From 09b88829e8dd3a50e6f5319af207a672932e5db954b481e412529738e01492b0 Mon Sep 17 00:00:00 2001 From: Enzo Matsumiya Date: Mon, 20 Sep 2021 16:14:05 +0000 Subject: [PATCH 1/2] Accepting request 920348 from home:ematsumiya:branches:security - Fix hardened auditd.service (bsc#1181400) * add fix-hardened-service.patch Make /etc/audit read-write from the service. Remove PrivateDevices=true to expose /dev/* to auditd.service. - Enable stop rules for audit.service (cf. bsc#1190227) * add enable-stop-rules.patch - Change default log_format from ENRICHED to RAW (bsc#1190500): * add change-default-log_format.patch (SUSE-specific patch) - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs OBS-URL: https://build.opensuse.org/request/show/920348 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129 --- audit-3.0.3.tar.gz | 3 --- audit-3.0.5.tar.gz | 3 +++ audit-ausearch-do-not-require-tclass.patch | 2 +- audit-secondary.changes | 29 +++++++++++++++++++++ audit-secondary.spec | 8 +++++- audit.changes | 15 +++++++++++ audit.spec | 2 +- change-default-log_format.patch | 28 ++++++++++++++++++++ enable-stop-rules.patch | 24 +++++++++++++++++ fix-hardened-service.patch | 30 ++++++++++++++++++++++ harden_auditd.service.patch | 8 +++--- 11 files changed, 141 insertions(+), 11 deletions(-) delete mode 100644 audit-3.0.3.tar.gz create mode 100644 audit-3.0.5.tar.gz create mode 100644 change-default-log_format.patch create mode 100644 enable-stop-rules.patch create mode 100644 fix-hardened-service.patch diff --git a/audit-3.0.3.tar.gz b/audit-3.0.3.tar.gz deleted file mode 100644 index 02b03b8..0000000 --- a/audit-3.0.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904 -size 1186684 diff --git a/audit-3.0.5.tar.gz b/audit-3.0.5.tar.gz new file mode 100644 index 0000000..266579e --- /dev/null +++ b/audit-3.0.5.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:23bcc88de1b4b94eedfcab9ef805269f073fe8766305e90e361fc58dac328340 +size 595279 diff --git a/audit-ausearch-do-not-require-tclass.patch b/audit-ausearch-do-not-require-tclass.patch index db54e5d..251860c 100644 --- a/audit-ausearch-do-not-require-tclass.patch +++ b/audit-ausearch-do-not-require-tclass.patch @@ -11,7 +11,7 @@ Signed-off-by: Tony Jones --- a/src/ausearch-parse.c +++ b/src/ausearch-parse.c -@@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea +@@ -2061,17 +2061,15 @@ other_avc: // Now get the class...its at the end, so we do things different str = strstr(term, "tclass="); diff --git a/audit-secondary.changes b/audit-secondary.changes index d9d143f..e947c94 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes @@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya + +- Fix hardened auditd.service (bsc#1181400) + * add fix-hardened-service.patch + Make /etc/audit read-write from the service. + Remove PrivateDevices=true to expose /dev/* to auditd.service. + +- Enable stop rules for audit.service (cf. bsc#1190227) + * add enable-stop-rules.patch + +------------------------------------------------------------------- +Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya + +- Change default log_format from ENRICHED to RAW (bsc#1190500): + * add change-default-log_format.patch (SUSE-specific patch) + +- Update to version 3.0.5: + * In auditd, flush uid/gid caches when user/group added/deleted/modified + * Fixed various issues when dealing with corrupted logs + * In auditd, check if log_file is valid before closing handle + +- Include fixed from 3.0.4: + * Apply performance speedups to auparse library + * Optimize rule loading in auditctl + * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath + * Update syscall table to the 5.14 kernel + * Fixed various issues when dealing with corrupted logs + ------------------------------------------------------------------- Mon Aug 16 13:29:21 UTC 2021 - Marcus Meissner diff --git a/audit-secondary.spec b/audit-secondary.spec index f1366ed..a1821dd 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec @@ -22,7 +22,7 @@ # The seperation is required to minimize unnecessary build cycles. %define _name audit Name: audit-secondary -Version: 3.0.3 +Version: 3.0.5 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -37,6 +37,9 @@ Patch4: audit-ausearch-do-not-require-tclass.patch Patch5: change-default-log_group.patch Patch6: libev-werror.patch Patch7: harden_auditd.service.patch +Patch8: change-default-log_format.patch +Patch9: fix-hardened-service.patch +Patch10: enable-stop-rules.patch BuildRequires: audit-devel = %{version} BuildRequires: autoconf >= 2.12 BuildRequires: gcc-c++ @@ -129,6 +132,9 @@ rm -rf audisp/plugins/prelude %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 %if %{without python2} && %{with python3} # Fix python env call in tests if we only have Python3. diff --git a/audit.changes b/audit.changes index fe83d86..c8db949 100644 --- a/audit.changes +++ b/audit.