SHA256
1
0
forked from pool/audit
OBS User unknown 2008-03-07 19:35:26 +00:00 committed by Git OBS Bridge
parent d1fe1b9cec
commit 8e6b6be7c4
10 changed files with 255 additions and 350 deletions

View File

@ -1,68 +0,0 @@
From: Steve Grubb <sgrubb@redhat.com>
Subject: Patches for 1.6.2
Upsteam: yes (in 1.6.3)
Misc patches for 1.6.2 audit (from Steve Grubb)
diff -urp audit-1.6.2.orig/audisp/audispd.c audit-1.6.2/audisp/audispd.c
--- audit-1.6.2.orig/audisp/audispd.c 2007-10-17 13:56:22.000000000 -0400
+++ audit-1.6.2/audisp/audispd.c 2007-10-17 14:13:49.000000000 -0400
@@ -369,7 +369,6 @@ int main(int argc, char *argv[])
conf = plist_get_cur(&plugin_conf);
while (conf) {
free_pconfig(conf->p);
- free(conf->p);
conf = plist_next(&plugin_conf);
}
plist_clear(&plugin_conf);
diff -urp audit-1.6.2.orig/lib/lookup_table.c audit-1.6.2/lib/lookup_table.c
--- audit-1.6.2.orig/lib/lookup_table.c 2007-10-17 13:56:22.000000000 -0400
+++ audit-1.6.2/lib/lookup_table.c 2007-10-17 13:56:49.000000000 -0400
@@ -483,7 +483,7 @@ int audit_name_to_msg_type(const char *m
strncpy(buf, msg_type + 8, len);
errno = 0;
return strtol(buf, NULL, 10);
- } else if (isdigit(msg_type)) {
+ } else if (isdigit(*msg_type)) {
errno = 0;
return strtol(msg_type, NULL, 10);
}
diff -urp audit-1.6.2.orig/lib/msg_typetab.h audit-1.6.2/lib/msg_typetab.h
--- audit-1.6.2.orig/lib/msg_typetab.h 2007-10-17 13:56:22.000000000 -0400
+++ audit-1.6.2/lib/msg_typetab.h 2007-10-17 13:57:27.000000000 -0400
@@ -92,7 +92,7 @@ _S(AUDIT_KERNEL_OTHER, "KE
_S(AUDIT_FD_PAIR, "FD_PAIR" )
_S(AUDIT_OBJ_PID, "OBJ_PID" )
_S(AUDIT_TTY, "TTY" )
-//_S(AUDIT_EOE, "EOE" )
+_S(AUDIT_EOE, "EOE" )
_S(AUDIT_AVC, "AVC" )
_S(AUDIT_SELINUX_ERR, "SELINUX_ERR" )
_S(AUDIT_AVC_PATH, "AVC_PATH" )
diff -urp audit-1.6.2.orig/src/auditd.c audit-1.6.2/src/auditd.c
--- audit-1.6.2.orig/src/auditd.c 2007-10-17 13:56:22.000000000 -0400
+++ audit-1.6.2/src/auditd.c 2007-10-17 13:59:32.000000000 -0400
@@ -127,16 +127,18 @@ static void distribute_event(struct audi
/* End of Event is for realtime interface - skip local logging of it */
if (rep->reply.type != AUDIT_EOE) {
+ int yield = rep->reply.type <= AUDIT_LAST_DAEMON &&
+ rep->reply.type >= AUDIT_FIRST_DAEMON ? 1 : 0;
+
/* Write to local disk */
enqueue_event(rep);
- if (rep->reply.type <= AUDIT_LAST_DAEMON &&
- rep->reply.type >= AUDIT_FIRST_DAEMON)
+ if (yield)
pthread_yield(); /* Let other thread try to log it. */
}
/* Last chance to send...maybe the pipe is empty now. */
- if (attempt)
- dispatch_event(&rep->reply, attempt);
+// if (attempt)
+// dispatch_event(&rep->reply, attempt);
}
/*

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c8168604d14ccbd0db3f8972035fe7e4363925a4aa6b2998d973af659796de5c
size 776148

3
audit-1.6.8.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:88f32ed843f68a16506e3818d074ba5667040567c105f439ca0bfba97f1a2cf7
size 799726

View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Tue Mar 4 17:58:37 CET 2008 - tonyj@suse.de
- Update to version 1.6.8
-------------------------------------------------------------------
Wed Oct 10 23:19:29 CEST 2007 - tonyj@suse.de

