forked from pool/audit
Accepting request 926074 from security
OBS-URL: https://build.opensuse.org/request/show/926074 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=98
This commit is contained in:
commit
830ee0e3c1
@ -1,3 +1,21 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Oct 15 11:13:26 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
|
||||||
|
|
||||||
|
- Add CONFIG parameter to %sysusers_generate_pre
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 13 19:12:06 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
|
||||||
|
|
||||||
|
- Create separate service for augenrules (bsc#1191614, bsc#1181400)
|
||||||
|
* add create-augenrules-service.patch
|
||||||
|
Remove ReadWritePaths=/etc/audit from auditd.service, also removes
|
||||||
|
augenrules call from ExecStartPost.
|
||||||
|
Create augenrules.service with the ReadWritePaths directive above.
|
||||||
|
This makes /etc/audit only accessible by augenrules.service and
|
||||||
|
let auditd.service (and daemon) to be sandboxed again.
|
||||||
|
|
||||||
|
- Update audit-secondary.spec to accomodate the new service file.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
|
Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
|
||||||
|
|
||||||
|
@ -40,6 +40,7 @@ Patch7: harden_auditd.service.patch
|
|||||||
Patch8: change-default-log_format.patch
|
Patch8: change-default-log_format.patch
|
||||||
Patch9: fix-hardened-service.patch
|
Patch9: fix-hardened-service.patch
|
||||||
Patch10: enable-stop-rules.patch
|
Patch10: enable-stop-rules.patch
|
||||||
|
Patch11: create-augenrules-service.patch
|
||||||
BuildRequires: audit-devel = %{version}
|
BuildRequires: audit-devel = %{version}
|
||||||
BuildRequires: autoconf >= 2.12
|
BuildRequires: autoconf >= 2.12
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
@ -135,6 +136,7 @@ rm -rf audisp/plugins/prelude
|
|||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
|
||||||
%if %{without python2} && %{with python3}
|
%if %{without python2} && %{with python3}
|
||||||
# Fix python env call in tests if we only have Python3.
|
# Fix python env call in tests if we only have Python3.
|
||||||
@ -165,7 +167,7 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
|
|||||||
|
|
||||||
make %{?_smp_mflags}
|
make %{?_smp_mflags}
|
||||||
|
|
||||||
%sysusers_generate_pre %{SOURCE1} audit
|
%sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install
|
||||||
@ -215,6 +217,7 @@ done
|
|||||||
# rcauditd symlink
|
# rcauditd symlink
|
||||||
ln -s service %{buildroot}%{_sbindir}/rcauditd
|
ln -s service %{buildroot}%{_sbindir}/rcauditd
|
||||||
chmod 0644 %{buildroot}%{_unitdir}/auditd.service
|
chmod 0644 %{buildroot}%{_unitdir}/auditd.service
|
||||||
|
chmod 0644 %{buildroot}%{_unitdir}/augenrules.service
|
||||||
|
|
||||||
%check
|
%check
|
||||||
make %{?_smp_mflags} check
|
make %{?_smp_mflags} check
|
||||||
@ -231,17 +234,21 @@ elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then
|
|||||||
cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
|
cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
|
||||||
fi
|
fi
|
||||||
%service_add_post auditd.service
|
%service_add_post auditd.service
|
||||||
|
%service_add_post augenrules.service
|
||||||
|
|
||||||
%pre -n audit
|
%pre -n audit
|
||||||
%service_add_pre auditd.service
|
%service_add_pre auditd.service
|
||||||
|
%service_add_pre augenrules.service
|
||||||
|
|
||||||
%pre -n system-group-audit -f audit.pre
|
%pre -n system-group-audit -f audit.pre
|
||||||
|
|
||||||
%preun -n audit
|
%preun -n audit
|
||||||
%service_del_preun auditd.service
|
%service_del_preun auditd.service
|
||||||
|
%service_del_preun augenrules.service
|
||||||
|
|
||||||
%postun -n audit
|
%postun -n audit
|
||||||
%service_del_postun auditd.service
|
%service_del_postun auditd.service
|
||||||
|
%service_del_postun augenrules.service
|
||||||
|
|
||||||
%files -n audit
|
%files -n audit
|
||||||
%license COPYING
|
%license COPYING
|
||||||
@ -292,6 +299,7 @@ fi
|
|||||||
%ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
|
%ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
|
||||||
%dir %attr(700,root,root) %{_localstatedir}/spool/audit
|
%dir %attr(700,root,root) %{_localstatedir}/spool/audit
|
||||||
%{_unitdir}/auditd.service
|
%{_unitdir}/auditd.service
|
||||||
|
%{_unitdir}/augenrules.service
|
||||||
%{_sbindir}/rcauditd
|
%{_sbindir}/rcauditd
|
||||||
%{_datadir}/audit/
|
%{_datadir}/audit/
|
||||||
|
|
||||||
|
86
create-augenrules-service.patch
Normal file
86
create-augenrules-service.patch
Normal file
@ -0,0 +1,86 @@
|
|||||||
|
--- /dev/null
|
||||||
|
+++ b/init.d/augenrules.service
|
||||||
|
@@ -0,0 +1,33 @@
|
||||||
|
+[Unit]
|
||||||
|
+Description=auditd rules generation
|
||||||
|
+After=auditd.service
|
||||||
|
+PartOf=auditd.service
|
||||||
|
+Documentation=man:augenrules(8)
|
||||||
|
+
|
||||||
|
+[Service]
|
||||||
|
+Type=oneshot
|
||||||
|
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
|
||||||
|
+ExecStart=/sbin/augenrules --load
|
||||||
|
+# We need RemainAfterExit=true so augenrules is called again
|
||||||
|
+# in case auditd.service is restarted.
