forked from pool/audit
4a3ef5cf8e
127 Commits
Author | SHA256 | Message | Date | |
---|---|---|---|---|
4a3ef5cf8e |
Accepting request 969286 from home:jengelh:branches:security
- Drop buildrequire on C++ compiler. (can't find anything that uses it) - Modernize specfile constructs. OBS-URL: https://build.opensuse.org/request/show/969286 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=139 |
|||
Enzo Matsumiya
|
26999f1942 |
Accepting request 965005 from home:coolo:branches:security
- Fix buildrequire for openldap2-devel - audit doesn't require the (outdated) C++ binding, but the C headers that happen to be pulled in by buildrequiring the C++ devel package OBS-URL: https://build.opensuse.org/request/show/965005 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=137 |
||
Enzo Matsumiya
|
affdcc0b01 |
Accepting request 964942 from home:ematsumiya:branches:security
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645) * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch - Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517) * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch OBS-URL: https://build.opensuse.org/request/show/964942 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=136 |
||
Enzo Matsumiya
|
8c6f875550 |
Accepting request 964336 from home:dirkmueller:Factory
- add audit-userspace-517-compat.patch OBS-URL: https://build.opensuse.org/request/show/964336 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=135 |
||
Enzo Matsumiya
|
c309536630 |
Accepting request 934558 from home:favogt:branches:security
- Use %autosetup - Don't include sample rules as %doc, they're already installed as normal files - Fix create-augenrules-service.patch: * auditd.service needs to require augenrules.service, not the other way around - Fix documentation for enable-stop-rules.patch OBS-URL: https://build.opensuse.org/request/show/934558 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=134 |
||
Enzo Matsumiya
|
4de8c602d7 |
Accepting request 930154 from home:gmbr3:Active
- Update to version 3.0.6: * fixes a segfault on some SELINUX_ERR records * makes IPX packet interpretation dependent on the ipx header file existing * adds b32/b64 support to ausyscall * adds support for armv8l * fixes auditctl list of syscalls on PPC * auditd.service now restarts auditd under some conditions - Update to version 3.0.6: * fixes a segfault on some SELINUX_ERR records * makes IPX packet interpretation dependent on the ipx header file existing * adds b32/b64 support to ausyscall * adds support for armv8l * fixes auditctl list of syscalls on PPC * auditd.service now restarts auditd under some conditions OBS-URL: https://build.opensuse.org/request/show/930154 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=133 |
||
Enzo Matsumiya
|
483b357e07 |
Accepting request 925413 from home:gmbr3:Active
- Add CONFIG parameter to %sysusers_generate_pre OBS-URL: https://build.opensuse.org/request/show/925413 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=132 |
||
Enzo Matsumiya
|
1b5f7ae8b7 |
Accepting request 925195 from home:ematsumiya:branches:security
- Create separate service for augenrules (bsc#1191614, bsc#1181400) * add create-augenrules-service.patch Remove ReadWritePaths=/etc/audit from auditd.service, also removes augenrules call from ExecStartPost. Create augenrules.service with the ReadWritePaths directive above. This makes /etc/audit only accessible by augenrules.service and let auditd.service (and daemon) to be sandboxed again. - Update audit-secondary.spec to accomodate the new service file. OBS-URL: https://build.opensuse.org/request/show/925195 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=131 |
||
Enzo Matsumiya
|
3099f73ab7 |
Accepting request 920360 from home:ematsumiya:branches:security
Use tarball from source URL. OBS-URL: https://build.opensuse.org/request/show/920360 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=130 |
||
Enzo Matsumiya
|
09b88829e8 |
Accepting request 920348 from home:ematsumiya:branches:security
- Fix hardened auditd.service (bsc#1181400) * add fix-hardened-service.patch Make /etc/audit read-write from the service. Remove PrivateDevices=true to expose /dev/* to auditd.service. - Enable stop rules for audit.service (cf. bsc#1190227) * add enable-stop-rules.patch - Change default log_format from ENRICHED to RAW (bsc#1190500): * add change-default-log_format.patch (SUSE-specific patch) - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs - Update to version 3.0.5: * In auditd, flush uid/gid caches when user/group added/deleted/modified * Fixed various issues when dealing with corrupted logs * In auditd, check if log_file is valid before closing handle - Include fixed from 3.0.4: * Apply performance speedups to auparse library * Optimize rule loading in auditctl * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath * Update syscall table to the 5.14 kernel * Fixed various issues when dealing with corrupted logs OBS-URL: https://build.opensuse.org/request/show/920348 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129 |
