SHA256
1
0
forked from pool/audit
audit/enable-stop-rules.patch

25 lines
1.1 KiB
Diff
Raw Normal View History

Accepting request 920348 from home:ematsumiya:branches:security - Fix hardened auditd.service (bsc#1181400) * add fix-hardened-service.patch Make /etc/audit read-write from the service. Remove PrivateDevices=true to expose /dev/* to auditd.service. - Enable stop rules for audit.service (cf. bsc#1190227) * add enable-stop-rules.patch - Change default log_format from ENRICHED to RAW (bsc#1190500): * add change-default-log_format.patch (SUSE-specific patch) - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs OBS-URL: https://build.opensuse.org/request/show/920348 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129
2021-09-20 18:14:05 +02:00
From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
References: bsc#1190227
This has caused confusion for customers when relating stopping auditd service
is the same as stopping system auditing. This is completely understandable, but
it's by design, so kauditd can keep filling its queues for any other userspace
daemon to consume.
Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -25,7 +25,7 @@ ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
RestartPreventExitStatus=2 4 6