OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=1

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

README-BEFORE-ADDING-PATCHES

@@ -0,0 +1,8 @@
+All patches need to have a patch description header similar to what is used in 
+kernel cvs.
+
+Clear description of problem.
+Buzilla entry if applicable.
+Indication as to whether patch was upstreamed.
+
+Patches added without this will be reverted.  Thanks.

audit-1.2.9.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0995cdda8aeb4cd1126427d78fcc44aa6bf84e578f15fad0074ffbb9ac609339
+size 193190

audit-auparse_missing_return.patch

@@ -0,0 +1,49 @@
+From: tonyj@suse.de
+References: none
+Patch-upstream: no
+
+Disable unused functions which are tripping the abuild garbage return code
+detection.
+
+--- audit-1.2.6/auparse/auparse.c.xx	2006-08-31 21:24:46.000000000 +0200
++++ audit-1.2.6/auparse/auparse.c	2006-08-31 21:30:48.000000000 +0200
+@@ -177,6 +177,7 @@
+ }
+ 
+ 
++#if 0
+ time_t auparse_get_time(auparse_state_t *au)
+ {
+ }
+@@ -190,6 +191,7 @@
+ unsigned long auparse_get_serial(auparse_state_t *au)
+ {
+ }
++#endif	/* not used, disable to avoid abuild garbage return error */
+ 
+ 
+ const char *auparse_get_node(auparse_state_t *au)
+@@ -198,9 +200,11 @@
+ }
+ 
+ 
++#if 0
+ int auparse_timestamp_compare(event_t *e1, event_t *e2)
+ {
+ }
++#endif	/* not used, disable to avoid abuild garbage return error */
+ 
+ 
+ /* Functions that traverse records in the same event */
+@@ -260,9 +264,11 @@
+ }
+ 
+ 
++#if 0
+ int auparse_get_field_int(auparse_state_t *au)
+ {
+ }
++#endif	/* not used, disable to avoid abuild garbage return error */
+ 
+ 
+ const char *auparse_interpret_field(auparse_state_t *au)

audit-change-paths.patch

@@ -0,0 +1,20 @@
+From: tonyj@suse.de
+References: unknown
+Upstream: no
+
+Change paths.
+1) Since libstdc++ is in /usr, audispd must move also
+2) Change location of audit config file to /etc
+
+--- audit-1.2.6/init.d/auditd.conf.xx	2006-08-31 18:18:11.000000000 +0200
++++ audit-1.2.6/init.d/auditd.conf	2006-08-31 18:19:00.000000000 +0200
+@@ -8,7 +8,7 @@
+ flush = INCREMENTAL
+ freq = 20
+ num_logs = 4
+-dispatcher = /sbin/audispd
++#dispatcher = /usr/sbin/audispd
+ disp_qos = lossy
+ max_log_file = 5 
+ max_log_file_action = ROTATE
+

audit-disable-syscall-contexts.patch

@@ -0,0 +1,102 @@
+From: sbeattie@suse.de
+References: 172154
+Upstream: no
+ 
+Disable syscall audit context creation by default.
+This patch needs to be reevaluated in light of kernel performance improvements
+to audit comitted around ~2.6.18
+
+--- audit-1.2.6/src/auditd.c.xx	2006-07-27 19:06:08.000000000 +0200
++++ audit-1.2.6/src/auditd.c	2006-08-31 20:02:57.000000000 +0200
+@@ -36,6 +36,7 @@
+ #include <sys/wait.h>
+ #include <fcntl.h>
+ #include <pthread.h>
++#include <getopt.h>
+ 
+ #include "libaudit.h"
+ #include "auditd-config.h"
+@@ -69,7 +70,7 @@
+  */
+ static void usage(void)
+ {
+-	puts("Usage: auditd [ -f ]");
++	puts("Usage: auditd [ -f ] [ -n ]");
+ 	exit(2);
+ }
+ 
+@@ -281,18 +282,28 @@
+ 	struct rlimit limit;
+ 	int hup_info_requested = 0, usr1_info_requested = 0;
+ 	int i;
++	int opt_foreground = 0;
++	int opt_enabled = 1;
++	int c;
+ 
+ 	/* Get params && set mode */
+-	if (argc > 2)
+-		usage();
+-	if (argc == 2) {
+-		if (strcmp(argv[1], "-f") == 0) {
+-			config.daemonize = D_FOREGROUND;
+-			set_aumessage_mode(MSG_STDERR, DBG_YES);
+-		} else
++	while ((c = getopt(argc, argv, "fn")) != -1) {
++		switch (c) {
++		case 'f':
++			opt_foreground = 1;
++			break;
++		case 'n':
++			opt_enabled = 0;
++			break;
++		default:
+ 			usage();
++		}
+ 	}
+-	else {
++
++	if (opt_foreground) {
++		config.daemonize = D_FOREGROUND;
++		set_aumessage_mode(MSG_STDERR, DBG_YES);
++	} else {
+ 		config.daemonize = D_BACKGROUND;
+ 		set_aumessage_mode(MSG_SYSLOG, DBG_NO);
+ 		(void) umask( umask( 077 ) | 022 );
+@@ -429,7 +440,7 @@
+ 	tell_parent(SUCCESS);
+ 
+ 	/* Enable auditing just in case it was off */
+-	if (audit_set_enabled(fd, 1) < 0) {
++	if (audit_set_enabled(fd, opt_enabled) < 0) {
+ 		char emsg[DEFAULT_BUF_SZ];
+ 		snprintf(emsg, sizeof(emsg),
+ 			"auditd error halt, auid=%u pid=%d res=failed",
+@@ -558,6 +569,7 @@
+ 			/* Write message to log that we are going down */
+ 			int rc;
+ 
++			audit_set_enabled(fd, 0);
+ 			rc = audit_request_signal_info(fd);
+ 			if (rc > 0) {
+ 				struct audit_reply trep;
+--- audit-1.2.6/docs/auditd.8.xx	2006-04-06 23:21:14.000000000 +0200
++++ audit-1.2.6/docs/auditd.8	2006-08-31 20:02:47.000000000 +0200
+@@ -4,6 +4,7 @@
+ .SH SYNOPSIS
+ .B auditd
+ [ \fI-f \fR]
++[ \fI-n \fR]
+ .SH DESCRIPTION
+ auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the
+ .B ausearch
+@@ -18,6 +19,10 @@
+ .TP
+ \fB\-f\fR
+ leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log.
++.TP
++\fB-n\fR
++start the audit daemon, but do not enabled system call auditing in the kernel.
++This can be done separately by using \fBauditctl -e\fR.
+ .SH SIGNALS
+ \fB\SIGHUP\fR
+ causes auditd to reconfigure. This means that auditd re-reads the configuration file. If there are no syntax errors, it will proceed to implement the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the logs. If not successful, error handling is controlled by space_left_action, admin_space_left_action, disk_full_action, and disk_error_action parameters in auditd.conf.