||
0e616b4165 |
- harden_auditd.service.patch: automatic hardening applied to systemd
services OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=128 |
|||
127262eccc |
Accepting request 911452 from home:jsegitz:branches:systemdhardening:security
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort OBS-URL: https://build.opensuse.org/request/show/911452 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=127 |
|||
d083951a31 |
- use https source urls
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=126 |
|||
ebf7ab7764 |
- use https source urls
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=125 |
|||
97e319769c |
Accepting request 909447 from home:ematsumiya:branches:security
- Update to version 3.0.3: * Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids * Change auparse_feed_has_data in auparse to include incomplete events * Auditd, stop linking against -lrt * Add ProtectHome and RestrictRealtime to auditd.service * In auditd, read up to 3 netlink packets in a row * In auditd, do not validate path to plugin unless active * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists OBS-URL: https://build.opensuse.org/request/show/909447 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=124 |
|||
Enzo Matsumiya
|
5810f8940b |
Accepting request 900606 from home:ematsumiya:branches:security
- Adjust audit.spec and audit-secondary.spec to support new version - Include fix for libev * add libev-werror.patch - Update to version 3.0.2 - In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen) - Optionally interpret auid in auditctl -l - Update some syscall argument interpretations - In auditd, do not allow spaces in the hostname name format - Big documentation cleanup (MIZUTA Takeshi) - Update syscall table to the 5.12 kernel - Update the auparse normalizer for new event types - Fix compiler warnings in ids subsystem - Block a couple signals from flush & reconfigure threads - In auditd, don't wait on flush thread when exiting - Output error message if the path of input files are too long ausearch/report Included fixes from 3.0.1 - Update syscall table to the 5.11 kernel - Add new --eoe-timeout option to ausearch and aureport (Burn Alting) - Only enable periodic timers when listening on the network - Upgrade libev to 4.33 - Add auparse_new_buffer function to auparse library - Use the select libev backend unless aggregating events - Add sudoers to some base audit rules - Update the auparse normalizer for some new syscalls and event types Included fixes from 3.0 - Generate checkpoint file even when no results are returned (Burn Alting) - Fix log file creation when file logging is disabled entirely (Vlad Glagolev) - Convert auparse_test to run with python3 (Tomáš Chvátal) - Drop support for prelude - Adjust backlog_wait_time in rules to the kernel default (#1482848) - Remove ids key syntax checking of rules in auditctl - Use SIGCONT to dump auditd internal state (#1504251) - Fix parsing of virtual timestamp fields in ausearch_expression (#1515903) - Fix parsing of uid & success for ausearch - Add support for not equal operator in audit by executable (Ondrej Mosnacek) - Hide lru symbols in auparse - Add systemd process protections - Fix aureport summary time range reporting - Allow unlimited retries on startup for remote logging - Add queue_depth to remote logging stats and increase default queue_depth size - Fix segfault on shutdown - Merge auditd and audispd code - Close on execute init_pipe fd (#1587995) - Breakout audisp syslog plugin to be standalone program - Create a common internal library to reduce code - Move all audispd config files under /etc/audit/ - Move audispd.conf settings into auditd.conf - Add queue depth statistics to internal state dump report - Add network statistics to internal state dump report - SIGUSR now also restarts queue processing if its suspended - Update lookup tables for the 4.18 kernel - Add auparse_normalizer support for SOFTWARE_UPDATE event - Add 30-ospp-v42.rules to meet new Common Criteria requirements - Deprecate enable_krb and replace with transport config opt for remote logging - Mark netlabel events as simple events so that get processed quicker - When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) - In aureport, fix segfault in file report - Add auparse_normalizer support for labeled networking events - Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) - In ausearch/auparse, event aging is off by a second - In ausearch/auparse, correct event ordering to process oldest first - Migrate auparse python test to python3 - auparse_reset was not clearing everything it should - Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events - In ausearch/report, lightly parse selinux portion of USER_AVC events - Add bpf syscall command argument interpretation to auparse - In ausearch/report, limit record size when malformed - Port af_unix plugin to libev - In auditd, fix extract_type function for network originating events - In auditd, calculate right size and location for network originating events - Make legacy script wait for auditd to terminate (#1643567) - Treat all network originating events as VER2 so dispatcher doesn't format it - If an event has a node name make it VER2 so dispatcher doesnt format it - In audisp-remote do an initial connection attempt (#1625156) - In auditd, allow expression of space left as a percentage (#1650670) - On PPC64LE systems, only allow 64 bit rules (#1462178) - Make some parts of auditd state report optional based on config - Update to libev-4.25 - Fix ausearch when checkpointing a single file (Burn Alting) - Fix scripting in 31-privileged.rules wrt filecap (#1662516) - In ausearch, do not checkpt if stdin is input source - In libev, remove __cold__ attribute for functions to allow proper hardening - Add tests to configure.ac for openldap support - Make systemd support files use /run rather than /var/run (Christian Hesse) - Fix minor memory leak in auditd kerberos credentials code - Allow exclude and user filter by executable name (Ondrej Mosnacek) - Fix auditd regression where keep_logs is limited by rotate_logs 2 file test - In ausearch/report fix --end to use midnight time instead of now (#1671338) - Add substitue functions for strndupa & rawmemchr - Fix memleak in auparse caused by corrected event ordering - Fix legacy reload script to reload audit rules when daemon is reloaded - Support for unescaping in trusted messages (Dmitry Voronin) - In auditd, use standard template for DEAMON events (Richard Guy Briggs) - In aureport, fix segfault for malformed USER_CMD events - Add exe field to audit_log_user_command in libaudit - In auditctl support filter on socket address families (Richard Guy Briggs) - Deprecate support for Alpha & IA64 processors - If space_left_action is rotate, allow it every time (#1718444) - In auparse, drop standalone EOE events - Add milliseconds column for ausearch extra time csv format - Fix aureport first event reporting when no start given - In audisp-remote, add new config item for startup connection errors - Remove dependency on chkconfig - Install rules to /usr/share/audit/sample-rules/ - Split up ospp rules to make SCAP scanning easier (#1746018) - In audisp-syslog, support interpreting records (#1497279) - Audit USER events now sends msg as name value pair - Add support for AUDIT_BPF event - Auditd should not process AUDIT_REPLACE events - Update syscall tables to the 5.5 kernel - Improve personality interpretation by using PERS_MASK - Speedup ausearch/report parsing RAW logging format by caching uid/name lookup - Change auparse python bindings to shared object (Issue #121) - Add error messages for watch permissions - If audit rules file doesn't exist log error message instead of info message - Revise error message for unmatched options in auditctl - In audisp-remote, fixup remote endpoint disappearin in ascii format - Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander) - In auditctl, add support for sending a signal to auditd - Removes audit-fno-common.patch: fixed in upstream - Removes audit-python3.patch: fixed in upstream OBS-URL: https://build.opensuse.org/request/show/900606 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=122 |
||
Enzo Matsumiya
|
51c3a9728b |
Accepting request 900442 from home:ematsumiya:branches:security
- Adjust audit.spec and audit-secondary.spec to support new version - Include fix for libev * add libev-werror.patch - Update to version 3.0.2 - In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen) - Optionally interpret auid in auditctl -l - Update some syscall argument interpretations - In auditd, do not allow spaces in the hostname name format - Big documentation cleanup (MIZUTA Takeshi) - Update syscall table to the 5.12 kernel - Update the auparse normalizer for new event types - Fix compiler warnings in ids subsystem - Block a couple signals from flush & reconfigure threads - In auditd, don't wait on flush thread when exiting - Output error message if the path of input files are too long ausearch/report Included fixes from 3.0.1 - Update syscall table to the 5.11 kernel - Add new --eoe-timeout option to ausearch and aureport (Burn Alting) - Only enable periodic timers when listening on the network - Upgrade libev to 4.33 - Add auparse_new_buffer function to auparse library - Use the select libev backend unless aggregating events - Add sudoers to