Compare commits


No commits in common. "factory" and "main" have entirely different histories.

13 changed files with 231 additions and 480 deletions

audit-3.1.1.tar.gz (Stored with Git LFS)


View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bf422d4126ab77a92a4c3ac39de5473f278dc3de35724d2518a48c7be15d54d8
size 1179876

View File

@ -11,13 +11,15 @@ SUSE since we lack the ability to use a custom stop/restart
init.d/auditd.service | 1 -
1 file changed, 1 deletion(-)
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -14,7 +14,6 @@ After=local-fs.target systemd-tmpfiles-s
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
Before=sysinit.target shutdown.target
##Before=shutdown.target
Conflicts=shutdown.target
-RefuseManualStop=yes
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
ConditionKernelCommandLine=!audit=0
ConditionKernelCommandLine=!audit=off
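Review bot: the change only drops `RefuseManualStop=yes`, so the unit now accepts `systemctl stop auditd`, yet it keeps the dead `##Before=shutdown.target` line next to the live `Before=sysinit.target shutdown.target`; drop the dead line. The one-line rationale in the header context ("SUSE since we lack the ability to use a custom stop/restart") should also say what a manual stop is expected to do to kernel auditing, because the `ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules` behaviour lives in a separate patch (enable-stop-rules.patch) and a reader of this file alone cannot see that connection.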

View File

@ -1,89 +1,3 @@
-------------------------------------------------------------------
Fri Oct 4 16:06:06 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update audit.spec (bsc#1231236):
* add requirement for 'awk' package
* move some %post logic from audit to audit-rules
-------------------------------------------------------------------
Wed Oct 2 11:15:07 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Readd audit-allow-manual-stop.patch (removed by mistake)
-------------------------------------------------------------------
Tue Oct 1 14:43:13 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Fix plugin termination when using systemd service units (bsc#1215377)
* add auditd.service-fix-plugin-termination.patch
-------------------------------------------------------------------
Thu Sep 26 16:51:29 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update audit-secondary.spec:
* Add "Requires: audit-rules" for audit package
* Remove preun/postun handling of audit-rules.service
-------------------------------------------------------------------
Tue Sep 17 18:23:15 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update to 4.0
- Drop python2 support
- Drop auvirt and autrace programs
- Drop SysVinit support
- Require the use of the 5.0 or later kernel headers
- New README.md file
- Rewrite legacy service functions in terms of systemctl
- Consolidate and update end of event detection to a common function
- Split off rule loading from auditd.service into audit-rules.service
- Refactor libaudit.h to split out logging functions and record numbers
- Speed up aureport --summary reports
- Limit libaudit python bindings to logging functions
- Add a metrics function for auparse
- Change auditctl to use pidfd_send_signal for signaling auditd
- Adjust watches to optimize syscalls hooked when watch file access
- Drop nispom rules
- Add intepretations for fsconfig, fsopen, fsmount, & move_mount
- Many code fixups (cgzones)
- Update syscall and interpretation tables to the 6.8 kernel
(from v3.1.2)
- When processing a run level change, make auditd exit
- In auditd, fix return code when rules added in immutable mode
- In auparse, when files are given, also consider EUID for access
- Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
- Disable Python bindings from setting rules due to swig bug (S. Trofimovich)
- Update all lookup tables for the 6.5 kernel
- Don't be as paranoid about auditctl -R file permissions
- In ausearch, correct subject/object search to be an and if both are given
- Adjust formats for 64 bit time_t
- Fix segfault in python bindings around the feed API
- Add feed_has_data, get_record_num, and get/goto_field_num to python bindings
- Update spec:
* Move rules-related files into new subpackage `audit-rules':
* Files moved:
- /sbin/auditctl, /sbin/augenrules,
/etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules}
- manpages for auditctl, augenrules, and audit.rules
- /etc/audit is now owned by `audit-rules' as well
* Add new file /usr/lib/systemd/system/audit-rules.service
* Remove in-house create-augenrules-service.patch that generated
augenrules.service systemd unit service
* Remove ownership of /usr/share/audit
* Create /usr/share/audit-rules directory on %install
* Remove audit-userspace-517-compat.patch (fixed upstream)
* Remove libev-werror.patch (fixed upstream)
* Remove audit-allow-manual-stop.patch (fixed upstream)
* Add fix-auparse-test.patch (downstream):
Upstream tests uses a static value (42) for 'gdm' uid/gid (based
on Fedora values, apparently). Replace these occurrences with
'unknown(123456)'
* Replace '--with-python' with '--with-python3' on %configure
* Remove autrace and auvirt references (upstream)
* Replace README with README.md
- Drop `--enable-systemd' from %configure as SysV-style scripts
aren't supported in upstream since
113ae191758c ("Drop support for SysVinit")
-------------------------------------------------------------------
Mon Aug 5 08:50:50 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>

View File

@ -22,7 +22,7 @@
# The seperation is required to minimize unnecessary build cycles.
%define _name audit
Name: audit-secondary
Version: 4.0
Version: 3.1.1
Release: 0
Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later
@ -32,15 +32,16 @@ Source0: https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.g
Source1: system-group-audit.conf
Patch1: audit-plugins-path.patch
Patch2: audit-no-gss.patch
Patch3: audit-ausearch-do-not-require-tclass.patch
Patch4: change-default-log_group.patch
Patch5: harden_auditd.service.patch
Patch6: change-default-log_format.patch
Patch7: fix-hardened-service.patch
Patch8: enable-stop-rules.patch
Patch9: fix-auparse-test.patch
Patch10: auditd.service-fix-plugin-termination.patch
Patch11: audit-allow-manual-stop.patch
Patch3: audit-allow-manual-stop.patch
Patch4: audit-ausearch-do-not-require-tclass.patch
Patch5: change-default-log_group.patch
Patch6: libev-werror.patch
Patch7: harden_auditd.service.patch
Patch8: change-default-log_format.patch
Patch9: fix-hardened-service.patch
Patch10: enable-stop-rules.patch
Patch11: create-augenrules-service.patch
Patch12: audit-userspace-517-compat.patch
BuildRequires: audit-devel = %{version}
BuildRequires: autoconf >= 2.12
BuildRequires: kernel-headers >= 2.6.30
@ -70,7 +71,6 @@ Summary: User Space Tools for Kernel Auditing
License: LGPL-2.1-or-later
Group: System/Monitoring
Requires: %{_name}-libs = %{version}
Requires: %{_name}-rules = %{version}
Requires: coreutils
Requires: group(audit)
%{?systemd_ordering}
@ -80,20 +80,10 @@ The audit package contains the user space utilities for storing and
processing the audit records generated by the audit subsystem in the
Linux kernel.
%package -n audit-rules
Summary: Rules and utilities for audit
License: LGPL-2.1-or-later
Requires: gawk
Recommends: audit = %{version}-%{release}
%description -n audit-rules
The audit rules package contains the rules and utilities to load audit rules.
%package -n system-group-audit
Summary: System group 'audit'
License: LGPL-2.1-or-later
Group: System/Fhs
BuildArch: noarch
%sysusers_requires
%description -n system-group-audit
@ -158,6 +148,7 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
%ifarch arm
--with-arm \
%endif
--enable-systemd \
--libexecdir=%{_libexecdir}/%{_name} \
--with-apparmor \
--with-libwrap \
@ -171,8 +162,7 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
%sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf
%install
# Set $PYTHON3 here so py-compile works correctly on distros that doesn't ship /usr/bin/python
%make_install PYTHON3=$(realpath %__python3)
%make_install
mkdir -p %{buildroot}%{_localstatedir}/log/audit/
touch %{buildroot}%{_localstatedir}/log/audit/audit.log
@ -183,8 +173,7 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/
# post copy runs
mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/
mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/rules.d/
mkdir -p %{buildroot}%{_datadir}/%{_name}-rules
touch %{buildroot}%{_sysconfdir}/audit/{auditd.conf,audit.rules}
touch %{buildroot}%{_sysconfdir}/{auditd.conf,audit.rules} %{buildroot}%{_sysconfdir}/audit/auditd.conf
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec %{buildroot}%{_sysconfdir}/libaudit.conf
# Starting with audit 2.5 no config is installed so start with no rules
@ -212,7 +201,7 @@ rm -rf %{buildroot}/%{_mandir}/man3
#USR-MERGE
%if 0%{?suse_version} < 1550
mkdir %{buildroot}/sbin/
for prog in auditctl auditd ausearch aureport augenrules; do
for prog in auditctl auditd ausearch autrace aureport augenrules; do
ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
done
%endif
@ -222,119 +211,95 @@ done
ln -s service %{buildroot}%{_sbindir}/rcauditd
%endif
chmod 0644 %{buildroot}%{_unitdir}/auditd.service
chmod 0644 %{buildroot}%{_unitdir}/augenrules.service
%check
%make_build check
%post -n audit
# Save existing auditd.conf if any (from old locations)
# Save existing audit files if any (from old locations)
if [ -f %{_sysconfdir}/auditd.conf ]; then
mv %{_sysconfdir}/audit/auditd.conf %{_sysconfdir}/audit/auditd.conf.new
mv %{_sysconfdir}/auditd.conf %{_sysconfdir}/audit/auditd.conf
fi
%service_add_post auditd.service
%post -n audit-rules
if [ -f %{_sysconfdir}/audit.rules ]; then
# If /etc/audit.rules exists, move into the expected default place /etc/audit/audit.rules.
mv %{_sysconfdir}/audit.rules %{_sysconfdir}/%{_name}/audit.rules
else
# We only expect /etc/audit/audit.rules to exist. If it doesn't, augenrules --load will create
# it with the rules in /etc/audit/rules.d.
#
# If /etc/audit/rules.d is empty, copy the default rules file (no-rules).
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
touch %{_sysconfdir}/%{_name}/audit.rules
install -m 0600 %{_datadir}/audit-rules/10-no-audit.rules %{_sysconfdir}/%{_name}/rules.d/audit.rules
# Make the new rules active
fi
augenrules --load
mv %{_sysconfdir}/audit.rules %{_sysconfdir}/audit/audit.rules
elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then
cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
fi
%service_add_post audit-rules.service
%service_add_post auditd.service
%service_add_post augenrules.service
%pre -n audit
%service_add_pre auditd.service
%pre -n audit-rules
%service_add_pre audit-rules.service
%service_add_pre augenrules.service
%pre -n system-group-audit -f audit.pre
%preun -n audit
%service_del_preun auditd.service
%preun -n audit-rules
# If uninstalling, delete the rules loaded in the kernel
if [ $1 -eq 0 ]; then
auditctl -D > /dev/null 2>&1
fi
%service_del_preun audit-rules.service
%service_del_preun augenrules.service
%postun -n audit
%service_del_postun auditd.service
%postun -n audit-rules
%service_del_postun audit-rules.service
%service_del_postun augenrules.service
%files -n audit
%license COPYING
%doc README.md ChangeLog init.d/auditd.cron
%doc README ChangeLog init.d/auditd.cron
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
%if 0%{?suse_version} < 1550
/sbin/auditctl
/sbin/auditd
/sbin/ausearch
/sbin/autrace
/sbin/augenrules
/sbin/aureport
%endif
%attr(750,root,root) %{_sbindir}/auditctl
%attr(750,root,root) %{_sbindir}/auditd
%attr(755,root,root) %{_sbindir}/ausearch
%attr(750,root,root) %{_sbindir}/autrace
%attr(750,root,root) %{_sbindir}/augenrules
%attr(750,root,root) %{_sbindir}/audisp-syslog
%attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall
%attr(755,root,root) %{_sbindir}/aureport
%attr(755,root,root) %{_sbindir}/audisp-af_unix
%attr(755,root,root) %{_bindir}/auvirt
%dir %attr(750,root,root) %{_sysconfdir}/audit
%dir %attr(750,root,root) %{_sysconfdir}/audit/plugins.d
%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
%ghost %{_sysconfdir}/auditd.conf
%ghost %{_sysconfdir}/audit.rules
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
%dir %attr(750,root,audit) %{_localstatedir}/log/audit
%ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
%dir %attr(700,root,root) %{_localstatedir}/spool/audit
%{_unitdir}/auditd.service
%{_unitdir}/augenrules.service
%if 0%{?suse_version} < 1550
%{_sbindir}/rcauditd
%endif
%files -n audit-rules
%dir %attr(755,root,root) %{_datadir}/audit-rules
%attr(644,root,root) %{_datadir}/audit-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%if 0%{?suse_version} < 1550
/sbin/auditctl
/sbin/augenrules
%endif
%attr(750,root,root) %{_sbindir}/auditctl
%attr(750,root,root) %{_sbindir}/augenrules
%attr(644,root,root) %{_unitdir}/audit-rules.service
%dir %attr(750,root,root) %{_sysconfdir}/audit
%ghost %{_sysconfdir}/audit.rules
%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit.rules
%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
%{_datadir}/audit/
%files -n system-group-audit
%{_sysusersdir}/system-group-audit.conf
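Review bot: `augenrules --load` at the end of `%post -n audit-rules` runs on every install and upgrade regardless of the `if`/`fi` that precedes it, and a non-zero exit (kernel audit disabled, rules locked in immutable mode) fails the scriptlet; guard it with `|| :` or the same `> /dev/null 2>&1` pattern that `auditctl -D` gets in `%preun`. The file count via ``files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w` `` breaks on names containing whitespace and hardcodes `/etc/audit` instead of `%{_sysconfdir}/%{_name}` used two lines later; a shell glob test or `find ... | wc -l` is more robust. Also, `install -m 0600 %{_datadir}/audit-rules/10-no-audit.rules %{_sysconfdir}/%{_name}/rules.d/audit.rules` disagrees with `%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules` in `%files -n audit-rules`; pick one mode so the file on disk matches what the package metadata declares.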
@ -343,13 +308,12 @@ fi
%files -n python2-audit
%attr(755,root,root) %{python2_sitearch}/_audit.so
%attr(755,root,root) %{python2_sitearch}/auparse.so
%attr(644,root,root) %{python2_sitearch}/audit.py*
%{python2_sitearch}/audit.py*
%endif
%if %{with python3}
%files -n python3-audit
%attr(755,root,root) %{python3_sitearch}/*
%attr(644,root,root) %{python3_sitearch}/audit.py*
%endif
%files -n audit-audispd-plugins

View File

@ -0,0 +1,38 @@
From: Sergei Trofimovich <slyich@gmail.com>
Date: Wed, 23 Mar 2022 07:27:05 +0000
Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
References: https://github.com/linux-audit/audit-userspace/issues/252
Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49
Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
Patch-mainline: submitted for review upstream
As it's a flexible array generated code was never safe to use.
With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
change it's a build failure now:
audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
audit> | ^
Let's avoid setter generation entirely.
Closes: https://github.com/linux-audit/audit-userspace/issues/252
---
bindings/swig/src/auditswig.i | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
index 21aafca31..9a2c5661d 100644
--- a/bindings/swig/src/auditswig.i
+++ b/bindings/swig/src/auditswig.i
@@ -39,6 +39,10 @@ signed
#define __attribute(X) /*nothing*/
typedef unsigned __u32;
typedef unsigned uid_t;
+/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
+ * generating setters against them: https://github.com/swig/swig/issues/1699
+ */
+%ignore audit_rule_data::buf;
%include "/usr/include/linux/audit.h"
#define __extension__ /*nothing*/
%include <stdint.i>
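Review bot: the header still carries the unfilled template line `Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]` and says `Patch-mainline: submitted for review upstream` while `Git-commit:` already points at the upstream PR #253 commit; drop the placeholder and set Patch-mainline to the upstream version that merged it (the changelog on this page lists the patch as fixed upstream), so the status is not read as still pending. The `%ignore audit_rule_data::buf;` itself is the right fix for SWIG's inability to generate a setter for a C99 flexible array member; it is worth stating in the header that the lost setter means the Python bindings can no longer populate `audit_rule_data.buf`, which is exactly the "Disable Python bindings from setting rules due to swig bug" entry in the changelog.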

View File

@ -1,52 +1,3 @@
-------------------------------------------------------------------
Fri Oct 4 16:04:56 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update audit.spec: add requirement for 'awk' package (bsc#1231236)
-------------------------------------------------------------------
Tue Sep 17 18:20:58 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
- Update to 4.0
- Drop python2 support
- Drop auvirt and autrace programs
- Drop SysVinit support
- Require the use of the 5.0 or later kernel headers
- New README.md file
- Rewrite legacy service functions in terms of systemctl
- Consolidate and update end of event detection to a common function
- Split off rule loading from auditd.service into audit-rules.service
- Refactor libaudit.h to split out logging functions and record numbers
- Speed up aureport --summary reports
- Limit libaudit python bindings to logging functions
- Add a metrics function for auparse
- Change auditctl to use pidfd_send_signal for signaling auditd
- Adjust watches to optimize syscalls hooked when watch file access
- Drop nispom rules
- Add intepretations for fsconfig, fsopen, fsmount, & move_mount
- Many code fixups (cgzones)
- Update syscall and interpretation tables to the 6.8 kernel
(from v3.1.2)
- When processing a run level change, make auditd exit
- In auditd, fix return code when rules added in immutable mode
- In auparse, when files are given, also consider EUID for access
- Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
- Disable Python bindings from setting rules due to swig bug (S. Trofimovich)
- Update all lookup tables for the 6.5 kernel
- Don't be as paranoid about auditctl -R file permissions
- In ausearch, correct subject/object search to be an and if both are given
- Adjust formats for 64 bit time_t
- Fix segfault in python bindings around the feed API
- Add feed_has_data, get_record_num, and get/goto_field_num to python bindings
- Update spec:
* Add fix-auparse-test.patch (downstream):
Upstream tests uses a static value (42) for 'gdm' uid/gid (based
on Fedora values, apparently). Replace these occurrences with
'unknown(123456)'
* Replace '--with-python' with '--with-python3' on %configure
* Add new headers 'audit_logging.h' and 'audit-records.h' for
audit-devel
-------------------------------------------------------------------
Mon Jul 3 08:33:52 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>

View File

@ -23,7 +23,7 @@
%endif
Name: audit
Version: 4.0
Version: 3.1.1
Release: 0
Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later
@ -33,13 +33,11 @@ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: baselibs.conf
Source2: README-BEFORE-ADDING-PATCHES
Patch0: change-default-log_group.patch
Patch1: fix-auparse-test.patch
BuildRequires: autoconf >= 2.12
BuildRequires: kernel-headers >= 2.6.30
BuildRequires: libtool
BuildRequires: pkgconfig
BuildRequires: tcpd-devel
Requires: gawk
Requires: libaudit1 = %{version}
Requires: libauparse0 = %{version}
Provides: bundled(libev) = 4.33
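Review bot: `Requires: gawk` lands in the preamble of the library-side audit.spec (configured with `--with-python3=no` and no utilities), while the changelog ties the awk dependency to augenrules, which audit-secondary.spec already covers with `Requires: gawk` in the `audit-rules` subpackage; confirm this package actually executes awk at runtime, otherwise the dependency belongs only in audit-rules.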
@ -100,11 +98,12 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
%ifarch arm
--with-arm \
%endif
--enable-systemd \
--libexecdir=%{_libexecdir}/%{name} \
--with-apparmor \
--with-libcap-ng=no \
--disable-static \
--with-python3=no \
--with-python=no \
--disable-zos-remote
%make_build -C common
@ -179,8 +178,6 @@ find %{buildroot} -type f -name "*.la" -delete -print
%{_libdir}/libaudit.so
%{_libdir}/libauparse.so
%{_includedir}/libaudit.h
%{_includedir}/audit_logging.h
%{_includedir}/audit-records.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_mandir}/man3/*

View File

@ -1,14 +0,0 @@
---
init.d/auditd.service | 1 +
1 file changed, 1 insertion(+)
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -29,6 +29,7 @@ ExecStopPost=/sbin/auditctl -R /etc/audi
Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
RestartPreventExitStatus=2 4 6
+KillMode=mixed
### Security Settings ###
MemoryDenyWriteExecute=true
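Review bot: the patch file starts directly at the `---` diffstat with no description or `Signed-off-by`, so the only rationale for `+KillMode=mixed` is the bsc#1215377 changelog entry elsewhere on this page; add a header explaining that `mixed` sends SIGTERM to the main auditd process alone and SIGKILL to the remaining cgroup members (the dispatcher plugin children) only after the stop timeout, which is what stops plugins from outliving a unit stop. Placement next to `RestartPreventExitStatus=2 4 6` in the `[Service]` section, rather than inside the `### Security Settings ###` block, is right.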

View File

@ -0,0 +1,97 @@
Index: audit-3.1.1/init.d/augenrules.service
===================================================================
--- /dev/null
+++ audit-3.1.1/init.d/augenrules.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=auditd rules generation
+After=auditd.service
+Documentation=man:augenrules(8)
+
+[Service]
+Type=oneshot
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+ExecStart=/sbin/augenrules --load
+# We need RemainAfterExit=true so augenrules is called again
+# in case auditd.service is restarted.
+RemainAfterExit=true
+
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectHome=true
+RestrictRealtime=true
+# for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ReadWritePaths=/etc/audit
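Review bot: the unit has no `[Install]` section and relies solely on auditd.service's `Requires=`/`PropagatesStopTo=` to be started and stopped; that is fine but should be stated in a comment so nobody tries `systemctl enable augenrules`. `Type=oneshot` with `RemainAfterExit=true` means a repeated `systemctl start augenrules` while it is active is a no-op, so the comment should say that rule changes need `systemctl restart augenrules` (or a restart of auditd). In the hardening block, `ReadWritePaths=/etc/audit` is the single write grant under `ProtectSystem=full` and matches what `augenrules --load` needs to rewrite `/etc/audit/audit.rules`; since the unit needs nothing else writable, consider `ProtectSystem=strict` with that same path. Note also that `After=auditd.service` alone does not prevent a standalone start while auditd is down.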
Index: audit-3.1.1/init.d/auditd.service
===================================================================
--- audit-3.1.1.orig/init.d/auditd.service
+++ audit-3.1.1/init.d/auditd.service
@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
ConditionKernelCommandLine=!audit=off
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+Requires=augenrules.service
+# This unit clears rules on stop, so make sure that augenrules runs again
+PropagatesStopTo=augenrules.service
[Service]
Type=forking
PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and comment/delete the next line and uncomment the auditctl line.
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-ExecStartPost=-/sbin/augenrules --load
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
+## uncomment the next line, and comment the Requires=augenrules.service above.
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service
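Review bot: the replacement comment tells an admin who wants plain `auditctl -R` to "comment the Requires=augenrules.service above" but says nothing about `PropagatesStopTo=augenrules.service`, which would then reference a unit that is never started; mention both lines. `Requires=` without an ordering directive in this file is correct only because augenrules.service declares `After=auditd.service`; a `Before=augenrules.service` here would make the ordering visible where the dependency is declared.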
@@ -47,7 +48,6 @@ ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
# end of automatic additions
-ReadWritePaths=/etc/audit
[Install]
WantedBy=multi-user.target
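Review bot: dropping `ReadWritePaths=/etc/audit` tightens `ProtectSystem=full` for auditd now that the only writer of `/etc/audit/audit.rules` is augenrules.service, and the `ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules` that remains in the unit only reads; the line sits under `# end of automatic additions`, though, so whatever tool produced that block must not re-add it on the next refresh.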
Index: audit-3.1.1/init.d/Makefile.am
===================================================================
--- audit-3.1.1.orig/init.d/Makefile.am
+++ audit-3.1.1/init.d/Makefile.am
@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
auditd.cron libaudit.conf auditd.condrestart \
auditd.reload auditd.restart auditd.resume \
auditd.rotate auditd.state auditd.stop \
- audit-stop.rules augenrules audit-functions
+ audit-stop.rules augenrules audit-functions \
+ augenrules.service
libconfig = libaudit.conf
if ENABLE_SYSTEMD
initdir = /usr/lib/systemd/system
@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
mkdir -p ${DESTDIR}${legacydir}
mkdir -p ${DESTDIR}${libexecdir}
$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
@@ -72,6 +74,7 @@ uninstall-hook:
rm ${DESTDIR}${sysconfdir}/${libconfig}
if ENABLE_SYSTEMD
rm ${DESTDIR}${initdir}/auditd.service
+ rm ${DESTDIR}${initdir}/augenrules.service
rm ${DESTDIR}${legacydir}/rotate
rm ${DESTDIR}${legacydir}/resume
rm ${DESTDIR}${legacydir}/reload

View File

@ -11,19 +11,18 @@ Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
init.d/auditd.service | 4 ++++
1 file changed, 4 insertions(+)
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith
Type=forking
PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
+ExecStartPost=-/sbin/augenrules --load
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-# By default we don't clear the rules on exit. To enable this, uncomment
+# By default we clear the rules on exit. To disable this, comment
+# the next line after copying the file to /etc/systemd/system/auditd.service
# the next line after copying the file to /etc/systemd/system/auditd.service
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
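Review bot: the `Index: audit-3.0.9` variant adds `+# the next line after copying the file to /etc/systemd/system/auditd.service` directly above an identical unchanged context line, so the patched unit ends up with that comment twice; drop the added copy. The `--- a/init.d/auditd.service` variant puts `+ExecStartPost=-/sbin/augenrules --load` back into auditd.service while the spec on this page also ships audit-rules.service and runs `augenrules --load` from `%post -n audit-rules`; confirm this does not load the rules twice at boot. Making `ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules` the default means every unit stop, which audit-allow-manual-stop.patch now permits, loads the stop rules and per the header disables kernel auditing; say in the header that this is intended.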

View File

@ -1,223 +0,0 @@
---
auparse/test/auparse_test.c | 2 +-
auparse/test/auparse_test.py | 2 +-
auparse/test/auparse_test.ref | 18 +++++++++---------
auparse/test/auparse_test.ref.py | 18 +++++++++---------
auparse/test/test.log | 4 ++--
auparse/test/test2.log | 4 ++--
6 files changed, 24 insertions(+), 24 deletions(-)
--- a/auparse/test/auparse_test.c
+++ b/auparse/test/auparse_test.c
@@ -162,7 +162,7 @@ void compound_search(ausearch_rule_t how
exit(1);
}
} else {
- if (ausearch_add_item(au, "auid", "=", "42",
+ if (ausearch_add_item(au, "auid", "=", "123456",
AUSEARCH_RULE_CLEAR)){
printf("ausearch_add_item 4 error - %s\n",
strerror(errno));
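Review bot: swapping the expected auid from 42 to 123456 only works while no account on the build host owns uid 123456, so the reference output `unknown(123456)` carries the same host dependence as the `gdm` assumption it replaces, just with a less likely collision; a comment in the test explaining why 123456 was chosen (or a value outside any range a distro allocates) would make the intent clear to the next person who hits a mismatch.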
--- a/auparse/test/auparse_test.py
+++ b/auparse/test/auparse_test.py
@@ -112,7 +112,7 @@ def compound_search(au, how):
au.search_add_item("pid", "=", "13015", how)
au.search_add_item("type", "=", "USER_START", how)
else:
- au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR)
+ au.search_add_item("auid", "=", "123456", auparse.AUSEARCH_RULE_CLEAR)
# should stop on this one
au.search_add_item("auid", "=", "0", how)
au.search_add_item("auid", "=", "500", how)
--- a/auparse/test/auparse_test.ref
+++ b/auparse/test/auparse_test.ref
@@ -188,7 +188,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -209,7 +209,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -389,7 +389,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -410,7 +410,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -587,7 +587,7 @@ event 11 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -608,7 +608,7 @@ event 11 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -699,7 +699,7 @@ Test 6 Done
Starting Test 7, compound search...
Found type = USER_START
-Found auid = 42
+Found auid = 123456
Test 7 Done
Starting Test 8, regex search...
@@ -874,7 +874,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -895,7 +895,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
--- a/auparse/test/auparse_test.ref.py
+++ b/auparse/test/auparse_test.ref.py
@@ -180,7 +180,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -201,7 +201,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -381,7 +381,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -402,7 +402,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -579,7 +579,7 @@ event 11 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -600,7 +600,7 @@ event 11 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
@@ -691,7 +691,7 @@ Test 6 Done
Starting Test 7, compound search...
Found type = USER_START
-Found auid = 42
+Found auid = 123456
Test 7 Done
Starting Test 8, regex search...
@@ -864,7 +864,7 @@ event 4 has 3 records
uid=0 (root)
subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
old-auid=4294967295 (unset)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
tty=(none) ((none))
old-ses=4294967295 (4294967295)
ses=1 (1)
@@ -885,7 +885,7 @@ event 4 has 3 records
items=0 (0)
ppid=1 (1)
pid=2288 (2288)
- auid=42 (gdm)
+ auid=123456 (unknown(123456))
uid=0 (root)
gid=0 (root)
euid=0 (root)
--- a/auparse/test/test2.log
+++ b/auparse/test/test2.log
@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:283):
type=PATH msg=audit(1170021493.977:283): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
type=USER_ACCT msg=audit(1170021601.340:284): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1170021601.342:285): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
-type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1
+type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1170021601.343:286): proctitle="(systemd)"
type=USER_START msg=audit(1170021601.344:287): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1170021601.364:288): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
--- a/auparse/test/test.log
+++ b/auparse/test/test.log
@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:293):
type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
-type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1
+type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=PROCTITLE msg=audit(1170021601.343:296): proctitle="(systemd)"
type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

libev-werror.patch
View File

@ -0,0 +1,26 @@
From: Jan Engelhardt <jengelh@inai.de>
Date: 2021-06-02 16:18:03.256597842 +0200
Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
to fix some terrible code.
[ 50s] ev_iouring.c: In function 'iouring_sqe_submit':
[ 50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
---
src/libev/ev_iouring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: audit-3.0.1/src/libev/ev_iouring.c
===================================================================
--- audit-3.0.1.orig/src/libev/ev_iouring.c
+++ audit-3.0.1/src/libev/ev_iouring.c
@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
}
inline_size
-struct io_uring_sqe *
+void
iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
{
unsigned idx = sqe - EV_SQES;
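Review bot: changing `iouring_sqe_submit` to return `void` silences `-Werror=return-type` correctly only if no caller consumes the old `struct io_uring_sqe *` return value; the hunk shows no callers, so the header should state that the cherry-picked upstream revision (cvs r1.25) makes the same signature change rather than just "to fix some terrible code", and the build log excerpt should mention that the package builds with `-Werror`, which is why the unmodified upstream tarball fails here.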