audit/fix-hardened-service.patch

From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: make /etc/audit writable
References: bsc#1181400

systemd hardening effort (bsc#1181400) broke auditd.service when starting/
restarting it. This was because auditd couldn't save/create audit.rules from
/etc/audit/rules.d/* files.

Make /etc/audit writable for the service.

Also remove PrivateDevices=true so /dev/* are exposed to auditd.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>

--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -37,12 +37,12 @@ RestrictRealtime=true
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
-PrivateDevices=true
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelLogs=true
 # end of automatic additions 
+ReadWritePaths=/etc/audit
 
 [Install]
 WantedBy=multi-user.target
Accepting request 920348 from home:ematsumiya:branches:security - Fix hardened auditd.service (bsc#1181400) * add fix-hardened-service.patch Make /etc/audit read-write from the service. Remove PrivateDevices=true to expose /dev/* to auditd.service. - Enable stop rules for audit.service (cf. bsc#1190227) * add enable-stop-rules.patch - Change default log_format from ENRICHED to RAW (bsc#1190500): * add change-default-log_format.patch (SUSE-specific patch) - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs OBS-URL: https://build.opensuse.org/request/show/920348 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129 2021-09-20 18:14:05 +02:00			`From: Enzo Matsumiya <ematsumiya@suse.de>`
			`Subject: init.d/auditd.service: make /etc/audit writable`
			`References: bsc#1181400`

			`systemd hardening effort (bsc#1181400) broke auditd.service when starting/`
			`restarting it. This was because auditd couldn't save/create audit.rules from`
			`/etc/audit/rules.d/* files.`

			`Make /etc/audit writable for the service.`

			`Also remove PrivateDevices=true so /dev/* are exposed to auditd.`

			`Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>`

			`--- a/init.d/auditd.service`
			`+++ b/init.d/auditd.service`
			`@@ -37,12 +37,12 @@ RestrictRealtime=true`
			`# added automatically, for details please see`
			`# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort`
			`ProtectSystem=full`
			`-PrivateDevices=true`
			`ProtectHostname=true`
			`ProtectClock=true`
			`ProtectKernelTunables=true`
			`ProtectKernelLogs=true`
			`# end of automatic additions`
			`+ReadWritePaths=/etc/audit`

			`[Install]`
			`WantedBy=multi-user.target`