Wolfgang Frisch
42402f11b7
* Includes fixes since v3.1.1
* Enhance support for newer (5.0+) kernels
- Update spec:
* Move rules-related files into new subpackage `audit-rules':
* Files moved:
- /sbin/auditctl, /sbin/augenrules,
/etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules}
- manpages for auditctl, augenrules, and audit.rules
- /etc/audit is now owned by `audit-rules' as well
* Add new file /usr/lib/systemd/system/audit-rules.service
* Remove in-house create-augenrules-service.patch that generated
augenrules.service systemd unit service
* Remove ownership of /usr/share/audit
* Create /usr/share/audit-rules directory on %install
* Remove audit-userspace-517-compat.patch (fixed upstream)
* Remove libev-werror.patch (fixed upstream)
* Remove audit-allow-manual-stop.patch (fixed upstream)
* Add fix-auparse-test.patch (downstream):
Upstream tests uses a static value (42) for 'gdm' uid/gid (based
on Fedora values, apparently). Replace these occurrences with
'unknown(123456)'
* Replace '--with-python' with '--with-python3' on %configure
* Remove autrace and auvirt references (upstream)
* Replace README with README.md
- Drop `--enable-systemd' from %configure as SysV-style scripts
aren't supported in upstream since
113ae191758c ("Drop support for SysVinit")
- Update to 4.0
* Includes fixes since v3.1.1
* Enhance support for newer (5.0+) kernels
- Update spec:
* Add fix-auparse-test.patch (downstream):
Upstream tests uses a static value (42) for 'gdm' uid/gid (based
on Fedora values, apparently). Replace these occurrences with
'unknown(123456)'
* Replace '--with-python' with '--with-python3' on %configure
* Add new headers 'audit_logging.h' and 'audit-records.h' for
audit-devel
TODO: fix build for SLE/Leap
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=153
31 lines
1.1 KiB
Diff
31 lines
1.1 KiB
Diff
From: Enzo Matsumiya <ematsumiya@suse.de>
|
|
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
|
|
References: bsc#1190227
|
|
|
|
This has caused confusion for customers when relating stopping auditd service
|
|
is the same as stopping system auditing. This is completely understandable, but
|
|
it's by design, so kauditd can keep filling its queues for any other userspace
|
|
daemon to consume.
|
|
|
|
Disable audit when auditd.service stops, so kauditd stops logging/running.
|
|
|
|
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
|
|
|
|
---
|
|
init.d/auditd.service | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
--- a/init.d/auditd.service
|
|
+++ b/init.d/auditd.service
|
|
@@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith
|
|
Type=forking
|
|
PIDFile=/run/auditd.pid
|
|
ExecStart=/sbin/auditd
|
|
+ExecStartPost=-/sbin/augenrules --load
|
|
+# By default we clear the rules on exit. To disable this, comment
|
|
+# the next line after copying the file to /etc/systemd/system/auditd.service
|
|
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
|
|
Restart=on-failure
|
|
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
|
|
RestartPreventExitStatus=2 4 6
|