SHA256
1
0
forked from pool/audit

Accepting request 1043243 from home:ematsumiya:branches:security

- Enable build for ARM (32-bit)
- Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renamat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
- Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renamat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
- Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

OBS-URL: https://build.opensuse.org/request/show/1043243
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=141
This commit is contained in:
Enzo Matsumiya 2022-12-19 19:54:31 +00:00 committed by Git OBS Bridge
parent 4a3ef5cf8e
commit 7e1b0e83b8
12 changed files with 138 additions and 44 deletions

BIN
audit-3.0.9.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -11,13 +11,15 @@ SUSE since we lack the ability to use a custom stop/restart
init.d/auditd.service | 1 -
1 file changed, 1 deletion(-)
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -11,7 +11,6 @@
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
Before=sysinit.target shutdown.target
##Before=shutdown.target
Conflicts=shutdown.target
-RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
ConditionKernelCommandLine=!audit=off

View File

@ -9,9 +9,11 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
src/ausearch-parse.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -2061,17 +2061,15 @@ other_avc:
Index: audit-3.0.9/src/ausearch-parse.c
===================================================================
--- audit-3.0.9.orig/src/ausearch-parse.c
+++ audit-3.0.9/src/ausearch-parse.c
@@ -2062,17 +2062,15 @@ other_avc:
// Now get the class...its at the end, so we do things different
str = strstr(term, "tclass=");

View File

@ -9,8 +9,10 @@ but need manual removal here.
init.d/auditd.conf | 3 ---
1 file changed, 3 deletions(-)
--- a/init.d/auditd.conf
+++ b/init.d/auditd.conf
Index: audit-3.0.9/init.d/auditd.conf
===================================================================
--- audit-3.0.9.orig/init.d/auditd.conf
+++ audit-3.0.9/init.d/auditd.conf
@@ -30,8 +30,6 @@ tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
@ -18,5 +20,5 @@ but need manual removal here.
-krb5_principal = auditd
-##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
q_depth = 2000
overflow_action = SYSLOG

View File

@ -1,3 +1,41 @@
-------------------------------------------------------------------
Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
* In auditd, release the async flush lock on stop
* Don't allow auditd to log directly into /var/log when log_group is non-zero
* Cleanup krb5 memory leaks on error paths
* Update auditd.cron to use auditctl --signal
* In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
* In auparse, special case kernel module name interpretation
* If overflow_action is ignore, don't treat as an error
(3.0.8)
* Add gcc function attributes for access and allocation
* Add some more man pages (MIZUTA Takeshi)
* In auditd, change the reinitializing of the plugin queue
* Fix path normalization in auparse (Sergio Correia)
* In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
* In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
* Drop ProtectHome from auditd.service as it interferes with rules
(3.0.7)
* Add support for the OPENAT2 record type (Richard Guy Briggs)
* In auditd, close the logging file descriptor when logging is suspended
* Update the capabilities lookup table to match 5.16 kernel
* Improve interpretation of renamat & faccessat family of syscalls
* Update syscall table for the 5.16 kernel
* Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
* audit-allow-manual-stop.patch
* audit-ausearch-do-not-require-tclass.patch
* audit-no-gss.patch
* enable-stop-rules.patch
* fix-hardened-service.patch
* harden_auditd.service.patch
- Remove patches (fixed by version update):
* libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
* audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
-------------------------------------------------------------------
Mon Apr 11 20:44:34 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

View File

@ -22,7 +22,7 @@
# The seperation is required to minimize unnecessary build cycles.
%define _name audit
Name: audit-secondary
Version: 3.0.6
Version: 3.0.9
Release: 0
Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later
@ -42,8 +42,6 @@ Patch9: fix-hardened-service.patch
Patch10: enable-stop-rules.patch
Patch11: create-augenrules-service.patch
Patch12: audit-userspace-517-compat.patch
Patch13: audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
Patch14: libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
BuildRequires: audit-devel = %{version}
BuildRequires: autoconf >= 2.12
BuildRequires: kernel-headers >= 2.6.30
@ -146,6 +144,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
%configure \
%ifarch aarch64
--with-aarch64 \
%endif
%ifarch arm
--with-arm \
%endif
--enable-systemd \
--libexecdir=%{_libexecdir}/%{_name} \