audit-libs-python.changes

@@ -0,0 +1,21 @@
+-------------------------------------------------------------------
+Wed Nov 29 02:47:22 CET 2006 - tonyj@suse.de
+
+- Upgrade to 1.2.9 (drop several patches which are now upstream)
+- /usr/sbin/audispd now packaged by audit-libs-python
+
+-------------------------------------------------------------------
+Sun Nov  5 00:45:21 CET 2006 - ro@suse.de
+
+- fix requires 
+
+-------------------------------------------------------------------
+Thu Aug 31 22:57:52 CEST 2006 - tonyj@suse.de
+
+- Upgrade to 1.2.6-1
+
+-------------------------------------------------------------------
+Wed Aug 16 16:19:20 CEST 2006 - cthiel@suse.de
+
+- split off package 
+

audit-libs-python.spec

@@ -0,0 +1,93 @@
+#
+# spec file for package audit-libs-python (Version 1.2.9)
+#
+# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# This file and all modifications and additions to the pristine
+# package are under the same license as the package itself.
+#
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+Name:           audit-libs-python
+%define _name audit
+BuildRequires:  audit-devel gcc-c++ python-devel swig
+Summary:        Python bindings for libaudit
+Version:        1.2.9
+Release:        2
+License:        GNU General Public License (GPL)
+Group:          System/Monitoring
+URL:            http://people.redhat.com/sgrubb/audit/
+Source0:        audit-%{version}.tar.bz2
+Patch0:         audit-change-paths.patch
+Patch1:         audit-disable-syscall-contexts.patch
+Patch2:         audit-auparse_missing_return.patch
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Requires:       audit-libs = %( echo `rpm -q --queryformat '%{VERSION}-%{RELEASE}' audit-libs`)
+PreReq:         %insserv_prereq %fillup_prereq
+
+%description
+The audit-libs-python package contains the bindings so that libaudit
+can be used by python.
+
+
+
+Authors:
+--------
+    Steve Grubb <sgrubb@redhat.com>
+
+%prep
+%setup -q -n audit-%{version}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+
+%build
+autoreconf -fv --install
+export CFLAGS="%{optflags} -fno-strict-aliasing"
+export CXXFLAGS="$CFLAGS"
+./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --with-apparmor
+pushd src/mt
+        make libaudit.h
+popd
+make
+
+%install
+make DESTDIR=$RPM_BUILD_ROOT install -C swig
+make DESTDIR=$RPM_BUILD_ROOT install -C audisp LIBDIR=$RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages
+mkdir $RPM_BUILD_ROOT/usr/sbin
+mv $RPM_BUILD_ROOT/sbin/audispd $RPM_BUILD_ROOT/usr/sbin/audispd
+rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/_audit.a
+rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/_audit.la
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+if [ -f /etc/audit/auditd.conf ]; then
+   tmp=`mktemp /etc/audit/auditd-post.$$`
+   if [ -n $tmp ]; then
+      sed 's|^#dispatcher|dispatcher|g' /etc/audit/auditd.conf > $tmp && \
+         cat $tmp > /etc/audit/auditd.conf
+      rm -f $tmp
+   fi
+fi
+
+%files
+%defattr(-,root,root,-)
+%attr(750,root,root) /usr/sbin/audispd
+%{_libdir}/python%{py_ver}/site-packages/_audit.so
+%{_libdir}/python%{py_ver}/site-packages/audit.py*
+%{_libdir}/python%{py_ver}/site-packages/AuditMsg.py*
+
+%changelog -n audit-libs-python
+* Wed Nov 29 2006 - tonyj@suse.de
+- Upgrade to 1.2.9 (drop several patches which are now upstream)
+- /usr/sbin/audispd now packaged by audit-libs-python
+* Sun Nov 05 2006 - ro@suse.de
+- fix requires
+* Thu Aug 31 2006 - tonyj@suse.de
+- Upgrade to 1.2.6-1
+* Wed Aug 16 2006 - cthiel@suse.de
+- split off package