View File

@ -1,7 +1,7 @@
#
# spec file for package audit-libs-python (Version 1.6.2)
# spec file for package audit-libs-python (Version 1.6.8)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@ -10,12 +10,13 @@
# norootforbuild
Name: audit-libs-python
%define _name audit
BuildRequires: audit-devel gcc-c++ pkg-config python-devel swig
BuildRequires: audit-devel gcc-c++ openldap2-devel pkg-config python-devel swig
Summary: Python Bindings for libaudit
Version: 1.6.2
Release: 10
Version: 1.6.8
Release: 1
License: GPL v2 or later
Group: System/Monitoring
Url: http://people.redhat.com/sgrubb/audit/
@ -66,24 +67,27 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/python%{py_ver}/site-packages/_audit.so
%{_libdir}/python%{py_ver}/site-packages/auparse.so
%{_libdir}/python%{py_ver}/site-packages/audit.py*
%changelog
* Wed Oct 10 2007 - tonyj@suse.de
* Tue Mar 04 2008 tonyj@suse.de
- Update to version 1.6.8
* Thu Oct 11 2007 tonyj@suse.de
- Upgrade to 1.6.2
* Wed Jul 25 2007 - tonyj@suse.de
* Wed Jul 25 2007 tonyj@suse.de
- Upgrade to 1.5.5
Drop audit-swig-attribute.patch (upstreamed)
* Fri Jul 13 2007 - tonyj@suse.de
* Fri Jul 13 2007 tonyj@suse.de
- Fix build errors on ppc
* Thu Jul 12 2007 - tonyj@suse.de
* Thu Jul 12 2007 tonyj@suse.de
- Upgrade to 1.5.4
* Wed May 02 2007 - tonyj@suse.de
* Wed May 02 2007 tonyj@suse.de
- Upgrade to 1.5.3.
* Wed Nov 29 2006 - tonyj@suse.de
* Wed Nov 29 2006 tonyj@suse.de
- Upgrade to 1.2.9 (drop several patches which are now upstream)
- /usr/sbin/audispd now packaged by audit-libs-python
* Sun Nov 05 2006 - ro@suse.de
* Sun Nov 05 2006 ro@suse.de
- fix requires
* Thu Aug 31 2006 - tonyj@suse.de
* Thu Aug 31 2006 tonyj@suse.de
- Upgrade to 1.2.6-1
* Wed Aug 16 2006 - cthiel@suse.de
* Wed Aug 16 2006 cthiel@suse.de
- split off package

View File

@ -6,35 +6,37 @@ Python code is disabled for audit.spec. Built manually by audit-libs-python.spe
This is apparantly necessary due to the SuSE build system. Bit of a PITA but
there you have it.
--- audit-1.6.1/configure.ac.orig 2007-03-01 01:54:19.977676000 +0100
+++ audit-1.6.1/configure.ac 2007-03-01 02:09:06.032928000 +0100
@@ -39,7 +39,7 @@
--- audit-1.6.8/configure.ac.old 2008-02-29 22:20:13.248763000 +0100
+++ audit-1.6.8/configure.ac 2008-02-29 22:23:10.703128000 +0100
@@ -39,7 +39,6 @@
AM_INIT_AUTOMAKE
AM_PROG_LIBTOOL
AC_SUBST(LIBTOOL_DEPS)
-AM_PATH_PYTHON
+#AM_PATH_PYTHON
echo .
echo Checking for programs
@@ -105,7 +105,8 @@
if test x$use_apparmor != xno ; then
AC_DEFINE(WITH_APPARMOR,1,[Define if you want to enable AppArmor events.])fi
@@ -124,7 +124,8 @@
fi
AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes)
-AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/ids/Makefile audisp/plugins/remote/Makefile bindings/Makefile bindings/python/Makefile)
+#AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/ids/Makefile audisp/plugins/remote/Makefile bindings/Makefile bindings/python/Makefile)
+AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/ids/Makefile audisp/plugins/remote/Makefile)
-AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile)
+# SuSE: remove swig/Makefile + bindings/Makefile + bindings/python/Makefile
+AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile tools/Makefile tools/aulastlog/Makefile)
echo .
echo "
--- audit-1.6.1/Makefile.am.orig 2007-04-05 23:31:18.152428000 +0200
+++ audit-1.6.1/Makefile.am 2007-04-05 23:37:52.670519000 +0200
@@ -21,7 +21,7 @@
--- audit-1.6.8/Makefile.am.old 2008-02-29 22:25:06.872840000 +0100
+++ audit-1.6.8/Makefile.am 2008-02-29 22:25:40.149532000 +0100
@@ -21,7 +21,8 @@
# Rickard E. (Rik) Faith <faith@redhat.com>
#
-SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs
+SUBDIRS = lib auparse src/mt src audisp init.d docs
-SUBDIRS = lib auparse src/mt src audisp tools swig bindings init.d \
+# SuSE: remove swig + bindings
+SUBDIRS = lib auparse src/mt src audisp tools init.d \
docs
EXTRA_DIST = ChangeLog AUTHORS NEWS README README-install audit.spec \
sample.rules contrib/capp.rules contrib/nispom.rules \
contrib/lspp.rules contrib/skeleton.c contrib/avc_snap \
contrib/capp.rules contrib/nispom.rules contrib/lspp.rules \

