()
--print "Test 10 Done\n"
-+print("Test 10 Done\n")
- 
--print "Finished non-admin tests\n"
-+print("Finished non-admin tests\n")
- 
- au = None
- sys.exit(0)

OBS-URL: https://build.opensuse.org/request/show/900434
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=119
 2021-06-16 17:16:06 +00:00
Marcus Meissner
e1db8b24d2 Accepting request 868443 from home:dimstar:Factory 
- Do not explicitly provide group(audit) in system-users-audit:
  this is automatically handled by rpm/providers.

- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)

OBS-URL: https://build.opensuse.org/request/show/868443
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=117
 2021-02-02 15:17:31 +00:00
Marcus Meissner
d19eedf2c5 Accepting request 867563 from home:ematsumiya:branches:security 
- Create new "audit" group for read access to logs (bsc#1178154)
  * add change-default-log_group.patch
  * update audit-secondary.spec

OBS-URL: https://build.opensuse.org/request/show/867563
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=116
 2021-01-30 08:05:50 +00:00
Marcus Meissner
da2300c646 - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) 
- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=114
 2020-12-09 10:00:48 +00:00
Enzo Matsumiya
07903acdf1 Accepting request 849560 from home:lnussel:usrmove 
- prepare usrmerge (boo#1029961)

OBS-URL: https://build.opensuse.org/request/show/849560
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=112
 2020-11-27 13:40:00 +00:00
Enzo Matsumiya
005741884e - Fix specfile to require libauparse0 and libaudit1 after splitting 
audit-libs (bsc#1172295)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=110
 2020-06-01 17:13:53 +00:00
Tony Jones
74524fcb73 - Update to version 2.6.5: 
* Fix segfault on shutdown
  * Fix hang on startup (#1587995)
  * Add sleep to script to dump state so file is ready when needed
  * Add auparse_normalizer support for SOFTWARE_UPDATE event
  * Mark netlabel events as simple events so that get processed quicker
  * When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
  * Add 30-ospp-v42.rules to meet new Common Criteria requirements
  * Update lookup tables for the 4.18 kernel
  * In aureport, fix segfault in file report
  * Add auparse_normalizer support for labeled networking events
  * Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
  * Event aging is off by a second
  * In ausearch/auparse, correct event ordering to process oldest first
  * auparse_reset was not clearing everything it should
  * Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
  * In ausearch/report, lightly parse selinux portion of USER_AVC events
  * In ausearch/report, limit record size when malformed
  * In auditd, fix extract_type function for network originating events
  * In auditd, calculate right size and location for network originating events
  * Treat all network originating events as VER2 so dispatcher doesn't format it
  * In audisp-remote do an initial connection attempt (#1625156)
  * In auditd, allow expression of space left as a percentage (#1650670)
  * On PPC64LE systems, only allow 64 bit rules (#1462178)
  * Make some parts of auditd state report optional based on config
  * Fix ausearch when checkpointing a single file (Burn Alting)
  * Fix scripting in 31-privileged.rules wrt filecap (#1662516)
  * In ausearch, do not checkpt if stdin is input source
  * In libev, remove __cold__ attribute for functions to allow proper hardening
  * Add tests to configure.ac for openldap support

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=108
 2020-01-16 20:02:22 +00:00
Tony Jones
4971d594a2 osc copypac from project:security package:audit revision:105 
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=107
 2019-10-18 17:26:13 +00:00
Tony Jones
a026abd994 Accepting request 739736 from home:RBrownSUSE:branches:security 
Remove obsolete Groups tag (fate#326485)

OBS-URL: https://build.opensuse.org/request/show/739736
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=106
 2019-10-17 14:14:02 +00:00
Lars Vogdt
c90af7d388 Accepting request 687275 from home:jengelh:sct 
- Reduce scriptlets' hard dependency on systemd.
- Make use of some %make_install.