audit-no_python.patch

@@ -0,0 +1,41 @@
+From: tonyj@suse.de
+Date: unknown
+Upstream: no
+
+This patch is used by audit.spec to disable use of Python.
+Necessary Python files are built seperately by audit-libs-python.spec
+(make -C swig ; make -C auditsp)
+
+--- audit-1.2.6/configure.ac.xx	2006-07-13 23:02:17.000000000 +0200
++++ audit-1.2.6/configure.ac	2006-08-31 20:52:49.000000000 +0200
+@@ -39,7 +39,7 @@
+ AM_INIT_AUTOMAKE
+ AM_PROG_LIBTOOL
+ AC_SUBST(LIBTOOL_DEPS)
+-AM_PATH_PYTHON(2.4)
++#AM_PATH_PYTHON(2.4)
+ 
+ echo .
+ echo Checking for programs
+@@ -105,7 +105,8 @@
+ if test x$use_apparmor != xno ; then
+       AC_DEFINE(WITH_APPARMOR,1,[Define if you want to enable AppArmor events.])fi
+ 
+-AC_OUTPUT(Makefile lib/Makefile auparse/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile)
++#AC_OUTPUT(Makefile lib/Makefile auparse/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile)
++AC_OUTPUT(Makefile lib/Makefile auparse/Makefile src/Makefile src/mt/Makefile docs/Makefile init.d/Makefile)
+ 
+ echo .
+ echo "
+--- audit-1.2.6/Makefile.am.xx	2006-07-13 22:24:35.000000000 +0200
++++ audit-1.2.6/Makefile.am	2006-08-31 20:52:49.000000000 +0200
+@@ -22,7 +22,8 @@
+ #
+ 
+ #SUBDIRS = lib auparse src/mt src audisp audisp/tests swig init.d docs
+-SUBDIRS = lib src/mt src audisp swig init.d docs
++#SUBDIRS = lib src/mt src audisp swig init.d docs
++SUBDIRS = lib src/mt src init.d docs
+ EXTRA_DIST = ChangeLog AUTHORS NEWS README sample.rules contrib/capp.rules contrib/lspp.rules contrib/skeleton.c README-install audit.spec
+ CONFIG_CLEAN_FILES = Makefile.in aclocal.m4* config.h.* configure debug*.list config/*
+ 

audit.changes

@@ -0,0 +1,209 @@
+-------------------------------------------------------------------
+Wed Nov 29 02:46:08 CET 2006 - tonyj@suse.de
+
+- Upgrade to 1.2.9 (drop several patches which are now upstream)
+- Move to using /etc/audit directory for config files
+
+-------------------------------------------------------------------
+Thu Aug 31 22:57:52 CEST 2006 - tonyj@suse.de
+
+- Upgrade to 1.2.6-1
+
+-------------------------------------------------------------------
+Sat Aug 26 09:01:50 CEST 2006 - olh@suse.de
+
+- do not define __KERNEL__ in userland apps
+- remove unused sys/syscall.h include
+
+-------------------------------------------------------------------
+Wed Aug 16 15:42:58 CEST 2006 - cthiel@suse.de
+
+- split audit into audit and audit-libs-python
+
+-------------------------------------------------------------------
+Fri May  5 21:05:40 CEST 2006 - sbeattie@suse.de
+
+- disable syscall audit context creation by default #172154  
+
+-------------------------------------------------------------------
+Mon Mar 20 16:18:29 CET 2006 - meissner@suse.de
+
+- Do not print a misleading errormessage when audit
+  is not compiled into the kernel. #152733
+
+-------------------------------------------------------------------
+Mon Mar  6 14:21:06 CET 2006 - meissner@suse.de
+
+- On kernels without auditing, which report ECONNREFUSED,
+  do not output stuff to stderr on startup. #152733
+
+-------------------------------------------------------------------
+Sat Feb 25 09:55:48 CET 2006 - kukuk@suse.de
+
+- Fix moving of devel libraries, don't install .la file
+
+-------------------------------------------------------------------
+Wed Feb 22 15:10:44 CET 2006 - meissner@suse.de
+
+- moved libaudit.so symlink to /usr/lib and to -devel package,
+  as requested by Thorsten.
+
+-------------------------------------------------------------------
+Fri Feb 17 19:56:14 CET 2006 - meissner@suse.de
+
+- check sendto() return against -1 (error with errno set).
+
+-------------------------------------------------------------------
+Wed Jan 25 21:34:31 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Wed Jan 25 12:09:31 CET 2006 - ro@suse.de
+
+- fix fillup call since filename != packagename 
+
+-------------------------------------------------------------------
+Tue Jan 24 19:01:52 CET 2006 - ro@suse.de
+
+- do not skip fillup in postinstall 
+
+-------------------------------------------------------------------
+Mon Jan 23 08:54:33 CET 2006 - dreynolds@suse.de
+
+- Modified inssrv macro args to enable on boot
+
+-------------------------------------------------------------------
+Wed Jan 18 21:33:21 CET 2006 - tonyj@suse.de
+
+- Add support for AppArmor (submitted upstream for 1.1.4)
+
+-------------------------------------------------------------------
+Fri Jan 13 11:35:57 CET 2006 - meissner@suse.de
+
+- Updated to 1.1.3. 
+- Moved audispd to /usr/sbin since it uses /usr/lib/libstdc++
+- Updated sysconfig snippet.
+
+-------------------------------------------------------------------
+Tue Nov  8 11:32:45 CET 2005 - meissner@suse.de
+
+- upgraded to 1.0.12.
+
+-------------------------------------------------------------------
+Fri Nov  4 12:41:35 CET 2005 - kukuk@suse.de
+
+- Update to 1.0.9.
+
+-------------------------------------------------------------------
+Wed Oct 12 17:24:55 CEST 2005 - meissner@suse.de
+
+- upgraded to 1.0.6. ptrdift patch now solved upstream.
+
+-------------------------------------------------------------------
+Wed Oct  5 15:17:05 CEST 2005 - meissner@suse.de
+
+- Upgraded to 1.0.5
+
+-------------------------------------------------------------------
+Wed Oct  5 12:00:38 CEST 2005 - dmueller@suse.de
+
+ - add norootforbuild
+
+-------------------------------------------------------------------
+Mon Sep 26 11:40:27 CEST 2005 - meissner@suse.de
+
+- Upgraded to 1.0.4.
+	- Make rate & backlog 32 bit unsigned int in auditctl
+	- In auditctl, if -F arch is given with -t option, don't require list
+	- Update auditd man page
+	- Add size check to audit_send
+	- Update message for audit_open failure when kernel doesn't support audit
+
+-------------------------------------------------------------------
+Tue Aug 23 14:07:44 CEST 2005 - meissner@suse.de
+
+- Upgraded to 1.0.3 bugfix release:
+	- adjust file perms of newly created log file in auditd
+	- fix 2 memory leaks and an out of bounds access in auditd
+	- fix case where auditd was closing netlink descriptor too early
+	- fix watch rules not to take field arguments in auditctl
+	- fix bug where inode, devmajor, devminor, exit, and success fields in auditctl 
+	rules were not getting the correct value stored
+
+-------------------------------------------------------------------
+Wed Aug 17 14:19:29 CEST 2005 - meissner@suse.de
+
+- Added /var/log/audit directory and ghost audit.log #105131
+
+-------------------------------------------------------------------
+Wed Aug 10 13:37:56 CEST 2005 - meissner@suse.de
+
+- Upgraded to 1.0.2
+
+-------------------------------------------------------------------
+Thu Aug  4 11:20:00 CEST 2005 - meissner@suse.de
+
+- Upgraded to 1.0.1.
+
+-------------------------------------------------------------------
+Mon Jul 11 14:47:38 CEST 2005 - meissner@suse.de
+
+- Update to version 0.9.16.
+
+-------------------------------------------------------------------
+Tue Jun 21 08:38:17 CEST 2005 - meissner@suse.de
+
+- Update to version 0.9.10.
+
+-------------------------------------------------------------------
+Fri Jun 17 11:21:42 CEST 2005 - meissner@suse.de
+
+- Update to version 0.9.7.
+
+-------------------------------------------------------------------
+Thu Jun 16 14:51:48 CEST 2005 - kukuk@suse.de
+
+- Update to version 0.9.5
+
+-------------------------------------------------------------------
+Tue Jun 14 01:30:20 CEST 2005 - ro@suse.de
+
+- make it build with current includes 
+
+-------------------------------------------------------------------
+Tue May 31 14:15:30 CEST 2005 - meissner@suse.de
+
+- Upgraded to 0.9.
+
+-------------------------------------------------------------------
+Fri May 13 13:08:41 CEST 2005 - meissner@suse.de
+
+- upgraded to 0.6.8
+
+-------------------------------------------------------------------
+Tue Apr 19 10:39:54 CEST 2005 - meissner@suse.de
+
+- Upgraded to 0.6.11.
+
+-------------------------------------------------------------------
+Fri Apr 15 17:52:43 CEST 2005 - pth@suse.de
+
+- Make libaudit.h define pgoff_t by itself.
+- Fix a minor warning.
+
+-------------------------------------------------------------------
+Wed Mar 30 17:58:32 CEST 2005 - meissner@suse.de
+
+- Upgraded to 0.6.9.
+
+-------------------------------------------------------------------
+Fri Mar  4 11:23:29 CET 2005 - meissner@suse.de
+
+- Upgraded to 0.6.5.
+
+-------------------------------------------------------------------
+Thu Mar  3 14:59:36 CET 2005 - meissner@suse.de
+
+- initial package of auditd for new kernel auditing system.
+