View File

@ -4,26 +4,26 @@ Upsteam: never
Disable system-config-audit. A Yast equivalent would be useful though.
--- audit-1.6.1/configure.ac.old 2007-07-25 02:13:48.399097000 +0200
+++ audit-1.6.1/configure.ac 2007-07-25 02:14:25.113347000 +0200
--- audit-1.6.8/configure.ac.old 2007-07-25 02:13:48.399097000 +0200
+++ audit-1.6.8/configure.ac 2007-07-25 02:14:25.113347000 +0200
@@ -108,7 +108,6 @@
if test x$use_apparmor != xno ; then
AC_DEFINE(WITH_APPARMOR,1,[Define if you want to enable AppArmor events.])fi
fi
AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes)
-AC_CONFIG_SUBDIRS([system-config-audit])
AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/ids/Makefile audisp/plugins/remote/Makefile bindings/Makefile bindings/python/Makefile)
AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile)
echo .
--- audit-1.6.1/Makefile.am.orig 2007-09-18 02:58:06.195934000 +0200
+++ audit-1.6.1/Makefile.am 2007-09-18 02:58:33.272829000 +0200
@@ -21,8 +21,7 @@
# Rickard E. (Rik) Faith <faith@redhat.com>
--- audit-1.6.8/Makefile.am.old 2008-02-29 21:53:11.791067000 +0100
+++ audit-1.6.8/Makefile.am 2008-02-29 21:53:24.682161000 +0100
@@ -22,7 +22,7 @@
#
-SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs \
- system-config-audit
+SUBDIRS = lib auparse src/mt src audisp swig bindings init.d docs
SUBDIRS = lib auparse src/mt src audisp tools swig bindings init.d \
- docs system-config-audit
+ docs
EXTRA_DIST = ChangeLog AUTHORS NEWS README README-install audit.spec \
sample.rules contrib/capp.rules contrib/nispom.rules \
contrib/lspp.rules contrib/skeleton.c contrib/avc_snap \
contrib/capp.rules contrib/nispom.rules contrib/lspp.rules \
contrib/skeleton.c contrib/avc_snap contrib/avc_syslog \

