Accepting request 1329353 from security

OBS-URL: https://build.opensuse.org/request/show/1329353
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=110

audit-allow-manual-stop.patch

@@ -11,13 +11,12 @@ SUSE since we lack the ability to use a custom stop/restart
  init.d/auditd.service |    1 -
  1 file changed, 1 deletion(-)
 
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -14,7 +14,6 @@ After=local-fs.target systemd-tmpfiles-s
+--- audit-4.0.2.orig/init.d/auditd.service.in   2024-08-08 19:40:19.000000000 +0200
++++ audit-4.0.2/init.d/auditd.service.in        2025-06-12 12:09:00.612234841 +0200
+@@ -21,7 +21,6 @@
  Before=sysinit.target shutdown.target
- ##Before=shutdown.target
+ #Before=shutdown.target
  Conflicts=shutdown.target
 -RefuseManualStop=yes
- 
+
  Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
- 

audit-secondary.changes

@@ -1,3 +1,40 @@
+-------------------------------------------------------------------
+Mon Jan 26 12:11:06 UTC 2026 - Callum Farmer <gmbr3@opensuse.org>
+
+- Move all /var/spool, /var/log directories to systemd-tmpfiles
+
+-------------------------------------------------------------------
+Tue Jun 10 14:24:47 UTC 2025 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- Refresh systemd service patches:
+  - audit-allow-manual-stop.patch
+  - auditd.service-fix-plugin-termination.patch
+  - enable-stop-rules.patch
+  - fix-hardened-service.patch
+  - harden_auditd.service.patch
+
+- Update to 4.0.2
+  - Fix musl C builds
+  - Many code cleanups (Yugend)
+  - Use atomic variables if available for signal related flags
+  - Dont rotate audit logs when auditd is in debug mode
+  - Fix a couple memory leaks on error paths
+  - Correct output when displaying rules with exe/path/dir (Attila Lakatos)
+  - Fix auparse lookup test to not use the system libaupaurse
+  - Improve auparse metrics
+  - Update auparse normalizer for recent syscalls
+  - Make status report uniform
+
+- Update to 4.0.1
+  - Update TRUSTED_APP interpretation to look for known fields
+  - In auditd plugins, allow variable amount of arguments (Attila Lakatos)
+  - Fix augenrules to work correctly when kernel is in immutable mode
+  - Add ausearch_cur_event to auparse library (Attila Lakatos)
+  - Add audisp-filter plugin (Attila Lakatos)
+  - Improve sorting speed of aureport --summary reports
+  - auditd & audit-rules.service pick up paths automatically (Laurent Bigonville)
+  - Update auparse normalizer for new syscalls
+
 -------------------------------------------------------------------
 Fri Oct  4 16:06:06 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
 

audit-secondary.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package audit-secondary
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        4.0
+Version:        4.0.2
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -30,6 +30,7 @@ Group:          System/Monitoring
 URL:            https://people.redhat.com/sgrubb/audit/
 Source0:        https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.gz
 Source1:        system-group-audit.conf
+Source2:        audit.tmpfiles
 Patch1:         audit-plugins-path.patch
 Patch2:         audit-no-gss.patch
 Patch3:         audit-ausearch-do-not-require-tclass.patch
@@ -222,6 +223,7 @@ done
 ln -s service %{buildroot}%{_sbindir}/rcauditd
 %endif
 chmod 0644 %{buildroot}%{_unitdir}/auditd.service
+install -Dm0644 %{SOURCE2} %{buildroot}%{_tmpfilesdir}/audit.conf
 
 %check
 %make_build check
@@ -308,10 +310,11 @@ fi
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
 %ghost %{_sysconfdir}/auditd.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
-%dir %attr(750,root,audit) %{_localstatedir}/log/audit
-%ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
-%dir %attr(700,root,root) %{_localstatedir}/spool/audit
+%ghost %dir %attr(0750,root,audit) %{_localstatedir}/log/audit
+%ghost %config(noreplace) %attr(0640,root,audit) %{_localstatedir}/log/audit/audit.log
+%ghost %dir %attr(0700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
+%{_tmpfilesdir}/audit.conf
 %if 0%{?suse_version} < 1550
 %{_sbindir}/rcauditd
 %endif
@@ -359,13 +362,17 @@ fi
 %attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-filter.8.gz
 %attr(750,root,root) %dir %{_sysconfdir}/audit
 %attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
+%attr(750,root,root) %{_sbindir}/audisp-filter
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-filter.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/filter.conf
 
