Accepting request 912415 from security

- harden_auditd.service.patch: automatic hardening applied to systemd
  services

OBS-URL: https://build.opensuse.org/request/show/912415
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=96

audit-secondary.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Aug 16 13:29:21 UTC 2021 - Marcus Meissner <meissner@suse.com>
+
+- harden_auditd.service.patch: automatic hardening applied to systemd
+  services
+
 -------------------------------------------------------------------
 Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
 

audit-secondary.spec

@@ -36,6 +36,7 @@ Patch3:         audit-allow-manual-stop.patch
 Patch4:         audit-ausearch-do-not-require-tclass.patch
 Patch5:         change-default-log_group.patch
 Patch6:         libev-werror.patch
+Patch7:         harden_auditd.service.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -127,6 +128,7 @@ rm -rf audisp/plugins/prelude
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.

harden_auditd.service.patch

@@ -0,0 +1,20 @@
+Index: audit-3.0.3/init.d/auditd.service
+===================================================================
+--- audit-3.0.3.orig/init.d/auditd.service
++++ audit-3.0.3/init.d/auditd.service
+@@ -35,6 +35,15 @@ ProtectControlGroups=true
+ ProtectKernelModules=true
+ ProtectHome=true
+ RestrictRealtime=true
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++# end of automatic additions 
+ 
+ [Install]
+ WantedBy=multi-user.target