#
# spec file for package audit (Version 1.6.8)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# norootforbuild

Name:           audit
BuildRequires:  gcc-c++ openldap2-devel
Summary:        User Space Tools for 2.6 Kernel Auditing
Version:        1.6.8
Release:        1
License:        GPL v2 or later
Group:          System/Monitoring
Url:            http://people.redhat.com/sgrubb/audit/
Source0:        %{name}-%{version}.tar.gz
Source1:        auditd.init
Source2:        auditd.sysconfig
Patch0:         audit-no_sca.patch
Patch1:         audit-no_python.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Requires:       %{name}-libs = %{version}-%{release}
PreReq:         %insserv_prereq %fillup_prereq

%description
The audit package contains the user space utilities for storing and
processing the audit records generated by the audit subsystem in the
Linux 2.6 kernel.

Authors:
--------
    Steve Grubb

%package libs
Summary:        Dynamic library for libaudit
License:        GPL v2 or later
Group:          System/Monitoring

%description libs
The audit-libs package contains the dynamic libraries needed for
applications to use the audit framework.

Authors:
--------
    Steve Grubb

%package devel
Summary:        Header files and static library for libaudit
License:        LGPL v2.1 or later
Group:          System/Monitoring
Requires:       %{name}-libs = %{version}-%{release}

%description devel
The audit-devel package contains the static libraries and header files
needed for developing applications that need to use the audit framework
libraries.

Authors:
--------
    Steve Grubb

%package -n audit-audispd-plugins
Summary:        Default plugins for the audit dispatcher
License:        GPL v2 or later
Group:          System/Monitoring
Requires:       %{name} = %{version}-%{release}
Requires:       %{name}-libs = %{version}-%{release}
Requires:       openldap2

%description -n audit-audispd-plugins
The audit-audispd-plugins package contains plugin components for the
audit dispatcher (audispd).

Authors:
--------
    Steve Grubb

%prep
rm -rf audisp/plugins/zos-remote/policy
rm -rf audisp/plugins/prelude
%setup -q
%patch0 -p1
%patch1 -p1

%build
aclocal && autoconf && autoheader && automake
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="$CFLAGS"
./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --libexecdir=%{_prefix}/lib/%{name} --with-apparmor
pushd src/mt
make libaudit.h
popd
make

%install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,audispd/plugins.d,init.d}}
mkdir -p $RPM_BUILD_ROOT/usr/sbin
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
make DESTDIR=$RPM_BUILD_ROOT install
mkdir -p $RPM_BUILD_ROOT/%{_includedir}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}
# We manually install this since Makefile doesn't
install -m 0644 lib/libaudit.h $RPM_BUILD_ROOT/%{_includedir}
# This winds up in the wrong place when libtool is involved
rm $RPM_BUILD_ROOT/%{_lib}/libaudit.so $RPM_BUILD_ROOT/%{_lib}/libauparse.so
ln -sf /%{_lib}/libaudit.so.0 $RPM_BUILD_ROOT%{_libdir}/libaudit.so
ln -sf /%{_lib}/libauparse.so.0 $RPM_BUILD_ROOT%{_libdir}/libauparse.so
mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT/%{_lib}/libauparse.a $RPM_BUILD_ROOT%{_libdir}
rm $RPM_BUILD_ROOT/%{_lib}/libaudit.la $RPM_BUILD_ROOT/%{_lib}/libauparse.la
mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
cp %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.auditd
# delete redhat script, use ours
rm -rf $RPM_BUILD_ROOT/etc/sysconfig/auditd
rm -rf $RPM_BUILD_ROOT/etc/init.d/auditd
rm -rf $RPM_BUILD_ROOT/etc/rc.d/init.d
install -c -m 755 %{SOURCE1} $RPM_BUILD_ROOT/etc/init.d/auditd
ln -s /etc/init.d/auditd $RPM_BUILD_ROOT/sbin/rcauditd
mkdir -p $RPM_BUILD_ROOT/var/log/audit/
touch $RPM_BUILD_ROOT/var/log/audit/audit.log
# Cleanup plugins
# audispd-zos-remote uses ldap which is in /usr/lib so move to /usr/sbin
mv $RPM_BUILD_ROOT/sbin/audispd-zos-remote $RPM_BUILD_ROOT/usr/sbin/audispd-zos-remote
# we don't package prelude
rm -f $RPM_BUILD_ROOT/usr/share/man/man8/audisp-prelude.8
# For %ghost below, so that old location files will still be there when
# %post copy runs
touch $RPM_BUILD_ROOT/etc/{auditd.conf,audit.rules}
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf

%clean
rm -rf $RPM_BUILD_ROOT

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%post
%{fillup_and_insserv -yn auditd auditd}
# Save existing audit files if any (from old location)
if [ -f /etc/auditd.conf ]; then
   mv /etc/audit/auditd.conf /etc/audit/auditd.conf.new
   mv /etc/auditd.conf /etc/audit/auditd.conf
fi
if [ -f /etc/audit.rules ]; then
   mv /etc/audit/audit.rules /etc/audit/audit.rules.new
   mv /etc/audit.rules /etc/audit/audit.rules
fi