OBS-URL: https://build.opensuse.org/request/show/687275
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=104
 2019-06-08 16:58:52 +00:00
Tony Jones
f7b3eda238 Accepting request 618655 from home:1Antoine1:branches:security 
- Update to version 2.8.4:
  * Generate checkpoint file even when not results are returned
    (Burn Alting).
  * Fix log file creation when file logging is disabled entirely
    (Vlad Glagolev).
  * Use SIGCONT to dump auditd internal state (rh#1504251).
  * Fix parsing of virtual timestamp fields in ausearch_expression
    (rh#1515903).
  * Fix parsing of uid & success for ausearch.
  * Hide lru symbols in auparse.
  * Fix aureport summary time range reporting.
  * Allow unlimited retries on startup for remote logging.
  * Add queue_depth to remote logging stats and increase default
    queue_depth size.
- Update to version 2.8.3:
  * Correct msg function name in lru debug code.
  * Fix a segfault in auditd when dns resolution isn't available.
  * Make a reload legacy service for auditd.
  * In auparse python bindings, expose some new types that were
    missing.
  * In normalizer, pickup subject kind for user_login events.
  * Fix interpretation of unknown ioctcmds (rh#1540507).
  * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, &
    RESP_ORIGIN_BLOCK_TIMED events.
  * In auparse_normalize for USER_LOGIN events, map acct for
    subj_kind.
  * Fix logging of IPv6 addresses in DAEMON_ACCEPT events
    (rh#1534748).
  * Do not rotate auditd logs when num_logs < 2 (brozs).
- Update to version 2.8.4:
  * Generate checkpoint file even when not results are returned
    (Burn Alting).
  * Fix log file creation when file logging is disabled entirely
    (Vlad Glagolev).
  * Use SIGCONT to dump auditd internal state (rh#1504251).
  * Fix parsing of virtual timestamp fields in ausearch_expression
    (rh#1515903).
  * Fix parsing of uid & success for ausearch.
  * Hide lru symbols in auparse.
  * Fix aureport summary time range reporting.
  * Allow unlimited retries on startup for remote logging.
  * Add queue_depth to remote logging stats and increase default
    queue_depth size.
- Update to version 2.8.3:
  * Correct msg function name in lru debug code.
  * Fix a segfault in auditd when dns resolution isn't available.
  * Make a reload legacy service for auditd.
  * In auparse python bindings, expose some new types that were
    missing.
  * In normalizer, pickup subject kind for user_login events.
  * Fix interpretation of unknown ioctcmds (rh#1540507).
  * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, &
    RESP_ORIGIN_BLOCK_TIMED events.
  * In auparse_normalize for USER_LOGIN events, map acct for
    subj_kind.
  * Fix logging of IPv6 addresses in DAEMON_ACCEPT events
    (rh#1534748).
  * Do not rotate auditd logs when num_logs < 2 (brozs).

OBS-URL: https://build.opensuse.org/request/show/618655
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=102
 2018-06-28 01:17:18 +00:00
Marcus Rueckert
6975dcd5ff Accepting request 593188 from home:kukuk:branches:security 
- Use %license instead of %doc [bsc#1082318]

OBS-URL: https://build.opensuse.org/request/show/593188
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=101
 2018-04-11 13:58:54 +00:00
Tony Jones
e57cf5edeb Accepting request 588034 from home:jones_tony:branches:security 
- Change openldap dependency to client only (bsc#1085003)
- Resolve issue with previous change if both Python2 and Python3 are
  present, tests were failing as python2 bindings are preferred in this
  case.
- Update header in audit-python3.patch
- Update patch guidelines in README-BEFORE-ADDING-PATCHES

OBS-URL: https://build.opensuse.org/request/show/588034
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=99
 2018-03-16 23:10:56 +00:00
Tony Jones
7176e3c394 Accepting request 580988 from openSUSE:Factory:Staging:O 
- Add patch to fix test run without python2 interpreter:
  * audit-python3.patch
- Update to 2.8.2 release:
  * Update tables for 4.14 kernel
  * Fixup ipv6 server side binding
  * AVC report from aureport was missing result column header (#1511606)
  * Add SOFTWARE_UPDATE event
  * In ausearch/report pickup any path and new-disk fields as a file
  * Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
  * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
  * Fix building on old systems without linux/fanotify.h
  * Fix shell portability issues reported by shellcheck
  * Auditd validate_email should not use gethostbyname

- Add patch to fix test run without python2 interpreter:
  * audit-python3.patch
- Update to 2.8.2 release:
  * Update tables for 4.14 kernel
  * Fixup ipv6 server side binding
  * AVC report from aureport was missing result column header (#1511606)
  * Add SOFTWARE_UPDATE event
  * In ausearch/report pickup any path and new-disk fields as a file
  * Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
  * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
  * Fix building on old systems without linux/fanotify.h
  * Fix shell portability issues reported by shellcheck
  * Auditd validate_email should not use gethostbyname