View File

@ -1,3 +1,41 @@
-------------------------------------------------------------------
Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
* In auditd, release the async flush lock on stop
* Don't allow auditd to log directly into /var/log when log_group is non-zero
* Cleanup krb5 memory leaks on error paths
* Update auditd.cron to use auditctl --signal
* In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
* In auparse, special case kernel module name interpretation
* If overflow_action is ignore, don't treat as an error
(3.0.8)
* Add gcc function attributes for access and allocation
* Add some more man pages (MIZUTA Takeshi)
* In auditd, change the reinitializing of the plugin queue
* Fix path normalization in auparse (Sergio Correia)
* In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
* In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
* Drop ProtectHome from auditd.service as it interferes with rules
(3.0.7)
* Add support for the OPENAT2 record type (Richard Guy Briggs)
* In auditd, close the logging file descriptor when logging is suspended
* Update the capabilities lookup table to match 5.16 kernel
* Improve interpretation of renamat & faccessat family of syscalls
* Update syscall table for the 5.16 kernel
* Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
* audit-allow-manual-stop.patch
* audit-ausearch-do-not-require-tclass.patch
* audit-no-gss.patch
* enable-stop-rules.patch
* fix-hardened-service.patch
* harden_auditd.service.patch
- Remove patches (fixed by version update):
* libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
* audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
-------------------------------------------------------------------
Mon Apr 11 20:45:33 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
@ -1013,8 +1051,8 @@ Mon May 11 17:20:28 CEST 2009 - tonyj@suse.de
- Add --exit search option to ausearch
- Fix parsing config file when kerberos is disabled
-------------------------------------------------------------------
-------------------------------------------------------------------
Tue Apr 14 14:52:39 CEST 2009 - dmueller@suse.de
- refresh patches

View File

@ -17,7 +17,7 @@
Name: audit
Version: 3.0.6
Version: 3.0.9
Release: 0
Summary: Linux kernel audit subsystem utilities
License: GPL-2.0-or-later
@ -85,6 +85,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
%configure \
%ifarch aarch64
--with-aarch64 \
%endif
%ifarch arm
--with-arm \
%endif
--enable-systemd \
--libexecdir=%{_libexecdir}/%{name} \

View File

@ -1,7 +1,7 @@
Index: audit-3.0.6/init.d/augenrules.service
Index: audit-3.0.9/init.d/augenrules.service
===================================================================
--- /dev/null
+++ audit-3.0.6/init.d/augenrules.service
+++ audit-3.0.9/init.d/augenrules.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=auditd rules generation
@ -32,13 +32,13 @@ Index: audit-3.0.6/init.d/augenrules.service
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ReadWritePaths=/etc/audit
Index: audit-3.0.6/init.d/auditd.service
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.6.orig/init.d/auditd.service
+++ audit-3.0.6/init.d/auditd.service
@@ -13,15 +13,16 @@ Before=sysinit.target shutdown.target
Conflicts=shutdown.target
ConditionKernelCommandLine=!audit=0
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
ConditionKernelCommandLine=!audit=off
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+Requires=augenrules.service
+# This unit clears rules on stop, so make sure that augenrules runs again
@ -57,7 +57,7 @@ Index: audit-3.0.6/init.d/auditd.service
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service
@@ -45,7 +46,6 @@ ProtectClock=true
@@ -46,7 +47,6 @@ ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
# end of automatic additions
@ -65,28 +65,29 @@ Index: audit-3.0.6/init.d/auditd.service
[Install]
WantedBy=multi-user.target
Index: audit-3.0.6/init.d/Makefile.am
Index: audit-3.0.9/init.d/Makefile.am
===================================================================
--- audit-3.0.6.orig/init.d/Makefile.am
+++ audit-3.0.6/init.d/Makefile.am
@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
--- audit-3.0.9.orig/init.d/Makefile.am
+++ audit-3.0.9/init.d/Makefile.am
@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
auditd.cron libaudit.conf auditd.condrestart \
auditd.reload auditd.restart auditd.resume \
auditd.rotate auditd.state auditd.stop \
- audit-stop.rules augenrules
+ audit-stop.rules augenrules augenrules.service
- audit-stop.rules augenrules audit-functions
+ audit-stop.rules augenrules audit-functions \
+ augenrules.service
libconfig = libaudit.conf
if ENABLE_SYSTEMD
initdir = /usr/lib/systemd/system
@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
mkdir -p ${DESTDIR}${initdir}
@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
mkdir -p ${DESTDIR}${legacydir}
mkdir -p ${DESTDIR}${libexecdir}
$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
@@ -70,6 +71,7 @@ uninstall-hook:
@@ -72,6 +74,7 @@ uninstall-hook:
rm ${DESTDIR}${sysconfdir}/${libconfig}
if ENABLE_SYSTEMD
rm ${DESTDIR}${initdir}/auditd.service

View File

@ -11,11 +11,11 @@ Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Index: audit-3.0.6/init.d/auditd.service
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.6.orig/init.d/auditd.service
+++ audit-3.0.6/init.d/auditd.service
@@ -23,9 +23,9 @@ ExecStart=/sbin/auditd
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

View File

@ -12,9 +12,11 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -37,12 +37,12 @@ RestrictRealtime=true
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -41,12 +41,12 @@ RestrictRealtime=true
# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full

View File

@ -1,8 +1,10 @@
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -34,6 +34,15 @@ ProtectControlGroups=true
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -38,6 +38,15 @@ LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectHome=true
RestrictRealtime=true
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort