forked from pool/audit
Accepting request 920362 from security
OBS-URL: https://build.opensuse.org/request/show/920362 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=97
This commit is contained in:
commit
a584999d5c
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904
|
||||
size 1186684
|
3
audit-3.0.5.tar.gz
Normal file
3
audit-3.0.5.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:7c54e73a6cafc8154ee6e37971efb1c8dd9ac2361daec429a52a7538c24fdc70
|
||||
size 1188884
|
@ -11,7 +11,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
|
||||
|
||||
--- a/src/ausearch-parse.c
|
||||
+++ b/src/ausearch-parse.c
|
||||
@@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea
|
||||
@@ -2061,17 +2061,15 @@ other_avc:
|
||||
|
||||
// Now get the class...its at the end, so we do things different
|
||||
str = strstr(term, "tclass=");
|
||||
|
@ -1,3 +1,32 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
|
||||
|
||||
- Fix hardened auditd.service (bsc#1181400)
|
||||
* add fix-hardened-service.patch
|
||||
Make /etc/audit read-write from the service.
|
||||
Remove PrivateDevices=true to expose /dev/* to auditd.service.
|
||||
|
||||
- Enable stop rules for audit.service (cf. bsc#1190227)
|
||||
* add enable-stop-rules.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
|
||||
|
||||
- Change default log_format from ENRICHED to RAW (bsc#1190500):
|
||||
* add change-default-log_format.patch (SUSE-specific patch)
|
||||
|
||||
- Update to version 3.0.5:
|
||||
* In auditd, flush uid/gid caches when user/group added/deleted/modified
|
||||
* Fixed various issues when dealing with corrupted logs
|
||||
* In auditd, check if log_file is valid before closing handle
|
||||
|
||||
- Include fixed from 3.0.4:
|
||||
* Apply performance speedups to auparse library
|
||||
* Optimize rule loading in auditctl
|
||||
* Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
|
||||
* Update syscall table to the 5.14 kernel
|
||||
* Fixed various issues when dealing with corrupted logs
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 16 13:29:21 UTC 2021 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
|
@ -22,7 +22,7 @@
|
||||
# The seperation is required to minimize unnecessary build cycles.
|
||||
%define _name audit
|
||||
Name: audit-secondary
|
||||
Version: 3.0.3
|
||||
Version: 3.0.5
|
||||
Release: 0
|
||||
Summary: Linux kernel audit subsystem utilities
|
||||
License: GPL-2.0-or-later
|
||||
@ -37,6 +37,9 @@ Patch4: audit-ausearch-do-not-require-tclass.patch
|
||||
Patch5: change-default-log_group.patch
|
||||
Patch6: libev-werror.patch
|
||||
Patch7: harden_auditd.service.patch
|
||||
Patch8: change-default-log_format.patch
|
||||
Patch9: fix-hardened-service.patch
|
||||
Patch10: enable-stop-rules.patch
|
||||
BuildRequires: audit-devel = %{version}
|
||||
BuildRequires: autoconf >= 2.12
|
||||
BuildRequires: gcc-c++
|
||||
@ -129,6 +132,9 @@ rm -rf audisp/plugins/prelude
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
%if %{without python2} && %{with python3}
|
||||
# Fix python env call in tests if we only have Python3.
|
||||
|
@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
|
||||
|
||||
- Update to version 3.0.5:
|
||||
* In auditd, flush uid/gid caches when user/group added/deleted/modified
|
||||
* Fixed various issues when dealing with corrupted logs
|
||||
* In auditd, check if log_file is valid before closing handle
|
||||
|
||||
- Include fixed from 3.0.4:
|
||||
* Apply performance speedups to auparse library
|
||||
* Optimize rule loading in auditctl
|
||||
* Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
|
||||
* Update syscall table to the 5.14 kernel
|
||||
* Fixed various issues when dealing with corrupted logs
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: audit
|
||||
Version: 3.0.3
|
||||
Version: 3.0.5
|
||||
Release: 0
|
||||
Summary: Linux kernel audit subsystem utilities
|
||||
License: GPL-2.0-or-later
|
||||
|
28
change-default-log_format.patch
Normal file
28
change-default-log_format.patch
Normal file
@ -0,0 +1,28 @@
|
||||
From: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
Subject: auditd.conf: change default log_format
|
||||
References: bsc#1190500
|
||||
|
||||
Upstream commit bf1270cfe ("change default logging format and update roadmap")
|
||||
changed the default log_format from RAW to ENRICHED.
|
||||
|
||||
This causes non-audit tools to not interpret the GS character (group separator,
|
||||
0x1d) that splits the raw data from the enriched data, causing it to be visually
|
||||
concatenated.
|
||||
|
||||
Since a candidate patch to change this was rejected by upstream, we change
|
||||
the default log_format back to RAW instead, to avoid confusion on customers'
|
||||
environments.
|
||||
|
||||
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
|
||||
--- a/init.d/auditd.conf
|
||||
+++ b/init.d/auditd.conf
|
||||
@@ -6,7 +6,7 @@ local_events = yes
|
||||
write_logs = yes
|
||||
log_file = /var/log/audit/audit.log
|
||||
log_group = audit
|
||||
-log_format = ENRICHED
|
||||
+log_format = RAW
|
||||
flush = INCREMENTAL_ASYNC
|
||||
freq = 50
|
||||
max_log_file = 8
|
24
enable-stop-rules.patch
Normal file
24
enable-stop-rules.patch
Normal file
@ -0,0 +1,24 @@
|
||||
From: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
|
||||
References: bsc#1190227
|
||||
|
||||
This has caused confusion for customers when relating stopping auditd service
|
||||
is the same as stopping system auditing. This is completely understandable, but
|
||||
it's by design, so kauditd can keep filling its queues for any other userspace
|
||||
daemon to consume.
|
||||
|
||||
Disable audit when auditd.service stops, so kauditd stops logging/running.
|
||||
|
||||
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
|
||||
--- a/init.d/auditd.service
|
||||
+++ b/init.d/auditd.service
|
||||
@@ -25,7 +25,7 @@ ExecStartPost=-/sbin/augenrules --load
|
||||
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
|
||||
# By default we don't clear the rules on exit. To enable this, uncomment
|
||||
# the next line after copying the file to /etc/systemd/system/auditd.service
|
||||
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
|
||||
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
|
||||
|
||||
### Security Settings ###
|
||||
MemoryDenyWriteExecute=true
|
30
fix-hardened-service.patch
Normal file
30
fix-hardened-service.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
Subject: init.d/auditd.service: make /etc/audit writable
|
||||
References: bsc#1181400
|
||||
|
||||
systemd hardening effort (bsc#1181400) broke auditd.service when starting/
|
||||
restarting it. This was because auditd couldn't save/create audit.rules from
|
||||
/etc/audit/rules.d/* files.
|
||||
|
||||
Make /etc/audit writable for the service.
|
||||
|
||||
Also remove PrivateDevices=true so /dev/* are exposed to auditd.
|
||||
|
||||
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
|
||||
--- a/init.d/auditd.service
|
||||
+++ b/init.d/auditd.service
|
||||
@@ -37,12 +37,12 @@ RestrictRealtime=true
|
||||
# added automatically, for details please see
|
||||
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
||||
ProtectSystem=full
|
||||
-PrivateDevices=true
|
||||
ProtectHostname=true
|
||||
ProtectClock=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelLogs=true
|
||||
# end of automatic additions
|
||||
+ReadWritePaths=/etc/audit
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,8 +1,6 @@
|
||||
Index: audit-3.0.3/init.d/auditd.service
|
||||
===================================================================
|
||||
--- audit-3.0.3.orig/init.d/auditd.service
|
||||
+++ audit-3.0.3/init.d/auditd.service
|
||||
@@ -35,6 +35,15 @@ ProtectControlGroups=true
|
||||
--- a/init.d/auditd.service
|
||||
+++ b/init.d/auditd.service
|
||||
@@ -34,6 +34,15 @@ ProtectControlGroups=true
|
||||
ProtectKernelModules=true
|
||||
ProtectHome=true
|
||||
RestrictRealtime=true
|
||||
|
Loading…
Reference in New Issue
Block a user