 %changelog

audit.changes

@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Tue Jun 10 14:23:54 UTC 2025 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- Refresh systemd service patches:
+  - audit-allow-manual-stop.patch
+  - auditd.service-fix-plugin-termination.patch
+  - enable-stop-rules.patch
+  - fix-hardened-service.patch
+  - harden_auditd.service.patch
+
+- Update to 4.0.2
+  - Fix musl C builds
+  - Many code cleanups (Yugend)
+  - Use atomic variables if available for signal related flags
+  - Dont rotate audit logs when auditd is in debug mode
+  - Fix a couple memory leaks on error paths
+  - Correct output when displaying rules with exe/path/dir (Attila Lakatos)
+  - Fix auparse lookup test to not use the system libaupaurse
+  - Improve auparse metrics
+  - Update auparse normalizer for recent syscalls
+  - Make status report uniform
+
+- Update to 4.0.1
+  - Update TRUSTED_APP interpretation to look for known fields
+  - In auditd plugins, allow variable amount of arguments (Attila Lakatos)
+  - Fix augenrules to work correctly when kernel is in immutable mode
+  - Add ausearch_cur_event to auparse library (Attila Lakatos)
+  - Add audisp-filter plugin (Attila Lakatos)
+  - Improve sorting speed of aureport --summary reports
+  - auditd & audit-rules.service pick up paths automatically (Laurent Bigonville)
+  - Update auparse normalizer for new syscalls
+
 -------------------------------------------------------------------
 Fri Oct  4 16:04:56 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
 

audit.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package audit
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 %endif
 
 Name:           audit
-Version:        4.0
+Version:        4.0.2
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later

audit.tmpfiles

@@ -0,0 +1,3 @@
+d /var/log/audit 0750 root audit - -
+f /var/log/audit/audit.log 0640 root audit - -
+d /var/spool/audit 0700 root root - -

auditd.service-fix-plugin-termination.patch

@@ -2,13 +2,13 @@
  init.d/auditd.service |    1 +
  1 file changed, 1 insertion(+)
 
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -29,6 +29,7 @@ ExecStopPost=/sbin/auditctl -R /etc/audi
+--- audit-4.0.2.orig/init.d/auditd.service.in   2024-08-08 19:40:19.000000000 +0200
++++ audit-4.0.2/init.d/auditd.service.in        2025-06-12 12:07:18.450305682 +0200
+@@ -32,6 +32,7 @@
  Restart=on-failure
- # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
+ ## Do not restart for intentional exits. See EXIT CODES section in auditd(8).
  RestartPreventExitStatus=2 4 6
 +KillMode=mixed
- 
+
  ### Security Settings ###
  MemoryDenyWriteExecute=true

enable-stop-rules.patch

@@ -15,16 +15,16 @@ Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
  init.d/auditd.service |    4 ++++
  1 file changed, 4 insertions(+)
 
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith
+--- audit-4.0.2.orig/init.d/auditd.service.in   2024-08-08 19:40:19.000000000 +0200
++++ audit-4.0.2/init.d/auditd.service.in        2025-06-12 12:04:22.896698211 +0200
+@@ -29,6 +29,10 @@
  Type=forking
- PIDFile=/run/auditd.pid
- ExecStart=/sbin/auditd
-+ExecStartPost=-/sbin/augenrules --load
+ PIDFile=@runstatedir@/auditd.pid
+ ExecStart=@sbindir@/auditd
++ExecStartPost=-@sbindir@/augenrules --load
 +# By default we clear the rules on exit. To disable this, comment
 +# the next line after copying the file to /etc/systemd/system/auditd.service
-+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
++ExecStopPost=@sbindir@/auditctl -R /etc/audit/audit-stop.rules
  Restart=on-failure
- # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
+ ## Do not restart for intentional exits. See EXIT CODES section in auditd(8).
  RestartPreventExitStatus=2 4 6

fix-hardened-service.patch

@@ -12,10 +12,10 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd.
 
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
 
-Index: audit-3.1.1/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service.in
 ===================================================================
---- audit-3.1.1.orig/init.d/auditd.service
-+++ audit-3.1.1/init.d/auditd.service
+--- audit-3.1.1.orig/init.d/auditd.service.in
++++ audit-3.1.1/init.d/auditd.service.in
 @@ -42,12 +42,12 @@ RestrictRealtime=true
  # added automatically, for details please see
  # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

harden_auditd.service.patch

@@ -1,7 +1,7 @@
-Index: audit-3.1.1/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service.in
 ===================================================================
---- audit-3.1.1.orig/init.d/auditd.service
-+++ audit-3.1.1/init.d/auditd.service
+--- audit-3.1.1.orig/init.d/auditd.service.in
++++ audit-3.1.1/init.d/auditd.service.in
 @@ -39,6 +39,15 @@ LockPersonality=true
  #ProtectControlGroups=true
  ProtectKernelModules=true