forked from pool/audit

208 Commits

Author SHA256 Message Date
a74a4e8524 Accepting request 1207244 from security
OBS-URL: https://build.opensuse.org/request/show/1207244
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=108
2024-10-14 11:06:20 +00:00
239d018a6e - Update audit.spec (bsc#1231236):
  * add requirement for 'awk' package
  * move some %post logic from audit to audit-rules

- Update audit.spec: add requirement for 'awk' package (bsc#1231236)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=159
2024-10-11 13:04:43 +00:00
757054e43f Accepting request 1205295 from security
OBS-URL: https://build.opensuse.org/request/show/1205295
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=107
2024-10-03 15:59:59 +00:00
1878dbbb84 - Readd audit-allow-manual-stop.patch (removed by mistake)
- Fix plugin termination when using systemd service units (bsc#1215377)
  * add auditd.service-fix-plugin-termination.patch

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=157
2024-10-02 17:07:53 +00:00
66d350687b Accepting request 1204507 from security
OBS-URL: https://build.opensuse.org/request/show/1204507
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=106
2024-09-30 13:34:55 +00:00
90ef868a13 - Update audit-secondary.spec:
  * Add "Requires: audit-rules" for audit package
  * Remove preun/postun handling of audit-rules.service
- Update to 4.0
  - Drop python2 support
  - Drop auvirt and autrace programs
  - Drop SysVinit support
  - Require the use of the 5.0 or later kernel headers
  - New README.md file
  - Rewrite legacy service functions in terms of systemctl
  - Consolidate and update end of event detection to a common function
  - Split off rule loading from auditd.service into audit-rules.service
  - Refactor libaudit.h to split out logging functions and record numbers
  - Speed up aureport --summary reports
  - Limit libaudit python bindings to logging functions
  - Add a metrics function for auparse
  - Change auditctl to use pidfd_send_signal for signaling auditd
  - Adjust watches to optimize syscalls hooked when watch file access
  - Drop nispom rules
  - Add interpretations for fsconfig, fsopen, fsmount, & move_mount
  - Many code fixups (cgzones)
  - Update syscall and interpretation tables to the 6.8 kernel
  (from v3.1.2)
  - When processing a run level change, make auditd exit
  - In auditd, fix return code when rules added in immutable mode
  - In auparse, when files are given, also consider EUID for access
  - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
  - Disable Python bindings from setting rules due to swig bug (S. Trofimovich)
  - Update all lookup tables for the 6.5 kernel
  - Don't be as paranoid about auditctl -R file permissions
  - In ausearch, correct subject/object search to be an and if both are given
  - Adjust formats for 64 bit time_t
  - Fix segfault in python bindings around the feed API
  - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings
- Update spec:
  * Move rules-related files into new subpackage `audit-rules':
    * Files moved:
	- /sbin/auditctl, /sbin/augenrules,
	  /etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules}
	- manpages for auditctl, augenrules, and audit.rules
	- /etc/audit is now owned by `audit-rules' as well
    * Add new file /usr/lib/systemd/system/audit-rules.service
    * Remove in-house create-augenrules-service.patch that generated
      augenrules.service systemd unit service
    * Remove ownership of /usr/share/audit
    * Create /usr/share/audit-rules directory on %install
  * Remove audit-userspace-517-compat.patch (fixed upstream)
  * Remove libev-werror.patch (fixed upstream)
  * Remove audit-allow-manual-stop.patch (fixed upstream)
  * Add fix-auparse-test.patch (downstream):
    Upstream tests use a static value (42) for 'gdm' uid/gid (based
    on Fedora values, apparently).  Replace these occurrences with
    'unknown(123456)'
  * Replace '--with-python' with '--with-python3' on %configure
  * Remove autrace and auvirt references (upstream)
  * Replace README with README.md
- Drop `--enable-systemd' from %configure as SysV-style scripts
  aren't supported in upstream since
  113ae191758c ("Drop support for SysVinit")

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=155
2024-09-29 09:40:50 +00:00
3f0a4c9486 reinstate %dir /etc/audit in the audit package
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=154
2024-09-17 14:40:04 +00:00
42402f11b7 - Update to 4.0
  * Includes fixes since v3.1.1
  * Enhance support for newer (5.0+) kernels
- Update spec:
  * Move rules-related files into new subpackage `audit-rules':
    * Files moved:
	- /sbin/auditctl, /sbin/augenrules,
	  /etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules}
	- manpages for auditctl, augenrules, and audit.rules
	- /etc/audit is now owned by `audit-rules' as well
    * Add new file /usr/lib/systemd/system/audit-rules.service
    * Remove in-house create-augenrules-service.patch that generated
      augenrules.service systemd unit service
    * Remove ownership of /usr/share/audit
    * Create /usr/share/audit-rules directory on %install
  * Remove audit-userspace-517-compat.patch (fixed upstream)
  * Remove libev-werror.patch (fixed upstream)
  * Remove audit-allow-manual-stop.patch (fixed upstream)
  * Add fix-auparse-test.patch (downstream):
    Upstream tests use a static value (42) for 'gdm' uid/gid (based
    on Fedora values, apparently).  Replace these occurrences with
    'unknown(123456)'
  * Replace '--with-python' with '--with-python3' on %configure
  * Remove autrace and auvirt references (upstream)
  * Replace README with README.md
- Drop `--enable-systemd' from %configure as SysV-style scripts
  aren't supported in upstream since
  113ae191758c ("Drop support for SysVinit")
- Update to 4.0
  * Includes fixes since v3.1.1
  * Enhance support for newer (5.0+) kernels
- Update spec:
  * Add fix-auparse-test.patch (downstream):
    Upstream tests use a static value (42) for 'gdm' uid/gid (based
    on Fedora values, apparently).  Replace these occurrences with
    'unknown(123456)'
  * Replace '--with-python' with '--with-python3' on %configure
  * Add new headers 'audit_logging.h' and 'audit-records.h' for
    audit-devel

TODO: fix build for SLE/Leap

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=153
2024-09-17 08:11:59 +00:00
ac660bee23 Accepting request 1195098 from security
OBS-URL: https://build.opensuse.org/request/show/1195098
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=105
2024-08-22 16:10:26 +00:00
e48664a6d7 Accepting request 1098554 from security
OBS-URL: https://build.opensuse.org/request/show/1098554
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=104
2023-07-16 15:28:32 +00:00
8569642ef7 Accepting request 1097513 from home:polslinux:branches:security
fix audit-secondary

OBS-URL: https://build.opensuse.org/request/show/1097513
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=149
2023-07-13 15:26:56 +00:00
d1358f4337 Accepting request 1096509 from home:polslinux:branches:security
- Update to 3.1.1:
  * Add user friendly keywords for signals to auditctl
  * In ausearch, parse up URINGOP and DM_CTRL records
  * Harden auparse to better handle corrupt logs
  * Fix a CFLAGS propagation problem in the common directory
  * Move the audispd af_unix plugin to a standalone program
- Update to 3.1.1:
  * Add user friendly keywords for signals to auditctl
  * In ausearch, parse up URINGOP and DM_CTRL records
  * Harden auparse to better handle corrupt logs
  * Fix a CFLAGS propagation problem in the common directory
  * Move the audispd af_unix plugin to a standalone program

OBS-URL: https://build.opensuse.org/request/show/1096509
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=148
2023-07-03 14:59:58 +00:00
e8c281ed5c Accepting request 1084694 from home:fcrozat:branches:security
- Add _multibuild to define additional spec files as additional
  flavors.
  Eliminates the need for source package links in OBS.

- Add _multibuild to define additional spec files as additional
  flavors.
  Eliminates the need for source package links in OBS.

OBS-URL: https://build.opensuse.org/request/show/1084694
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=147
2023-05-10 09:07:42 +00:00
28591f1543 Accepting request 1073295 from home:gbelinassi
- Enable livepatching on main library on x86_64.

We are enabling livepatching support on this library because SAP Hana links against it.

OBS-URL: https://build.opensuse.org/request/show/1073295
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=146
2023-03-20 19:59:00 +00:00
405fcdff1b Accepting request 1066846 from home:polslinux:branches:security
- Update to 3.1:
  * Disable ProtectControlGroups in auditd.service by default
  * Fix rule checking for exclude filter
  * Make audit_rule_syscallbyname_data work correctly outside of auditctl
  * Add new record types
  * Add io_uring support
  * Add support for new FANOTIFY record fields
  * Add keyword, this-hour, to ausearch/report start/end options
  * Add Requires.private to audit.pc file
  * Try to interpret OPENAT2 fields correctly
- Update to 3.1:
  * Disable ProtectControlGroups in auditd.service by default
  * Fix rule checking for exclude filter
  * Make audit_rule_syscallbyname_data work correctly outside of auditctl
  * Add new record types
  * Add io_uring support
  * Add support for new FANOTIFY record fields
  * Add keyword, this-hour, to ausearch/report start/end options
  * Add Requires.private to audit.pc file
  * Try to interpret OPENAT2 fields correctly

OBS-URL: https://build.opensuse.org/request/show/1066846
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=145
2023-03-01 11:19:17 +00:00
c2d1b94dc4 Accepting request 1066163 from security
Replace transitional %usrmerged macro

OBS-URL: https://build.opensuse.org/request/show/1066163
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=103
2023-02-19 17:18:35 +00:00
e33aeccfc5 clean up stale archive and removed patches
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=143
2023-02-16 11:01:07 +00:00
70202c4f18 Accepting request 1051400 from home:lnussel:usrmerge
- Replace transitional %usrmerged macro with regular version check (boo#1206798)

OBS-URL: https://build.opensuse.org/request/show/1051400
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=142
2023-01-31 13:00:20 +00:00
7e1b0e83b8 Accepting request 1043243 from home:ematsumiya:branches:security
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renameat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjustment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
- Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renameat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjustment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
- Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

OBS-URL: https://build.opensuse.org/request/show/1043243
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=141
2022-12-19 19:54:31 +00:00
ce952275f8 Accepting request 969466 from security
OBS-URL: https://build.opensuse.org/request/show/969466
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=102
2022-04-17 21:49:30 +00:00
4a3ef5cf8e Accepting request 969286 from home:jengelh:branches:security
- Drop buildrequire on C++ compiler. (can't find anything that uses it)
- Modernize specfile constructs.

OBS-URL: https://build.opensuse.org/request/show/969286
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=139
2022-04-12 14:18:42 +00:00
dfdf560849 Accepting request 965461 from security
OBS-URL: https://build.opensuse.org/request/show/965461
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=101
2022-03-31 15:18:30 +00:00
26999f1942 Accepting request 965005 from home:coolo:branches:security
- Fix buildrequire for openldap2-devel - audit doesn't require the
  (outdated) C++ binding, but the C headers that happen to be pulled
  in by buildrequiring the C++ devel package

OBS-URL: https://build.opensuse.org/request/show/965005
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=137
2022-03-28 17:51:02 +00:00
affdcc0b01 Accepting request 964942 from home:ematsumiya:branches:security
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
  * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
  * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

OBS-URL: https://build.opensuse.org/request/show/964942
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=136
2022-03-25 20:12:53 +00:00
8c6f875550 Accepting request 964336 from home:dirkmueller:Factory
- add audit-userspace-517-compat.patch

OBS-URL: https://build.opensuse.org/request/show/964336
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=135
2022-03-25 14:41:23 +00:00
54f6a26404 Accepting request 934645 from security
OBS-URL: https://build.opensuse.org/request/show/934645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=100
2021-12-01 19:46:08 +00:00
c309536630 Accepting request 934558 from home:favogt:branches:security
- Use %autosetup
- Don't include sample rules as %doc, they're already installed
  as normal files
- Fix create-augenrules-service.patch:
  * auditd.service needs to require augenrules.service,
    not the other way around
- Fix documentation for enable-stop-rules.patch

OBS-URL: https://build.opensuse.org/request/show/934558
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=134
2021-11-30 01:45:17 +00:00
6189ef2a7d Accepting request 930227 from security
OBS-URL: https://build.opensuse.org/request/show/930227
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=99
2021-11-12 14:58:53 +00:00
4de8c602d7 Accepting request 930154 from home:gmbr3:Active
- Update to version 3.0.6:
  * fixes a segfault on some SELINUX_ERR records
  * makes IPX packet interpretation dependent on the ipx header
    file existing
  * adds b32/b64 support to ausyscall
  * adds support for armv8l
  * fixes auditctl list of syscalls on PPC
  * auditd.service now restarts auditd under some conditions
- Update to version 3.0.6:
  * fixes a segfault on some SELINUX_ERR records
  * makes IPX packet interpretation dependent on the ipx header
    file existing
  * adds b32/b64 support to ausyscall
  * adds support for armv8l
  * fixes auditctl list of syscalls on PPC
  * auditd.service now restarts auditd under some conditions

OBS-URL: https://build.opensuse.org/request/show/930154
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=133
2021-11-08 18:23:23 +00:00
830ee0e3c1 Accepting request 926074 from security
OBS-URL: https://build.opensuse.org/request/show/926074
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=98
2021-10-20 18:22:44 +00:00
483b357e07 Accepting request 925413 from home:gmbr3:Active
- Add CONFIG parameter to %sysusers_generate_pre

OBS-URL: https://build.opensuse.org/request/show/925413
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=132
2021-10-18 18:42:45 +00:00
1b5f7ae8b7 Accepting request 925195 from home:ematsumiya:branches:security
- Create separate service for augenrules (bsc#1191614, bsc#1181400)
  * add create-augenrules-service.patch
  Remove ReadWritePaths=/etc/audit from auditd.service, also removes
  augenrules call from ExecStartPost.
  Create augenrules.service with the ReadWritePaths directive above.
  This makes /etc/audit only accessible by augenrules.service and
  lets auditd.service (and daemon) be sandboxed again.
- Update audit-secondary.spec to accommodate the new service file.

OBS-URL: https://build.opensuse.org/request/show/925195
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=131
2021-10-13 23:13:08 +00:00
a584999d5c Accepting request 920362 from security
OBS-URL: https://build.opensuse.org/request/show/920362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=97
2021-10-01 20:28:52 +00:00
3099f73ab7 Accepting request 920360 from home:ematsumiya:branches:security
Use tarball from source URL.

OBS-URL: https://build.opensuse.org/request/show/920360
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=130
2021-09-20 17:14:08 +00:00
09b88829e8 Accepting request 920348 from home:ematsumiya:branches:security
- Fix hardened auditd.service (bsc#1181400)
  * add fix-hardened-service.patch
    Make /etc/audit read-write from the service.
    Remove PrivateDevices=true to expose /dev/* to auditd.service.
- Enable stop rules for audit.service (cf. bsc#1190227)
  * add enable-stop-rules.patch
- Change default log_format from ENRICHED to RAW (bsc#1190500):
  * add change-default-log_format.patch (SUSE-specific patch)
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixes from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixes from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs

OBS-URL: https://build.opensuse.org/request/show/920348
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129
2021-09-20 16:14:05 +00:00
aa32cfdfe2 Accepting request 912415 from security
- harden_auditd.service.patch: automatic hardening applied to systemd
  services

OBS-URL: https://build.opensuse.org/request/show/912415
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=96
2021-08-24 08:53:51 +00:00
0e616b4165 - harden_auditd.service.patch: automatic hardening applied to systemd
  services

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=128
2021-08-16 13:36:30 +00:00
127262eccc Accepting request 911452 from home:jsegitz:branches:systemdhardening:security
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/911452
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=127
2021-08-16 13:21:17 +00:00
cdf3fa9c76 Accepting request 910030 from security
- Update to version 3.0.3:
  * Don't interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
- use https source urls

- Update to version 3.0.3:
  * Don't interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
- use https source urls

OBS-URL: https://build.opensuse.org/request/show/910030
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=95
2021-08-07 15:57:08 +00:00
d083951a31 - use https source urls
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=126
2021-08-03 15:56:57 +00:00
ebf7ab7764 - use https source urls
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=125
2021-08-03 15:56:42 +00:00
97e319769c Accepting request 909447 from home:ematsumiya:branches:security
- Update to version 3.0.3:
  * Don't interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists

OBS-URL: https://build.opensuse.org/request/show/909447
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=124
2021-08-01 14:31:28 +00:00
42d0a5fa7c Accepting request 900607 from security
OBS-URL: https://build.opensuse.org/request/show/900607
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=94
2021-06-24 16:21:49 +00:00
5810f8940b Accepting request 900606 from home:ematsumiya:branches:security
- Adjust audit.spec and audit-secondary.spec to support new version
- Include fix for libev
  * add libev-werror.patch

- Update to version 3.0.2
- In audispd-statsd plugin, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if it's suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesn't format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitute functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DAEMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearing in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Removes audit-fno-common.patch: fixed in upstream
- Removes audit-python3.patch: fixed in upstream

OBS-URL: https://build.opensuse.org/request/show/900606
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=122
2021-06-17 14:59:32 +00:00
51c3a9728b Accepting request 900442 from home:ematsumiya:branches:security
- Adjust audit.spec and audit-secondary.spec to support new version
- Include fix for libev
  * add libev-werror.patch

- Update to version 3.0.2
- In audispd-statsd plugin, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if it's suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that they get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesn't format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitute functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DAEMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearing in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Removes audit-fno-common.patch: fixed in upstream
- Removes audit-python3.patch: fixed in upstream

OBS-URL: https://build.opensuse.org/request/show/900442
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=121
2021-06-16 18:07:14 +00:00
827fffa884 Accepting request 900437 from home:ematsumiya:branches:security
Mention libev patch in changelogs

OBS-URL: https://build.opensuse.org/request/show/900437
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=120
2021-06-16 17:29:54 +00:00
0ee158a589 Accepting request 900434 from home:ematsumiya:branches:security
- Adjust spec files to support new version
- Include one fix for libev

- Update to version 3.0.2
- In audispd-statsd plugin, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if it's suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that they get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesn't format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitute functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DAEMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearing in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Remove audit-fno-common.patch: fixed in upstream
- Remove audit-python3.patch: fixed in upstream

old: security/audit
new: home:ematsumiya:branches:security/audit rev None
Index: audit-no-gss.patch
===================================================================
--- audit-no-gss.patch (revision 118)
+++ audit-no-gss.patch (revision 17)
@@ -11,11 +11,12 @@
 
 --- a/init.d/auditd.conf
 +++ b/init.d/auditd.conf
-@@ -30,7 +30,4 @@ tcp_listen_queue = 5
- tcp_max_per_addr = 1
+@@ -30,8 +30,6 @@ tcp_max_per_addr = 1
  ##tcp_client_ports = 1024-65535
  tcp_client_max_idle = 0
--enable_krb5 = no
+ transport = TCP
 -krb5_principal = auditd
 -##krb5_key_file = /etc/audit/audit.key
  distribute_network = no
+ q_depth = 400
+ overflow_action = SYSLOG
Index: audit-plugins-path.patch
===================================================================
--- audit-plugins-path.patch (revision 118)
+++ audit-plugins-path.patch (revision 17)
@@ -5,19 +5,8 @@
 Adjust location of plugins built by audit-secondary.  These should never have
 been in /sbin plus some (for SUSE) require lib dependancies on /usr/lib
 
---- audit-1.7.2/audisp/plugins/prelude/au-prelude.conf.orig	2008-04-23 11:56:11.946681000 +0200
-+++ audit-1.7.2/audisp/plugins/prelude/au-prelude.conf	2008-04-23 11:56:22.789827000 +0200
-@@ -5,7 +5,7 @@
- 
- active = no
- direction = out
--path = /sbin/audisp-prelude
-+path = /usr/sbin/audisp-prelude
- type = always
- #args =
- format = string
---- audit-1.7.2/audisp/plugins/remote/au-remote.conf.orig	2008-04-23 11:56:11.976660000 +0200
-+++ audit-1.7.2/audisp/plugins/remote/au-remote.conf	2008-04-23 11:56:30.958657000 +0200
+--- a/audisp/plugins/remote/au-remote.conf
++++ b/audisp/plugins/remote/au-remote.conf
 @@ -5,7 +5,7 @@
  
  active = no
@@ -27,8 +16,8 @@
  type = always
  #args =
  format = string
---- audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf.orig	2008-04-23 11:56:11.993637000 +0200
-+++ audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf	2008-04-23 11:56:40.533070000 +0200
+--- a/audisp/plugins/zos-remote/audispd-zos-remote.conf
++++ b/audisp/plugins/zos-remote/audispd-zos-remote.conf
 @@ -8,7 +8,7 @@
  
  active = no
@@ -36,5 +25,5 @@
 -path = /sbin/audispd-zos-remote
 +path = /usr/sbin/audispd-zos-remote
  type = always 
- args = /etc/audisp/zos-remote.conf
+ args = /etc/audit/zos-remote.conf
  format = string
Index: audit-secondary.changes
===================================================================
--- audit-secondary.changes (revision 118)
+++ audit-secondary.changes (revision 17)
@@ -1,4 +1,129 @@
 -------------------------------------------------------------------
+Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Update to version 3.0.2
+- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
+- Optionally interpret auid in auditctl -l
+- Update some syscall argument interpretations
+- In auditd, do not allow spaces in the hostname name format
+- Big documentation cleanup (MIZUTA Takeshi)
+- Update syscall table to the 5.12 kernel
+- Update the auparse normalizer for new event types
+- Fix compiler warnings in ids subsystem
+- Block a couple signals from flush & reconfigure threads
+- In auditd, don't wait on flush thread when exiting
+- Output error message if the path of input files are too long ausearch/report
+
+Included fixes from 3.0.1
+- Update syscall table to the 5.11 kernel
+- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
+- Only enable periodic timers when listening on the network
+- Upgrade libev to 4.33
+- Add auparse_new_buffer function to auparse library
+- Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
+- Update the auparse normalizer for some new syscalls and event types
+
+Included fixes from 3.0
+- Generate checkpoint file even when no results are returned (Burn Alting)
+- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
+- Convert auparse_test to run with python3 (Tomáš Chvátal)
+- Drop support for prelude
+- Adjust backlog_wait_time in rules to the kernel default (#1482848)
+- Remove ids key syntax checking of rules in auditctl
+- Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
+- Fix parsing of uid & success for ausearch
+- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
+- Hide lru symbols in auparse
+- Add systemd process protections
+- Fix aureport summary time range reporting
+- Allow unlimited retries on startup for remote logging
+- Add queue_depth to remote logging stats and increase default queue_depth size
+- Fix segfault on shutdown
+- Merge auditd and audispd code
+- Close on execute init_pipe fd (#1587995)
+- Breakout audisp syslog plugin to be standalone program
+- Create a common internal library to reduce code
+- Move all audispd config files under /etc/audit/
+- Move audispd.conf settings into auditd.conf
+- Add queue depth statistics to internal state dump report
+- Add network statistics to internal state dump report
+- SIGUSR now also restarts queue processing if its suspended
+- Update lookup tables for the 4.18 kernel
+- Add auparse_normalizer support for SOFTWARE_UPDATE event
+- Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
+- Mark netlabel events as simple events so that get processed quicker
+- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+- In aureport, fix segfault in file report
+- Add auparse_normalizer support for labeled networking events
+- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
+- In ausearch/auparse, event aging is off by a second
+- In ausearch/auparse, correct event ordering to process oldest first
+- Migrate auparse python test to python3
+- auparse_reset was not clearing everything it should
+- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+- In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
+- In ausearch/report, limit record size when malformed
+- Port af_unix plugin to libev
+- In auditd, fix extract_type function for network originating events
+- In auditd, calculate right size and location for network originating events
+- Make legacy script wait for auditd to terminate (#1643567)
+- Treat all network originating events as VER2 so dispatcher doesn't format it
+- If an event has a node name make it VER2 so dispatcher doesnt format it
+- In audisp-remote do an initial connection attempt (#1625156)
+- In auditd, allow expression of space left as a percentage (#1650670)
+- On PPC64LE systems, only allow 64 bit rules (#1462178)
+- Make some parts of auditd state report optional based on config
+- Update to libev-4.25
+- Fix ausearch when checkpointing a single file (Burn Alting)
+- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+- In ausearch, do not checkpt if stdin is input source
+- In libev, remove __cold__ attribute for functions to allow proper hardening
+- Add tests to configure.ac for openldap support
+- Make systemd support files use /run rather than /var/run (Christian Hesse)
+- Fix minor memory leak in auditd kerberos credentials code
+- Allow exclude and user filter by executable name (Ondrej Mosnacek)
+- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+- In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Add substitue functions for strndupa & rawmemchr
+- Fix memleak in auparse caused by corrected event ordering
+- Fix legacy reload script to reload audit rules when daemon is reloaded
+- Support for unescaping in trusted messages (Dmitry Voronin)
+- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
+- In aureport, fix segfault for malformed USER_CMD events
+- Add exe field to audit_log_user_command in libaudit
+- In auditctl support filter on socket address families (Richard Guy Briggs)
+- Deprecate support for Alpha & IA64 processors
+- If space_left_action is rotate, allow it every time (#1718444)
+- In auparse, drop standalone EOE events
+- Add milliseconds column for ausearch extra time csv format
+- Fix aureport first event reporting when no start given
+- In audisp-remote, add new config item for startup connection errors
+- Remove dependency on chkconfig
+- Install rules to /usr/share/audit/sample-rules/
+- Split up ospp rules to make SCAP scanning easier (#1746018)
+- In audisp-syslog, support interpreting records (#1497279)
+- Audit USER events now sends msg as name value pair
+- Add support for AUDIT_BPF event
+- Auditd should not process AUDIT_REPLACE events
+- Update syscall tables to the 5.5 kernel
+- Improve personality interpretation by using PERS_MASK
+- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
+- Change auparse python bindings to shared object (Issue #121)
+- Add error messages for watch permissions
+- If audit rules file doesn't exist log error message instead of info message
+- Revise error message for unmatched options in auditctl
+- In audisp-remote, fixup remote endpoint disappearin in ascii format
+- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
+- In auditctl, add support for sending a signal to auditd
+
+- Removes audit-fno-common.patch: fixed in upstream
+- Removes audit-python3.patch: fixed in upstream
+
+-------------------------------------------------------------------
 Mon Feb  1 18:13:18 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
 
 - Do not explicitly provide group(audit) in system-users-audit:
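Review bot: The new 3.0.2 entry lists the two removed patches but not the packaging changes made next to them. audit-secondary.spec in this same request adds libev-werror.patch as Patch6 and moves change-default-log_group.patch from Patch7 to Patch5, and neither appears in the entry. Add a line such as "- Add libev-werror.patch" so the patch set can be reconstructed from the changelog alone.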
@@ -24,7 +149,7 @@
 -------------------------------------------------------------------
 Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com>
 
-- Update to version 2.6.5:
+- Update to version 2.8.5:
   * Fix segfault on shutdown
   * Fix hang on startup (#1587995)
   * Add sleep to script to dump state so file is ready when needed
Index: audit-secondary.spec
===================================================================
--- audit-secondary.spec (revision 118)
+++ audit-secondary.spec (revision 17)
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        2.8.5
+Version:        3.0.2
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -34,9 +34,8 @@
 Patch2:         audit-no-gss.patch
 Patch3:         audit-allow-manual-stop.patch
 Patch4:         audit-ausearch-do-not-require-tclass.patch
-Patch5:         audit-python3.patch
-Patch6:         audit-fno-common.patch
-Patch7:         change-default-log_group.patch
+Patch5:         change-default-log_group.patch
+Patch6:         libev-werror.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -55,6 +54,7 @@
 BuildRequires:  sysuser-tools
 BuildRequires:  tcpd-devel
 BuildRequires:  pkgconfig(libcap-ng)
+Provides:       bundled(libev) = 4.33
 
 %description
 The audit package contains the user space utilities for storing and
@@ -127,14 +127,13 @@
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
 # If both versions are present, python2 bindings are preferred by the tests and
 # unconditionally using /usr/bin/python3 breaks the tests
 # Probably the correct solution is to run the tests twice if both are present.
-sed -i -e 's:#!/usr/bin/env python:#!/usr/bin/python3:g' auparse/test/auparse_test.py
+perl -i -lpe 's{#!/usr/bin/env python\S+}{#!/usr/bin/python3}' auparse/test/auparse_test.py
 %endif
 
 %build
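Review bot: The perl expression on the replaced sed line requires at least one non-space character after "python" (python\S+), so a shebang that reads exactly "#!/usr/bin/env python", which the old sed expression rewrote, is now left untouched and the build continues without any error. Use python\S* to cover both the bare and the versioned form, or make %prep fail when the shebang in auparse/test/auparse_test.py was not rewritten.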
@@ -144,15 +143,18 @@
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
 %configure \
+%ifarch aarch64
+	--with-aarch64 \
+%endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{_name} \
 	--with-apparmor \
 	--with-libwrap \
 	--with-libcap-ng=yes \
-%ifarch aarch64
-	--with-aarch64 \
-%endif
-	--disable-static
+	--disable-static \
+	%{?_with_python3} \
+	%{?_without_python}
+
 make %{?_smp_mflags}
 
 %sysusers_generate_pre %{SOURCE1} audit
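Review bot: The two options appended to %configure are keyed on %{?_with_python3} and %{?_without_python}, while %prep a few lines earlier tests %{without python2} and %{with python3}. The %{?_with_NAME} and %{?_without_NAME} forms only expand when the matching option is passed on the rpmbuild command line, and "_without_python" does not match the "python2" name used in %prep, so in a default build both lines most likely expand to nothing and configure falls back to autodetection. Derive the flags from the same conditionals the rest of the spec uses, for example an %if %{with python3} block around --with-python3, so the bindings that get built are the ones %files expects.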
@@ -197,7 +199,7 @@
 #USR-MERGE
 %if !0%{?usrmerged}
 mkdir %{buildroot}/sbin/
-for prog in auditctl auditd ausearch autrace audispd aureport augenrules; do
+for prog in auditctl auditd ausearch autrace aureport augenrules; do
   ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
 done
 %endif
@@ -235,8 +237,7 @@
 
 %files -n audit
 %license COPYING
-%doc README ChangeLog rules/[0-9]* rules/README-rules init.d/auditd.cron
-%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
+%doc README ChangeLog rules init.d/auditd.cron
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
 %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
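Review bot: The %doc line now packages the whole rules directory where it used to select rules/[0-9]* and rules/README-rules, so everything else in that directory is shipped as documentation too. A later hunk in this spec adds %{_datadir}/audit/ and the changelog states that rules are installed to /usr/share/audit/sample-rules/, which means the sample rules end up in the package twice. Either keep the narrower glob or drop rules from %doc and rely on the sample-rules directory.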
@@ -247,7 +248,6 @@
 %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
 %attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
-%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
 %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
@@ -256,7 +256,6 @@
 /sbin/auditd
 /sbin/ausearch
 /sbin/autrace
-/sbin/audispd
 /sbin/augenrules
 /sbin/aureport
 %endif
@@ -265,29 +264,28 @@
 %attr(755,root,root) %{_sbindir}/ausearch
 %attr(750,root,root) %{_sbindir}/autrace
 %attr(750,root,root) %{_sbindir}/augenrules
-%attr(750,root,root) %{_sbindir}/audispd
+%attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
 %attr(755,root,root) %{_sbindir}/aureport
 %attr(755,root,root) %{_bindir}/auvirt
 %dir %attr(750,root,root) %{_sysconfdir}/audit
-%attr(750,root,root) %dir %{_sysconfdir}/audisp
-%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/af_unix.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/syslog.conf
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
 %ghost %{_sysconfdir}/auditd.conf
 %ghost %{_sysconfdir}/audit.rules
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
 %dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audispd.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
 %dir %attr(750,root,audit) %{_localstatedir}/log/audit
 %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
 %{_sbindir}/rcauditd
+%{_datadir}/audit/
 
 %files -n system-group-audit
 %{_sysusersdir}/system-group-audit.conf
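Review bot: The dispatcher configuration is removed from %{_sysconfdir}/audisp and re-added under %{_sysconfdir}/audit as %config(noreplace), but nothing in this hunk carries an administrator's existing /etc/audisp/plugins.d/*.conf or audispd.conf settings across the upgrade. With audispd.conf dropped and its settings now read from auditd.conf, a host that forwarded events through an activated syslog or af_unix plugin can come back after the update with the packaged plugin configuration and no forwarding. Add a migration step in the scriptlets, or at least document the path change so the files are re-applied by hand.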
@@ -301,23 +299,24 @@
 
 %if %{with python3}
 %files -n python3-audit
-%attr(755,root,root) %{python3_sitearch}/_audit.so
-%attr(755,root,root) %{python3_sitearch}/auparse.so
-%{python3_sitearch}/audit.py*
+%defattr(-,root,root,-)
+%attr(755,root,root) %{python3_sitearch}/*
 %endif
 
 %files -n audit-audispd-plugins
 %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
 %attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
-%attr(750,root,root) %dir %{_sysconfdir}/audisp
-%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/audispd-zos-remote.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/zos-remote.conf
+%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
+%attr(750,root,root) %dir %{_sysconfdir}/audit
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audisp-remote.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/au-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf
 
 %changelog
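Review bot: In the python3-audit section, "%attr(755,root,root) %{python3_sitearch}/*" replaces three explicit entries with a glob and marks everything under python3_sitearch as executable, including audit.py, which previously carried no 755 attribute. The glob also claims any file the build happens to drop there; list the shared objects and audit.py explicitly and keep 755 for the .so files only. Separately, audisp-syslog.8.gz and auditd-plugins.5.gz are added to audit-audispd-plugins here, while the audisp-syslog binary and the plugins.d directory are added to the audit package in the previous hunk, so the man pages should move to the audit package with them.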
Index: audit.changes
===================================================================
--- audit.changes (revision 118)
+++ audit.changes (revision 17)
@@ -1,4 +1,129 @@
 -------------------------------------------------------------------
+Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Update to version 3.0.2
+- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
+- Optionally interpret auid in auditctl -l
+- Update some syscall argument interpretations
+- In auditd, do not allow spaces in the hostname name format
+- Big documentation cleanup (MIZUTA Takeshi)
+- Update syscall table to the 5.12 kernel
+- Update the auparse normalizer for new event types
+- Fix compiler warnings in ids subsystem
+- Block a couple signals from flush & reconfigure threads
+- In auditd, don't wait on flush thread when exiting
+- Output error message if the path of input files are too long ausearch/report
+
+Included fixes from 3.0.1
+- Update syscall table to the 5.11 kernel
+- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
+- Only enable periodic timers when listening on the network
+- Upgrade libev to 4.33
+- Add auparse_new_buffer function to auparse library
+- Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
+- Update the auparse normalizer for some new syscalls and event types
+
+Included fixes from 3.0
+- Generate checkpoint file even when no results are returned (Burn Alting)
+- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
+- Convert auparse_test to run with python3 (Tomáš Chvátal)
+- Drop support for prelude
+- Adjust backlog_wait_time in rules to the kernel default (#1482848)
+- Remove ids key syntax checking of rules in auditctl
+- Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
+- Fix parsing of uid & success for ausearch
+- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
+- Hide lru symbols in auparse
+- Add systemd process protections
+- Fix aureport summary time range reporting
+- Allow unlimited retries on startup for remote logging
+- Add queue_depth to remote logging stats and increase default queue_depth size
+- Fix segfault on shutdown
+- Merge auditd and audispd code
+- Close on execute init_pipe fd (#1587995)
+- Breakout audisp syslog plugin to be standalone program
+- Create a common internal library to reduce code
+- Move all audispd config files under /etc/audit/
+- Move audispd.conf settings into auditd.conf
+- Add queue depth statistics to internal state dump report
+- Add network statistics to internal state dump report
+- SIGUSR now also restarts queue processing if its suspended
+- Update lookup tables for the 4.18 kernel
+- Add auparse_normalizer support for SOFTWARE_UPDATE event
+- Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
+- Mark netlabel events as simple events so that get processed quicker
+- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+- In aureport, fix segfault in file report
+- Add auparse_normalizer support for labeled networking events
+- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
+- In ausearch/auparse, event aging is off by a second
+- In ausearch/auparse, correct event ordering to process oldest first
+- Migrate auparse python test to python3
+- auparse_reset was not clearing everything it should
+- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+- In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
+- In ausearch/report, limit record size when malformed
+- Port af_unix plugin to libev
+- In auditd, fix extract_type function for network originating events
+- In auditd, calculate right size and location for network originating events
+- Make legacy script wait for auditd to terminate (#1643567)
+- Treat all network originating events as VER2 so dispatcher doesn't format it
+- If an event has a node name make it VER2 so dispatcher doesnt format it
+- In audisp-remote do an initial connection attempt (#1625156)
+- In auditd, allow expression of space left as a percentage (#1650670)
+- On PPC64LE systems, only allow 64 bit rules (#1462178)
+- Make some parts of auditd state report optional based on config
+- Update to libev-4.25
+- Fix ausearch when checkpointing a single file (Burn Alting)
+- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+- In ausearch, do not checkpt if stdin is input source
+- In libev, remove __cold__ attribute for functions to allow proper hardening
+- Add tests to configure.ac for openldap support
+- Make systemd support files use /run rather than /var/run (Christian Hesse)
+- Fix minor memory leak in auditd kerberos credentials code
+- Allow exclude and user filter by executable name (Ondrej Mosnacek)
+- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+- In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Add substitue functions for strndupa & rawmemchr
+- Fix memleak in auparse caused by corrected event ordering
+- Fix legacy reload script to reload audit rules when daemon is reloaded
+- Support for unescaping in trusted messages (Dmitry Voronin)
+- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
+- In aureport, fix segfault for malformed USER_CMD events
+- Add exe field to audit_log_user_command in libaudit
+- In auditctl support filter on socket address families (Richard Guy Briggs)
+- Deprecate support for Alpha & IA64 processors
+- If space_left_action is rotate, allow it every time (#1718444)
+- In auparse, drop standalone EOE events
+- Add milliseconds column for ausearch extra time csv format
+- Fix aureport first event reporting when no start given
+- In audisp-remote, add new config item for startup connection errors
+- Remove dependency on chkconfig
+- Install rules to /usr/share/audit/sample-rules/
+- Split up ospp rules to make SCAP scanning easier (#1746018)
+- In audisp-syslog, support interpreting records (#1497279)
+- Audit USER events now sends msg as name value pair
+- Add support for AUDIT_BPF event
+- Auditd should not process AUDIT_REPLACE events
+- Update syscall tables to the 5.5 kernel
+- Improve personality interpretation by using PERS_MASK
+- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
+- Change auparse python bindings to shared object (Issue #121)
+- Add error messages for watch permissions
+- If audit rules file doesn't exist log error message instead of info message
+- Revise error message for unmatched options in auditctl
+- In audisp-remote, fixup remote endpoint disappearin in ascii format
+- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
+- In auditctl, add support for sending a signal to auditd
+
+- Remove audit-fno-common.patch: fixed in upstream
+- Remove audit-python3.patch: fixed in upstream
+
+-------------------------------------------------------------------
 Wed Dec  2 11:49:28 UTC 2020 - Alexander Bergmann <abergmann@suse.com>
 
 - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) 
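Review bot: the bug references in the new 3.0.2 entry are bare numbers, for example `(#1482848)`, `(#1587995)` and `(Issue #121)`, while the entry directly below uses a tracker prefix (`bsc#1179515`). Without a prefix a reader cannot tell which tracker each number belongs to, so please prefix them as that entry does. The entry also lists only the two removed patches; libev-werror.patch, added in this same revision, and the refresh of change-default-log_group.patch are not recorded here, and the typos `pluging`, `substitue` and `DEAMON` could be fixed while the entry is being written.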
@@ -12,7 +137,7 @@
 -------------------------------------------------------------------
 Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com>
 
-- Update to version 2.6.5:
+- Update to version 2.8.5:
   * Fix segfault on shutdown
   * Fix hang on startup (#1587995)
   * Add sleep to script to dump state so file is ready when needed
Index: audit.spec
===================================================================
--- audit.spec (revision 118)
+++ audit.spec (revision 17)
@@ -17,7 +17,7 @@
 
 
 Name:           audit
-Version:        2.8.5
+Version:        3.0.2
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -35,6 +35,7 @@
 BuildRequires:  tcpd-devel
 Requires:       libaudit1 = %{version}
 Requires:       libauparse0 = %{version}
+Provides:       bundled(libev) = 4.33
 
 %description
 The audit package contains the user space utilities for storing and
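Review bot: `Provides: bundled(libev) = 4.33` is declared in this spec, but its %build section only runs make in common, lib, auparse and docs, while the bundled libev sits under src/libev (the path libev-werror.patch touches). Please confirm the Provides lands on the package whose binaries actually compile in libev; if those are built from another spec, the tag belongs there. The hard-coded 4.33 also has to be bumped by hand whenever the bundled copy changes, which deserves a comment next to the tag.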
@@ -79,27 +80,30 @@
 
 %build
 autoreconf -fi
+cp INSTALL.tmp INSTALl
 export CFLAGS="%{optflags} -fno-strict-aliasing"
 export CXXFLAGS="$CFLAGS"
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
 %configure \
+%ifarch aarch64
+	--with-aarch64 \
+%endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{name} \
 	--with-apparmor \
-	--with-libwrap \
-	--without-libcap-ng \
+	--with-libcap-ng=no \
 	--disable-static \
-	--without-python \
-%ifarch aarch64
-       --with-aarch64 \
-%endif
+	--with-python=no \
 	--disable-zos-remote
+
+make %{?_smp_mflags} -C common
 make %{?_smp_mflags} -C lib
 make %{?_smp_mflags} -C auparse
 make %{?_smp_mflags} -C docs
 
 %install
+%make_install -C common
 %make_install -C lib
 %make_install -C auparse
 %make_install -C docs
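Review bot: `cp INSTALL.tmp INSTALl` at the top of %build ends in a lowercase `l`, so on a case-sensitive filesystem it creates a file named INSTALl rather than INSTALL; if INSTALL is what was meant, the target name needs fixing, and a one-line comment saying why the copy is needed after `autoreconf -fi` would help. In the same hunk `--with-libwrap` is dropped from %configure while `BuildRequires: tcpd-devel` is still present earlier in the spec, so that build dependency looks removable.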
@@ -134,7 +138,7 @@
 %{_libdir}/libauparse.so.*
 
 %files -n audit-devel
-%doc contrib/skeleton.c contrib/plugin
+%doc contrib/plugin
 %{_libdir}/libaudit.so
 %{_libdir}/libauparse.so
 %{_includedir}/libaudit.h
Index: change-default-log_group.patch
===================================================================
--- change-default-log_group.patch (revision 118)
+++ change-default-log_group.patch (revision 17)
@@ -16,6 +16,6 @@
  log_file = /var/log/audit/audit.log
 -log_group = root
 +log_group = audit
- log_format = RAW
+ log_format = ENRICHED
  flush = INCREMENTAL_ASYNC
  freq = 50
Index: audit-3.0.2.tar.gz
===================================================================
Binary file audit-3.0.2.tar.gz (revision 17) added
Index: libev-werror.patch
===================================================================
--- libev-werror.patch (added)
+++ libev-werror.patch (revision 17)
@@ -0,0 +1,26 @@
+From: Jan Engelhardt <jengelh@inai.de>
+Date: 2021-06-02 16:18:03.256597842 +0200
+
+Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
+to fix some terrible code.
+
+[   50s] ev_iouring.c: In function 'iouring_sqe_submit':
+[   50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
+
+---
+ src/libev/ev_iouring.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: audit-3.0.1/src/libev/ev_iouring.c
+===================================================================
+--- audit-3.0.1.orig/src/libev/ev_iouring.c
++++ audit-3.0.1/src/libev/ev_iouring.c
+@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
+ }
+ 
+ inline_size
+-struct io_uring_sqe *
++void
+ iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
+ {
+   unsigned idx = sqe - EV_SQES;
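Review bot: the embedded patch is generated against audit-3.0.1 (`Index: audit-3.0.1/src/libev/ev_iouring.c`), while this revision ships audit-3.0.2.tar.gz; refresh it against the 3.0.2 tree so the paths and the `@@ -287,7 +287,7 @@` offsets match what is actually built. The header would also benefit from a Subject line and a neutral description of the fix (return type of `iouring_sqe_submit` changed to `void` because the function has no return statement) in place of "to fix some terrible code", which tells a later reader nothing about why the bundled libev is modified.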
Index: audit-2.8.5.tar.gz
===================================================================
Binary file audit-2.8.5.tar.gz (revision 118) deleted
Index: audit-fno-common.patch
===================================================================
--- audit-fno-common.patch (revision 118)
+++ audit-fno-common.patch (deleted)
@@ -1,24 +0,0 @@
-From: Tony Jones <tonyj@suse.de>
-Subject: Resolve errors when compiling with -fno-common
-Git-commmit: 017e6c6ab95df55f34e339d2139def83e5dada1f
-References: bsc#1160384
-Upsteam: pending
-
-Header definitios need to be external when building with -fno-common (which
-is default in GCC 10).
-
-Fixes: ff25054df7ed
-Signed-off-by: Tony Jones <tonyj@suse.de>
-
---- a/src/ausearch-common.h
-+++ b/src/ausearch-common.h
-@@ -50,7 +50,7 @@ extern pid_t event_pid;
- extern int event_exact_match;
- extern uid_t event_uid, event_euid, event_loginuid;
- extern const char *event_tuid, *event_teuid, *event_tauid;
--slist *event_node_list;
-+extern slist *event_node_list;
- extern const char *event_comm;
- extern const char *event_filename;
- extern const char *event_hostname;
-
Index: audit-python3.patch
===================================================================
--- audit-python3.patch (revision 118)
+++ audit-python3.patch (deleted)
@@ -1,292 +0,0 @@
-From: Tomas Chvatal <tchvatal@suse.com>
-Date: Wed Feb  7 09:26:35 UTC 2018
-Subject: Convert tests to run under python3
-References: https://github.com/linux-audit/audit-userspace/pull/39
-Patch-mainline: no; pending with maintainer
-
-Adjust auparse_test to run with python3 and python2
-
-Index: audit-2.8.1/auparse/test/auparse_test.py
-===================================================================
---- audit-2.8.1.orig/auparse/test/auparse_test.py
-+++ audit-2.8.1/auparse/test/auparse_test.py
-@@ -1,5 +1,7 @@
- #!/usr/bin/env python
- 
-+from __future__ import print_function
-+
- import os
- srcdir = os.getenv('srcdir')
- 
-@@ -30,29 +32,29 @@ def walk_test(au):
-     au.reset()
-     while True:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event %d has %d records" % (event_cnt, au.get_num_records())
-+        print("event %d has %d records" % (event_cnt, au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-             au.first_field()
-             while True:
--                print "        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
-+                print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
-                 if not au.next_field(): break
--            print
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         event_cnt += 1
-@@ -62,25 +64,25 @@ def walk_test(au):
- def light_test(au):
-     while True:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event has %d records" % (au.get_num_records())
-+        print("event has %d records" % (au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
--            print
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         if not au.parse_next_event(): break
-@@ -97,9 +99,9 @@ def simple_search(au, source, where):
-     au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR)
-     au.search_set_stop(where)
-     if not au.search_next_event():
--        print "Error searching for auid"
-+        print("Error searching for auid")
-     else:
--        print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-+        print("Found %s = %s" % (au.get_field_name(), au.get_field_str()))
- 
- def compound_search(au, how):
-     au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
-@@ -115,119 +117,119 @@ def compound_search(au, how):
- 
-     au.search_set_stop(auparse.AUSEARCH_STOP_FIELD)
-     if not au.search_next_event():
--        print "Error searching for auid"
-+        print("Error searching for auid")
-     else:
--        print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-+        print("Found %s = %s" % (au.get_field_name(), au.get_field_str()))
- 
- def feed_callback(au, cb_event_type, event_cnt):
-     if cb_event_type == auparse.AUPARSE_CB_EVENT_READY:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event %d has %d records" % (event_cnt[0], au.get_num_records())
-+        print("event %d has %d records" % (event_cnt[0], au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-             au.first_field()
-             while True:
--                print "        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
-+                print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
-                 if not au.next_field(): break
--            print
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         event_cnt[0] += 1
- 
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- 
--print "Starting Test 1, iterate..."
-+print("Starting Test 1, iterate...")
- while au.parse_next_event():
-     if au.find_field("auid"):
--        print "%s=%s" % (au.get_field_name(), au.get_field_str())
--        print "interp auid=%s" % (au.interpret_field())
-+        print("%s=%s" % (au.get_field_name(), au.get_field_str()))
-+        print("interp auid=%s" % (au.interpret_field()))
-     else:
--        print "Error iterating to auid"
--print "Test 1 Done\n"
-+        print("Error iterating to auid")
-+print("Test 1 Done\n")
- 
- # Reset, now lets go to beginning and walk the list manually */
--print "Starting Test 2, walk events, records, and fields..."
-+print("Starting Test 2, walk events, records, and fields...")
- au.reset()
- walk_test(au)
--print "Test 2 Done\n"
-+print("Test 2 Done\n")
- 
- # Reset, now lets go to beginning and walk the list manually */
--print "Starting Test 3, walk events, records of 1 buffer..."
-+print("Starting Test 3, walk events, records of 1 buffer...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1])
- au.reset()
- light_test(au);
--print "Test 3 Done\n"
-+print("Test 3 Done\n")
- 
--print "Starting Test 4, walk events, records of 1 file..."
-+print("Starting Test 4, walk events, records of 1 file...")
- au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
- walk_test(au); 
--print "Test 4 Done\n"
-+print("Test 4 Done\n")
- 
--print "Starting Test 5, walk events, records of 2 files..."
-+print("Starting Test 5, walk events, records of 2 files...")
- au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files);
- walk_test(au);
--print "Test 5 Done\n"
-+print("Test 5 Done\n")
- 
--print "Starting Test 6, search..."
-+print("Starting Test 6, search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR)
- au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
- if au.search_next_event():
--    print "Error search found something it shouldn't have"
-+    print("Error search found something it shouldn't have")
- else:
--    print "auid = 500 not found...which is correct"
-+    print("auid = 500 not found...which is correct")
- au.search_clear()
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- #au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR)
- au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR)
- au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
- if not au.search_next_event():
--    print "Error searching for existence of auid"
--print "auid exists...which is correct"
--print "Testing BUFFER_ARRAY, stop on field"
-+    print("Error searching for existence of auid")
-+print("auid exists...which is correct")
-+print("Testing BUFFER_ARRAY, stop on field")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD)
--print "Testing BUFFER_ARRAY, stop on record"
-+print("Testing BUFFER_ARRAY, stop on record")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD)
--print "Testing BUFFER_ARRAY, stop on event"
-+print("Testing BUFFER_ARRAY, stop on event")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT)
--print "Testing test.log, stop on field"
-+print("Testing test.log, stop on field")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD)
--print "Testing test.log, stop on record"
-+print("Testing test.log, stop on record")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD)
--print "Testing test.log, stop on event"
-+print("Testing test.log, stop on event")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT)
--print "Test 6 Done\n"
-+print("Test 6 Done\n")
- 
--print "Starting Test 7, compound search..."
-+print("Starting Test 7, compound search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- compound_search(au, auparse.AUSEARCH_RULE_AND)
- compound_search(au, auparse.AUSEARCH_RULE_OR)
--print "Test 7 Done\n"
-+print("Test 7 Done\n")
- 
--print "Starting Test 8, regex search..."
-+print("Starting Test 8, regex search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
--print "Doing regex match...\n"
-+print("Doing regex match...\n")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
--print "Test 8 Done\n"
-+print("Test 8 Done\n")
- 
- # Note: this should match Test 2 exactly
- # Note: this should match Test 2 exactly
--print "Starting Test 9, buffer feed..."
-+print("Starting Test 9, buffer feed...")
- au = auparse.AuParser(auparse.AUSOURCE_FEED);
- event_cnt = 1
- au.add_callback(feed_callback, [event_cnt])
-@@ -241,10 +243,10 @@ for s in buf:
-         beg += chunk_len
-         au.feed(data)
- au.flush_feed()
--print "Test 9 Done\n"
-+print("Test 9 Done\n")
- 
- # Note: this should match Test 4 exactly
--print "Starting Test 10, file feed..."
-+print("Starting Test 10, file feed...")
- au = auparse.AuParser(auparse.AUSOURCE_FEED);
- event_cnt = 1
- au.add_callback(feed_callback, [event_cnt])
-@@ -254,9 +256,9 @@ while True:
-     if not data: break
-     au.feed(data)
- au.flush_feed()
--print "Test 10 Done\n"
-+print("Test 10 Done\n")
- 
--print "Finished non-admin tests\n"
-+print("Finished non-admin tests\n")
- 
- au = None
- sys.exit(0)

OBS-URL: https://build.opensuse.org/request/show/900434
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=119
2021-06-16 17:16:06 +00:00
0a1e448676 Accepting request 868681 from security
- Do not explicitly provide group(audit) in system-users-audit:
  this is automatically handled by rpm/providers.

- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) (forwarded request 868443 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/868681
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=93
2021-02-07 14:13:59 +00:00
e1db8b24d2 Accepting request 868443 from home:dimstar:Factory
- Do not explicitly provide group(audit) in system-users-audit:
  this is automatically handled by rpm/providers.

- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)

OBS-URL: https://build.opensuse.org/request/show/868443
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=117
2021-02-02 15:17:31 +00:00
d19eedf2c5 Accepting request 867563 from home:ematsumiya:branches:security
- Create new "audit" group for read access to logs (bsc#1178154)
  * add change-default-log_group.patch
  * update audit-secondary.spec

OBS-URL: https://build.opensuse.org/request/show/867563
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=116
2021-01-30 08:05:50 +00:00
3ef1d32d19 Accepting request 854217 from security
- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) 

- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)

OBS-URL: https://build.opensuse.org/request/show/854217
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=92
2020-12-21 09:21:49 +00:00
da2300c646 - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)
- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=114
2020-12-09 10:00:48 +00:00
0efabbed8d Accepting request 851328 from security
OBS-URL: https://build.opensuse.org/request/show/851328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=91
2020-12-03 17:38:06 +00:00
07903acdf1 Accepting request 849560 from home:lnussel:usrmove
- prepare usrmerge (boo#1029961)

OBS-URL: https://build.opensuse.org/request/show/849560
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=112
2020-11-27 13:40:00 +00:00
f0e0e85897 Accepting request 810662 from security
- Fix specfile to require libauparse0 and libaudit1 after splitting
  audit-libs (bsc#1172295)

OBS-URL: https://build.opensuse.org/request/show/810662
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=90
2020-06-11 12:38:39 +00:00
005741884e - Fix specfile to require libauparse0 and libaudit1 after splitting
  audit-libs (bsc#1172295)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=110
2020-06-01 17:13:53 +00:00
9f1fdb1bed Accepting request 765091 from security
Version update to version 2.8.5
Fix bz#1160384

OBS-URL: https://build.opensuse.org/request/show/765091
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=89
2020-01-23 15:07:45 +00:00
Tony Jones
74524fcb73 - Update to version 2.6.5:
  * Fix segfault on shutdown
  * Fix hang on startup (#1587995)
  * Add sleep to script to dump state so file is ready when needed
  * Add auparse_normalizer support for SOFTWARE_UPDATE event
  * Mark netlabel events as simple events so that they get processed quicker
  * When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
  * Add 30-ospp-v42.rules to meet new Common Criteria requirements
  * Update lookup tables for the 4.18 kernel
  * In aureport, fix segfault in file report
  * Add auparse_normalizer support for labeled networking events
  * Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
  * Event aging is off by a second
  * In ausearch/auparse, correct event ordering to process oldest first
  * auparse_reset was not clearing everything it should
  * Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
  * In ausearch/report, lightly parse selinux portion of USER_AVC events
  * In ausearch/report, limit record size when malformed
  * In auditd, fix extract_type function for network originating events
  * In auditd, calculate right size and location for network originating events
  * Treat all network originating events as VER2 so dispatcher doesn't format it
  * In audisp-remote do an initial connection attempt (#1625156)
  * In auditd, allow expression of space left as a percentage (#1650670)
  * On PPC64LE systems, only allow 64 bit rules (#1462178)
  * Make some parts of auditd state report optional based on config
  * Fix ausearch when checkpointing a single file (Burn Alting)
  * Fix scripting in 31-privileged.rules wrt filecap (#1662516)
  * In ausearch, do not checkpt if stdin is input source
  * In libev, remove __cold__ attribute for functions to allow proper hardening
  * Add tests to configure.ac for openldap support

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=108
2020-01-16 20:02:22 +00:00
Tony Jones
4971d594a2 osc copypac from project:security package:audit revision:105
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=107
2019-10-18 17:26:13 +00:00
Tony Jones
a026abd994 Accepting request 739736 from home:RBrownSUSE:branches:security
Remove obsolete Groups tag (fate#326485)

OBS-URL: https://build.opensuse.org/request/show/739736
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=106
2019-10-17 14:14:02 +00:00
ea50e39101 Accepting request 708766 from security
OBS-URL: https://build.opensuse.org/request/show/708766
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=88
2019-06-26 13:59:07 +00:00
Lars Vogdt
c90af7d388 Accepting request 687275 from home:jengelh:sct
- Reduce scriptlets' hard dependency on systemd.
- Make use of some %make_install.

OBS-URL: https://build.opensuse.org/request/show/687275
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=104
2019-06-08 16:58:52 +00:00
59a15871f8 Accepting request 619464 from security
OBS-URL: https://build.opensuse.org/request/show/619464
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=87
2018-07-07 19:51:47 +00:00
Tony Jones
f7b3eda238 Accepting request 618655 from home:1Antoine1:branches:security
- Update to version 2.8.4:
  * Generate checkpoint file even when no results are returned
    (Burn Alting).
  * Fix log file creation when file logging is disabled entirely
    (Vlad Glagolev).
  * Use SIGCONT to dump auditd internal state (rh#1504251).
  * Fix parsing of virtual timestamp fields in ausearch_expression
    (rh#1515903).
  * Fix parsing of uid & success for ausearch.
  * Hide lru symbols in auparse.
  * Fix aureport summary time range reporting.
  * Allow unlimited retries on startup for remote logging.
  * Add queue_depth to remote logging stats and increase default
    queue_depth size.
- Update to version 2.8.3:
  * Correct msg function name in lru debug code.
  * Fix a segfault in auditd when dns resolution isn't available.
  * Make a reload legacy service for auditd.
  * In auparse python bindings, expose some new types that were
    missing.
  * In normalizer, pickup subject kind for user_login events.
  * Fix interpretation of unknown ioctcmds (rh#1540507).
  * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, &
    RESP_ORIGIN_BLOCK_TIMED events.
  * In auparse_normalize for USER_LOGIN events, map acct for
    subj_kind.
  * Fix logging of IPv6 addresses in DAEMON_ACCEPT events
    (rh#1534748).
  * Do not rotate auditd logs when num_logs < 2 (brozs).

OBS-URL: https://build.opensuse.org/request/show/618655
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=102
2018-06-28 01:17:18 +00:00
6975dcd5ff Accepting request 593188 from home:kukuk:branches:security
- Use %license instead of %doc [bsc#1082318]

OBS-URL: https://build.opensuse.org/request/show/593188
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=101
2018-04-11 13:58:54 +00:00
e5a6970bfd Accepting request 588035 from security
OBS-URL: https://build.opensuse.org/request/show/588035
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=86
2018-03-26 09:51:53 +00:00
Tony Jones
e57cf5edeb Accepting request 588034 from home:jones_tony:branches:security
- Change openldap dependency to client only (bsc#1085003)
- Resolve issue with previous change if both Python2 and Python3 are
  present, tests were failing as python2 bindings are preferred in this
  case.
- Update header in audit-python3.patch
- Update patch guidelines in README-BEFORE-ADDING-PATCHES

OBS-URL: https://build.opensuse.org/request/show/588034
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=99
2018-03-16 23:10:56 +00:00
Tony Jones
7176e3c394 Accepting request 580988 from openSUSE:Factory:Staging:O
- Add patch to fix test run without python2 interpreter:
  * audit-python3.patch
- Update to 2.8.2 release:
  * Update tables for 4.14 kernel
  * Fixup ipv6 server side binding
  * AVC report from aureport was missing result column header (#1511606)
  * Add SOFTWARE_UPDATE event
  * In ausearch/report pickup any path and new-disk fields as a file
  * Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
  * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
  * Fix building on old systems without linux/fanotify.h
  * Fix shell portability issues reported by shellcheck
  * Auditd validate_email should not use gethostbyname

OBS-URL: https://build.opensuse.org/request/show/580988
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=98
2018-03-01 21:24:42 +00:00
c3b4f0e839 - reverted -j1 force ppc specific only
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=97
2018-02-22 11:00:36 +00:00
c2369388d3 Accepting request 573323 from home:michel_mno:branches:security
- force -j1 for PowerPC make check to avoid build failure
  (lookup_test.o: file not recognized: File truncated)

OBS-URL: https://build.opensuse.org/request/show/573323
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=96
2018-02-19 07:17:33 +00:00
dfaa3130a1 Accepting request 567005 from security
OBS-URL: https://build.opensuse.org/request/show/567005
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=85
2018-01-26 12:33:24 +00:00
Tony Jones
b1e7f92a48 Accepting request 566726 from home:scarabeus_iv:branches:security
- Add conditions around python plugins to allow us to conditionalize
  them in environment without python2

OBS-URL: https://build.opensuse.org/request/show/566726
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=94
2018-01-17 21:04:11 +00:00
bc47e83530 Accepting request 540279 from security
- Rename python binding packages to match current python packaging
  standards
- Update python build dependencies to resolve future split of
  python2/3 (forwarded request 540272 from pluskalm)

OBS-URL: https://build.opensuse.org/request/show/540279
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=84
2017-11-15 15:49:16 +00:00
32adeb8614 Accepting request 540272 from home:pluskalm:branches:security
- Rename python binding packages to match current python packaging
  standards
- Update python build dependencies to resolve future split of
  python2/3

OBS-URL: https://build.opensuse.org/request/show/540272
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=92
2017-11-09 17:04:53 +00:00
1ded129a42 Accepting request 539420 from home:avindra
- Update to version 2.8.1. See audit.spec (libaudit1) for upstream
  changelog
- Remove audit-implicit-writev.patch (fixed upstream across 2
  commits)
  * 3b30db20ad983274989ce9a522120c3c225436b3
  * 07132c22314e9abbe64d1031fd8734243285bb3f
- Cleanup with spec-cleaner
- Update to version 2.8.1 release (includes 2.8 and 2.7.8 changes)
  * many features added to auparse_normalize
  * cli option added to auditd and audispd for setting config dir
  * in auditd, restore the umask after creating a log file
  * option added to auditd for skipping email verification
-  Full changelog: http://people.redhat.com/sgrubb/audit/ChangeLog

OBS-URL: https://build.opensuse.org/request/show/539420
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=91
2017-11-09 13:54:55 +00:00
d3da0cd89a Accepting request 517818 from security
1

OBS-URL: https://build.opensuse.org/request/show/517818
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=83
2017-08-24 15:40:36 +00:00
757d4f4e1d Accepting request 517517 from home:dimstar:Factory
include sys/uio.h for writev, fixes build failure in Staging:C https://build.opensuse.org/build/openSUSE:Factory:Staging:C:DVD/standard/x86_64/audit-secondary/_log

OBS-URL: https://build.opensuse.org/request/show/517517
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=89
2017-08-21 05:39:17 +00:00
a10b7236ba Accepting request 514176 from security
1

OBS-URL: https://build.opensuse.org/request/show/514176
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=82
2017-08-08 09:56:33 +00:00
f336e4b06a Accepting request 512289 from home:jengelh:branches:security
- Rectify RPM groups, diversify descriptions.
- Remove mentions of static libraries because they are not built.

OBS-URL: https://build.opensuse.org/request/show/512289
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=87
2017-08-03 08:14:13 +00:00
3f83748f78 Accepting request 511711 from security
1

OBS-URL: https://build.opensuse.org/request/show/511711
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=81
2017-07-24 10:29:14 +00:00
Tony Jones
e3d31e63b6 Accepting request 511710 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/511710
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=85
2017-07-20 20:07:48 +00:00
0dd7220473 Accepting request 383796 from security
1

OBS-URL: https://build.opensuse.org/request/show/383796
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=80
2016-04-11 08:27:30 +00:00
8bfd2e643e Accepting request 383289 from home:scarabeus_iv:branches:security
- Create folder for the m4 file from previous commit to avoid install
  failure

OBS-URL: https://build.opensuse.org/request/show/383289
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=83
2016-04-04 09:18:16 +00:00
Tony Jones
e700ce1264 Accepting request 382986 from home:scarabeus_iv:branches:security
- Version update to 2.5. See audit.spec (libaudit1) for upstream
  changelog
- Cleanup with spec-cleaner
- Sort out bit /sbin /usr/sbin/ installation
- Install the rules as documentation
- Remove needless %py_requires from python subpkgs

- Version update to 2.5 release
- Refresh two patches and README to contain SUSE and not SuSE
  * audit-allow-manual-stop.patch
  * audit-plugins-path.patch
- Cleanup with spec-cleaner and do not use subshells but rather use
  -C parameter of make
- Install m4 file to the devel package

OBS-URL: https://build.opensuse.org/request/show/382986
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=82
2016-04-01 16:36:15 +00:00
Stephan Kulow
164d09553b Accepting request 347322 from security
1

OBS-URL: https://build.opensuse.org/request/show/347322
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=79
2015-12-13 08:34:08 +00:00
23489d2c18 Accepting request 347165 from home:posophe:branches:security
little fix

OBS-URL: https://build.opensuse.org/request/show/347165
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=80
2015-12-03 14:45:33 +00:00
2caf2e950d Accepting request 329230 from security
OBS-URL: https://build.opensuse.org/request/show/329230
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=78
2015-09-11 06:59:55 +00:00
Tony Jones
b5e111de83 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=79
2015-09-04 22:54:46 +00:00
Tony Jones
7a17f4104f Accepting request 329223 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/329223
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=78
2015-09-04 22:09:27 +00:00
Tony Jones
35ac1a5f73 Accepting request 283377 from security
revert to r75

OBS-URL: https://build.opensuse.org/request/show/283377
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=77
2015-01-29 20:31:09 +00:00
Tony Jones
42d7928102 Accepting request 283367 from home:fdmanana:branches:security
- Teach ausearch to filter AppArmor events (Fate#317726).
  Added patch file audit-ausearch-filter-apparmor-events.patch

OBS-URL: https://build.opensuse.org/request/show/283367
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=76
2015-01-29 19:21:15 +00:00
3fa133e1f9 Accepting request 263884 from security
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/263884
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=77
2014-12-03 21:47:20 +00:00
Jan Matejka
74ea258675 - Update to version 2.4.1
Changelog 2.4.1
  - Make python3 support easier
  - Add support for ppc64le (Tony Jones)
  - Add some translations for a1 of ioctl system calls
  - Add command & virtualization reports to aureport
  - Update aureport config report for new events
  - Add account modification summary report to aureport
  - Add GRP_MGMT and GRP_CHAUTHTOK event types
  - Correct aureport account change reports
  - Add integrity event report to aureport
  - Add config change summary report to aureport
  - Adjust some syslogging level settings in audispd
  - Improve parsing performance in everything
  - When ausearch outputs a line, use the previously parsed values (Burn Alting)
  - Improve searching and interpreting groups in events
  - Fully interpret the proctitle field in auparse
  - Correct libaudit and auditctl support for kernel features
  - Add support for backlog_time_wait setting via auditctl
  - Update syscall tables for the 3.18 kernel
  - Ignore DNS failure for email validation in auditd (#1138674)
  - Allow rotate as action for space_left and disk_full in auditd.conf
  - Correct login summary report of aureport
  - Auditctl syscalls can be comma separated list now
  - Update rules for new subsystems and capabilities
- Drop patch audit-add-ppc64le-mach-support.patch (already upstream)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=74
2014-11-26 16:13:05 +00:00
Stephan Kulow
f51020c36e Accepting request 247316 from security
1

OBS-URL: https://build.opensuse.org/request/show/247316
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=76
2014-09-07 09:11:37 +00:00
Tony Jones
a550638087 Accepting request 247315 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/247315
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=72
2014-09-02 23:07:21 +00:00
Stephan Kulow
3f8c9faf02 Accepting request 245613 from security
1

OBS-URL: https://build.opensuse.org/request/show/245613
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=74
2014-08-25 10:59:44 +00:00
42c1e24684 Accepting request 244848 from home:elvigia:branches:security
- If the system has been booted with audit=0 in the kernel cmdline
  auditd.service must refrain from starting as the relevant kernel
  subsystem will be permanently disabled.
  add patch: auditd-donot-start-if-kernel-cmdline-disabled.patch

OBS-URL: https://build.opensuse.org/request/show/244848
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=70
2014-08-21 13:31:20 +00:00
Stephan Kulow
30cb942b15 Accepting request 240712 from security
1

OBS-URL: https://build.opensuse.org/request/show/240712
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=73
2014-07-22 04:57:45 +00:00
Tony Jones
0251e93f2b Accepting request 240711 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/240711
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=68
2014-07-11 21:01:21 +00:00
Stephan Kulow
f7b968b6a3 Accepting request 230411 from security
(forwarded request 230410 from jones_tony)

OBS-URL: https://build.opensuse.org/request/show/230411
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=72
2014-04-22 05:42:23 +00:00
Tony Jones
27566ad836 Accepting request 230410 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/230410
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=66
2014-04-16 22:35:54 +00:00
Stephan Kulow
ccc8ecc2f1 Accepting request 227642 from security
- fix systemd warning: 
  "Configuration file /usr/lib/systemd/system/auditd.service 
  is marked world-inaccessible. 
  This has no effect as configuration data is accessible 
  via APIs without restrictions"
* indeed restricting access to unit files using filesystem
  permissions is nonsense. (forwarded request 227625 from elvigia)

OBS-URL: https://build.opensuse.org/request/show/227642
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=71
2014-03-30 05:55:08 +00:00
Tony Jones
998e45611f Accepting request 227625 from home:elvigia:branches:security
- fix systemd warning: 
  "Configuration file /usr/lib/systemd/system/auditd.service 
  is marked world-inaccessible. 
  This has no effect as configuration data is accessible 
  via APIs without restrictions"
* indeed restricting access to unit files using filesystem
  permissions is nonsense.

OBS-URL: https://build.opensuse.org/request/show/227625
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=64
2014-03-26 19:47:19 +00:00
Stephan Kulow
cbff90fad0 Accepting request 224271 from security
(forwarded request 224270 from jones_tony)

OBS-URL: https://build.opensuse.org/request/show/224271
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=70
2014-03-01 13:55:28 +00:00
Tony Jones
c0de89a52c Accepting request 224270 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/224270
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=62
2014-02-28 18:39:10 +00:00
Tomáš Chvátal
d77395e76c Accepting request 221024 from security
(forwarded request 221023 from jones_tony)

OBS-URL: https://build.opensuse.org/request/show/221024
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=69
2014-02-09 12:17:29 +00:00
Tony Jones
b30a3d0a5f Accepting request 221023 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/221023
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=60
2014-02-05 16:51:31 +00:00
Stephan Kulow
b010bc3721 Accepting request 209367 from security
(forwarded request 209366 from jones_tony)

OBS-URL: https://build.opensuse.org/request/show/209367
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=68
2013-12-05 05:48:07 +00:00
Tony Jones
87bc3dd49c Accepting request 209366 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/209366
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=58
2013-12-04 07:41:29 +00:00
Tony Jones
ca9983ce34 Accepting request 209349 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/209349
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=57
2013-12-03 22:28:29 +00:00
Tomáš Chvátal
26b27d74e6 Accepting request 202940 from security
- (re-)add rcauditd as symlink to /usr/sbin/service

OBS-URL: https://build.opensuse.org/request/show/202940
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=67
2013-10-11 09:03:22 +00:00
369b484525 Accepting request 201890 from home:cboltz:branches:security
- (re-)add rcauditd as symlink to /usr/sbin/service
("rcauditd" was lost while moving to auditd.service)

Please forward to Factory and 13.1

OBS-URL: https://build.opensuse.org/request/show/201890
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=55
2013-10-03 11:03:22 +00:00
Stephan Kulow
b1b511aa91 Accepting request 181250 from security
- Eliminate build cycles. audit.spec now builds only libs/devel.
  Remainder (including daemon) built from audit-secondary.spec
- Add patch 'audit-fix-implicit-defn.patch' to fix implicit definition
  warning.

- remove libcap-ng too from audit.spec as it's only needed for plugins
  (and libcap-ng itself needs python to build bindings)

- Eliminate build cycles. audit.spec now builds only libs/devel.
  Remainder (including daemon) built from audit-secondary.spec

OBS-URL: https://build.opensuse.org/request/show/181250
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=65
2013-06-29 17:36:42 +00:00
Stephan Kulow
2db0c57f70 - remove libcap-ng too from audit.spec as it's only needed for plugins
(and libcap-ng itself needs python to build bindings)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=53
2013-06-28 09:31:27 +00:00
Tony Jones
e38ed3ab5f Accepting request 181246 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/181246
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=52
2013-06-28 08:51:36 +00:00
Stephan Kulow
f01c67e5ca Accepting request 173998 from security
- audit-no_m4_dir.patch: Removed AC_CONFIG_MACRO_DIR([m4]) from
  configure.ac to fix build with new automake

  buildrequired and the lack of those requires causes a broken
  configure script after autoreconf add pkgconfig(libcap-ng)
  to both audit and audit-secondary, cap-ng is actually only
  used in the latter.

OBS-URL: https://build.opensuse.org/request/show/173998
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=64
2013-05-02 13:29:17 +00:00
6fe93068b6 - audit-no_m4_dir.patch: Removed AC_CONFIG_MACRO_DIR([m4]) from
configure.ac to fix build with new automake
  buildrequired and the lack of those requires causes a broken
  configure script after autoreconf add pkgconfig(libcap-ng)
  to both audit and audit-secondary, cap-ng is actually only
  used in the latter.

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=50
2013-04-30 13:55:28 +00:00
c9dec60b6c Accepting request 173494 from openSUSE:Factory:Staging:Automake
- Removed AC_CONFIG_MACRO_DIR([m4]) from configure.ac to fix
  build with new automake

OBS-URL: https://build.opensuse.org/request/show/173494
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=49
2013-04-29 10:57:24 +00:00
Stephan Kulow
21dc631ce5 Accepting request 161113 from security
- Buildrequires cap-ng library 

- --with-libcap-ng=yes has no effect if libcap-ng is not 
buildrequired and the lack of those requires causes a broken
configure script after autoreconf add pkgconfig(libcap-ng)
to both audit and audit-secondary, cap-ng is actually only
used in the latter.

- Version 2.2.3
- Code cleanups
- In spec file, don't own lib64/audit
- Update man pages
- Aureport no longer reads auditd.conf when stdin is used
- Don't let systemd kill auditd if auditctl errors out
- Update syscall table for 3.7 and 3.8 kernels
- Add interpretation for setns and unshare syscalls
- Code cleanup (Tyler Hicks)
- Documentation cleanups (Laurent Bigonville)
- Add dirfd interpretation to the *at functions
- Add termination signal to clone flags interpretation
- Update stig.rules
- In auditctl, when listing rules don't print numeric value of dir fields
- Add support for rng resource type in auvirt
- Fix aulast bad login output (#922508)
- In ausearch, allow negative numbers for session and auid searches
- In audisp-remote, if disk_full_action is stop then stop sending (#908977) (forwarded request 161029 from elvigia)

OBS-URL: https://build.opensuse.org/request/show/161113
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=63
2013-03-26 14:28:07 +00:00
85d7f2569e Accepting request 161029 from home:elvigia:branches:security
- Buildrequires cap-ng library 

- --with-libcap-ng=yes has no effect if libcap-ng is not 
buildrequired and the lack of those requires causes a broken
configure script after autoreconf add pkgconfig(libcap-ng)
to both audit and audit-secondary, cap-ng is actually only
used in the latter.

- Version 2.2.3
- Code cleanups
- In spec file, don't own lib64/audit
- Update man pages
- Aureport no longer reads auditd.conf when stdin is used
- Don't let systemd kill auditd if auditctl errors out
- Update syscall table for 3.7 and 3.8 kernels
- Add interpretation for setns and unshare syscalls
- Code cleanup (Tyler Hicks)
- Documentation cleanups (Laurent Bigonville)
- Add dirfd interpretation to the *at functions
- Add termination signal to clone flags interpretation
- Update stig.rules
- In auditctl, when listing rules don't print numeric value of dir fields
- Add support for rng resource type in auvirt
- Fix aulast bad login output (#922508)
- In ausearch, allow negative numbers for session and auid searches
- In audisp-remote, if disk_full_action is stop then stop sending (#908977)

OBS-URL: https://build.opensuse.org/request/show/161029
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=47
2013-03-26 08:57:41 +00:00
Stephan Kulow
f266b13f7b Accepting request 160662 from security
- remove sysvinit scripts. (forwarded request 160635 from elvigia)

OBS-URL: https://build.opensuse.org/request/show/160662
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=62
2013-03-24 20:55:05 +00:00
Tony Jones
bb9092a477 Accepting request 160635 from home:elvigia:branches:security
- remove sysvinit scripts.

OBS-URL: https://build.opensuse.org/request/show/160635
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=45
2013-03-23 06:14:34 +00:00
Stephan Kulow
c354ef9fbd Accepting request 150561 from security
** Please send to 12.3 because starting the audit daemon is broken with systemd ****

- remove old tarball and update -secondary spec 

- Audit 2.2.2, the purpose of this update is to add compatibility
 with systemd for 12.3
- In auditd, tcp_max_per_addr was allowing 1 more connection than specified
- In ausearch, fix matching of object records
- Auditctl was returning -1 when listing rules filtered on a key field
- Add interpretations for CAP_BLOCK_SUSPEND and CAP_COMPROMISE_KERNEL
- Add armv5tejl, armv5tel, armv6l and armv7l machine types (Nathaniel Husted) 
- Updates for the 3.6 kernel
- Add auparse_feed_has_data function to libauparse
- Update audisp-prelude to use auparse_feed_has_data
- Add support to conditionally build auditd network listener (Tyler Hicks)
- In auditd, reset a flag after receiving USR1 signal info when rotating logs
- Add optional systemd init script support
- Add support for SECCOMP event type
- Don't interpret aN_len field in EXECVE records (#869555)
- In audisp-remote, do better job of draining queue
- Fix capability parsing in ausearch/auparse
- Interpret BPRM_FCAPS capability fields
- Add ANOM_LINK event type (forwarded request 150497 from elvigia)

OBS-URL: https://build.opensuse.org/request/show/150561
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=61
2013-01-31 13:41:46 +00:00
11f82fb426 Accepting request 150497 from home:elvigia:branches:security
** Please send to 12.3 because starting the audit daemon is broken with systemd ****

- remove old tarball and update -secondary spec 

- Audit 2.2.2, the purpose of this update is to add compatibility
 with systemd for 12.3
- In auditd, tcp_max_per_addr was allowing 1 more connection than specified
- In ausearch, fix matching of object records
- Auditctl was returning -1 when listing rules filtered on a key field
- Add interpretations for CAP_BLOCK_SUSPEND and CAP_COMPROMISE_KERNEL
- Add armv5tejl, armv5tel, armv6l and armv7l machine types (Nathaniel Husted) 
- Updates for the 3.6 kernel
- Add auparse_feed_has_data function to libauparse
- Update audisp-prelude to use auparse_feed_has_data
- Add support to conditionally build auditd network listener (Tyler Hicks)
- In auditd, reset a flag after receiving USR1 signal info when rotating logs
- Add optional systemd init script support
- Add support for SECCOMP event type
- Don't interpret aN_len field in EXECVE records (#869555)
- In audisp-remote, do better job of draining queue
- Fix capability parsing in ausearch/auparse
- Interpret BPRM_FCAPS capability fields
- Add ANOM_LINK event type

OBS-URL: https://build.opensuse.org/request/show/150497
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=43
2013-01-31 12:22:54 +00:00
Stephan Kulow
30330b423c Accepting request 149556 from security
- Executing autoreconf requires autoconf (forwarded request 149539 from jengelh)

OBS-URL: https://build.opensuse.org/request/show/149556
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=59
2013-01-22 21:20:05 +00:00
5c22955868 Accepting request 149539 from home:jengelh:branches:security
- Executing autoreconf requires autoconf

OBS-URL: https://build.opensuse.org/request/show/149539
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=41
2013-01-22 14:09:24 +00:00
Stephan Kulow
9c5448facb Accepting request 137974 from security
- Update to version 2.2.1, see audit's changes

- update to 2.2.1, upstream changelog:
  2.2.1
  - Add more interpretations in auparse for syscall parameters 
  - Add some interpretations to ausearch for syscall parameters
  - In ausearch/report and auparse, allocate extra space for node names
  - Update syscall tables for the 3.3.0 kernel
  - Update libev to 4.0.4
  - Reduce the size of some applications
  - In auditctl, check usage against euid rather than uid
  
  2.2
  - Correct all rules for clock_settime
  - Fix possible segfault in auparse library
  - Handle malformed socket addresses better
  - Improve performance in audit_log_user_message() 
  - Improve performance in writing to the log file in auditd
  - Syscall update for accept4 and recvmmsg
  - Update autrace resource usage mode syscall list
  - Improved sample rules for recent syscalls
  - Add some debug info to audisp-remote startup and shutdown
  - Make compiling with Python optional
  - In auditd, if disk_error_action is ignore, don't syslog anything
  - Fix some memory leaks
  - If audispd is stopping, don't restart children
  - Add support in auditctl for shell escaped filenames (Alexander)
  - Add search support for virt events (Marcelo Cerri)
  - Update interpretation tables
  - Sync auparse's auditd config parser with auditd's parser (forwarded request 137972 from coolo)

OBS-URL: https://build.opensuse.org/request/show/137974
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=58
2012-10-13 17:50:51 +00:00
1dfe6ebd81 Accepting request 137972 from home:coolo:branches:openSUSE:Factory
- Update to version 2.2.1, see audit's changes

- update to 2.2.1, upstream changelog:
  2.2.1
  - Add more interpretations in auparse for syscall parameters 
  - Add some interpretations to ausearch for syscall parameters
  - In ausearch/report and auparse, allocate extra space for node names
  - Update syscall tables for the 3.3.0 kernel
  - Update libev to 4.0.4
  - Reduce the size of some applications
  - In auditctl, check usage against euid rather than uid
  
  2.2
  - Correct all rules for clock_settime
  - Fix possible segfault in auparse library
  - Handle malformed socket addresses better
  - Improve performance in audit_log_user_message() 
  - Improve performance in writing to the log file in auditd
  - Syscall update for accept4 and recvmmsg
  - Update autrace resource usage mode syscall list
  - Improved sample rules for recent syscalls
  - Add some debug info to audisp-remote startup and shutdown
  - Make compiling with Python optional
  - In auditd, if disk_error_action is ignore, don't syslog anything
  - Fix some memory leaks
  - If audispd is stopping, don't restart children
  - Add support in auditctl for shell escaped filenames (Alexander)
  - Add search support for virt events (Marcelo Cerri)
  - Update interpretation tables
  - Sync auparse's auditd config parser with auditd's parser

OBS-URL: https://build.opensuse.org/request/show/137972
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=39
2012-10-12 13:06:39 +00:00
Stephan Kulow
97464710c9 Accepting request 108328 from security
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/108328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=56
2012-03-07 19:08:34 +00:00
Tony Jones
cfd8ce15d5 Accepting request 107576 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/107576
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=37
2012-02-29 18:06:19 +00:00
Stephan Kulow
7a7056658f replace license with spdx.org variant
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=55
2011-12-06 16:59:45 +00:00
Stephan Kulow
1fe78dcb21 replace license with spdx.org variant
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=54
2011-12-06 16:59:44 +00:00
Lars Vogdt
b1a25fbc65 Accepting request 86089 from security
add libtool as buildrequires so we no longer rely on libtool in the project config of factory - it's only needed by <10% of all packages (forwarded request 85948 from coolo)

OBS-URL: https://build.opensuse.org/request/show/86089
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=52
2011-10-03 07:13:10 +00:00
Cristian Rodríguez
3adbde561c Accepting request 85948 from home:coolo:removelibtool
add libtool as buildrequires so we no longer rely on libtool in the project config of factory - it's only needed by <10% of all packages

OBS-URL: https://build.opensuse.org/request/show/85948
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=35
2011-10-02 15:39:13 +00:00
Lars Vogdt
c8ad7b4e7c Accepting request 85512 from security
- Remove redundant tags/sections from specfile
- Add audit-devel to baselibs (forwarded request 82852 from jengelh)

OBS-URL: https://build.opensuse.org/request/show/85512
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=51
2011-10-02 07:49:32 +00:00
Stephan Kulow
2b8b1fed25 Accepting request 82852 from home:jengelh:bl-a
- Remove redundant tags/sections from specfile
- Add audit-devel to baselibs

OBS-URL: https://build.opensuse.org/request/show/82852
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=33
2011-09-29 19:23:17 +00:00
Sascha Peilicke
2d9aafa99b Autobuild autoformatter for 70849
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=50
2011-05-23 09:58:02 +00:00
OBS User buildservice-autocommit
5d9bcf7005 Updating link to change in openSUSE:Factory/audit revision 50.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=8433422b952ca1e5826be6685f3c01cc
2011-05-23 09:58:02 +00:00
Sascha Peilicke
36a46763f1 Accepting request 70849 from security
(forwarded request 70848 from jones_tony)

OBS-URL: https://build.opensuse.org/request/show/70849
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=49
2011-05-23 09:57:49 +00:00
Tony Jones
d750318163 Accepting request 70848 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/70848
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=31
2011-05-20 17:11:17 +00:00
Berthold Gunreben
114a804044 Autobuild autoformatter for 70068
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=48
2011-05-12 06:48:59 +00:00
OBS User buildservice-autocommit
dbe2bd5b42 Updating link to change in openSUSE:Factory/audit revision 48.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=410013c5ddbb68f9fcc4d529db09c933
2011-05-12 06:48:59 +00:00
Berthold Gunreben
4e73b35d9e Accepting request 70068 from security
OBS-URL: https://build.opensuse.org/request/show/70068
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=47
2011-05-12 06:48:50 +00:00
Tony Jones
7e0c834266 Accepting request 70025 from home:msmeissn:branches:security
fixed licenses of libaudit and libauparse to be lgplv 2.1, not gpl v

OBS-URL: https://build.opensuse.org/request/show/70025
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=29
2011-05-11 15:36:01 +00:00
Sascha Peilicke
234cdd0d14 Autobuild autoformatter for 68728
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=46
2011-05-02 10:07:44 +00:00
OBS User buildservice-autocommit
597e1d068a Updating link to change in openSUSE:Factory/audit revision 46.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=3300b577ee25476404b408203e15fcc5
2011-05-02 10:07:44 +00:00
Sascha Peilicke
d81f01bd2d Accepting request 68728 from security
update to version 2.1.1

OBS-URL: https://build.opensuse.org/request/show/68728
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=45
2011-05-02 10:07:28 +00:00
Tony Jones
681ec0a9b1 Accepting request 68631 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/68631
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=27
2011-04-28 00:17:07 +00:00
85682ba5af Autobuild autoformatter for 62286
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=44
2011-02-21 13:53:49 +00:00
OBS User buildservice-autocommit
ae458029f1 Updating link to change in openSUSE:Factory/audit revision 44.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=28c7cc58332f5f9cff99531480c54d1b
2011-02-21 13:53:49 +00:00
68242b9c50 Accepting request 62286 from security
Accepted submit request 62286 from user msmeissn

OBS-URL: https://build.opensuse.org/request/show/62286
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=43
2011-02-21 13:53:42 +00:00
7ce8ae0c1a Accepting request 62244 from home:a_jaeger:branches:openSUSE:Factory
looks good

OBS-URL: https://build.opensuse.org/request/show/62244
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=25
2011-02-21 13:30:00 +00:00
d72837b2dc Autobuild autoformatter for 55251
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=41
2010-12-10 14:36:23 +00:00
67a3d02da3 Accepting request 55251 from security
Accepted submit request 55251 from user elvigia

OBS-URL: https://build.opensuse.org/request/show/55251
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=40
2010-12-10 14:36:18 +00:00
Cristian Rodríguez
db50017012 Accepting request 55136 from home:coolo:branches:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/55136
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=23
2010-12-08 18:45:55 +00:00
Roman Drahtmueller
ace0094f74 Accepting request 52353 from home:elvigia:branches:security
OBS-URL: https://build.opensuse.org/request/show/52353
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=22
2010-11-09 12:34:18 +00:00
OBS User autobuild
56ac2ed70f Accepting request 50024 from security
Copy from security/audit based on submit request 50024 from user jones_tony

OBS-URL: https://build.opensuse.org/request/show/50024
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=39
2010-10-07 23:12:17 +00:00
OBS User buildservice-autocommit
05e25b4eee Updating link to change in openSUSE:Factory/audit revision 39.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=e38cdd0b691b6b60755903cb397b7849
2010-10-07 23:12:17 +00:00
OBS User autobuild
d92fcc232e Accepting request 50024 from security
checked in (request 50024)

OBS-URL: https://build.opensuse.org/request/show/50024
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=21
2010-10-07 23:12:16 +00:00
Tony Jones
ac0c7391c5 Accepting request 49601 from home:jones_tony:branches:security
Update to 2.0.5

OBS-URL: https://build.opensuse.org/request/show/49601
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=20
2010-09-30 21:25:40 +00:00
Cristian Rodríguez
09202d73d5 Accepting request 49302 from home:a_jaeger:branches:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/49302
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=19
2010-09-28 17:00:09 +00:00
Roman Drahtmueller
426a43d7b5 Accepting request 49204 from home:a_jaeger:branches:openSUSE:Factory
Fits. :-)

OBS-URL: https://build.opensuse.org/request/show/49204
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=18
2010-09-27 12:04:27 +00:00
OBS User autobuild
152094063f Accepting request 44227 from security
Copy from security/audit based on submit request 44227 from user coolo

OBS-URL: https://build.opensuse.org/request/show/44227
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=38
2010-07-30 10:34:44 +00:00
OBS User buildservice-autocommit
e335f1c6d6 Updating link to change in openSUSE:Factory/audit revision 38.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=3d3241e0b15443eae39871a7fdf480eb
2010-07-30 10:34:44 +00:00
OBS User autobuild
333ec06a56 Accepting request 44227 from security
checked in (request 44227)

OBS-URL: https://build.opensuse.org/request/show/44227
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=17
2010-07-30 10:34:43 +00:00
OBS User autobuild
f70ee56352 Accepting request 42082 from security
Copy from security/audit based on submit request 42082 from user jones_tony

OBS-URL: https://build.opensuse.org/request/show/42082
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=35
2010-07-02 12:55:21 +00:00
Pavol Rusnak
c124cb61ad Accepting request 42110 from home:jengelh:smp
Copy from home:jengelh:smp/audit via accept of submit request 42110 revision 2.
Request was accepted with message:
Reviewed ok

OBS-URL: https://build.opensuse.org/request/show/42110
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=15
2010-06-28 14:21:21 +00:00
Tony Jones
e9437f927f Accepting request 42081 from home:jones_tony:branches:security
Copy from home:jones_tony:branches:security/audit via accept of submit request 42081 revision 2.
Request was accepted with message:

OBS-URL: https://build.opensuse.org/request/show/42081
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=14
2010-06-25 21:50:35 +00:00
OBS User autobuild
946471abf6 Accepting request 42072 from security
Copy from security/audit based on submit request 42072 from user prusnak

OBS-URL: https://build.opensuse.org/request/show/42072
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=34
2010-06-25 18:41:59 +00:00
OBS User buildservice-autocommit
d544d6b07c Updating link to change in openSUSE:Factory/audit revision 34.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=4fa5a897999b3867dbdd76d1680e2ff7
2010-06-25 18:41:59 +00:00
OBS User autobuild
18f1fae524 Accepting request 42072 from security
checked in (request 42072)

OBS-URL: https://build.opensuse.org/request/show/42072
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=13
2010-06-25 18:41:58 +00:00
Pavol Rusnak
a7716f3703 Accepting request 42071 from home:dirkmueller:branches:security
Copy from home:dirkmueller:branches:security/audit via accept of submit request 42071 revision 2.
Request was accepted with message:
Reviewed ok

OBS-URL: https://build.opensuse.org/request/show/42071
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=12
2010-06-25 15:52:01 +00:00
OBS User autobuild
59d7b632f7 Accepting request 39398 from security
Copy from security/audit based on submit request 39398 from user jones_tony

OBS-URL: https://build.opensuse.org/request/show/39398
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=33
2010-05-05 18:41:24 +00:00
OBS User buildservice-autocommit
1879b107aa Updating link to change in openSUSE:Factory/audit revision 33.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=2e549d51645610c56d39ee90f5dfd448
2010-05-05 18:41:24 +00:00
OBS User autobuild
4cd295e351 Accepting request 39398 from security
checked in (request 39398)

OBS-URL: https://build.opensuse.org/request/show/39398
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=11
2010-05-05 18:41:23 +00:00
Tony Jones
11af0b5c51 Accepting request 39397 from home:jones_tony:branches:security
Copy from home:jones_tony:branches:security/audit via accept of submit request 39397 revision 9.
Request was accepted with message:

OBS-URL: https://build.opensuse.org/request/show/39397
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=10
2010-05-04 18:46:08 +00:00
OBS User autobuild
81970e5659 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=32 2010-03-18 14:35:56 +00:00
OBS User buildservice-autocommit
7cca605a4b Updating link to change in openSUSE:Factory/audit revision 32.0
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=81fc369541db1b3f9fd7ad1d0bd0caa4
2010-03-18 14:35:56 +00:00
OBS User autobuild
a017b9810d Accepting request 29108 from security
Copy from security/audit based on submit request 29108 from user msmeissn

OBS-URL: https://build.opensuse.org/request/show/29108
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=31
2010-01-14 14:25:16 +00:00
OBS User autobuild
5a9dff2cf2 Accepting request 24465 from security
Copy from security/audit based on submit request 24465 from user msmeissn

OBS-URL: https://build.opensuse.org/request/show/24465
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=30
2009-11-16 08:56:53 +00:00
OBS User unknown
779376fee2 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=28 2009-06-29 12:31:39 +00:00
OBS User unknown
6eb29ba165 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=27 2009-06-19 21:20:55 +00:00
OBS User unknown
97cd17092d OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=26 2009-06-05 20:36:33 +00:00
OBS User unknown
867ed2b559 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=25 2009-04-23 18:22:52 +00:00
OBS User unknown
0c47ed6798 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=24 2008-12-15 10:59:36 +00:00
OBS User unknown
47b4c91a45 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=23 2008-12-05 14:04:37 +00:00
OBS User unknown
251d24e5a4 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=22 2008-11-21 14:13:03 +00:00
OBS User unknown
e10a1c6294 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=21 2008-11-02 14:33:58 +00:00
OBS User unknown
ed84d1ced9 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=20 2008-09-29 15:28:30 +00:00
OBS User unknown
21943c9ab5 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=19 2008-08-05 23:41:00 +00:00
OBS User unknown
1d90645851 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=18 2008-08-02 00:36:28 +00:00
OBS User unknown
6182511c5d OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=17 2008-06-25 16:53:54 +00:00
OBS User unknown
f13d9c5aa9 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=16 2008-06-23 00:42:51 +00:00
OBS User unknown
348e0bd056 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=15 2008-04-25 13:32:44 +00:00
OBS User unknown
d2feff24ad OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=14 2008-04-20 13:23:11 +00:00
OBS User unknown
59d3e50b9d OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=13 2008-04-10 11:07:25 +00:00
OBS User unknown
d97b283bd7 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=12 2008-03-28 14:45:19 +00:00
OBS User unknown
bc18d5818b OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=11 2008-03-19 10:57:31 +00:00
OBS User unknown
4b69287cc5 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=10 2008-03-15 11:00:55 +00:00
OBS User unknown
8e6b6be7c4 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=9 2008-03-07 19:35:26 +00:00
OBS User unknown
d1fe1b9cec OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=8 2007-10-31 11:24:11 +00:00
OBS User unknown
1a1d70706a OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=7 2007-10-11 16:47:28 +00:00
OBS User unknown
e01a00e9c6 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=6 2007-07-26 23:18:47 +00:00
OBS User unknown
e449748bbe OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=5 2007-07-13 20:39:06 +00:00
OBS User unknown
ac476fbb0d OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=4 2007-07-12 01:01:37 +00:00
OBS User unknown
7c9c701854 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=3 2007-05-08 22:57:25 +00:00
OBS User unknown
65a7a4955f OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=2 2007-05-06 15:10:42 +00:00
OBS User unknown
ea9f17caea OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=1 2007-01-15 22:51:54 +00:00
13 changed files with 481 additions and 232 deletions

BIN
audit-3.1.1.tar.gz (Stored with Git LFS)

Binary file not shown.

BIN
audit-4.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

@@ -11,15 +11,13 @@ SUSE since we lack the ability to use a custom stop/restart
init.d/auditd.service | 1 - init.d/auditd.service | 1 -
1 file changed, 1 deletion(-) 1 file changed, 1 deletion(-)
Index: audit-3.0.9/init.d/auditd.service --- a/init.d/auditd.service
=================================================================== +++ b/init.d/auditd.service
--- audit-3.0.9.orig/init.d/auditd.service @@ -14,7 +14,6 @@ After=local-fs.target systemd-tmpfiles-s
+++ audit-3.0.9/init.d/auditd.service
@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
Before=sysinit.target shutdown.target Before=sysinit.target shutdown.target
##Before=shutdown.target ##Before=shutdown.target
Conflicts=shutdown.target Conflicts=shutdown.target
-RefuseManualStop=yes -RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
ConditionKernelCommandLine=!audit=off Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
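Review bot: The refreshed patch still deletes `RefuseManualStop=yes` from init.d/auditd.service, so a manual stop of auditd is accepted again, yet the 4.0 changelog entry dropped this same patch as "fixed upstream" and a later entry re-added it as "removed by mistake". The patch header should state why the line has to go on SUSE even with the 4.0 unit file, and how a manual stop is still recorded, so the next version update does not drop it again.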

@@ -1,3 +1,89 @@
-------------------------------------------------------------------
Fri Oct 4 16:06:06 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update audit.spec (bsc#1231236):
* add requirement for 'awk' package
* move some %post logic from audit to audit-rules
-------------------------------------------------------------------
Wed Oct 2 11:15:07 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Readd audit-allow-manual-stop.patch (removed by mistake)
-------------------------------------------------------------------
Tue Oct 1 14:43:13 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Fix plugin termination when using systemd service units (bsc#1215377)
* add auditd.service-fix-plugin-termination.patch
-------------------------------------------------------------------
Thu Sep 26 16:51:29 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update audit-secondary.spec:
* Add "Requires: audit-rules" for audit package
* Remove preun/postun handling of audit-rules.service
-------------------------------------------------------------------
Tue Sep 17 18:23:15 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update to 4.0
- Drop python2 support
- Drop auvirt and autrace programs
- Drop SysVinit support
- Require the use of the 5.0 or later kernel headers
- New README.md file
- Rewrite legacy service functions in terms of systemctl
- Consolidate and update end of event detection to a common function
- Split off rule loading from auditd.service into audit-rules.service
- Refactor libaudit.h to split out logging functions and record numbers
- Speed up aureport --summary reports
- Limit libaudit python bindings to logging functions
- Add a metrics function for auparse
- Change auditctl to use pidfd_send_signal for signaling auditd
- Adjust watches to optimize syscalls hooked when watch file access
- Drop nispom rules
- Add intepretations for fsconfig, fsopen, fsmount, & move_mount
- Many code fixups (cgzones)
- Update syscall and interpretation tables to the 6.8 kernel
(from v3.1.2)
- When processing a run level change, make auditd exit
- In auditd, fix return code when rules added in immutable mode
- In auparse, when files are given, also consider EUID for access
- Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
- Disable Python bindings from setting rules due to swig bug (S. Trofimovich)
- Update all lookup tables for the 6.5 kernel
- Don't be as paranoid about auditctl -R file permissions
- In ausearch, correct subject/object search to be an and if both are given
- Adjust formats for 64 bit time_t
- Fix segfault in python bindings around the feed API
- Add feed_has_data, get_record_num, and get/goto_field_num to python bindings
- Update spec:
* Move rules-related files into new subpackage `audit-rules':
* Files moved:
- /sbin/auditctl, /sbin/augenrules,
/etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules}
- manpages for auditctl, augenrules, and audit.rules
- /etc/audit is now owned by `audit-rules' as well
* Add new file /usr/lib/systemd/system/audit-rules.service
* Remove in-house create-augenrules-service.patch that generated
augenrules.service systemd unit service
* Remove ownership of /usr/share/audit
* Create /usr/share/audit-rules directory on %install
* Remove audit-userspace-517-compat.patch (fixed upstream)
* Remove libev-werror.patch (fixed upstream)
* Remove audit-allow-manual-stop.patch (fixed upstream)
* Add fix-auparse-test.patch (downstream):
Upstream tests uses a static value (42) for 'gdm' uid/gid (based
on Fedora values, apparently). Replace these occurrences with
'unknown(123456)'
* Replace '--with-python' with '--with-python3' on %configure
* Remove autrace and auvirt references (upstream)
* Replace README with README.md
- Drop `--enable-systemd' from %configure as SysV-style scripts
aren't supported in upstream since
113ae191758c ("Drop support for SysVinit")
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 5 08:50:50 UTC 2024 - Thorsten Kukuk <kukuk@suse.com> Mon Aug 5 08:50:50 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
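Review bot: The Oct 4 entry records a requirement for the 'awk' package, but the spec change in this commit adds `Requires: gawk`, and adds it to the audit-rules subpackage rather than to audit. The entry should name the package and subpackage actually used, so that bsc#1231236 can be matched against the spec. The 4.0 entry would also read better if "Remove audit-allow-manual-stop.patch (fixed upstream)" were corrected in place, since the Oct 2 entry reverses it.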

@@ -22,7 +22,7 @@
# The seperation is required to minimize unnecessary build cycles. # The seperation is required to minimize unnecessary build cycles.
%define _name audit %define _name audit
Name: audit-secondary Name: audit-secondary
Version: 3.1.1 Version: 4.0
Release: 0 Release: 0
Summary: Linux kernel audit subsystem utilities Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later License: GPL-2.0-or-later
@@ -32,16 +32,15 @@ Source0: https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.g
Source1: system-group-audit.conf Source1: system-group-audit.conf
Patch1: audit-plugins-path.patch Patch1: audit-plugins-path.patch
Patch2: audit-no-gss.patch Patch2: audit-no-gss.patch
Patch3: audit-allow-manual-stop.patch Patch3: audit-ausearch-do-not-require-tclass.patch
Patch4: audit-ausearch-do-not-require-tclass.patch Patch4: change-default-log_group.patch
Patch5: change-default-log_group.patch Patch5: harden_auditd.service.patch
Patch6: libev-werror.patch Patch6: change-default-log_format.patch
Patch7: harden_auditd.service.patch Patch7: fix-hardened-service.patch
Patch8: change-default-log_format.patch Patch8: enable-stop-rules.patch
Patch9: fix-hardened-service.patch Patch9: fix-auparse-test.patch
Patch10: enable-stop-rules.patch Patch10: auditd.service-fix-plugin-termination.patch
Patch11: create-augenrules-service.patch Patch11: audit-allow-manual-stop.patch
Patch12: audit-userspace-517-compat.patch
BuildRequires: audit-devel = %{version} BuildRequires: audit-devel = %{version}
BuildRequires: autoconf >= 2.12 BuildRequires: autoconf >= 2.12
BuildRequires: kernel-headers >= 2.6.30 BuildRequires: kernel-headers >= 2.6.30
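Review bot: The context line `BuildRequires: kernel-headers >= 2.6.30` is left unchanged although the 4.0 changelog in this same commit says "Require the use of the 5.0 or later kernel headers". Raise the minimum to match, so that a build against older headers fails at dependency resolution instead of somewhere in compilation. The patch renumbering itself looks consistent with the changelog (libev-werror, create-augenrules-service and audit-userspace-517-compat dropped, fix-auparse-test and auditd.service-fix-plugin-termination added).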
@@ -71,6 +70,7 @@ Summary: User Space Tools for Kernel Auditing
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
Group: System/Monitoring Group: System/Monitoring
Requires: %{_name}-libs = %{version} Requires: %{_name}-libs = %{version}
Requires: %{_name}-rules = %{version}
Requires: coreutils Requires: coreutils
Requires: group(audit) Requires: group(audit)
%{?systemd_ordering} %{?systemd_ordering}
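Review bot: The added `Requires: %{_name}-rules = %{version}` pins only the version, while the new audit-rules subpackage uses `Recommends: audit = %{version}-%{release}`. Both subpackages are built from this spec, so `%{version}-%{release}` would work here as well and would keep audit paired with the audit-rules build whose %post now carries the rules migration. If the looser pin is deliberate, a comment saying so would help.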
@@ -80,10 +80,20 @@ The audit package contains the user space utilities for storing and
processing the audit records generated by the audit subsystem in the processing the audit records generated by the audit subsystem in the
Linux kernel. Linux kernel.
%package -n audit-rules
Summary: Rules and utilities for audit
License: LGPL-2.1-or-later
Requires: gawk
Recommends: audit = %{version}-%{release}
%description -n audit-rules
The audit rules package contains the rules and utilities to load audit rules.
%package -n system-group-audit %package -n system-group-audit
Summary: System group 'audit' Summary: System group 'audit'
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
Group: System/Fhs Group: System/Fhs
BuildArch: noarch
%sysusers_requires %sysusers_requires
%description -n system-group-audit %description -n system-group-audit
@@ -148,7 +158,6 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
%ifarch arm %ifarch arm
--with-arm \ --with-arm \
%endif %endif
--enable-systemd \
--libexecdir=%{_libexecdir}/%{_name} \ --libexecdir=%{_libexecdir}/%{_name} \
--with-apparmor \ --with-apparmor \
--with-libwrap \ --with-libwrap \
@@ -162,7 +171,8 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
%sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf %sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf
%install %install
%make_install # Set $PYTHON3 here so py-compile works correctly on distros that doesn't ship /usr/bin/python
%make_install PYTHON3=$(realpath %__python3)
mkdir -p %{buildroot}%{_localstatedir}/log/audit/ mkdir -p %{buildroot}%{_localstatedir}/log/audit/
touch %{buildroot}%{_localstatedir}/log/audit/audit.log touch %{buildroot}%{_localstatedir}/log/audit/audit.log
@@ -173,7 +183,8 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/
# post copy runs # post copy runs
mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/ mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/
mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/rules.d/ mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/rules.d/
touch %{buildroot}%{_sysconfdir}/{auditd.conf,audit.rules} %{buildroot}%{_sysconfdir}/audit/auditd.conf mkdir -p %{buildroot}%{_datadir}/%{_name}-rules
touch %{buildroot}%{_sysconfdir}/audit/{auditd.conf,audit.rules}
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec %{buildroot}%{_sysconfdir}/libaudit.conf touch -r ./audit.spec %{buildroot}%{_sysconfdir}/libaudit.conf
# Starting with audit 2.5 no config is installed so start with no rules # Starting with audit 2.5 no config is installed so start with no rules
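Review bot: The rewritten `touch` line no longer creates `%{buildroot}%{_sysconfdir}/auditd.conf`, but `%files -n audit` further down still lists `%ghost %{_sysconfdir}/auditd.conf`. Please confirm the ghost entry for the legacy path is still wanted and still packages as intended without the placeholder file; if it is only there for the %post migration, a comment next to it would make that clear. The fix to the brace expansion, which now touches both files under `%{_sysconfdir}/audit/`, is correct.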
@@ -201,7 +212,7 @@ rm -rf %{buildroot}/%{_mandir}/man3
#USR-MERGE #USR-MERGE
%if 0%{?suse_version} < 1550 %if 0%{?suse_version} < 1550
mkdir %{buildroot}/sbin/ mkdir %{buildroot}/sbin/
for prog in auditctl auditd ausearch autrace aureport augenrules; do for prog in auditctl auditd ausearch aureport augenrules; do
ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
done done
%endif %endif
@@ -211,95 +222,119 @@ done
ln -s service %{buildroot}%{_sbindir}/rcauditd ln -s service %{buildroot}%{_sbindir}/rcauditd
%endif %endif
chmod 0644 %{buildroot}%{_unitdir}/auditd.service chmod 0644 %{buildroot}%{_unitdir}/auditd.service
chmod 0644 %{buildroot}%{_unitdir}/augenrules.service
%check %check
%make_build check %make_build check
%post -n audit %post -n audit
# Save existing audit files if any (from old locations) # Save existing auditd.conf if any (from old locations)
if [ -f %{_sysconfdir}/auditd.conf ]; then if [ -f %{_sysconfdir}/auditd.conf ]; then
mv %{_sysconfdir}/audit/auditd.conf %{_sysconfdir}/audit/auditd.conf.new mv %{_sysconfdir}/audit/auditd.conf %{_sysconfdir}/audit/auditd.conf.new
mv %{_sysconfdir}/auditd.conf %{_sysconfdir}/audit/auditd.conf mv %{_sysconfdir}/auditd.conf %{_sysconfdir}/audit/auditd.conf
fi fi
if [ -f %{_sysconfdir}/audit.rules ]; then
mv %{_sysconfdir}/audit.rules %{_sysconfdir}/audit/audit.rules
elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then
cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
fi
%service_add_post auditd.service %service_add_post auditd.service
%service_add_post augenrules.service
%post -n audit-rules
if [ -f %{_sysconfdir}/audit.rules ]; then
# If /etc/audit.rules exists, move into the expected default place /etc/audit/audit.rules.
mv %{_sysconfdir}/audit.rules %{_sysconfdir}/%{_name}/audit.rules
else
# We only expect /etc/audit/audit.rules to exist. If it doesn't, augenrules --load will create
# it with the rules in /etc/audit/rules.d.
#
# If /etc/audit/rules.d is empty, copy the default rules file (no-rules).
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
touch %{_sysconfdir}/%{_name}/audit.rules
install -m 0600 %{_datadir}/audit-rules/10-no-audit.rules %{_sysconfdir}/%{_name}/rules.d/audit.rules
# Make the new rules active
fi
augenrules --load
fi
%service_add_post audit-rules.service
%pre -n audit %pre -n audit
%service_add_pre auditd.service %service_add_pre auditd.service
%service_add_pre augenrules.service
%pre -n audit-rules
%service_add_pre audit-rules.service
%pre -n system-group-audit -f audit.pre %pre -n system-group-audit -f audit.pre
%preun -n audit %preun -n audit
%service_del_preun auditd.service %service_del_preun auditd.service
%service_del_preun augenrules.service
%preun -n audit-rules
# If uninstalling, delete the rules loaded in the kernel
if [ $1 -eq 0 ]; then
auditctl -D > /dev/null 2>&1
fi
%service_del_preun audit-rules.service
%postun -n audit %postun -n audit
%service_del_postun auditd.service %service_del_postun auditd.service
%service_del_postun augenrules.service
%postun -n audit-rules
%service_del_postun audit-rules.service
%files -n audit %files -n audit
%license COPYING %license COPYING
%doc README ChangeLog init.d/auditd.cron %doc README.md ChangeLog init.d/auditd.cron
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz %attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz %attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
%if 0%{?suse_version} < 1550 %if 0%{?suse_version} < 1550
/sbin/auditctl
/sbin/auditd /sbin/auditd
/sbin/ausearch /sbin/ausearch
/sbin/autrace
/sbin/augenrules
/sbin/aureport /sbin/aureport
%endif %endif
%attr(750,root,root) %{_sbindir}/auditctl
%attr(750,root,root) %{_sbindir}/auditd %attr(750,root,root) %{_sbindir}/auditd
%attr(755,root,root) %{_sbindir}/ausearch %attr(755,root,root) %{_sbindir}/ausearch
%attr(750,root,root) %{_sbindir}/autrace
%attr(750,root,root) %{_sbindir}/augenrules
%attr(750,root,root) %{_sbindir}/audisp-syslog %attr(750,root,root) %{_sbindir}/audisp-syslog
%attr(755,root,root) %{_bindir}/aulast %attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall %attr(755,root,root) %{_bindir}/ausyscall
%attr(755,root,root) %{_sbindir}/aureport %attr(755,root,root) %{_sbindir}/aureport
%attr(755,root,root) %{_sbindir}/audisp-af_unix %attr(755,root,root) %{_sbindir}/audisp-af_unix
%attr(755,root,root) %{_bindir}/auvirt
%dir %attr(750,root,root) %{_sysconfdir}/audit %dir %attr(750,root,root) %{_sysconfdir}/audit
%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d %dir %attr(750,root,root) %{_sysconfdir}/audit/plugins.d
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
%ghost %{_sysconfdir}/auditd.conf %ghost %{_sysconfdir}/auditd.conf
%ghost %{_sysconfdir}/audit.rules
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
%dir %attr(750,root,audit) %{_localstatedir}/log/audit %dir %attr(750,root,audit) %{_localstatedir}/log/audit
%ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
%dir %attr(700,root,root) %{_localstatedir}/spool/audit %dir %attr(700,root,root) %{_localstatedir}/spool/audit
%{_unitdir}/auditd.service %{_unitdir}/auditd.service
%{_unitdir}/augenrules.service
%if 0%{?suse_version} < 1550 %if 0%{?suse_version} < 1550
%{_sbindir}/rcauditd %{_sbindir}/rcauditd
%endif %endif
%{_datadir}/audit/
%files -n audit-rules
%dir %attr(755,root,root) %{_datadir}/audit-rules
%attr(644,root,root) %{_datadir}/audit-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%if 0%{?suse_version} < 1550
/sbin/auditctl
/sbin/augenrules
%endif
%attr(750,root,root) %{_sbindir}/auditctl
%attr(750,root,root) %{_sbindir}/augenrules
%attr(644,root,root) %{_unitdir}/audit-rules.service
%dir %attr(750,root,root) %{_sysconfdir}/audit
%ghost %{_sysconfdir}/audit.rules
%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit.rules
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
%files -n system-group-audit %files -n system-group-audit
%{_sysusersdir}/system-group-audit.conf %{_sysusersdir}/system-group-audit.conf
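Review bot: in the new "%preun -n audit-rules" scriptlet, "auditctl -D > /dev/null 2>&1" discards both the output and the exit status, so an uninstall that failed to clear the kernel rules (for instance because the rule set was locked with "-e 2") looks the same as one that succeeded. Keep stderr, or print a short warning when the command fails. The comment above it should also say that the deletion is best-effort and that it removes every loaded rule, not only the ones generated from rules.d.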
@@ -308,12 +343,13 @@ fi
%files -n python2-audit %files -n python2-audit
%attr(755,root,root) %{python2_sitearch}/_audit.so %attr(755,root,root) %{python2_sitearch}/_audit.so
%attr(755,root,root) %{python2_sitearch}/auparse.so %attr(755,root,root) %{python2_sitearch}/auparse.so
%{python2_sitearch}/audit.py* %attr(644,root,root) %{python2_sitearch}/audit.py*
%endif %endif
%if %{with python3} %if %{with python3}
%files -n python3-audit %files -n python3-audit
%attr(755,root,root) %{python3_sitearch}/* %attr(755,root,root) %{python3_sitearch}/*
%attr(644,root,root) %{python3_sitearch}/audit.py*
%endif %endif
%files -n audit-audispd-plugins %files -n audit-audispd-plugins
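Review bot: in "%files -n python3-audit", the added "%attr(644,root,root) %{python3_sitearch}/audit.py*" line names a file that the preceding "%attr(755,root,root) %{python3_sitearch}/*" glob already matches, so the same path is listed twice with two different modes. Narrow the glob to the shared objects, as the python2 section does with "_audit.so" and "auparse.so", so that each file gets exactly one mode.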


@@ -1,38 +0,0 @@
From: Sergei Trofimovich <slyich@gmail.com>
Date: Wed, 23 Mar 2022 07:27:05 +0000
Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
References: https://github.com/linux-audit/audit-userspace/issues/252
Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49
Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
Patch-mainline: submitted for review upstream
As it's a flexible array generated code was never safe to use.
With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
change it's a build failure now:
audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
audit> | ^
Let's avoid setter generation entirely.
Closes: https://github.com/linux-audit/audit-userspace/issues/252
---
bindings/swig/src/auditswig.i | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
index 21aafca31..9a2c5661d 100644
--- a/bindings/swig/src/auditswig.i
+++ b/bindings/swig/src/auditswig.i
@@ -39,6 +39,10 @@ signed
#define __attribute(X) /*nothing*/
typedef unsigned __u32;
typedef unsigned uid_t;
+/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
+ * generating setters against them: https://github.com/swig/swig/issues/1699
+ */
+%ignore audit_rule_data::buf;
%include "/usr/include/linux/audit.h"
#define __extension__ /*nothing*/
%include <stdint.i>


@@ -1,3 +1,52 @@
-------------------------------------------------------------------
Fri Oct 4 16:04:56 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update audit.spec: add requirement for 'awk' package (bsc#1231236)
-------------------------------------------------------------------
Tue Sep 17 18:20:58 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update to 4.0
- Drop python2 support
- Drop auvirt and autrace programs
- Drop SysVinit support
- Require the use of the 5.0 or later kernel headers
- New README.md file
- Rewrite legacy service functions in terms of systemctl
- Consolidate and update end of event detection to a common function
- Split off rule loading from auditd.service into audit-rules.service
- Refactor libaudit.h to split out logging functions and record numbers
- Speed up aureport --summary reports
- Limit libaudit python bindings to logging functions
- Add a metrics function for auparse
- Change auditctl to use pidfd_send_signal for signaling auditd
- Adjust watches to optimize syscalls hooked when watch file access
- Drop nispom rules
- Add intepretations for fsconfig, fsopen, fsmount, & move_mount
- Many code fixups (cgzones)
- Update syscall and interpretation tables to the 6.8 kernel
(from v3.1.2)
- When processing a run level change, make auditd exit
- In auditd, fix return code when rules added in immutable mode
- In auparse, when files are given, also consider EUID for access
- Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
- Disable Python bindings from setting rules due to swig bug (S. Trofimovich)
- Update all lookup tables for the 6.5 kernel
- Don't be as paranoid about auditctl -R file permissions
- In ausearch, correct subject/object search to be an and if both are given
- Adjust formats for 64 bit time_t
- Fix segfault in python bindings around the feed API
- Add feed_has_data, get_record_num, and get/goto_field_num to python bindings
- Update spec:
* Add fix-auparse-test.patch (downstream):
Upstream tests uses a static value (42) for 'gdm' uid/gid (based
on Fedora values, apparently). Replace these occurrences with
'unknown(123456)'
* Replace '--with-python' with '--with-python3' on %configure
* Add new headers 'audit_logging.h' and 'audit-records.h' for
audit-devel
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jul 3 08:33:52 UTC 2023 - Paolo Stivanin <info@paolostivanin.com> Mon Jul 3 08:33:52 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
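Review bot: the "Update spec" list in the 4.0 entry records the added fix-auparse-test.patch but none of the patch files deleted alongside it. The auditswig.i setter patch, the augenrules.service patch and the libev ev_iouring.c patch all go away without a line in this changes file. Add one "Drop" item per removed patch with the reason; for the SWIG one, the "Disable Python bindings from setting rules due to swig bug" item under v3.1.2 looks like the upstream replacement and is worth naming. The word "intepretations" in the fsconfig item is also misspelled.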


@@ -23,7 +23,7 @@
%endif %endif
Name: audit Name: audit
Version: 3.1.1 Version: 4.0
Release: 0 Release: 0
Summary: Linux kernel audit subsystem utilities Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later License: GPL-2.0-or-later
@@ -33,11 +33,13 @@ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: baselibs.conf Source1: baselibs.conf
Source2: README-BEFORE-ADDING-PATCHES Source2: README-BEFORE-ADDING-PATCHES
Patch0: change-default-log_group.patch Patch0: change-default-log_group.patch
Patch1: fix-auparse-test.patch
BuildRequires: autoconf >= 2.12 BuildRequires: autoconf >= 2.12
BuildRequires: kernel-headers >= 2.6.30 BuildRequires: kernel-headers >= 2.6.30
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: tcpd-devel BuildRequires: tcpd-devel
Requires: gawk
Requires: libaudit1 = %{version} Requires: libaudit1 = %{version}
Requires: libauparse0 = %{version} Requires: libauparse0 = %{version}
Provides: bundled(libev) = 4.33 Provides: bundled(libev) = 4.33
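Review bot: "BuildRequires: kernel-headers >= 2.6.30" is left untouched in this hunk although the 4.0 changelog entry says "Require the use of the 5.0 or later kernel headers". Raise the minimum to 5.0 so an old build root fails at dependency resolution rather than partway through the compile. The new "Requires: gawk" would also benefit from a short spec comment naming what needs awk, since the changelog gives only the bug number.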
@@ -98,12 +100,11 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
%ifarch arm %ifarch arm
--with-arm \ --with-arm \
%endif %endif
--enable-systemd \
--libexecdir=%{_libexecdir}/%{name} \ --libexecdir=%{_libexecdir}/%{name} \
--with-apparmor \ --with-apparmor \
--with-libcap-ng=no \ --with-libcap-ng=no \
--disable-static \ --disable-static \
--with-python=no \ --with-python3=no \
--disable-zos-remote --disable-zos-remote
%make_build -C common %make_build -C common
@@ -178,6 +179,8 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_libdir}/libaudit.so %{_libdir}/libaudit.so
%{_libdir}/libauparse.so %{_libdir}/libauparse.so
%{_includedir}/libaudit.h %{_includedir}/libaudit.h
%{_includedir}/audit_logging.h
%{_includedir}/audit-records.h
%{_includedir}/auparse.h %{_includedir}/auparse.h
%{_includedir}/auparse-defs.h %{_includedir}/auparse-defs.h
%{_mandir}/man3/* %{_mandir}/man3/*


@@ -0,0 +1,14 @@
---
init.d/auditd.service | 1 +
1 file changed, 1 insertion(+)
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -29,6 +29,7 @@ ExecStopPost=/sbin/auditctl -R /etc/audi
Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
RestartPreventExitStatus=2 4 6
+KillMode=mixed
### Security Settings ###
MemoryDenyWriteExecute=true
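Review bot: this new patch file starts directly at the "---" diffstat line, with no From/Subject/References/Patch-mainline header, so nothing in the file says why "KillMode=mixed" is added to auditd.service. Add the header (the commit log ties the change to bsc#1215377, plugin termination under systemd units) and a one-line comment above "KillMode=mixed" in the unit, in the style of the comment that precedes "RestartPreventExitStatus", stating that only the main auditd process receives the stop signal and that auditd is left to shut down its plugins itself.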


@@ -1,97 +0,0 @@
Index: audit-3.1.1/init.d/augenrules.service
===================================================================
--- /dev/null
+++ audit-3.1.1/init.d/augenrules.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=auditd rules generation
+After=auditd.service
+Documentation=man:augenrules(8)
+
+[Service]
+Type=oneshot
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+ExecStart=/sbin/augenrules --load
+# We need RemainAfterExit=true so augenrules is called again
+# in case auditd.service is restarted.
+RemainAfterExit=true
+
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectHome=true
+RestrictRealtime=true
+# for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ReadWritePaths=/etc/audit
Index: audit-3.1.1/init.d/auditd.service
===================================================================
--- audit-3.1.1.orig/init.d/auditd.service
+++ audit-3.1.1/init.d/auditd.service
@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
ConditionKernelCommandLine=!audit=off
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+Requires=augenrules.service
+# This unit clears rules on stop, so make sure that augenrules runs again
+PropagatesStopTo=augenrules.service
[Service]
Type=forking
PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and comment/delete the next line and uncomment the auditctl line.
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-ExecStartPost=-/sbin/augenrules --load
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
+## uncomment the next line, and comment the Requires=augenrules.service above.
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service
@@ -47,7 +48,6 @@ ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
# end of automatic additions
-ReadWritePaths=/etc/audit
[Install]
WantedBy=multi-user.target
Index: audit-3.1.1/init.d/Makefile.am
===================================================================
--- audit-3.1.1.orig/init.d/Makefile.am
+++ audit-3.1.1/init.d/Makefile.am
@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
auditd.cron libaudit.conf auditd.condrestart \
auditd.reload auditd.restart auditd.resume \
auditd.rotate auditd.state auditd.stop \
- audit-stop.rules augenrules audit-functions
+ audit-stop.rules augenrules audit-functions \
+ augenrules.service
libconfig = libaudit.conf
if ENABLE_SYSTEMD
initdir = /usr/lib/systemd/system
@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
mkdir -p ${DESTDIR}${legacydir}
mkdir -p ${DESTDIR}${libexecdir}
$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
@@ -72,6 +74,7 @@ uninstall-hook:
rm ${DESTDIR}${sysconfdir}/${libconfig}
if ENABLE_SYSTEMD
rm ${DESTDIR}${initdir}/auditd.service
+ rm ${DESTDIR}${initdir}/augenrules.service
rm ${DESTDIR}${legacydir}/rotate
rm ${DESTDIR}${legacydir}/resume
rm ${DESTDIR}${legacydir}/reload


@@ -11,18 +11,19 @@ Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Index: audit-3.0.9/init.d/auditd.service ---
=================================================================== init.d/auditd.service | 4 ++++
--- audit-3.0.9.orig/init.d/auditd.service 1 file changed, 4 insertions(+)
+++ audit-3.0.9/init.d/auditd.service
@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd --- a/init.d/auditd.service
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ +++ b/init.d/auditd.service
ExecStartPost=-/sbin/augenrules --load @@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules Type=forking
-# By default we don't clear the rules on exit. To enable this, uncomment PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
+ExecStartPost=-/sbin/augenrules --load
+# By default we clear the rules on exit. To disable this, comment +# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service +# the next line after copying the file to /etc/systemd/system/auditd.service
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules +ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
Restart=on-failure Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8). # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
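Review bot: the refreshed patch now adds "ExecStartPost=-/sbin/augenrules --load" to auditd.service, which is outside what the patch description covers (disabling audit when the service stops) and sits oddly next to the 4.0 changelog item "Split off rule loading from auditd.service into audit-rules.service" and the audit-rules.service unit the spec now ships. Check whether rules end up being loaded twice on start. If the line is needed, explain why in the patch description; otherwise drop it so the patch adds only the "ExecStopPost" line and its comment.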

fix-auparse-test.patch Normal file

@@ -0,0 +1,223 @@
---
auparse/test/auparse_test.c | 2 +-
auparse/test/auparse_test.py | 2 +-
auparse/test/auparse_test.ref | 18 +++++++++---------
auparse/test/auparse_test.ref.py | 18 +++++++++---------
auparse/test/test.log | 4 ++--
auparse/test/test2.log | 4 ++--
6 files changed, 24 insertions(+), 24 deletions(-)
--- a/auparse/test/auparse_test.c
+++ b/auparse/test/auparse_test.c
@@ -162,7 +162,7 @@ void compound_search(ausearch_rule_t how
exit(1);
}
} else {
- if (ausearch_add_item(au, "auid", "=", "42",
+ if (ausearch_add_item(au, "auid", "=", "123456",
AUSEARCH_RULE_CLEAR)){
printf("ausearch_add_item 4 error - %s\n",
strerror(errno));
--- a/auparse/test/auparse_test.py
+++ b/auparse/test/auparse_test.py
@@ -112,7 +112,7 @@ def compound_search(au, how):
au.search_add_item("pid", "=", "13015", how)
au.search_add_item("type", "=", "USER_START", how)
else:
- au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR)
+ au.search_add_item("auid", "=", "123456", auparse.AUSEARCH_RULE_CLEAR)
# should stop on this one
au.search_add_item("auid", "=", "0", how)
au.search_add_item("auid", "=", "500", how)
--- a/auparse/test/auparse_test.ref
+++ b/auparse/test/auparse_test.ref
@@ -188,7 +188,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -209,7 +209,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -389,7 +389,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -410,7 +410,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -587,7 +587,7 @@ event 11 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -608,7 +608,7 @@ event 11 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -699,7 +699,7 @@ Test 6 Done
Starting Test 7, compound search...
Found type = USER_START
-Found auid = 42
+Found auid = 123456
Test 7 Done
Starting Test 8, regex search...
@@ -874,7 +874,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -895,7 +895,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
--- a/auparse/test/auparse_test.ref.py
+++ b/auparse/test/auparse_test.ref.py
@@ -180,7 +180,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -201,7 +201,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -381,7 +381,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -402,7 +402,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -579,7 +579,7 @@ event 11 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -600,7 +600,7 @@ event 11 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -691,7 +691,7 @@ Test 6 Done
Starting Test 7, compound search...
Found type = USER_START
-Found auid = 42
+Found auid = 123456
Test 7 Done
Starting Test 8, regex search...
@@ -864,7 +864,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -885,7 +885,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
--- a/auparse/test/test2.log
+++ b/auparse/test/test2.log
@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:283):
type=PATH msg=audit(1170021493.977:283): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
type=USER_ACCT msg=audit(1170021601.340:284): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1170021601.342:285): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
-type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1
+type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1170021601.343:286): proctitle="(systemd)"
type=USER_START msg=audit(1170021601.344:287): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1170021601.364:288): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
--- a/auparse/test/test.log
+++ b/auparse/test/test.log
@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:293):
type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
-type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1
+type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1170021601.343:296): proctitle="(systemd)"
type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
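Review bot: replacing auid 42 with 123456 in test.log and test2.log and expecting "unknown(123456)" in auparse_test.ref and auparse_test.ref.py only holds while no account with uid 123456 exists where the tests run, so the reference output still depends on the host's user database, just less often than it did with 42. State that assumption in the patch itself, which currently begins at the "---" diffstat with no description, References or Patch-mainline line; the explanation in the changelog ("Upstream tests uses a static value (42) for 'gdm' uid/gid") belongs in the patch header as well.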


@@ -1,26 +0,0 @@
From: Jan Engelhardt <jengelh@inai.de>
Date: 2021-06-02 16:18:03.256597842 +0200
Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
to fix some terrible code.
[ 50s] ev_iouring.c: In function 'iouring_sqe_submit':
[ 50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
---
src/libev/ev_iouring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: audit-3.0.1/src/libev/ev_iouring.c
===================================================================
--- audit-3.0.1.orig/src/libev/ev_iouring.c
+++ audit-3.0.1/src/libev/ev_iouring.c
@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
}
inline_size
-struct io_uring_sqe *
+void
iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
{
unsigned idx = sqe - EV_SQES;