|
||||||
|
+RemainAfterExit=true
|
||||||
|
+
|
||||||
|
+### Security Settings ###
|
||||||
|
+MemoryDenyWriteExecute=true
|
||||||
|
+LockPersonality=true
|
||||||
|
+ProtectControlGroups=true
|
||||||
|
+ProtectKernelModules=true
|
||||||
|
+ProtectHome=true
|
||||||
|
+RestrictRealtime=true
|
||||||
|
+# for details please see
|
||||||
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||||
|
+ProtectSystem=full
|
||||||
|
+PrivateDevices=true
|
||||||
|
+ProtectHostname=true
|
||||||
|
+ProtectClock=true
|
||||||
|
+ProtectKernelTunables=true
|
||||||
|
+ProtectKernelLogs=true
|
||||||
|
+ReadWritePaths=/etc/audit
|
||||||
|
+
|
||||||
|
+[Install]
|
||||||
|
+WantedBy=multi-user.target
|
||||||
|
--- a/init.d/auditd.service
|
||||||
|
+++ b/init.d/auditd.service
|
||||||
|
@@ -18,10 +18,8 @@ Documentation=man:auditd(8) https://gith
|
||||||
|
Type=forking
|
||||||
|
PIDFile=/run/auditd.pid
|
||||||
|
ExecStart=/sbin/auditd
|
||||||
|
-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
|
||||||
|
-## and comment/delete the next line and uncomment the auditctl line.
|
||||||
|
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
|
||||||
|
-ExecStartPost=-/sbin/augenrules --load
|
||||||
|
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
|
||||||
|
+## uncomment the next line, and run "systemctl disable --now augenrules.service".
|
||||||
|
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
|
||||||
|
# By default we don't clear the rules on exit. To enable this, uncomment
|
||||||
|
# the next line after copying the file to /etc/systemd/system/auditd.service
|
||||||
|
@@ -42,7 +40,6 @@ ProtectClock=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
# end of automatic additions
|
||||||
|
-ReadWritePaths=/etc/audit
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
--- a/init.d/Makefile.am
|
||||||
|
+++ b/init.d/Makefile.am
|
||||||
|
@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
|
||||||
|
auditd.cron libaudit.conf auditd.condrestart \
|
||||||
|
auditd.reload auditd.restart auditd.resume \
|
||||||
|
auditd.rotate auditd.state auditd.stop \
|
||||||
|
- audit-stop.rules augenrules
|
||||||
|
+ audit-stop.rules augenrules augenrules.service
|
||||||
|
libconfig = libaudit.conf
|
||||||
|
if ENABLE_SYSTEMD
|
||||||
|
initdir = /usr/lib/systemd/system
|
||||||
|
@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
|
||||||
|
mkdir -p ${DESTDIR}${initdir}
|
||||||
|
mkdir -p ${DESTDIR}${legacydir}
|
||||||
|
$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
|
||||||
|
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
|
||||||
|
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
|
||||||
|
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
|
||||||
|
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
|
||||||
|
@@ -70,6 +71,7 @@ uninstall-hook:
|
||||||
|
rm ${DESTDIR}${sysconfdir}/${libconfig}
|
||||||
|
if ENABLE_SYSTEMD
|
||||||
|
rm ${DESTDIR}${initdir}/auditd.service
|
||||||
|
+ rm ${DESTDIR}${initdir}/augenrules.service
|
||||||
|
rm ${DESTDIR}${legacydir}/rotate
|
||||||
|
rm ${DESTDIR}${legacydir}/resume
|
||||||
|
rm ${DESTDIR}${legacydir}/reload
|
Loading…
Reference in New Issue
Block a user