View File

@ -1,167 +0,0 @@
--- audit-1.6.2.orig/docs/auditd.8
+++ audit-1.6.2/docs/auditd.8
@@ -3,7 +3,7 @@
auditd \- The Linux Audit daemon
.SH SYNOPSIS
.B auditd
-.RB [ \-f ]\ [ \-l ]\ [ \-n ]
+.RB [ \-f ]\ [ \-l ]\ [ \-n ]\ [ \-s\ disable|enable|nochange ]
.SH DESCRIPTION
\fBauditd\fP is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the
.B ausearch
@@ -24,6 +24,9 @@
.TP
.B \-n
no fork. This is useful for running off of inittab
+.TP
+.B \-s=\fIENABLE_STATE\fR
+specify when starting if auditd should change the current value for the kernel enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or "nochange". The default is to enable (and disable when auditd terminates). The value of the enabled flag may be changed during the lifetime of auditd using 'auditctl -e'.
.SH SIGNALS
.TP
SIGHUP
--- audit-1.6.2.orig/src/auditd.c
+++ audit-1.6.2/src/auditd.c
@@ -36,6 +36,7 @@
#include <sys/wait.h>
#include <fcntl.h>
#include <pthread.h>
+#include <getopt.h>
#include "libaudit.h"
#include "auditd-config.h"
@@ -65,13 +66,19 @@
static void clean_exit(void);
static int get_reply(int fd, struct audit_reply *rep, int seq);
+enum startup_state {startup_disable=0, startup_enable, startup_nochange, startup_INVALID};
+static const char *startup_states[] = {"disable", "enable", "nochange"};
/*
* Output a usage message
*/
static void usage(void)
{
- puts("Usage: auditd [ -f -l -n ]");
+ fprintf(stderr, "Usage: auditd [-f] [-l] [-n] [-s %s|%s|%s]\n",
+ startup_states[startup_disable],
+ startup_states[startup_enable],
+ startup_states[startup_nochange]);
+
exit(2);
}
@@ -308,26 +315,56 @@
struct rlimit limit;
int hup_info_requested = 0, usr1_info_requested = 0;
int i;
+ int opt_foreground = 0, opt_allow_links = 0;
+ enum startup_state opt_startup = startup_enable;
+ int c;
+ extern char *optarg;
+ extern int optind;
/* Get params && set mode */
- config.daemonize = D_BACKGROUND;
- if (argc > 1) {
- for (i=1; i<argc; i++) {
- if (strcmp(argv[i], "-f") == 0)
- config.daemonize = D_FOREGROUND;
- else if (strcmp(argv[i], "-l") == 0)
- set_allow_links(1);
- else if (strcmp(argv[i], "-n") == 0)
- do_fork = 0;
- else
+ while ((c = getopt(argc, argv, "flns:")) != -1) {
+ switch (c) {
+ case 'f':
+ opt_foreground = 1;
+ break;
+ case 'l':
+ opt_allow_links=1;
+ break;
+ case 'n':
+ do_fork = 0;
+ break;
+ case 's':
+ for (i=0; i<startup_INVALID; i++) {
+ if (strncmp(optarg, startup_states[i],
+ strlen(optarg)) == 0) {
+ opt_startup = i;
+ break;
+ }
+ }
+ if (i == startup_INVALID) {
+ fprintf(stderr, "unknown startup mode '%s'\n",
+ optarg);
usage();
+ }
+ break;
+ default:
+ usage();
}
}
- // Make paramemters take effect
- if (config.daemonize == D_FOREGROUND)
+ /* check for trailing command line following options */
+ if (optind < argc) {
+ usage();
+ }
+
+ if (opt_allow_links)
+ set_allow_links(1);
+
+ if (opt_foreground) {
+ config.daemonize = D_FOREGROUND;
set_aumessage_mode(MSG_STDERR, DBG_YES);
- else {
+ } else {
+ config.daemonize = D_BACKGROUND;
set_aumessage_mode(MSG_SYSLOG, DBG_NO);
(void) umask( umask( 077 ) | 022 );
}
@@ -472,8 +509,9 @@
/* Now tell parent that everything went OK */
tell_parent(SUCCESS);
- /* Enable auditing just in case it was off */
- if (audit_set_enabled(fd, 1) < 0) {
+ /* Depending on value of opt_startup (-s) set initial audit state */
+ if (opt_startup != startup_nochange &&
+ audit_set_enabled(fd, (int)opt_startup) < 0) {
char emsg[DEFAULT_BUF_SZ];
snprintf(emsg, sizeof(emsg),
"auditd error halt, auid=%u pid=%d res=failed",
@@ -481,15 +519,19 @@
stop = 1;
//FIXME add subj
send_audit_event(AUDIT_DAEMON_ABORT, emsg);
- audit_msg(LOG_ERR, "Unable to enable auditing, exiting");
+ audit_msg(LOG_ERR,
+ "Unable to set intitial audit startup state to '%s', exiting",
+ startup_states[opt_startup]);
close_down();
if (pidfile)
unlink(pidfile);
shutdown_dispatcher();
return 1;
}
- audit_msg(LOG_NOTICE, "Init complete, auditd %s listening for events",
- VERSION);
+ audit_msg(LOG_NOTICE,
+ "Init complete, auditd %s listening for events (startup state %s)",
+ VERSION,
+ startup_states[opt_startup]);
/* Parent should be gone by now... */
if (do_fork)
@@ -603,6 +645,9 @@
/* Write message to log that we are going down */
int rc;
+ if (opt_startup == startup_enable) {
+ audit_set_enabled(fd, (int)startup_disable);
+ }
rc = audit_request_signal_info(fd);
if (rc > 0) {
struct audit_reply trep;