audit.spec

@@ -0,0 +1,283 @@
+#
+# spec file for package audit (Version 1.2.9)
+#
+# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# This file and all modifications and additions to the pristine
+# package are under the same license as the package itself.
+#
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+Name:           audit
+BuildRequires:  gcc-c++
+Summary:        User Space Tools for 2.6 Kernel Auditing
+Version:        1.2.9
+Release:        2
+License:        GNU General Public License (GPL)
+Group:          System/Monitoring
+URL:            http://people.redhat.com/sgrubb/audit/
+Source0:        %{name}-%{version}.tar.bz2
+Source1:        auditd.init
+Source2:        auditd.sysconfig
+Patch0:         audit-change-paths.patch
+Patch1:         audit-no_python.patch
+Patch2:         audit-disable-syscall-contexts.patch
+Patch3:         audit-auparse_missing_return.patch
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+Requires:       %{name}-libs = %{version}-%{release}
+PreReq:         %insserv_prereq %fillup_prereq
+
+%description
+The audit package contains the user space utilities for storing and
+processing the audit records generated by the audit subsystem in the
+Linux 2.6 kernel.
+
+
+
+Authors:
+--------
+    Steve Grubb <sgrubb@redhat.com>
+
+%package libs
+Summary:        Dynamic library for libaudit
+License:        GNU General Public License (GPL)
+Group:          System/Monitoring
+
+%description libs
+The audit-libs package contains the dynamic libraries needed for
+applications to use the audit framework.
+
+
+
+Authors:
+--------
+    Steve Grubb <sgrubb@redhat.com>
+
+%package devel
+Summary:        Header files and static library for libaudit
+License:        GNU Library General Public License v. 2.0 and 2.1 (LGPL)
+Group:          System/Monitoring
+Requires:       %{name}-libs = %{version}-%{release}
+
+%description devel
+The audit-devel package contains the static libraries and header files
+needed for developing applications that need to use the audit framework
+libraries.
+
+
+
+Authors:
+--------
+    Steve Grubb <sgrubb@redhat.com>
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
+%build
+autoreconf -fv --install
+export CFLAGS="%{optflags} -fno-strict-aliasing"
+export CXXFLAGS="$CFLAGS"
+./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --with-apparmor
+pushd src/mt
+	make libaudit.h
+popd
+make
+
+%install
+mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,init.d}}
+mkdir -p $RPM_BUILD_ROOT/usr/sbin
+mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8
+mkdir -p $RPM_BUILD_ROOT/%{_lib}/security
+make DESTDIR=$RPM_BUILD_ROOT install
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+# We manually install this since Makefile doesn't
+install -m 0644 lib/libaudit.h $RPM_BUILD_ROOT/%{_includedir}
+# This winds up in the wrong place when libtool is involved
+# -- 11/06 -- temp disable libauparse
+#rm $RPM_BUILD_ROOT/%{_lib}/libaudit.so $RPM_BUILD_ROOT/%{_lib}/libauparse.so
+#ln -sf /%{_lib}/libaudit.so.0 $RPM_BUILD_ROOT%{_libdir}/libaudit.so
+#ln -sf /%{_lib}/libauparse.so.0 $RPM_BUILD_ROOT%{_libdir}/libauparse.so
+#mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT/%{_lib}/libauparse.a $RPM_BUILD_ROOT%{_libdir}
+#rm $RPM_BUILD_ROOT/%{_lib}/libaudit.la $RPM_BUILD_ROOT/%{_lib}/libauparse.la
+# -- 
+rm $RPM_BUILD_ROOT/%{_lib}/libaudit.so
+# Link points to real /lib not buildroot /lib
+ln -sf /%{_lib}/libaudit.so.0 $RPM_BUILD_ROOT%{_libdir}/libaudit.so
+mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT%{_libdir}
+rm $RPM_BUILD_ROOT/%{_lib}/libaudit.la
+mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates
+cp %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.auditd
+# delete redhat script, use ours
+rm -rf $RPM_BUILD_ROOT/etc/sysconfig/auditd
+rm -rf $RPM_BUILD_ROOT/etc/init.d/auditd
+rm -rf $RPM_BUILD_ROOT/etc/rc.d/init.d
+install -c -m 755 %{SOURCE1} $RPM_BUILD_ROOT/etc/init.d/auditd
+ln -s /etc/init.d/auditd $RPM_BUILD_ROOT/sbin/rcauditd
+mkdir -p $RPM_BUILD_ROOT/var/log/audit/
+touch $RPM_BUILD_ROOT/var/log/audit/audit.log
+# for %ghost below, so that old location files will still be there when
+# %post copy runs
+touch $RPM_BUILD_ROOT/etc/{auditd.conf,audit.rules}
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post libs -p /sbin/ldconfig
+
+%postun libs -p /sbin/ldconfig
+
+%post
+%{fillup_and_insserv -yn auditd auditd}
+# Save existing audit files if any (from old location)
+if [ -f /etc/auditd.conf ]; then
+   mv /etc/audit/auditd.conf /etc/audit/auditd.conf.new
+   mv /etc/auditd.conf /etc/audit/auditd.conf
+fi
+if [ -f /etc/audit.rules ]; then
+   mv /etc/audit/audit.rules /etc/audit/audit.rules.new
+   mv /etc/audit.rules /etc/audit/audit.rules
+fi
+
+%preun
+%stop_on_removal auditd
+
+%postun