some base audit rules - Update the auparse normalizer for some new syscalls and event types Included fixes from 3.0 - Generate checkpoint file even when no results are returned (Burn Alting) - Fix log file creation when file logging is disabled entirely (Vlad Glagolev) - Convert auparse_test to run with python3 (Tomáš Chvátal) - Drop support for prelude - Adjust backlog_wait_time in rules to the kernel default (#1482848) - Remove ids key syntax checking of rules in auditctl - Use SIGCONT to dump auditd internal state (#1504251) - Fix parsing of virtual timestamp fields in ausearch_expression (#1515903) - Fix parsing of uid & success for ausearch - Add support for not equal operator in audit by executable (Ondrej Mosnacek) - Hide lru symbols in auparse - Add systemd process protections - Fix aureport summary time range reporting - Allow unlimited retries on startup for remote logging - Add queue_depth to remote logging stats and increase default queue_depth size - Fix segfault on shutdown - Merge auditd and audispd code - Close on execute init_pipe fd (#1587995) - Breakout audisp syslog plugin to be standalone program - Create a common internal library to reduce code - Move all audispd config files under /etc/audit/ - Move audispd.conf settings into auditd.conf - Add queue depth statistics to internal state dump report - Add network statistics to internal state dump report - SIGUSR now also restarts queue processing if its suspended - Update lookup tables for the 4.18 kernel - Add auparse_normalizer support for SOFTWARE_UPDATE event - Add 30-ospp-v42.rules to meet new Common Criteria requirements - Deprecate enable_krb and replace with transport config opt for remote logging - Mark netlabel events as simple events so that get processed quicker - When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) - In aureport, fix segfault in file report - Add auparse_normalizer support for labeled networking events - Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) - In ausearch/auparse, event aging is off by a second - In ausearch/auparse, correct event ordering to process oldest first - Migrate auparse python test to python3 - auparse_reset was not clearing everything it should - Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events - In ausearch/report, lightly parse selinux portion of USER_AVC events - Add bpf syscall command argument interpretation to auparse - In ausearch/report, limit record size when malformed - Port af_unix plugin to libev - In auditd, fix extract_type function for network originating events - In auditd, calculate right size and location for network originating events - Make legacy script wait for auditd to terminate (#1643567) - Treat all network originating events as VER2 so dispatcher doesn't format it - If an event has a node name make it VER2 so dispatcher doesnt format it - In audisp-remote do an initial connection attempt (#1625156) - In auditd, allow expression of space left as a percentage (#1650670) - On PPC64LE systems, only allow 64 bit rules (#1462178) - Make some parts of auditd state report optional based on config - Update to libev-4.25 - Fix ausearch when checkpointing a single file (Burn Alting) - Fix scripting in 31-privileged.rules wrt filecap (#1662516) - In ausearch, do not checkpt if stdin is input source - In libev, remove __cold__ attribute for functions to allow proper hardening - Add tests to configure.ac for openldap support - Make systemd support files use /run rather than /var/run (Christian Hesse) - Fix minor memory leak in auditd kerberos credentials code - Allow exclude and user filter by executable name (Ondrej Mosnacek) - Fix auditd regression where keep_logs is limited by rotate_logs 2 file test - In ausearch/report fix --end to use midnight time instead of now (#1671338) - Add substitue functions for strndupa & rawmemchr - Fix memleak in auparse caused by corrected event ordering - Fix legacy reload script to reload audit rules when daemon is reloaded - Support for unescaping in trusted messages (Dmitry Voronin) - In auditd, use standard template for DEAMON events (Richard Guy Briggs) - In aureport, fix segfault for malformed USER_CMD events - Add exe field to audit_log_user_command in libaudit - In auditctl support filter on socket address families (Richard Guy Briggs) - Deprecate support for Alpha & IA64 processors - If space_left_action is rotate, allow it every time (#1718444) - In auparse, drop standalone EOE events - Add milliseconds column for ausearch extra time csv format - Fix aureport first event reporting when no start given - In audisp-remote, add new config item for startup connection errors - Remove dependency on chkconfig - Install rules to /usr/share/audit/sample-rules/ - Split up ospp rules to make SCAP scanning easier (#1746018) - In audisp-syslog, support