View File

@ -1,3 +1,56 @@
-------------------------------------------------------------------
Tue Mar 4 17:58:18 CET 2008 - tonyj@suse.de
- Update from 1.6.2 to 1.6.8. Start building audispd-plugins rpm.
Redhat changelog follows:
* Thu Feb 14 2008 Steve Grubb <sgrubb@redhat.com> 1.6.8-1
- Update for gcc 4.3
- Cleanup descriptors in audispd before running plugin
- Fix 'recent' keyword for aureport/search
- Fix SE Linux policy for zos_remote plugin
- Add event type for group password authentication attempts
- Couple of updates to the translation tables
- Add detection of failed group authentication to audisp-prelude
* Thu Jan 31 2008 Steve Grubb <sgrubb@redhat.com> 1.6.7-1
- In ausearch/report, prefer -if to stdin
- In ausearch/report, add new command line option --input-logs (#428860)
- Updated audisp-prelude based on feedback from prelude-devel
- Added prelude alert for promiscuous socket being opened
- Added prelude alert for SE Linux policy enforcement changes
- Added prelude alerts for Forbidden Login Locations and Time
- Applied patch to auparse fixing error handling of searching by
interpreted value (Miloslav Trmac)
* Sat Jan 19 2008 Steve Grubb <sgrubb@redhat.com> 1.6.6-1
- Add prelude IDS plugin for IDMEF alerts
- Add --user option to aulastlog command
- Use desktop-file-install for system-config-audit
* Mon Jan 07 2008 Steve Grubb <sgrubb@redhat.com> 1.6.5-1
- Add more errno strings for exit codes in auditctl
- Fix config parser to allow either 0640 or 0600 for audit logs (#427062)
- Check for audit log being writable by owner in auditd
- If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639)
- Updated CAPP, LSPP, and NISPOM rules for new capabilities
- Added aulastlog utility
* Sat Dec 29 2007 Steve Grubb <sgrubb@redhat.com> 1.6.4-1
- fchmod of log file was on wrong variable (#426934)
- Allow use of errno strings for exit codes in audit rules
* Thu Dec 27 2007 Steve Grubb <sgrubb@redhat.com> 1.6.3-1
- Add kernel release string to DEAMON_START events
- Fix keep_logs when num_logs option disabled (#325561)
- Fix auparse to handle node fields for syscall records
- Update system-config-audit to version 0.4.5 (Miloslav Trmac)
- Add keyword week-ago to aureport & ausearch start/end times
- Fix audit log permissions on rotate. If group is root 0400, otherwise 0440
- Add RACF zos remote audispd plugin (Klaus Kiwi)
- Add event queue overflow action to audispd
-------------------------------------------------------------------
Wed Oct 31 07:08:38 CET 2007 - tonyj@suse.de