+%restart_on_update auditd
+%{insserv_cleanup}
+
+%files libs
+%defattr(-,root,root)
+/%{_lib}/libaudit.*
+#/%{_lib}/libauparse.*
+%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/libaudit.*
+#%{_libdir}/libauparse.*
+%{_includedir}/libaudit.h
+%{_mandir}/man3/*
+
+%files
+%defattr(-,root,root,-)
+%doc README COPYING ChangeLog sample.rules
+%{_mandir}/man8/*
+%attr(750,root,root) /sbin/auditctl
+%attr(750,root,root) /sbin/auditd
+%attr(750,root,root) /sbin/ausearch
+%attr(750,root,root) /sbin/rcauditd
+%attr(750,root,root) /sbin/autrace
+%attr(750,root,root) /sbin/aureport
+/etc/init.d/auditd
+%dir %attr(750,root,root) /etc/audit
+%ghost /etc/auditd.conf
+%ghost /etc/audit.rules
+%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
+%config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
+/var/adm/fillup-templates/sysconfig.auditd
+%dir %attr(700,root,root) /var/log/audit
+%ghost /var/log/audit/audit.log
+
+%changelog -n audit
+* Wed Nov 29 2006 - tonyj@suse.de
+- Upgrade to 1.2.9 (drop several patches which are now upstream)
+- Move to using /etc/audit directory for config files
+* Thu Aug 31 2006 - tonyj@suse.de
+- Upgrade to 1.2.6-1
+* Sat Aug 26 2006 - olh@suse.de
+- do not define __KERNEL__ in userland apps
+- remove unused sys/syscall.h include
+* Wed Aug 16 2006 - cthiel@suse.de
+- split audit into audit and audit-libs-python
+* Fri May 05 2006 - sbeattie@suse.de
+- disable syscall audit context creation by default #172154
+* Mon Mar 20 2006 - meissner@suse.de
+- Do not print a misleading errormessage when audit
+  is not compiled into the kernel. #152733
+* Mon Mar 06 2006 - meissner@suse.de
+- On kernels without auditing, which report ECONNREFUSED,
+  do not output stuff to stderr on startup. #152733
+* Sat Feb 25 2006 - kukuk@suse.de
+- Fix moving of devel libraries, don't install .la file
+* Wed Feb 22 2006 - meissner@suse.de
+- moved libaudit.so symlink to /usr/lib and to -devel package,
+  as requested by Thorsten.
+* Fri Feb 17 2006 - meissner@suse.de
+- check sendto() return against -1 (error with errno set).
+* Wed Jan 25 2006 - mls@suse.de
+- converted neededforbuild to BuildRequires
+* Wed Jan 25 2006 - ro@suse.de
+- fix fillup call since filename != packagename
+* Tue Jan 24 2006 - ro@suse.de
+- do not skip fillup in postinstall
+* Mon Jan 23 2006 - dreynolds@suse.de
+- Modified inssrv macro args to enable on boot
+* Wed Jan 18 2006 - tonyj@suse.de
+- Add support for AppArmor (submitted upstream for 1.1.4)
+* Fri Jan 13 2006 - meissner@suse.de
+- Updated to 1.1.3.
+- Moved audispd to /usr/sbin since it uses /usr/lib/libstdc++
+- Updated sysconfig snippet.
+* Tue Nov 08 2005 - meissner@suse.de
+- upgraded to 1.0.12.
+* Fri Nov 04 2005 - kukuk@suse.de
+- Update to 1.0.9.
+* Wed Oct 12 2005 - meissner@suse.de
+- upgraded to 1.0.6. ptrdift patch now solved upstream.
+* Wed Oct 05 2005 - meissner@suse.de
+- Upgraded to 1.0.5
+* Wed Oct 05 2005 - dmueller@suse.de
+- add norootforbuild
+* Mon Sep 26 2005 - meissner@suse.de
+- Upgraded to 1.0.4.
+	- Make rate & backlog 32 bit unsigned int in auditctl
+	- In auditctl, if -F arch is given with -t option, don't require list
+	- Update auditd man page
+	- Add size check to audit_send
+	- Update message for audit_open failure when kernel doesn't support audit
+* Tue Aug 23 2005 - meissner@suse.de
+- Upgraded to 1.0.3 bugfix release:
+	- adjust file perms of newly created log file in auditd
+	- fix 2 memory leaks and an out of bounds access in auditd
+	- fix case where auditd was closing netlink descriptor too early
+	- fix watch rules not to take field arguments in auditctl
+	- fix bug where inode, devmajor, devminor, exit, and success fields in auditctl
+  rules were not getting the correct value stored
+* Wed Aug 17 2005 - meissner@suse.de
+- Added /var/log/audit directory and ghost audit.log #105131
+* Wed Aug 10 2005 - meissner@suse.de
+- Upgraded to 1.0.2
+* Thu Aug 04 2005 - meissner@suse.de
+- Upgraded to 1.0.1.
+* Mon Jul 11 2005 - meissner@suse.de
+- Update to version 0.9.16.
+* Tue Jun 21 2005 - meissner@suse.de
+- Update to version 0.9.10.
+* Fri Jun 17 2005 - meissner@suse.de
+- Update to version 0.9.7.
+* Thu Jun 16 2005 - kukuk@suse.de
+- Update to version 0.9.5
+* Tue Jun 14 2005 - ro@suse.de
+- make it build with current includes
+* Tue May 31 2005 - meissner@suse.de
+- Upgraded to 0.9.
+* Fri May 13 2005 - meissner@suse.de
+- upgraded to 0.6.8
+* Tue Apr 19 2005 - meissner@suse.de
+- Upgraded to 0.6.11.
+* Fri Apr 15 2005 - pth@suse.de
+- Make libaudit.h define pgoff_t by itself.
+- Fix a minor warning.
+* Wed Mar 30 2005 - meissner@suse.de
+- Upgraded to 0.6.9.
+* Fri Mar 04 2005 - meissner@suse.de
+- Upgraded to 0.6.5.
+* Thu Mar 03 2005 - meissner@suse.de
+- initial package of auditd for new kernel auditing system.