OBS-URL: https://build.opensuse.org/request/show/580988
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=98
 2018-03-01 21:24:42 +00:00
Marcus Meissner
c3b4f0e839 - reverted -j1 force ppc specific only 
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=97
 2018-02-22 11:00:36 +00:00
Marcus Meissner
c2369388d3 Accepting request 573323 from home:michel_mno:branches:security 
- force -j1 for PowerPC make check to avoid build failure
  (lookup_test.o: file not recognized: File truncated)

OBS-URL: https://build.opensuse.org/request/show/573323
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=96
 2018-02-19 07:17:33 +00:00
Tony Jones
b1e7f92a48 Accepting request 566726 from home:scarabeus_iv:branches:security 
- Add conditions around python plugins to allow us to conditionalize
  them in enviroment without python2

OBS-URL: https://build.opensuse.org/request/show/566726
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=94
 2018-01-17 21:04:11 +00:00
Marcus Meissner
32adeb8614 Accepting request 540272 from home:pluskalm:branches:security 
- Rename python binding packages to match current python packaging
  standards
- Update python build dependencies to resolve future split of
  python2/3

OBS-URL: https://build.opensuse.org/request/show/540272
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=92
 2017-11-09 17:04:53 +00:00
Marcus Meissner
1ded129a42 Accepting request 539420 from home:avindra 
- Update to version 2.8.1. See audit.spec (libaudit1) for upstream
  changelog
- Remove audit-implicit-writev.patch (fixed upstream across 2
  commits)
  * 3b30db20ad983274989ce9a522120c3c225436b3
  * 07132c22314e9abbe64d1031fd8734243285bb3f
- Cleanup with spec-cleaner
- Update to version 2.8.1 release (includes 2.8 and 2.7.8 changes)
  * many features added to auparse_normalize
  * cli option added to auditd and audispd for setting config dir
  * in auditd, restore the umask after creating a log file
  * option added to auditd for skipping email verification
-  Full changelog: http://people.redhat.com/sgrubb/audit/ChangeLog

OBS-URL: https://build.opensuse.org/request/show/539420
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=91
 2017-11-09 13:54:55 +00:00
Marcus Meissner
757d4f4e1d Accepting request 517517 from home:dimstar:Factory 
include sys/uio.h for writev, fixes build failure in Staging:C https://build.opensuse.org/build/openSUSE:Factory:Staging:C:DVD/standard/x86_64/audit-secondary/_log

OBS-URL: https://build.opensuse.org/request/show/517517
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=89
 2017-08-21 05:39:17 +00:00
Marcus Meissner
f336e4b06a Accepting request 512289 from home:jengelh:branches:security 
- Rectify RPM groups, diversify descriptions.
- Remove mentions of static libraries because they are not built.

OBS-URL: https://build.opensuse.org/request/show/512289
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=87
 2017-08-03 08:14:13 +00:00
Tony Jones
e3d31e63b6 Accepting request 511710 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/511710
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=85
 2017-07-20 20:07:48 +00:00
Marcus Meissner
8bfd2e643e Accepting request 383289 from home:scarabeus_iv:branches:security 
- Create folder for the m4 file from previous commit to avoid install
  failure

OBS-URL: https://build.opensuse.org/request/show/383289
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=83
 2016-04-04 09:18:16 +00:00
Tony Jones
e700ce1264 Accepting request 382986 from home:scarabeus_iv:branches:security 
- Version update to 2.5. See audit.spec (libaudit1) for upstream
  changelog
- Cleanup with spec-cleaner
- Sort out bit /sbin /usr/sbin/ installation
- Install the rules as documentation
- Remove needless %py_requires from python subpkgs

- Version update to 2.5 release
- Refresh two patches and README to contain SUSE and not SuSE
  * audit-allow-manual-stop.patch
  * audit-plugins-path.patch
- Cleanup with spec-cleaner and do not use subshells but rather use
  -C parameter of make
- Install m4 file to the devel package

OBS-URL: https://build.opensuse.org/request/show/382986
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=82
 2016-04-01 16:36:15 +00:00
Marcus Meissner
23489d2c18 Accepting request 347165 from home:posophe:branches:security 
little fix

OBS-URL: https://build.opensuse.org/request/show/347165
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=80
 2015-12-03 14:45:33 +00:00
Tony Jones
b5e111de83 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=79 2015-09-04 22:54:46 +00:00
Tony Jones
7a17f4104f Accepting request 329223 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/329223
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=78
 2015-09-04 22:09:27 +00:00
Tony Jones
35ac1a5f73 Accepting request 283377 from security 
revert to r75