View File

@ -1,7 +1,7 @@
#
# spec file for package audit (Version 1.6.2)
# spec file for package audit (Version 1.6.8)
#
# Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
@ -10,11 +10,12 @@
# norootforbuild
Name: audit
BuildRequires: gcc-c++
BuildRequires: gcc-c++ openldap2-devel
Summary: User Space Tools for 2.6 Kernel Auditing
Version: 1.6.2
Release: 4
Version: 1.6.8
Release: 1
License: GPL v2 or later
Group: System/Monitoring
Url: http://people.redhat.com/sgrubb/audit/
@ -23,8 +24,6 @@ Source1: auditd.init
Source2: auditd.sysconfig
Patch0: audit-no_sca.patch
Patch1: audit-no_python.patch
Patch2: audit-1.6.2-bugs.patch
Patch3: audit-startup.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: %{name}-libs = %{version}-%{release}
PreReq: %insserv_prereq %fillup_prereq
@ -68,24 +67,40 @@ libraries.
Authors:
--------
Steve Grubb <sgrubb@redhat.com>
%package -n audit-audispd-plugins
Summary: Default plugins for the audit dispatcher
License: GPL v2 or later
Group: System/Monitoring
Requires: %{name} = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}
Requires: openldap2
%description -n audit-audispd-plugins
The audit-audispd-plugins package contains plugin components for the
audit dispatcher (audispd).
Authors:
--------
Steve Grubb <sgrubb@redhat.com>
%prep
rm -rf audisp/plugins/zos-remote/policy
rm -rf audisp/plugins/prelude
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
#autoreconf -iv --install
aclocal && autoconf && autoheader && automake
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="$CFLAGS"
./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --libexecdir=%{_prefix}/lib/%{name} --with-apparmor
#./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --libexecdir=%{_libexecdir}
pushd src/mt
make libaudit.h
popd
@ -94,7 +109,7 @@ make
%install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,audispd/plugins.d,init.d}}
mkdir -p $RPM_BUILD_ROOT/usr/sbin
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
make DESTDIR=$RPM_BUILD_ROOT install
mkdir -p $RPM_BUILD_ROOT/%{_includedir}
@ -117,15 +132,16 @@ install -c -m 755 %{SOURCE1} $RPM_BUILD_ROOT/etc/init.d/auditd
ln -s /etc/init.d/auditd $RPM_BUILD_ROOT/sbin/rcauditd
mkdir -p $RPM_BUILD_ROOT/var/log/audit/
touch $RPM_BUILD_ROOT/var/log/audit/audit.log
# for %ghost below, so that old location files will still be there when
# Cleanup plugins
# audispd-zos-remote uses ldap which is in /usr/lib so move to /usr/sbin
mv $RPM_BUILD_ROOT/sbin/audispd-zos-remote $RPM_BUILD_ROOT/usr/sbin/audispd-zos-remote
# we don't package prelude
rm -f $RPM_BUILD_ROOT/usr/share/man/man8/audisp-prelude.8
# For %ghost below, so that old location files will still be there when
# %post copy runs
touch $RPM_BUILD_ROOT/etc/{auditd.conf,audit.rules}
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
# Remove the plugin stuff for now
rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/au-ids.conf
rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/remote.conf
rm -f $RPM_BUILD_ROOT/sbin/audisp-ids
%clean
rm -rf $RPM_BUILD_ROOT
@ -161,32 +177,39 @@ fi
%files devel
%defattr(-,root,root)
%doc contrib/skeleton.c contrib/plugin
%{_libdir}/libaudit.*
%{_libdir}/libauparse.*
%{_includedir}/libaudit.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_mandir}/man3/*
%doc contrib/skeleton.c contrib/plugin
%files
%defattr(-,root,root,-)
%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/skeleton.c init.d/auditd.cron
%{_mandir}/man8/*
%{_mandir}/man5/*
%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron
%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
%attr(750,root,root) /sbin/auditctl
%attr(750,root,root) /sbin/auditd
%attr(755,root,root) /sbin/ausearch
%attr(750,root,root) /sbin/rcauditd
%attr(750,root,root) /sbin/autrace
%attr(750,root,root) /sbin/audispd
%attr(750,root,root) /sbin/aulastlog
%attr(755,root,root) /sbin/aureport
/etc/init.d/auditd
%dir %attr(750,root,root) /etc/audit
%attr(750,root,root) %dir /etc/audisp
%attr(750,root,root) %dir /etc/audisp/plugins.d
%attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
%attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
%ghost /etc/auditd.conf
%ghost /etc/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
@ -195,20 +218,73 @@ fi
/var/adm/fillup-templates/sysconfig.auditd
%dir %attr(700,root,root) /var/log/audit