auditd.init

@@ -0,0 +1,207 @@
+#! /bin/sh
+# Copyright (c) 1995-2004 SUSE Linux AG, Nuernberg, Germany.
+# All rights reserved.
+#
+# Author: Kurt Garloff
+# Please send feedback to http://www.suse.de/feedback/
+#
+# /etc/init.d/auditd
+#   and its symbolic link
+# /(usr/)sbin/rcauditd
+#
+# Template system startup script for some example service/daemon auditd
+#
+# LSB compatible service control script; see http://www.linuxbase.org/spec/
+# 
+# Note: This template uses functions rc_XXX defined in /etc/rc.status on
+# UnitedLinux (UL) based Linux distributions. If you want to base your 
+# script on this template and ensure that it works on non UL based LSB 
+# compliant Linux distributions, you either have to provide the rc.status
+# functions from UL or change the script to work without them.
+#
+### BEGIN INIT INFO
+# Provides:          auditd
+# Required-Start:    $syslog 
+# Should-Start:
+# Required-Stop:     $syslog 
+# Should-Stop:
+# Default-Start:     3 5
+# Default-Stop:      0 1 2 6
+# Short-Description: auditd daemon providing core auditing services
+# Description:       Starts the auditing subsystem.
+### END INIT INFO
+# 
+# A registry has been set up to manage the init script namespace.
+# http://www.lanana.org/
+# Please use the names already registered or register one or use a
+# vendor prefix.
+
+
+# Check for missing binaries (stale symlinks should not happen)
+# Note: Special treatment of stop for LSB conformance
+AUDITD_BIN=/sbin/auditd
+test -x $AUDITD_BIN || { echo "$AUDITD_BIN not installed"; 
+	if [ "$1" = "stop" ]; then exit 0;
+	else exit 5; fi; }
+
+# Check for existence of needed config file and read it
+AUDITD_CONFIG=/etc/sysconfig/auditd
+test -r $AUDITD_CONFIG || { echo "$AUDITD_CONFIG not existing";
+	if [ "$1" = "stop" ]; then exit 0;
+	else exit 6; fi; }
+
+# Read config	
+. $AUDITD_CONFIG
+
+# Source LSB init functions
+# providing start_daemon, killproc, pidofproc, 
+# log_success_msg, log_failure_msg and log_warning_msg.
+# This is currently not used by UnitedLinux based distributions and
+# not needed for init scripts for UnitedLinux only. If it is used,
+# the functions from rc.status should not be sourced or used.
+#. /lib/lsb/init-functions
+
+# Shell functions sourced from /etc/rc.status:
+#      rc_check         check and set local and overall rc status
+#      rc_status        check and set local and overall rc status
+#      rc_status -v     be verbose in local rc status and clear it afterwards
+#      rc_status -v -r  ditto and clear both the local and overall rc status
+#      rc_status -s     display "skipped" and exit with status 3
+#      rc_status -u     display "unused" and exit with status 3
+#      rc_failed        set local and overall rc status to failed
+#      rc_failed <num>  set local and overall rc status to <num>
+#      rc_reset         clear both the local and overall rc status
+#      rc_exit          exit appropriate to overall rc status
+#      rc_active        checks whether a service is activated by symlinks
+#      rc_splash arg    sets the boot splash screen to arg (if active)
+. /etc/rc.status
+
+# Reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0	  - success
+# 1       - generic or unspecified error
+# 2       - invalid or excess argument(s)
+# 3       - unimplemented feature (e.g. "reload")
+# 4       - user had insufficient privileges
+# 5       - program is not installed
+# 6       - program is not configured
+# 7       - program is not running
+# 8--199  - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
+# 
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signaling is not supported) are
+# considered a success.
+
+case "$1" in
+    start)
+	echo -n "Starting auditd "
+	if [ "$AUDITD_DISABLE_CONTEXTS" == "yes" ] ; then 
+		EXTRAOPTIONS="$EXTRAOPTIONS -n"
+	fi
+	## Start daemon with startproc(8). If this fails
