diff --git a/audit-secondary.changes b/audit-secondary.changes index e947c94..2155f15 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Wed Oct 13 19:12:06 UTC 2021 - Enzo Matsumiya + +- Create separate service for augenrules (bsc#1191614, bsc#1181400) + * add create-augenrules-service.patch + Remove ReadWritePaths=/etc/audit from auditd.service, also removes + augenrules call from ExecStartPost. + Create augenrules.service with the ReadWritePaths directive above. + This makes /etc/audit only accessible by augenrules.service and + let auditd.service (and daemon) to be sandboxed again. + +- Update audit-secondary.spec to accomodate the new service file. + ------------------------------------------------------------------- Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya diff --git a/audit-secondary.spec b/audit-secondary.spec index a1821dd..c128b1e 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec @@ -40,6 +40,7 @@ Patch7: harden_auditd.service.patch Patch8: change-default-log_format.patch Patch9: fix-hardened-service.patch Patch10: enable-stop-rules.patch +Patch11: create-augenrules-service.patch BuildRequires: audit-devel = %{version} BuildRequires: autoconf >= 2.12 BuildRequires: gcc-c++ @@ -135,6 +136,7 @@ rm -rf audisp/plugins/prelude %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %if %{without python2} && %{with python3} # Fix python env call in tests if we only have Python3. @@ -215,6 +217,7 @@ done # rcauditd symlink ln -s service %{buildroot}%{_sbindir}/rcauditd chmod 0644 %{buildroot}%{_unitdir}/auditd.service +chmod 0644 %{buildroot}%{_unitdir}/augenrules.service %check make %{?_smp_mflags} check 
@@ -231,17 +234,21 @@ elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules fi %service_add_post auditd.service +%service_add_post augenrules.service %pre -n audit %service_add_pre auditd.service +%service_add_pre augenrules.service %pre -n system-group-audit -f audit.pre %preun -n audit %service_del_preun auditd.service +%service_del_preun augenrules.service %postun -n audit %service_del_postun auditd.service +%service_del_postun augenrules.service %files -n audit %license COPYING @@ -292,6 +299,7 @@ fi %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log %dir %attr(700,root,root) %{_localstatedir}/spool/audit %{_unitdir}/auditd.service +%{_unitdir}/augenrules.service %{_sbindir}/rcauditd %{_datadir}/audit/ diff --git a/create-augenrules-service.patch b/create-augenrules-service.patch new file mode 100644 index 0000000..e8bcefe --- /dev/null +++ b/create-augenrules-service.patch 
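Review bot: The new scriptlets register augenrules.service but nothing here enables it on hosts upgrading from a package where rule loading was done by auditd.service's ExecStartPost, so unless a systemd preset entry for the new unit ships alongside (none is visible in this diff), an upgraded system keeps auditd.service enabled yet boots with no rules from /etc/audit/rules.d loaded. `%service_add_post augenrules.service` applies presets for the unit, which presumably leaves it disabled when no preset names it; consider a `%post -n audit` step that enables augenrules.service when `$1 -gt 1` and auditd.service is enabled, or a preset file, and mention the chosen behaviour in the .changes entry. Either way the upgrade path deserves a test, since a silently empty rule set is the failure mode here.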
@@ -0,0 +1,86 @@ +--- /dev/null ++++ b/init.d/augenrules.service +@@ -0,0 +1,33 @@ ++[Unit] ++Description=auditd rules generation ++After=auditd.service ++PartOf=auditd.service ++Documentation=man:augenrules(8) ++ ++[Service] ++Type=oneshot ++## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ ++ExecStart=/sbin/augenrules --load ++# We need RemainAfterExit=true so augenrules is called again ++# in case auditd.service is restarted. ++RemainAfterExit=true ++ ++### Security Settings ### ++MemoryDenyWriteExecute=true ++LockPersonality=true ++ProtectControlGroups=true ++ProtectKernelModules=true ++ProtectHome=true ++RestrictRealtime=true ++# for details please see ++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ++ProtectSystem=full ++PrivateDevices=true ++ProtectHostname=true ++ProtectClock=true ++ProtectKernelTunables=true ++ProtectKernelLogs=true ++ReadWritePaths=/etc/audit ++ ++[Install] ++WantedBy=multi-user.target +--- a/init.d/auditd.service ++++ b/init.d/auditd.service +@@ -18,10 +18,8 @@ Documentation=man:auditd(8) https://gith + Type=forking + PIDFile=/run/auditd.pid + ExecStart=/sbin/auditd +-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service +-## and comment/delete the next line and uncomment the auditctl line. +-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ +-ExecStartPost=-/sbin/augenrules --load ++## To not use augenrules: copy this file to /etc/systemd/system/auditd.service, ++## uncomment the next line, and run "systemctl disable --now augenrules.service". + #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules + # By default we don't clear the rules on exit. 
To enable this, uncomment + # the next line after copying the file to /etc/systemd/system/auditd.service +@@ -42,7 +40,6 @@ ProtectClock=true + ProtectKernelTunables=true + ProtectKernelLogs=true + # end of automatic additions +-ReadWritePaths=/etc/audit + + [Install] + WantedBy=multi-user.target +--- a/init.d/Makefile.am ++++ b/init.d/Makefile.am +@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service + auditd.cron libaudit.conf auditd.condrestart \ + auditd.reload auditd.restart auditd.resume \ + auditd.rotate auditd.state auditd.stop \ +- audit-stop.rules augenrules ++ audit-stop.rules augenrules augenrules.service + libconfig = libaudit.conf + if ENABLE_SYSTEMD + initdir = /usr/lib/systemd/system +@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD + mkdir -p ${DESTDIR}${initdir} + mkdir -p ${DESTDIR}${legacydir} + $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir} ++ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir} + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload +@@ -70,6 +71,7 @@ uninstall-hook: + rm ${DESTDIR}${sysconfdir}/${libconfig} + if ENABLE_SYSTEMD + rm ${DESTDIR}${initdir}/auditd.service ++ rm ${DESTDIR}${initdir}/augenrules.service + rm ${DESTDIR}${legacydir}/rotate + rm ${DESTDIR}${legacydir}/resume + rm ${DESTDIR}${legacydir}/reload
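Review bot: With only `After=auditd.service` and `PartOf=auditd.service` tying the units together, starting auditd.service on its own no longer loads the rules: PartOf propagates stop and restart from auditd.service but not start, so after `systemctl stop auditd` followed by `systemctl start auditd` the rules in /etc/audit/rules.d stay unloaded until augenrules.service is started separately, whereas the removed `ExecStartPost=-/sbin/augenrules --load` ran on every start. Adding `Wants=augenrules.service` to the [Unit] section of auditd.service (that section lies outside this hunk) restores the old behaviour, and `Requires=auditd.service` next to the existing `After=auditd.service` in augenrules.service keeps the oneshot from running against a daemon that failed to start. As a further tightening in the spirit of the other directives, the new unit runs as root with an unrestricted capability set; a `CapabilityBoundingSet=` limited to what augenrules/auditctl need to load rules (CAP_AUDIT_CONTROL, to be verified) would narrow it.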