%ghost %config(noreplace) /var/log/audit/audit.log
%files -n audit-audispd-plugins
%defattr(-,root,root,-)
%attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
%attr(750,root,root) /usr/sbin/audispd-zos-remote
%changelog
* Wed Oct 31 2007 - tonyj@suse.de
* Tue Mar 04 2008 tonyj@suse.de
- Update from 1.6.2 to 1.6.8. Start building audispd-plugins rpm.
Redhat changelog follows:
* Thu Feb 14 2008 Steve Grubb <sgrubb@redhat.com> 1.6.8-1
- Update for gcc 4.3
- Cleanup descriptors in audispd before running plugin
- Fix 'recent' keyword for aureport/search
- Fix SE Linux policy for zos_remote plugin
- Add event type for group password authentication attempts
- Couple of updates to the translation tables
- Add detection of failed group authentication to audisp-prelude
* Thu Jan 31 2008 Steve Grubb <sgrubb@redhat.com> 1.6.7-1
- In ausearch/report, prefer -if to stdin
- In ausearch/report, add new command line option --input-logs (#428860)
- Updated audisp-prelude based on feedback from prelude-devel
- Added prelude alert for promiscuous socket being opened
- Added prelude alert for SE Linux policy enforcement changes
- Added prelude alerts for Forbidden Login Locations and Time
- Applied patch to auparse fixing error handling of searching by
interpreted value (Miloslav Trmac)
* Sat Jan 19 2008 Steve Grubb <sgrubb@redhat.com> 1.6.6-1
- Add prelude IDS plugin for IDMEF alerts
- Add --user option to aulastlog command
- Use desktop-file-install for system-config-audit
* Mon Jan 07 2008 Steve Grubb <sgrubb@redhat.com> 1.6.5-1
- Add more errno strings for exit codes in auditctl
- Fix config parser to allow either 0640 or 0600 for audit logs (#427062)
- Check for audit log being writable by owner in auditd
- If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639)
- Updated CAPP, LSPP, and NISPOM rules for new capabilities
- Added aulastlog utility
* Sat Dec 29 2007 Steve Grubb <sgrubb@redhat.com> 1.6.4-1
- fchmod of log file was on wrong variable (#426934)
- Allow use of errno strings for exit codes in audit rules
* Thu Dec 27 2007 Steve Grubb <sgrubb@redhat.com> 1.6.3-1
- Add kernel release string to DEAMON_START events
- Fix keep_logs when num_logs option disabled (#325561)
- Fix auparse to handle node fields for syscall records
- Update system-config-audit to version 0.4.5 (Miloslav Trmac)
- Add keyword week-ago to aureport & ausearch start/end times
- Fix audit log permissions on rotate. If group is root 0400, otherwise 0440
- Add RACF zos remote audispd plugin (Klaus Kiwi)
- Add event queue overflow action to audispd
* Wed Oct 31 2007 tonyj@suse.de
- Incorporate 1 more Redhat fixe post 1.6.2
- Go back to 10.2 behaviour wrt to starting in disabled state.
This time using patch submitted upstream, fix for #Bug 333739
* Wed Oct 10 2007 - tonyj@suse.de
* Thu Oct 11 2007 tonyj@suse.de
- Upgrade to 1.6.2
Plus two bugs discovered in Fedora, will be fixed in 1.6.3
* Wed Jul 25 2007 - tonyj@suse.de
* Wed Jul 25 2007 tonyj@suse.de
- Upgrade to 1.5.5
Correct bug in audit_make_equivalent function (Al Viro)
Local: add AppArmor audit ID (upstream in 1.5.6)
don't build RedHat system-config-audit
* Thu Jul 12 2007 - tonyj@suse.de
* Thu Jul 12 2007 tonyj@suse.de
- Upgrade to 1.5.4
Add feed interface to auparse library (John Dennis)
Apply patch to libauparse for unresolved symbols (#241178)
@ -218,67 +294,67 @@ fi
Add support for directory auditing
Update acct field to be escaped
- Fix for #280487 "%%ghost /var/log/audit/audit.log will remove the logfile"
* Mon May 07 2007 - rguenther@suse.de
* Mon May 07 2007 rguenther@suse.de
- Drop pkg-config BuildRequires introduced by last change.
* Wed May 02 2007 - tonyj@suse.de
* Wed May 02 2007 tonyj@suse.de
- Upgrade to 1.5.3. Drop AUDITD_DISABLE_CONTEXTS from audit sysconfig
* Wed Nov 29 2006 - tonyj@suse.de
* Wed Nov 29 2006 tonyj@suse.de
- Upgrade to 1.2.9 (drop several patches which are now upstream)
- Move to using /etc/audit directory for config files
* Thu Aug 31 2006 - tonyj@suse.de
* Thu Aug 31 2006 tonyj@suse.de
- Upgrade to 1.2.6-1
* Sat Aug 26 2006 - olh@suse.de
* Sat Aug 26 2006 olh@suse.de
- do not define __KERNEL__ in userland apps
- remove unused sys/syscall.h include
* Wed Aug 16 2006 - cthiel@suse.de
* Wed Aug 16 2006 cthiel@suse.de
- split audit into audit and audit-libs-python
* Fri May 05 2006 - sbeattie@suse.de
* Fri May 05 2006 sbeattie@suse.de