%preun
%stop_on_removal auditd

%postun
%restart_on_update auditd
%{insserv_cleanup}

%files libs
%defattr(-,root,root)
/%{_lib}/libaudit.*
/%{_lib}/libauparse.*
%config(noreplace) %attr(640,root,root) /etc/libaudit.conf

%files devel
%defattr(-,root,root)
%doc contrib/skeleton.c contrib/plugin
%{_libdir}/libaudit.*
%{_libdir}/libauparse.*
%{_includedir}/libaudit.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_mandir}/man3/*

%files
%defattr(-,root,root,-)
%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron
%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
%attr(750,root,root) /sbin/auditctl
%attr(750,root,root) /sbin/auditd
%attr(755,root,root) /sbin/ausearch
%attr(750,root,root) /sbin/rcauditd
%attr(750,root,root) /sbin/autrace
%attr(750,root,root) /sbin/audispd
%attr(750,root,root) /sbin/aulastlog
%attr(755,root,root) /sbin/aureport
/etc/init.d/auditd
%dir %attr(750,root,root) /etc/audit
%attr(750,root,root) %dir /etc/audisp
%attr(750,root,root) %dir /etc/audisp/plugins.d
%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
%ghost /etc/auditd.conf
%ghost /etc/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
%config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
/var/adm/fillup-templates/sysconfig.auditd
%dir %attr(700,root,root) /var/log/audit
%ghost %config(noreplace) /var/log/audit/audit.log

%files -n audit-audispd-plugins
%defattr(-,root,root,-)
%attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
%attr(750,root,root) /usr/sbin/audispd-zos-remote

