SHA256
1
0
forked from pool/audit

Accepting request 920348 from home:ematsumiya:branches:security

- Fix hardened auditd.service (bsc#1181400)
  * add fix-hardened-service.patch
    Make /etc/audit read-write from the service.
    Remove PrivateDevices=true to expose /dev/* to auditd.service.
- Enable stop rules for audit.service (cf. bsc#1190227)
  * add enable-stop-rules.patch
- Change default log_format from ENRICHED to RAW (bsc#1190500):
  * add change-default-log_format.patch (SUSE-specific patch)
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs

OBS-URL: https://build.opensuse.org/request/show/920348
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129
This commit is contained in:
Enzo Matsumiya 2021-09-20 16:14:05 +00:00 committed by Git OBS Bridge
parent 0e616b4165
commit 09b88829e8
11 changed files with 141 additions and 11 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904
size 1186684

3
audit-3.0.5.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:23bcc88de1b4b94eedfcab9ef805269f073fe8766305e90e361fc58dac328340
size 595279

View File

@ -11,7 +11,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea
@@ -2061,17 +2061,15 @@ other_avc:
// Now get the class...its at the end, so we do things different
str = strstr(term, "tclass=");

View File

@ -1,3 +1,32 @@
-------------------------------------------------------------------
Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Fix hardened auditd.service (bsc#1181400)
* add fix-hardened-service.patch
Make /etc/audit read-write from the service.
Remove PrivateDevices=true to expose /dev/* to auditd.service.
- Enable stop rules for audit.service (cf. bsc#1190227)
* add enable-stop-rules.patch
-------------------------------------------------------------------
Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Change default log_format from ENRICHED to RAW (bsc#1190500):
* add change-default-log_format.patch (SUSE-specific patch)
- Update to version 3.0.5:
* In auditd, flush uid/gid caches when user/group added/deleted/modified
* Fixed various issues when dealing with corrupted logs
* In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
* Apply performance speedups to auparse library
* Optimize rule loading in auditctl
* Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
* Update syscall table to the 5.14 kernel
* Fixed various issues when dealing with corrupted logs
-------------------------------------------------------------------
Mon Aug 16 13:29:21 UTC 2021 - Marcus Meissner <meissner@suse.com>

View File

@ -22,7 +22,7 @@
# The seperation is required to minimize unnecessary build cycles.
%define _name audit
Name: audit-secondary
Version: 3.0.3
Version: 3.0.5
Release: 0
Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later
@ -37,6 +37,9 @@ Patch4: audit-ausearch-do-not-require-tclass.patch
Patch5: change-default-log_group.patch
Patch6: libev-werror.patch
Patch7: harden_auditd.service.patch
Patch8: change-default-log_format.patch
Patch9: fix-hardened-service.patch
Patch10: enable-stop-rules.patch
BuildRequires: audit-devel = %{version}
BuildRequires: autoconf >= 2.12
BuildRequires: gcc-c++
@ -129,6 +132,9 @@ rm -rf audisp/plugins/prelude
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%if %{without python2} && %{with python3}
# Fix python env call in tests if we only have Python3.

View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
- Update to version 3.0.5:
* In auditd, flush uid/gid caches when user/group added/deleted/modified
* Fixed various issues when dealing with corrupted logs
* In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
* Apply performance speedups to auparse library
* Optimize rule loading in auditctl
* Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
* Update syscall table to the 5.14 kernel
* Fixed various issues when dealing with corrupted logs
-------------------------------------------------------------------
Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>

View File

@ -17,7 +17,7 @@
Name: audit
Version: 3.0.3
Version: 3.0.5
Release: 0
Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later

View File

@ -0,0 +1,28 @@
From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: auditd.conf: change default log_format
References: bsc#1190500
Upstream commit bf1270cfe ("change default logging format and update roadmap")
changed the default log_format from RAW to ENRICHED.
This causes non-audit tools to not interpret the GS character (group separator,
0x1d) that splits the raw data from the enriched data, causing it to be visually
concatenated.
Since a candidate patch to change this was rejected by upstream, we change
the default log_format back to RAW instead, to avoid confusion on customers'
environments.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.conf
+++ b/init.d/auditd.conf
@@ -6,7 +6,7 @@ local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = audit
-log_format = ENRICHED
+log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8

24
enable-stop-rules.patch Normal file
View File

@ -0,0 +1,24 @@
From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
References: bsc#1190227
This has caused confusion for customers when relating stopping auditd service
is the same as stopping system auditing. This is completely understandable, but
it's by design, so kauditd can keep filling its queues for any other userspace
daemon to consume.
Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -25,7 +25,7 @@ ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
### Security Settings ###
MemoryDenyWriteExecute=true

View File

@ -0,0 +1,30 @@
From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: make /etc/audit writable
References: bsc#1181400
systemd hardening effort (bsc#1181400) broke auditd.service when starting/
restarting it. This was because auditd couldn't save/create audit.rules from
/etc/audit/rules.d/* files.
Make /etc/audit writable for the service.
Also remove PrivateDevices=true so /dev/* are exposed to auditd.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -37,12 +37,12 @@ RestrictRealtime=true
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
-PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
# end of automatic additions
+ReadWritePaths=/etc/audit
[Install]
WantedBy=multi-user.target

View File

@ -1,8 +1,6 @@
Index: audit-3.0.3/init.d/auditd.service
===================================================================
--- audit-3.0.3.orig/init.d/auditd.service
+++ audit-3.0.3/init.d/auditd.service
@@ -35,6 +35,15 @@ ProtectControlGroups=true
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -34,6 +34,15 @@ ProtectControlGroups=true
ProtectKernelModules=true
ProtectHome=true
RestrictRealtime=true