interpreting records (#1497279) - Audit USER events now sends msg as name value pair - Add support for AUDIT_BPF event - Auditd should not process AUDIT_REPLACE events - Update syscall tables to the 5.5 kernel - Improve personality interpretation by using PERS_MASK - Speedup ausearch/report parsing RAW logging format by caching uid/name lookup - Change auparse python bindings to shared object (Issue #121) - Add error messages for watch permissions - If audit rules file doesn't exist log error message instead of info message - Revise error message for unmatched options in auditctl - In audisp-remote, fixup remote endpoint disappearin in ascii format - Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander) - In auditctl, add support for sending a signal to auditd - Removes audit-fno-common.patch: fixed in upstream - Removes audit-python3.patch: fixed in upstream OBS-URL: https://build.opensuse.org/request/show/900442 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=121 |
||
Enzo Matsumiya
|
827fffa884 |
Accepting request 900437 from home:ematsumiya:branches:security
Mention libev patch in changelogs OBS-URL: https://build.opensuse.org/request/show/900437 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=120 |
||
Enzo Matsumiya
|
0ee158a589 |
Accepting request 900434 from home:ematsumiya:branches:security
- Adjust spec files to support new version - Include one fix for libev - Update to version 3.0.2 - In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen) - Optionally interpret auid in auditctl -l - Update some syscall argument interpretations - In auditd, do not allow spaces in the hostname name format - Big documentation cleanup (MIZUTA Takeshi) - Update syscall table to the 5.12 kernel - Update the auparse normalizer for new event types - Fix compiler warnings in ids subsystem - Block a couple signals from flush & reconfigure threads - In auditd, don't wait on flush thread when exiting - Output error message if the path of input files are too long ausearch/report Included fixes from 3.0.1 - Update syscall table to the 5.11 kernel - Add new --eoe-timeout option to ausearch and aureport (Burn Alting) - Only enable periodic timers when listening on the network - Upgrade libev to 4.33 - Add auparse_new_buffer function to auparse library - Use the select libev backend unless aggregating events - Add sudoers to some base audit rules - Update the auparse normalizer for some new syscalls and event types Included fixes from 3.0 - Generate checkpoint file even when no results are returned (Burn Alting) - Fix log file creation when file logging is disabled entirely (Vlad Glagolev) - Convert auparse_test to run with python3 (Tomáš Chvátal) - Drop support for prelude - Adjust backlog_wait_time in rules to the kernel default (#1482848) - Remove ids key syntax checking of rules in auditctl - Use SIGCONT to dump auditd internal state (#1504251) - Fix parsing of virtual timestamp fields in ausearch_expression (#1515903) - Fix parsing of uid & success for ausearch - Add support for not equal operator in audit by executable (Ondrej Mosnacek) - Hide lru symbols in auparse - Add systemd process protections - Fix aureport summary time range reporting - Allow unlimited retries on startup for remote logging - Add queue_depth to remote logging stats and increase default queue_depth size - Fix segfault on shutdown - Merge auditd and audispd code - Close on execute init_pipe fd (#1587995) - Breakout audisp syslog plugin to be standalone program - Create a common internal library to reduce code - Move all audispd config files under /etc/audit/ - Move audispd.conf settings into auditd.conf - Add queue depth statistics to internal state dump report - Add network statistics to internal state dump report - SIGUSR now also restarts queue processing if its suspended - Update lookup tables for the 4.18 kernel - Add auparse_normalizer support for SOFTWARE_UPDATE event - Add 30-ospp-v42.rules to meet new Common Criteria requirements - Deprecate enable_krb and replace with transport config opt for remote logging - Mark netlabel events as simple events so that get processed quicker - When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) - In aureport, fix segfault in file report - Add auparse_normalizer support for labeled networking events - Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) - In ausearch/auparse, event aging is off by a second - In ausearch/auparse, correct event ordering to process oldest first - Migrate auparse python test to python3 - auparse_reset was not clearing everything it should - Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events - In ausearch/report, lightly parse selinux portion of USER_AVC events - Add bpf syscall command argument interpretation to auparse - In ausearch/report, limit record size when malformed - Port af_unix plugin to libev - In auditd, fix extract_type function for network originating events - In auditd, calculate right size and location for network originating events - Make legacy script wait for auditd to terminate (#1643567) - Treat all network originating events as VER2 so dispatcher doesn't format it - If an event has a node name make it VER2 so dispatcher doesnt format it - In audisp-remote do an initial connection attempt (#1625156) - In auditd, allow expression of space left as a percentage (#1650670) - On PPC64LE systems, only allow 64 bit rules (#1462178) - Make some parts of auditd state report optional based on config - Update to libev-4.25 - Fix ausearch when checkpointing a single file (Burn Alting) - Fix scripting in 31-privileged.rules wrt filecap (#1662516) - In ausearch, do not checkpt if stdin is input source - In libev, remove __cold__ attribute for functions to allow proper hardening - Add tests to configure.ac for openldap support - Make systemd support files use /run rather than /var/run (Christian Hesse) - Fix minor memory leak in auditd kerberos credentials code - Allow exclude and user filter by executable name (Ondrej Mosnacek) - Fix auditd regression where keep_logs is limited by rotate_logs 2 file test - In ausearch/report fix --end to use midnight time instead of now (#1671338) - Add substitue functions for strndupa & rawmemchr - Fix memleak in auparse caused by corrected event ordering - Fix legacy reload script to reload audit rules when daemon is reloaded - Support for unescaping in trusted messages (Dmitry Voronin) - In auditd, use standard template for DEAMON events (Richard Guy Briggs) - In aureport, fix segfault for malformed USER_CMD events - Add exe field to audit_log_user_command in libaudit - In auditctl support filter on socket address families (Richard Guy Briggs) - Deprecate support for Alpha & IA64 processors - If space_left_action is rotate, allow it every time (#1718444) - In auparse, drop standalone EOE events - Add milliseconds column for ausearch extra time csv format - Fix aureport first event reporting when no start given - In audisp-remote, add new config item for startup connection errors - Remove dependency on chkconfig - Install rules to /usr/share/audit/sample-rules/ - Split up ospp rules to make SCAP scanning easier (#1746018) - In audisp-syslog, support interpreting records (#1497279) - Audit USER events now sends msg as name value pair - Add support for AUDIT_BPF event - Auditd should not process AUDIT_REPLACE events - Update syscall tables to the 5.5 kernel - Improve personality interpretation by using PERS_MASK - Speedup ausearch/report parsing RAW logging format by caching uid/name lookup - Change auparse python bindings to shared object (Issue #121) - Add error messages for watch permissions - If audit rules file doesn't exist log error message instead of info message - Revise error message for unmatched options in auditctl - In audisp-remote, fixup remote endpoint disappearin in ascii format - Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander) - In auditctl, add support for sending a signal to auditd - Remove audit-fno-common.patch: fixed in upstream - Remove audit-python3.patch: fixed in upstream old: security/audit new: home:ematsumiya:branches:security/audit rev None Index: audit-no-gss.patch =================================================================== --- audit-no-gss.patch (revision 118) +++ audit-no-gss.patch (revision 17) @@ -11,11 +11,12 @@ --- a/init.d/auditd.conf +++ b/init.d/auditd.conf -@@ -30,7 +30,4 @@ tcp_listen_queue = 5 - tcp_max_per_addr = 1 +@@ -30,8 +30,6 @@ tcp_max_per_addr = 1 ##tcp_client_ports = 1024-65535 tcp_client_max_idle = 0 --enable_krb5 = no + transport = TCP -krb5_principal = auditd -##krb5_key_file = /etc/audit/audit.key distribute_network = no + q_depth = 400 + overflow_action = SYSLOG Index: audit-plugins-path.patch =================================================================== --- audit-plugins-path.patch (revision 118) +++ audit-plugins-path.patch (revision 17) @@ -5,19 +5,8 @@ Adjust location of plugins built by audit-secondary. These should never have been in /sbin plus some (for SUSE) require lib dependancies on /usr/lib ---- audit-1.7.2/audisp/plugins/prelude/au-prelude.conf.orig 2008-04-23 11:56:11.946681000 +0200 -+++ audit-1.7.2/audisp/plugins/prelude/au-prelude.conf 2008-04-23 11:56:22.789827000 +0200 -@@ -5,7 +5,7 @@ - - active = no - direction = out --path = /sbin/audisp-prelude -+path = /usr/sbin/audisp-prelude - type = always - #args = - format = string ---- audit-1.7.2/audisp/plugins/remote/au-remote.conf.orig 2008-04-23 11:56:11.976660000 +0200 -+++ audit-1.7.2/audisp/plugins/remote/au-remote.conf 2008-04-23 11:56:30.958657000 +0200 +--- a/audisp/plugins/remote/au-remote.conf ++++ b/audisp/plugins/remote/au-remote.conf @@ -5,7 +5,7 @@ active = no @@ -27,8 +16,8 @@ type = always #args = format = string ---- audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf.orig 2008-04-23 11:56:11.993637000 +0200 -+++ audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf 2008-04-23 11:56:40.533070000 +0200 +--- a/audisp/plugins/zos-remote/audispd-zos-remote.conf ++++ b/audisp/plugins/zos-remote/audispd-zos-remote.conf @@ -8,7 +8,7 @@ active = no @@ -36,5 +25,5 @@ -path = /sbin/audispd-zos-remote +path = /usr/sbin/audispd-zos-remote type = always - args = /etc/audisp/zos-remote.conf + args = /etc/audit/zos-remote.conf format = string Index: audit-secondary.changes =================================================================== --- audit-secondary.changes (revision 118) +++ audit-secondary.changes (revision 17) @@ -1,4 +1,129 @@ ------------------------------------------------------------------- +Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com> + +- Update to version 3.0.2 +- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen) +- Optionally interpret auid in auditctl -l +- Update some syscall argument interpretations +- In auditd, do not allow spaces in the hostname name format +- Big documentation cleanup (MIZUTA Takeshi) +- Update syscall table to the 5.12 kernel +- Update the auparse normalizer for new event types +- Fix compiler warnings in ids subsystem +- Block a couple signals from flush & reconfigure threads +- In auditd, don't wait on flush thread when exiting +- Output error message if the path of input files are too long ausearch/report + +Included fixes from 3.0.1 +- Update syscall table to the 5.11 kernel +- Add new --eoe-timeout option to ausearch and aureport (Burn Alting) +- Only enable periodic timers when listening on the network +- Upgrade libev to 4.33 +- Add auparse_new_buffer function to auparse library +- Use the select libev backend unless aggregating events +- Add sudoers to some base audit rules +- Update the auparse normalizer for some new syscalls and event types + +Included fixes from 3.0 +- Generate checkpoint file even when no results are returned (Burn Alting) +- Fix log file creation when file logging is disabled entirely (Vlad Glagolev) +- Convert auparse_test to run with python3 (Tomáš Chvátal) +- Drop support for prelude +- Adjust backlog_wait_time in rules to the kernel default (#1482848) +- Remove ids key syntax checking of rules in auditctl +- Use SIGCONT to dump auditd internal state (#1504251) +- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903) +- Fix parsing of uid & success for ausearch +- Add support for not equal operator in audit by executable (Ondrej Mosnacek) +- Hide lru symbols in auparse +- Add systemd process protections +- Fix aureport summary time range reporting +- Allow unlimited retries on startup for remote logging +- Add queue_depth to remote logging stats and increase default queue_depth size +- Fix segfault on shutdown +- Merge auditd and audispd code +- Close on execute init_pipe fd (#1587995) +- Breakout audisp syslog plugin to be standalone program +- Create a common internal library to reduce code +- Move all audispd config files under /etc/audit/ +- Move audispd.conf settings into auditd.conf +- Add queue depth statistics to internal state dump report +- Add network statistics to internal state dump report +- SIGUSR now also restarts queue processing if its suspended +- Update lookup tables for the 4.18 kernel +- Add auparse_normalizer support for SOFTWARE_UPDATE event +- Add 30-ospp-v42.rules to meet new Common Criteria requirements +- Deprecate enable_krb and replace with transport config opt for remote logging +- Mark netlabel events as simple events so that get processed quicker +- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) +- In aureport, fix segfault in file report +- Add auparse_normalizer support for labeled networking events +- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) +- In ausearch/auparse, event aging is off by a second +- In ausearch/auparse, correct event ordering to process oldest first +- Migrate auparse python test to python3 +- auparse_reset was not clearing everything it should +- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events +- In ausearch/report, lightly parse selinux portion of USER_AVC events +- Add bpf syscall command argument interpretation to auparse +- In ausearch/report, limit record size when malformed +- Port af_unix plugin to libev +- In auditd, fix extract_type function for network originating events +- In auditd, calculate right size and location for network originating events +- Make legacy script wait for auditd to terminate (#1643567) +- Treat all network originating events as VER2 so dispatcher doesn't format it +- If an event has a node name make it VER2 so dispatcher