Accepting request 920348 from home:ematsumiya:branches:security

- Fix hardened auditd.service (bsc#1181400)
  * add fix-hardened-service.patch
    Make /etc/audit read-write from the service.
    Remove PrivateDevices=true to expose /dev/* to auditd.service.
- Enable stop rules for audit.service (cf. bsc#1190227)
  * add enable-stop-rules.patch
- Change default log_format from ENRICHED to RAW (bsc#1190500):
  * add change-default-log_format.patch (SUSE-specific patch)
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs

OBS-URL: https://build.opensuse.org/request/show/920348
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129

audit-3.0.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904
-size 1186684

audit-3.0.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23bcc88de1b4b94eedfcab9ef805269f073fe8766305e90e361fc58dac328340
+size 595279

audit-ausearch-do-not-require-tclass.patch

@@ -11,7 +11,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
 
 --- a/src/ausearch-parse.c
 +++ b/src/ausearch-parse.c
-@@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea
+@@ -2061,17 +2061,15 @@ other_avc:
  
  	// Now get the class...its at the end, so we do things different
  	str = strstr(term, "tclass=");

audit-secondary.changes

@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Fix hardened auditd.service (bsc#1181400)
+  * add fix-hardened-service.patch
+    Make /etc/audit read-write from the service.
+    Remove PrivateDevices=true to expose /dev/* to auditd.service.
+
+- Enable stop rules for audit.service (cf. bsc#1190227)
+  * add enable-stop-rules.patch
+
+-------------------------------------------------------------------
+Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Change default log_format from ENRICHED to RAW (bsc#1190500):
+  * add change-default-log_format.patch (SUSE-specific patch)
+
+- Update to version 3.0.5:
+  * In auditd, flush uid/gid caches when user/group added/deleted/modified
+  * Fixed various issues when dealing with corrupted logs
+  * In auditd, check if log_file is valid before closing handle
+
+- Include fixed from 3.0.4:
+  * Apply performance speedups to auparse library
+  * Optimize rule loading in auditctl
+  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
+  * Update syscall table to the 5.14 kernel
+  * Fixed various issues when dealing with corrupted logs
+
 -------------------------------------------------------------------
 Mon Aug 16 13:29:21 UTC 2021 - Marcus Meissner <meissner@suse.com>
 

audit-secondary.spec

@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        3.0.3
+Version:        3.0.5
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -37,6 +37,9 @@ Patch4:         audit-ausearch-do-not-require-tclass.patch
 Patch5:         change-default-log_group.patch
 Patch6:         libev-werror.patch
 Patch7:         harden_auditd.service.patch
+Patch8:         change-default-log_format.patch
+Patch9:         fix-hardened-service.patch
+Patch10:        enable-stop-rules.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -129,6 +132,9 @@ rm -rf audisp/plugins/prelude
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.

audit.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Update to version 3.0.5:
+  * In auditd, flush uid/gid caches when user/group added/deleted/modified
+  * Fixed various issues when dealing with corrupted logs
+  * In auditd, check if log_file is valid before closing handle
+
+- Include fixed from 3.0.4:
+  * Apply performance speedups to auparse library
+  * Optimize rule loading in auditctl
+  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
+  * Update syscall table to the 5.14 kernel
+  * Fixed various issues when dealing with corrupted logs
+
 -------------------------------------------------------------------
 Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
 

audit.spec

@@ -17,7 +17,7 @@
 
 
 Name:           audit
-Version:        3.0.3
+Version:        3.0.5
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later

change-default-log_format.patch

@@ -0,0 +1,28 @@
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Subject: auditd.conf: change default log_format
+References: bsc#1190500
+
+Upstream commit bf1270cfe ("change default logging format and update roadmap")
+changed the default log_format from RAW to ENRICHED.
+
+This causes non-audit tools to not interpret the GS character (group separator,
+0x1d) that splits the raw data from the enriched data, causing it to be visually
+concatenated.
+
+Since a candidate patch to change this was rejected by upstream, we change
+the default log_format back to RAW instead, to avoid confusion on customers'
+environments.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+
+--- a/init.d/auditd.conf
++++ b/init.d/auditd.conf
+@@ -6,7 +6,7 @@ local_events = yes
+ write_logs = yes
+ log_file = /var/log/audit/audit.log
+ log_group = audit
+-log_format = ENRICHED
++log_format = RAW
+ flush = INCREMENTAL_ASYNC
+ freq = 50
+ max_log_file = 8

enable-stop-rules.patch

@@ -0,0 +1,24 @@
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
+References: bsc#1190227
+
+This has caused confusion for customers when relating stopping auditd service
+is the same as stopping system auditing. This is completely understandable, but
+it's by design, so kauditd can keep filling its queues for any other userspace
+daemon to consume.
+
+Disable audit when auditd.service stops, so kauditd stops logging/running.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -25,7 +25,7 @@ ExecStartPost=-/sbin/augenrules --load
+ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ # By default we don't clear the rules on exit. To enable this, uncomment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
++ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ 
+ ### Security Settings ###
+ MemoryDenyWriteExecute=true

fix-hardened-service.patch

@@ -0,0 +1,30 @@
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Subject: init.d/auditd.service: make /etc/audit writable
+References: bsc#1181400
+
+systemd hardening effort (bsc#1181400) broke auditd.service when starting/
+restarting it. This was because auditd couldn't save/create audit.rules from
+/etc/audit/rules.d/* files.
+
+Make /etc/audit writable for the service.
+
+Also remove PrivateDevices=true so /dev/* are exposed to auditd.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -37,12 +37,12 @@ RestrictRealtime=true
+ # added automatically, for details please see
+ # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ ProtectSystem=full
+-PrivateDevices=true
+ ProtectHostname=true
+ ProtectClock=true
+ ProtectKernelTunables=true
+ ProtectKernelLogs=true
+ # end of automatic additions 
++ReadWritePaths=/etc/audit
+ 
+ [Install]
+ WantedBy=multi-user.target

harden_auditd.service.patch

@@ -1,8 +1,6 @@
-Index: audit-3.0.3/init.d/auditd.service
+--- a/init.d/auditd.service
-===================================================================
++++ b/init.d/auditd.service
---- audit-3.0.3.orig/init.d/auditd.service
+@@ -34,6 +34,15 @@ ProtectControlGroups=true
-+++ audit-3.0.3/init.d/auditd.service
-@@ -35,6 +35,15 @@ ProtectControlGroups=true
  ProtectKernelModules=true
  ProtectHome=true
  RestrictRealtime=true