Accepting request 925195 from home:ematsumiya:branches:security

- Create separate service for augenrules (bsc#1191614, bsc#1181400)
  * add create-augenrules-service.patch
  Remove ReadWritePaths=/etc/audit from auditd.service, also removes
  augenrules call from ExecStartPost.
  Create augenrules.service with the ReadWritePaths directive above.
  This makes /etc/audit only accessible by augenrules.service and
  let auditd.service (and daemon) to be sandboxed again.
- Update audit-secondary.spec to accomodate the new service file.

OBS-URL: https://build.opensuse.org/request/show/925195
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=131

audit-secondary.changes

@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Oct 13 19:12:06 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Create separate service for augenrules (bsc#1191614, bsc#1181400)
+  * add create-augenrules-service.patch
+  Remove ReadWritePaths=/etc/audit from auditd.service, also removes
+  augenrules call from ExecStartPost.
+  Create augenrules.service with the ReadWritePaths directive above.
+  This makes /etc/audit only accessible by augenrules.service and
+  let auditd.service (and daemon) to be sandboxed again.
+
+- Update audit-secondary.spec to accomodate the new service file.
+
 -------------------------------------------------------------------
 Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
 

audit-secondary.spec

@@ -40,6 +40,7 @@ Patch7:         harden_auditd.service.patch
 Patch8:         change-default-log_format.patch
 Patch9:         fix-hardened-service.patch
 Patch10:        enable-stop-rules.patch
+Patch11:        create-augenrules-service.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -135,6 +136,7 @@ rm -rf audisp/plugins/prelude
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
@@ -215,6 +217,7 @@ done
 # rcauditd symlink
 ln -s service %{buildroot}%{_sbindir}/rcauditd
 chmod 0644 %{buildroot}%{_unitdir}/auditd.service
+chmod 0644 %{buildroot}%{_unitdir}/augenrules.service
 
 %check
 make %{?_smp_mflags} check
@@ -231,17 +234,21 @@ elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then
    cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
 fi
 %service_add_post auditd.service
+%service_add_post augenrules.service
 
 %pre -n audit
 %service_add_pre auditd.service
+%service_add_pre augenrules.service
 
 %pre -n system-group-audit -f audit.pre
 
 %preun -n audit
 %service_del_preun auditd.service
+%service_del_preun augenrules.service
 
 %postun -n audit
 %service_del_postun auditd.service
+%service_del_postun augenrules.service
 
 %files -n audit
 %license COPYING
@@ -292,6 +299,7 @@ fi
 %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
+%{_unitdir}/augenrules.service
 %{_sbindir}/rcauditd
 %{_datadir}/audit/
 

create-augenrules-service.patch

@@ -0,0 +1,86 @@
+--- /dev/null
++++ b/init.d/augenrules.service
+@@ -0,0 +1,33 @@
++[Unit]
++Description=auditd rules generation
++After=auditd.service
++PartOf=auditd.service
++Documentation=man:augenrules(8)
++
++[Service]
++Type=oneshot
++## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
++ExecStart=/sbin/augenrules --load
++# We need RemainAfterExit=true so augenrules is called again
++# in case auditd.service is restarted.
++RemainAfterExit=true
++
++### Security Settings ###
++MemoryDenyWriteExecute=true
++LockPersonality=true
++ProtectControlGroups=true
++ProtectKernelModules=true
++ProtectHome=true
++RestrictRealtime=true
++# for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ReadWritePaths=/etc/audit
++
++[Install]
++WantedBy=multi-user.target
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -18,10 +18,8 @@ Documentation=man:auditd(8) https://gith
+ Type=forking
+ PIDFile=/run/auditd.pid
+ ExecStart=/sbin/auditd
+-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
+-## and comment/delete the next line and uncomment the auditctl line.
+-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+-ExecStartPost=-/sbin/augenrules --load
++## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
++## uncomment the next line, and run "systemctl disable --now augenrules.service".
+ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ # By default we don't clear the rules on exit. To enable this, uncomment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+@@ -42,7 +40,6 @@ ProtectClock=true
+ ProtectKernelTunables=true
+ ProtectKernelLogs=true
+ # end of automatic additions 
+-ReadWritePaths=/etc/audit
+ 
+ [Install]
+ WantedBy=multi-user.target
+--- a/init.d/Makefile.am
++++ b/init.d/Makefile.am
+@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
+ 	auditd.cron libaudit.conf auditd.condrestart \
+ 	auditd.reload auditd.restart auditd.resume \
+ 	auditd.rotate auditd.state auditd.stop \
+-	audit-stop.rules augenrules
++	audit-stop.rules augenrules augenrules.service
+ libconfig = libaudit.conf
+ if ENABLE_SYSTEMD
+ initdir = /usr/lib/systemd/system
+@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
+ 	mkdir -p ${DESTDIR}${initdir}
+ 	mkdir -p ${DESTDIR}${legacydir}
+ 	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
++	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
+@@ -70,6 +71,7 @@ uninstall-hook:
+ 	rm ${DESTDIR}${sysconfdir}/${libconfig}
+ if ENABLE_SYSTEMD
+ 	rm ${DESTDIR}${initdir}/auditd.service
++	rm ${DESTDIR}${initdir}/augenrules.service
+ 	rm ${DESTDIR}${legacydir}/rotate
+ 	rm ${DESTDIR}${legacydir}/resume
+ 	rm ${DESTDIR}${legacydir}/reload