- disable syscall audit context creation by default #172154
* Mon Mar 20 2006 - meissner@suse.de
* Mon Mar 20 2006 meissner@suse.de
- Do not print a misleading errormessage when audit
is not compiled into the kernel. #152733
* Mon Mar 06 2006 - meissner@suse.de
* Mon Mar 06 2006 meissner@suse.de
- On kernels without auditing, which report ECONNREFUSED,
do not output stuff to stderr on startup. #152733
* Sat Feb 25 2006 - kukuk@suse.de
* Sat Feb 25 2006 kukuk@suse.de
- Fix moving of devel libraries, don't install .la file
* Wed Feb 22 2006 - meissner@suse.de
* Wed Feb 22 2006 meissner@suse.de
- moved libaudit.so symlink to /usr/lib and to -devel package,
as requested by Thorsten.
* Fri Feb 17 2006 - meissner@suse.de
* Fri Feb 17 2006 meissner@suse.de
- check sendto() return against -1 (error with errno set).
* Wed Jan 25 2006 - mls@suse.de
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Wed Jan 25 2006 - ro@suse.de
* Wed Jan 25 2006 ro@suse.de
- fix fillup call since filename != packagename
* Tue Jan 24 2006 - ro@suse.de
* Tue Jan 24 2006 ro@suse.de
- do not skip fillup in postinstall
* Mon Jan 23 2006 - dreynolds@suse.de
* Mon Jan 23 2006 dreynolds@suse.de
- Modified inssrv macro args to enable on boot
* Wed Jan 18 2006 - tonyj@suse.de
* Wed Jan 18 2006 tonyj@suse.de
- Add support for AppArmor (submitted upstream for 1.1.4)
* Fri Jan 13 2006 - meissner@suse.de
* Fri Jan 13 2006 meissner@suse.de
- Updated to 1.1.3.
- Moved audispd to /usr/sbin since it uses /usr/lib/libstdc++
- Updated sysconfig snippet.
* Tue Nov 08 2005 - meissner@suse.de
* Tue Nov 08 2005 meissner@suse.de
- upgraded to 1.0.12.
* Fri Nov 04 2005 - kukuk@suse.de
* Fri Nov 04 2005 kukuk@suse.de
- Update to 1.0.9.
* Wed Oct 12 2005 - meissner@suse.de
* Wed Oct 12 2005 meissner@suse.de
- upgraded to 1.0.6. ptrdift patch now solved upstream.
* Wed Oct 05 2005 - meissner@suse.de
* Wed Oct 05 2005 meissner@suse.de
- Upgraded to 1.0.5
* Wed Oct 05 2005 - dmueller@suse.de
* Wed Oct 05 2005 dmueller@suse.de
- add norootforbuild
* Mon Sep 26 2005 - meissner@suse.de
* Mon Sep 26 2005 meissner@suse.de
- Upgraded to 1.0.4.
- Make rate & backlog 32 bit unsigned int in auditctl
- In auditctl, if -F arch is given with -t option, don't require list
- Update auditd man page
- Add size check to audit_send
- Update message for audit_open failure when kernel doesn't support audit
* Tue Aug 23 2005 - meissner@suse.de
* Tue Aug 23 2005 meissner@suse.de
- Upgraded to 1.0.3 bugfix release:
- adjust file perms of newly created log file in auditd
- fix 2 memory leaks and an out of bounds access in auditd
@ -286,34 +362,34 @@ fi
- fix watch rules not to take field arguments in auditctl
- fix bug where inode, devmajor, devminor, exit, and success fields in auditctl
rules were not getting the correct value stored
* Wed Aug 17 2005 - meissner@suse.de
* Wed Aug 17 2005 meissner@suse.de
- Added /var/log/audit directory and ghost audit.log #105131
* Wed Aug 10 2005 - meissner@suse.de
* Wed Aug 10 2005 meissner@suse.de
- Upgraded to 1.0.2
* Thu Aug 04 2005 - meissner@suse.de
* Thu Aug 04 2005 meissner@suse.de
- Upgraded to 1.0.1.
* Mon Jul 11 2005 - meissner@suse.de
* Mon Jul 11 2005 meissner@suse.de
- Update to version 0.9.16.
* Tue Jun 21 2005 - meissner@suse.de
* Tue Jun 21 2005 meissner@suse.de
- Update to version 0.9.10.
* Fri Jun 17 2005 - meissner@suse.de
* Fri Jun 17 2005 meissner@suse.de
- Update to version 0.9.7.
* Thu Jun 16 2005 - kukuk@suse.de
* Thu Jun 16 2005 kukuk@suse.de
- Update to version 0.9.5
* Tue Jun 14 2005 - ro@suse.de
* Tue Jun 14 2005 ro@suse.de
- make it build with current includes
* Tue May 31 2005 - meissner@suse.de
* Tue May 31 2005 meissner@suse.de
- Upgraded to 0.9.
* Fri May 13 2005 - meissner@suse.de
* Fri May 13 2005 meissner@suse.de
- upgraded to 0.6.8
* Tue Apr 19 2005 - meissner@suse.de
* Tue Apr 19 2005 meissner@suse.de
- Upgraded to 0.6.11.
* Fri Apr 15 2005 - pth@suse.de
* Fri Apr 15 2005 pth@suse.de
- Make libaudit.h define pgoff_t by itself.
- Fix a minor warning.
* Wed Mar 30 2005 - meissner@suse.de
* Wed Mar 30 2005 meissner@suse.de
- Upgraded to 0.6.9.
* Fri Mar 04 2005 - meissner@suse.de
* Fri Mar 04 2005 meissner@suse.de
- Upgraded to 0.6.5.
* Thu Mar 03 2005 - meissner@suse.de
* Thu Mar 03 2005 meissner@suse.de
- initial package of auditd for new kernel auditing system.