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya + +- Update to version 3.0.5: + * In auditd, flush uid/gid caches when user/group added/deleted/modified + * Fixed various issues when dealing with corrupted logs + * In auditd, check if log_file is valid before closing handle + +- Include fixed from 3.0.4: + * Apply performance speedups to auparse library + * Optimize rule loading in auditctl + * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath + * Update syscall table to the 5.14 kernel + * Fixed various issues when dealing with corrupted logs + ------------------------------------------------------------------- Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya diff --git a/audit.spec b/audit.spec index 2df0023..d1972f7 100644 --- a/audit.spec +++ b/audit.spec @@ -17,7 +17,7 @@ Name: audit -Version: 3.0.3 +Version: 3.0.5 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later diff --git a/change-default-log_format.patch b/change-default-log_format.patch new file mode 100644 index 0000000..a829bdf --- /dev/null +++ b/change-default-log_format.patch @@ -0,0 +1,28 @@ +From: Enzo Matsumiya +Subject: auditd.conf: change default log_format +References: bsc#1190500 + +Upstream commit bf1270cfe ("change default logging format and update roadmap") +changed the default log_format from RAW to ENRICHED. + +This causes non-audit tools to not interpret the GS character (group separator, +0x1d) that splits the raw data from the enriched data, causing it to be visually +concatenated. + +Since a candidate patch to change this was rejected by upstream, we change +the default log_format back to RAW instead, to avoid confusion on customers' +environments. + +Signed-off-by: Enzo Matsumiya + +--- a/init.d/auditd.conf ++++ b/init.d/auditd.conf +@@ -6,7 +6,7 @@ local_events = yes + write_logs = yes + log_file = /var/log/audit/audit.log + log_group = audit +-log_format = ENRICHED ++log_format = RAW + flush = INCREMENTAL_ASYNC + freq = 50 + max_log_file = 8 diff --git a/enable-stop-rules.patch b/enable-stop-rules.patch new file mode 100644 index 0000000..7e0ea7e --- /dev/null +++ b/enable-stop-rules.patch @@ -0,0 +1,24 @@ +From: Enzo Matsumiya +Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service +References: bsc#1190227 + +This has caused confusion for customers when relating stopping auditd service +is the same as stopping system auditing. This is completely understandable, but +it's by design, so kauditd can keep filling its queues for any other userspace +daemon to consume. + +Disable audit when auditd.service stops, so kauditd stops logging/running. + +Signed-off-by: Enzo Matsumiya + +--- a/init.d/auditd.service ++++ b/init.d/auditd.service +@@ -25,7 +25,7 @@ ExecStartPost=-/sbin/augenrules --load + #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules + # By default we don't clear the rules on exit. To enable this, uncomment + # the next line after copying the file to /etc/systemd/system/auditd.service +-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules ++ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules + + ### Security Settings ### + MemoryDenyWriteExecute=true diff --git a/fix-hardened-service.patch b/fix-hardened-service.patch new file mode 100644 index 0000000..34f97c1 --- /dev/null +++ b/fix-hardened-service.patch @@ -0,0 +1,30 @@ +From: Enzo Matsumiya +Subject: init.d/auditd.service: make /etc/audit writable +References: bsc#1181400 + +systemd hardening effort (bsc#1181400) broke auditd.service when starting/ +restarting it. This was because auditd couldn't save/create audit.rules from +/etc/audit/rules.d/* files. + +Make /etc/audit writable for the service. + +Also remove PrivateDevices=true so /dev/* are exposed to auditd. + +Signed-off-by: Enzo Matsumiya + +--- a/init.d/auditd.service ++++ b/init.d/auditd.service +@@ -37,12 +37,12 @@ RestrictRealtime=true + # added automatically, for details please see + # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort + ProtectSystem=full +-PrivateDevices=true + ProtectHostname=true + ProtectClock=true + ProtectKernelTunables=true + ProtectKernelLogs=true + # end of automatic additions ++ReadWritePaths=/etc/audit + + [Install] + WantedBy=multi-user.target diff --git a/harden_auditd.service.patch b/harden_auditd.service.patch index fb927fd..8dc1528 100644 --- a/harden_auditd.service.patch +++ b/harden_auditd.service.patch @@ -1,8 +1,6 @@ -Index: audit-3.0.3/init.d/auditd.service -=================================================================== ---- audit-3.0.3.orig/init.d/auditd.service -+++ audit-3.0.3/init.d/auditd.service -@@ -35,6 +35,15 @@ ProtectControlGroups=true +--- a/init.d/auditd.service ++++ b/init.d/auditd.service +@@ -34,6 +34,15 @@ ProtectControlGroups=true ProtectKernelModules=true ProtectHome=true RestrictRealtime=true From 3099f73ab7a076726b86bdf660350f88d3f8fef473a1ab346e8a9ac49291bdee Mon Sep 17 00:00:00 2001 From: Enzo Matsumiya Date: Mon, 20 Sep 2021 17:14:08 +0000 Subject: [PATCH 2/2] Accepting request 920360 from home:ematsumiya:branches:security Use tarball from source URL. OBS-URL: https://build.opensuse.org/request/show/920360 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=130 --- audit-3.0.5.tar.gz | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/audit-3.0.5.tar.gz b/audit-3.0.5.tar.gz index 266579e..f64209c 100644 --- a/audit-3.0.5.tar.gz +++ b/audit-3.0.5.tar.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:23bcc88de1b4b94eedfcab9ef805269f073fe8766305e90e361fc58dac328340 -size 595279 +oid sha256:7c54e73a6cafc8154ee6e37971efb1c8dd9ac2361daec429a52a7538c24fdc70 +size 1188884