OBS-URL: https://build.opensuse.org/request/show/283377
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=77
 2015-01-29 20:31:09 +00:00
Tony Jones
42d7928102 Accepting request 283367 from home:fdmanana:branches:security 
- Teach ausearch to filter AppArmor events (Fate#317726).
  Added patch file audit-ausearch-filter-apparmor-events.patch

OBS-URL: https://build.opensuse.org/request/show/283367
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=76
 2015-01-29 19:21:15 +00:00
Jan Matejka
74ea258675 - Update to version 2.4.1 
Changelog 2.4.1
  - Make python3 support easier
  - Add support for ppc64le (Tony Jones)
  - Add some translations for a1 of ioctl system calls
  - Add command & virtualization reports to aureport
  - Update aureport config report for new events
  - Add account modification summary report to aureport
  - Add GRP_MGMT and GRP_CHAUTHTOK event types
  - Correct aureport account change reports
  - Add integrity event report to aureport
  - Add config change summary report to aureport
  - Adjust some syslogging level settings in audispd
  - Improve parsing performance in everything
  - When ausearch outputs a line, use the previously parsed values (Burn Alting)
  - Improve searching and interpreting groups in events
  - Fully interpret the proctitle field in auparse
  - Correct libaudit and auditctl support for kernel features
  - Add support for backlog_time_wait setting via auditctl
  - Update syscall tables for the 3.18 kernel
  - Ignore DNS failure for email validation in auditd (#1138674)
  - Allow rotate as action for space_left and disk_full in auditd.conf
  - Correct login summary report of aureport
  - Auditctl syscalls can be comma separated list now
  - Update rules for new subsystems and capabilities
- Drop patch audit-add-ppc64le-mach-support.patch (already upstream)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=74
 2014-11-26 16:13:05 +00:00
Tony Jones
a550638087 Accepting request 247315 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/247315
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=72
 2014-09-02 23:07:21 +00:00
Marcus Meissner
42c1e24684 Accepting request 244848 from home:elvigia:branches:security 
- If the system has been booted with audit=0 in the kernel cmdline
  auditd.service must refrain from starting as the relevant kernel
  subsystem will be permanently disabled.
  add patch: auditd-donot-start-if-kernel-cmdline-disabled.patch

OBS-URL: https://build.opensuse.org/request/show/244848
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=70
 2014-08-21 13:31:20 +00:00
Tony Jones
0251e93f2b Accepting request 240711 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/240711
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=68
 2014-07-11 21:01:21 +00:00
Tony Jones
27566ad836 Accepting request 230410 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/230410
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=66
 2014-04-16 22:35:54 +00:00
Tony Jones
998e45611f Accepting request 227625 from home:elvigia:branches:security 
- fix systemd warning: 
  "Configuration file /usr/lib/systemd/system/auditd.service 
  is marked world-inaccessible. 
  This has no effect as configuration data is accessible 
  via APIs without restrictions"
* indeed restricting access to unit files using filesystem
  permissions is non-sense.

OBS-URL: https://build.opensuse.org/request/show/227625
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=64
 2014-03-26 19:47:19 +00:00
Tony Jones
c0de89a52c Accepting request 224270 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/224270
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=62
 2014-02-28 18:39:10 +00:00
Tony Jones
b30a3d0a5f Accepting request 221023 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/221023
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=60
 2014-02-05 16:51:31 +00:00
Tony Jones
87bc3dd49c Accepting request 209366 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/209366
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=58
 2013-12-04 07:41:29 +00:00
Tony Jones
ca9983ce34 Accepting request 209349 from home:jones_tony:branches:security 
OBS-URL: https://build.opensuse.org/request/show/209349
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=57
 2013-12-03 22:28:29 +00:00
Marcus Meissner
369b484525 Accepting request 201890 from home:cboltz:branches:security 
- (re-)add rcauditd as symlink to /usr/sbin/service
("rcauditd" was lost while moving to auditd.service)

Please forward to Factory and 13.1

OBS-URL: https://build.opensuse.org/request/show/201890
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=55
 2013-10-03 11:03:22 +00:00
Stephan Kulow
2db0c57f70 - remove libcap-ng too from audit.spec as it's only needed for plugins 
(and libcap-ng itself needs python to build bindings)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=53
 2013-06-28 09:31:27 +00:00