+	## the return value is set appropriately by startproc.
+	startproc $AUDITD_BIN $EXTRAOPTIONS
+	test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+
+	# Remember status and be verbose
+	rc_status -v
+	;;
+    stop)
+	echo -n "Shutting down auditd "
+	## Stop daemon with killproc(8) and if this fails
+	## killproc sets the return value according to LSB.
+
+	killproc -TERM $AUDITD_BIN
+
+	# Remember status and be verbose
+	rc_status -v
+	;;
+    try-restart|condrestart)
+	## Do a restart only if the service was active before.
+	## Note: try-restart is now part of LSB (as of 1.9).
+	## RH has a similar command named condrestart.
+	if test "$1" = "condrestart"; then
+		echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
+	fi
+	$0 status
+	if test $? = 0; then
+		$0 restart
+	else
+		rc_reset	# Not running is not a failure.
+	fi
+	# Remember status and be quiet
+	rc_status
+	;;
+    restart)
+	## Stop the service and regardless of whether it was
+	## running or not, start it again.
+	$0 stop
+	$0 start
+
+	# Remember status and be quiet
+	rc_status
+	;;
+    force-reload)
+	## Signal the daemon to reload its config. Most daemons
+	## do this on signal 1 (SIGHUP).
+	## If it does not support it, restart.
+
+	echo -n "Reload service AUDITD "
+	## if it supports it:
+	killproc -HUP $AUDITD_BIN
+	#touch /var/run/auditd.pid
+	rc_status -v
+
+	## Otherwise:
+	#$0 try-restart
+	#rc_status
+	;;
+    reload)
+	## Like force-reload, but if daemon does not support
+	## signaling, do nothing (!)
+
+	# If it supports signaling:
+	echo -n "Reload service auditd "
+	killproc -HUP $AUDITD_BIN
+	#touch /var/run/auditd.pid
+	rc_status -v
+	
+	## Otherwise if it does not support reload:
+	#rc_failed 3
+	#rc_status -v
+	;;
+    status)
+	echo -n "Checking for service auditd "
+	## Check status with checkproc(8), if process is running
+	## checkproc will return with exit status 0.
+
+	# Return value is slightly different for the status command:
+	# 0 - service up and running
+	# 1 - service dead, but /var/run/  pid  file exists
+	# 2 - service dead, but /var/lock/ lock file exists
+	# 3 - service not running (unused)
+	# 4 - service status unknown :-(
+	# 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
+	
+	# NOTE: checkproc returns LSB compliant status values.
+	checkproc $AUDITD_BIN
+	# NOTE: rc_status knows that we called this init script with
+	# "status" option and adapts its messages accordingly.
+	rc_status -v
+	;;
+    probe)
+	## Optional: Probe for the necessity of a reload, print out the
+	## argument to this init script which is required for a reload.
+	## Note: probe is not (yet) part of LSB (as of 1.9)
+
+	test /etc/audit/auditd.conf -nt /var/run/auditd.pid && echo reload
+	;;
+    *)
+	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+	exit 1
+	;;
+esac
+rc_exit

auditd.sysconfig

@@ -0,0 +1,35 @@
+## Path:        System/Auditing
+## Description: Auditing Options
+## Type:        string
+## Default:     auditd
+## ServiceReload: auditd
+## ServiceRestart: auditd
+#
+IDENT="auditd"
+# Type: string
+# Default: ""
+# Add extra options here
+EXTRAOPTIONS=""
+#
+## Type: string
+## Default: "en_US"
+#
+# This is the locale information that audit uses. Its defaulted to en_US.
+# To remove all locale information from audit's environment, set
+# AUDITD_LANG to the empty string or the string "none".
+AUDITD_LANG="en_US"
+#
+## Type: string
+## Default: "yes"
+#
+# This option is used to determine if rules & watches should be deleted on
+# shutdown. This is beneficial in most cases so that a watch doesn't linger
+# on a drive that is being unmounted. If set to no, it will NOT be cleaned up.
+AUDITD_CLEAN_STOP="yes"
+#
+## Type: yesno
+## Default: yes
+#
+# This option disables syscall auditing by default. This can also be
+# accomplished by auditctl -e.
+AUDITD_DISABLE_CONTEXTS="yes"