Accepting request 925195 from home:ematsumiya:branches:security

- Create separate service for augenrules (bsc#1191614, bsc#1181400) * add create-augenrules-service.patch Remove ReadWritePaths=/etc/audit from auditd.service, also removes augenrules call from ExecStartPost. Create augenrules.service with the ReadWritePaths directive above. This makes /etc/audit only accessible by augenrules.service and let auditd.service (and daemon) to be sandboxed again. - Update audit-secondary.spec to accomodate the new service file. OBS-URL: https://build.opensuse.org/request/show/925195 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=131
2021-10-13 23:13:08 +00:00 · 2021-10-13 23:13:08 +00:00 · 1b5f7ae8b7
commit 1b5f7ae8b7
parent 3099f73ab7
3 changed files with 107 additions and 0 deletions
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Oct 13 19:12:06 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Create separate service for augenrules (bsc#1191614, bsc#1181400)
+  * add create-augenrules-service.patch
+  Remove ReadWritePaths=/etc/audit from auditd.service, also removes
+  augenrules call from ExecStartPost.
+  Create augenrules.service with the ReadWritePaths directive above.
+  This makes /etc/audit only accessible by augenrules.service and
+  let auditd.service (and daemon) to be sandboxed again.
+
+- Update audit-secondary.spec to accomodate the new service file.
+
 -------------------------------------------------------------------
 Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>

--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@ -40,6 +40,7 @@ Patch7:         harden_auditd.service.patch
 Patch8:         change-default-log_format.patch
 Patch9:         fix-hardened-service.patch
 Patch10:        enable-stop-rules.patch
+Patch11:        create-augenrules-service.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@ -135,6 +136,7 @@ rm -rf audisp/plugins/prelude
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1

 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
@ -215,6 +217,7 @@ done
 # rcauditd symlink
 ln -s service %{buildroot}%{_sbindir}/rcauditd
 chmod 0644 %{buildroot}%{_unitdir}/auditd.service
+chmod 0644 %{buildroot}%{_unitdir}/augenrules.service

 %check
 make %{?_smp_mflags} check
@ -231,17 +234,21 @@ elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then
   cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
 fi
 %service_add_post auditd.service
+%service_add_post augenrules.service

 %pre -n audit
 %service_add_pre auditd.service
+%service_add_pre augenrules.service

 %pre -n system-group-audit -f audit.pre

 %preun -n audit
 %service_del_preun auditd.service
+%service_del_preun augenrules.service

 %postun -n audit
 %service_del_postun auditd.service
+%service_del_postun augenrules.service

 %files -n audit
 %license COPYING
@ -292,6 +299,7 @@ fi
 %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
+%{_unitdir}/augenrules.service
 %{_sbindir}/rcauditd
 %{_datadir}/audit/

--- a/create-augenrules-service.patch
+++ b/create-augenrules-service.patch
@ -0,0 +1,86 @@
+--- /dev/null
+++ b/init.d/augenrules.service
+@@ -0,0 +1,33 @@
+[Unit]
+Description=auditd rules generation
+After=auditd.service
+PartOf=auditd.service
+Documentation=man:augenrules(8)
+
+[Service]
+Type=oneshot
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+ExecStart=/sbin/augenrules --load
+# We need RemainAfterExit=true so augenrules is called again
+# in case auditd.service is restarted.
+RemainAfterExit=true
+
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectHome=true
+RestrictRealtime=true
+# for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ReadWritePaths=/etc/audit
+
+[Install]
+WantedBy=multi-user.target
+--- a/init.d/auditd.service
+++ b/init.d/auditd.service
+@@ -18,10 +18,8 @@ Documentation=man:auditd(8) https://gith
+ Type=forking
+ PIDFile=/run/auditd.pid
+ ExecStart=/sbin/auditd
+-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
+-## and comment/delete the next line and uncomment the auditctl line.
+-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+-ExecStartPost=-/sbin/augenrules --load
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
+## uncomment the next line, and run "systemctl disable --now augenrules.service".
+ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ # By default we don't clear the rules on exit. To enable this, uncomment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+@@ -42,7 +40,6 @@ ProtectClock=true
+ ProtectKernelTunables=true
+ ProtectKernelLogs=true
+ # end of automatic additions 
+-ReadWritePaths=/etc/audit
+ 
+ [Install]
+ WantedBy=multi-user.target
+--- a/init.d/Makefile.am
+++ b/init.d/Makefile.am
+@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
+ 	auditd.cron libaudit.conf auditd.condrestart \
+ 	auditd.reload auditd.restart auditd.resume \
+ 	auditd.rotate auditd.state auditd.stop \
+-	audit-stop.rules augenrules
+	audit-stop.rules augenrules augenrules.service
+ libconfig = libaudit.conf
+ if ENABLE_SYSTEMD
+ initdir = /usr/lib/systemd/system
+@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
+ 	mkdir -p ${DESTDIR}${initdir}
+ 	mkdir -p ${DESTDIR}${legacydir}
+ 	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
+@@ -70,6 +71,7 @@ uninstall-hook:
+ 	rm ${DESTDIR}${sysconfdir}/${libconfig}
+ if ENABLE_SYSTEMD
+ 	rm ${DESTDIR}${initdir}/auditd.service
+	rm ${DESTDIR}${initdir}/augenrules.service
+ 	rm ${DESTDIR}${legacydir}/rotate
+ 	rm ${DESTDIR}${legacydir}/resume
+ 	rm ${DESTDIR}${legacydir}/reload