Accepting request 867563 from home:ematsumiya:branches:security

- Create new "audit" group for read access to logs (bsc#1178154)
  * add change-default-log_group.patch
  * update audit-secondary.spec

OBS-URL: https://build.opensuse.org/request/show/867563
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=116

audit-secondary.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jan 28 17:59:43 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Create new "audit" group for read access to logs (bsc#1178154)
+  * add change-default-log_group.patch
+  * update audit-secondary.spec
+
 -------------------------------------------------------------------
 Wed Dec  2 11:49:28 UTC 2020 - Alexander Bergmann <abergmann@suse.com>
 

audit-secondary.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package audit-secondary
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,12 +29,14 @@ License:        GPL-2.0-or-later
 Group:          System/Monitoring
 URL:            http://people.redhat.com/sgrubb/audit/
 Source0:        http://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.gz
+Source1:        system-group-audit.conf
 Patch1:         audit-plugins-path.patch
 Patch2:         audit-no-gss.patch
 Patch3:         audit-allow-manual-stop.patch
 Patch4:         audit-ausearch-do-not-require-tclass.patch
 Patch5:         audit-python3.patch
 Patch6:         audit-fno-common.patch
+Patch7:         change-default-log_group.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -50,6 +52,7 @@ BuildRequires:  python3-devel
 %endif
 BuildRequires:  swig
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
 BuildRequires:  tcpd-devel
 BuildRequires:  pkgconfig(libcap-ng)
 
@@ -64,6 +67,7 @@ License:        LGPL-2.1-or-later
 Group:          System/Monitoring
 Requires:       %{_name}-libs = %{version}
 Requires:       coreutils
+Requires:       group(audit)
 %{?systemd_ordering}
 
 %description -n audit
@@ -71,6 +75,16 @@ The audit package contains the user space utilities for storing and
 processing the audit records generated by the audit subsystem in the
 Linux kernel.
 
+%package -n     system-group-audit
+Summary:        System group 'audit'
+License:        LGPL-2.1-or-later
+Group:          System/Fhs
+Provides:       group(audit)
+%sysusers_requires
+
+%description -n system-group-audit
+This package contains the system group 'audit' for read access to logs.
+
 %package -n     python2-audit
 Summary:        Python Bindings for libaudit
 License:        LGPL-2.1-or-later
@@ -114,6 +128,7 @@ rm -rf audisp/plugins/prelude
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
@@ -141,12 +156,16 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 	--disable-static
 make %{?_smp_mflags}
 
+%sysusers_generate_pre %{SOURCE1} audit
+
 %install
 %make_install
 
 mkdir -p %{buildroot}%{_localstatedir}/log/audit/
 touch %{buildroot}%{_localstatedir}/log/audit/audit.log
 mkdir -p %{buildroot}%{_localstatedir}/spool/audit/
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/
 # For ghost below, so that old location files will still be there when
 # post copy runs
 mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/
@@ -207,6 +226,8 @@ fi
 %pre -n audit
 %service_add_pre auditd.service
 
+%pre -n system-group-audit -f audit.pre
+
 %preun -n audit
 %service_del_preun auditd.service
 
@@ -263,12 +284,15 @@ fi
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audispd.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
-%dir %attr(700,root,root) %{_localstatedir}/log/audit
-%ghost %config(noreplace) %{_localstatedir}/log/audit/audit.log
+%dir %attr(750,root,audit) %{_localstatedir}/log/audit
+%ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
 %{_sbindir}/rcauditd
 
+%files -n system-group-audit
+%{_sysusersdir}/system-group-audit.conf
+
 %if %{with python2}
 %files -n python2-audit
 %attr(755,root,root) %{python2_sitearch}/_audit.so

audit.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package audit
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,6 +26,7 @@ URL:            http://people.redhat.com/sgrubb/audit/
 Source0:        http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1:        baselibs.conf
 Source2:        README-BEFORE-ADDING-PATCHES
+Patch0:         change-default-log_group.patch
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
 BuildRequires:  kernel-headers >= 2.6.30
@@ -74,6 +75,7 @@ libraries.
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 autoreconf -fi

change-default-log_group.patch

@@ -0,0 +1,21 @@
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Date: Thu Jan 28 18:11:39 UTC 2021
+References: bsc#1178154
+Patch-mainline: Not yet, under review
+Subject: change default log_group to "audit"
+
+Change the default log_group to newly added "audit" group.
+
+Signed-Off-by: Enzo Matsumiya <ematsumiya@suse.de>
+
+--- a/init.d/auditd.conf
++++ b/init.d/auditd.conf
+@@ -5,7 +5,7 @@
+ local_events = yes
+ write_logs = yes
+ log_file = /var/log/audit/audit.log
+-log_group = root
++log_group = audit
+ log_format = RAW
+ flush = INCREMENTAL_ASYNC
+ freq = 50

system-group-audit.conf

@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+g audit -