%changelog
* Tue Mar 04 2008 tonyj@suse.de
- Update from 1.6.2 to 1.6.8. Start building audispd-plugins rpm.
  Redhat changelog follows:
  * Thu Feb 14 2008 Steve Grubb 1.6.8-1
  - Update for gcc 4.3
  - Cleanup descriptors in audispd before running plugin
  - Fix 'recent' keyword for aureport/search
  - Fix SE Linux policy for zos_remote plugin
  - Add event type for group password authentication attempts
  - Couple of updates to the translation tables
  - Add detection of failed group authentication to audisp-prelude
  * Thu Jan 31 2008 Steve Grubb 1.6.7-1
  - In ausearch/report, prefer -if to stdin
  - In ausearch/report, add new command line option --input-logs (#428860)
  - Updated audisp-prelude based on feedback from prelude-devel
  - Added prelude alert for promiscuous socket being opened
  - Added prelude alert for SE Linux policy enforcement changes
  - Added prelude alerts for Forbidden Login Locations and Time
  - Applied patch to auparse fixing error handling of searching by
    interpreted value (Miloslav Trmac)
  * Sat Jan 19 2008 Steve Grubb 1.6.6-1
  - Add prelude IDS plugin for IDMEF alerts
  - Add --user option to aulastlog command
  - Use desktop-file-install for system-config-audit
  * Mon Jan 07 2008 Steve Grubb 1.6.5-1
  - Add more errno strings for exit codes in auditctl
  - Fix config parser to allow either 0640 or 0600 for audit logs (#427062)
  - Check for audit log being writable by owner in auditd
  - If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639)
  - Updated CAPP, LSPP, and NISPOM rules for new capabilities
  - Added aulastlog utility
  * Sat Dec 29 2007 Steve Grubb 1.6.4-1
  - fchmod of log file was on wrong variable (#426934)
  - Allow use of errno strings for exit codes in audit rules
  * Thu Dec 27 2007 Steve Grubb 1.6.3-1
  - Add kernel release string to DEAMON_START events
  - Fix keep_logs when num_logs option disabled (#325561)
  - Fix auparse to handle node fields for syscall records
  - Update system-config-audit to version 0.4.5 (Miloslav Trmac)
  - Add keyword week-ago to aureport & ausearch start/end times
  - Fix audit log permissions on rotate.
    If group is root 0400, otherwise 0440
  - Add RACF zos remote audispd plugin (Klaus Kiwi)
  - Add event queue overflow action to audispd
* Wed Oct 31 2007 tonyj@suse.de
- Incorporate 1 more Redhat fix post 1.6.2
- Go back to 10.2 behaviour wrt to starting in disabled state.
  This time using patch submitted upstream, fix for #Bug 333739
* Thu Oct 11 2007 tonyj@suse.de
- Upgrade to 1.6.2
  Plus two bugs discovered in Fedora, will be fixed in 1.6.3
* Wed Jul 25 2007 tonyj@suse.de
- Upgrade to 1.5.5
  Correct bug in audit_make_equivalent function (Al Viro)
  Local:
  add AppArmor audit ID (upstream in 1.5.6)
  don't build RedHat system-config-audit
* Thu Jul 12 2007 tonyj@suse.de
- Upgrade to 1.5.4
  Add feed interface to auparse library (John Dennis)
  Apply patch to libauparse for unresolved symbols (#241178)
  Apply patch to add line numbers for file events in libauparse (John Dennis)
  Change seresults to seresult in libauparse (John Dennis)
  Add unit32_t definition to swig (#244210)
  Add support for directory auditing
  Update acct field to be escaped
- Fix for #280487 "%%ghost /var/log/audit/audit.log will remove the logfile"
* Mon May 07 2007 rguenther@suse.de
- Drop pkg-config BuildRequires introduced by last change.
* Wed May 02 2007 tonyj@suse.de
- Upgrade to 1.5.3. Drop AUDITD_DISABLE_CONTEXTS from audit sysconfig
* Wed Nov 29 2006 tonyj@suse.de
- Upgrade to 1.2.9 (drop several patches which are now upstream)
- Move to using /etc/audit directory for config files
* Thu Aug 31 2006 tonyj@suse.de
- Upgrade to 1.2.6-1
* Sat Aug 26 2006 olh@suse.de
- do not define __KERNEL__ in userland apps
- remove unused sys/syscall.h include
* Wed Aug 16 2006 cthiel@suse.de
- split audit into audit and audit-libs-python
* Fri May 05 2006 sbeattie@suse.de
- disable syscall audit context creation by default #172154
* Mon Mar 20 2006 meissner@suse.de
- Do not print a misleading error message when audit is
  not compiled into the kernel.
  #152733
* Mon Mar 06 2006 meissner@suse.de
- On kernels without auditing, which report ECONNREFUSED,
  do not output stuff to stderr on startup. #152733
* Sat Feb 25 2006 kukuk@suse.de
- Fix moving of devel libraries, don't install .la file
* Wed Feb 22 2006 meissner@suse.de
- moved libaudit.so symlink to /usr/lib and to -devel
  package, as requested by Thorsten.
* Fri Feb 17 2006 meissner@suse.de
- check sendto() return against -1 (error with errno set).
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Wed Jan 25 2006 ro@suse.de
- fix fillup call since filename != packagename
* Tue Jan 24 2006 ro@suse.de
- do not skip fillup in postinstall
* Mon Jan 23 2006 dreynolds@suse.de
- Modified inssrv macro args to enable on boot
* Wed Jan 18 2006 tonyj@suse.de
- Add support for AppArmor (submitted upstream for 1.1.4)
* Fri Jan 13 2006 meissner@suse.de
- Updated to 1.1.3.
- Moved audispd to /usr/sbin since it uses /usr/lib/libstdc++
- Updated sysconfig snippet.
* Tue Nov 08 2005 meissner@suse.de
- upgraded to 1.0.12.
* Fri Nov 04 2005 kukuk@suse.de
- Update to 1.0.9.
* Wed Oct 12 2005 meissner@suse.de
- upgraded to 1.0.6. ptrdift patch now solved upstream.
* Wed Oct 05 2005 meissner@suse.de
- Upgraded to 1.0.5
* Wed Oct 05 2005 dmueller@suse.de
- add norootforbuild
* Mon Sep 26 2005 meissner@suse.de
- Upgraded to 1.0.4.
- Make rate & backlog 32 bit unsigned int in auditctl
- In auditctl, if -F arch is given with -t option, don't require list
- Update auditd man page
- Add size check to audit_send
- Update message for audit_open failure when kernel doesn't support audit
* Tue Aug 23 2005 meissner@suse.de
- Upgraded to 1.0.3 bugfix release:
- adjust file perms of newly created log file in auditd
- fix 2 memory leaks and an out of bounds access in auditd
- fix case where auditd was closing netlink descriptor too early
- fix watch rules not to take field arguments in auditctl
- fix bug where inode, devmajor, devminor, exit, and success fields
  in auditctl rules were not getting the correct value stored
* Wed Aug 17 2005 meissner@suse.de
- Added /var/log/audit directory and ghost audit.log #105131
* Wed Aug 10 2005 meissner@suse.de
- Upgraded to 1.0.2
* Thu Aug 04 2005 meissner@suse.de
- Upgraded to 1.0.1.
* Mon Jul 11 2005 meissner@suse.de
- Update to version 0.9.16.
* Tue Jun 21 2005 meissner@suse.de
- Update to version 0.9.10.
* Fri Jun 17 2005 meissner@suse.de
- Update to version 0.9.7.
* Thu Jun 16 2005 kukuk@suse.de
- Update to version 0.9.5
* Tue Jun 14 2005 ro@suse.de
- make it build with current includes
* Tue May 31 2005 meissner@suse.de
- Upgraded to 0.9.
* Fri May 13 2005 meissner@suse.de
- upgraded to 0.6.8
* Tue Apr 19 2005 meissner@suse.de
- Upgraded to 0.6.11.
* Fri Apr 15 2005 pth@suse.de
- Make libaudit.h define pgoff_t by itself.
- Fix a minor warning.
* Wed Mar 30 2005 meissner@suse.de
- Upgraded to 0.6.9.
* Fri Mar 04 2005 meissner@suse.de
- Upgraded to 0.6.5.
* Thu Mar 03 2005 meissner@suse.de
- initial package of auditd for new kernel auditing system.