doesnt format it +- In audisp-remote do an initial connection attempt (#1625156) +- In auditd, allow expression of space left as a percentage (#1650670) +- On PPC64LE systems, only allow 64 bit rules (#1462178) +- Make some parts of auditd state report optional based on config +- Update to libev-4.25 +- Fix ausearch when checkpointing a single file (Burn Alting) +- Fix scripting in 31-privileged.rules wrt filecap (#1662516) +- In ausearch, do not checkpt if stdin is input source +- In libev, remove __cold__ attribute for functions to allow proper hardening +- Add tests to configure.ac for openldap support +- Make systemd support files use /run rather than /var/run (Christian Hesse) +- Fix minor memory leak in auditd kerberos credentials code +- Allow exclude and user filter by executable name (Ondrej Mosnacek) +- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test +- In ausearch/report fix --end to use midnight time instead of now (#1671338) +- Add substitue functions for strndupa & rawmemchr +- Fix memleak in auparse caused by corrected event ordering +- Fix legacy reload script to reload audit rules when daemon is reloaded +- Support for unescaping in trusted messages (Dmitry Voronin) +- In auditd, use standard template for DEAMON events (Richard Guy Briggs) +- In aureport, fix segfault for malformed USER_CMD events +- Add exe field to audit_log_user_command in libaudit +- In auditctl support filter on socket address families (Richard Guy Briggs) +- Deprecate support for Alpha & IA64 processors +- If space_left_action is rotate, allow it every time (#1718444) +- In auparse, drop standalone EOE events +- Add milliseconds column for ausearch extra time csv format +- Fix aureport first event reporting when no start given +- In audisp-remote, add new config item for startup connection errors +- Remove dependency on chkconfig +- Install rules to /usr/share/audit/sample-rules/ +- Split up ospp rules to make SCAP scanning easier (#1746018) +- In audisp-syslog, support interpreting records (#1497279) +- Audit USER events now sends msg as name value pair +- Add support for AUDIT_BPF event +- Auditd should not process AUDIT_REPLACE events +- Update syscall tables to the 5.5 kernel +- Improve personality interpretation by using PERS_MASK +- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup +- Change auparse python bindings to shared object (Issue #121) +- Add error messages for watch permissions +- If audit rules file doesn't exist log error message instead of info message +- Revise error message for unmatched options in auditctl +- In audisp-remote, fixup remote endpoint disappearin in ascii format +- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander) +- In auditctl, add support for sending a signal to auditd + +- Removes audit-fno-common.patch: fixed in upstream +- Removes audit-python3.patch: fixed in upstream + +------------------------------------------------------------------- Mon Feb 1 18:13:18 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org> - Do not explicitly provide group(audit) in system-users-audit: @@ -24,7 +149,7 @@ ------------------------------------------------------------------- Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com> -- Update to version 2.6.5: +- Update to version 2.8.5: * Fix segfault on shutdown * Fix hang on startup (#1587995) * Add sleep to script to dump state so file is ready when needed Index: audit-secondary.spec =================================================================== --- audit-secondary.spec (revision 118) +++ audit-secondary.spec (revision 17) @@ -22,7 +22,7 @@ # The seperation is required to minimize unnecessary build cycles. %define _name audit Name: audit-secondary -Version: 2.8.5 +Version: 3.0.2 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -34,9 +34,8 @@ Patch2: audit-no-gss.patch Patch3: audit-allow-manual-stop.patch Patch4: audit-ausearch-do-not-require-tclass.patch -Patch5: audit-python3.patch -Patch6: audit-fno-common.patch -Patch7: change-default-log_group.patch +Patch5: change-default-log_group.patch +Patch6: libev-werror.patch BuildRequires: audit-devel = %{version} BuildRequires: autoconf >= 2.12 BuildRequires: gcc-c++ @@ -55,6 +54,7 @@ BuildRequires: sysuser-tools BuildRequires: tcpd-devel BuildRequires: pkgconfig(libcap-ng) +Provides: bundled(libev) = 4.33 %description The audit package contains the user space utilities for storing and @@ -127,14 +127,13 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 %if %{without python2} && %{with python3} # Fix python env call in tests if we only have Python3. # If both versions are present, python2 bindings are preferred by the tests and # unconditionally using /usr/bin/python3 breaks the tests # Probably the correct solution is to run the tests twice if both are present. -sed -i -e 's:#!/usr/bin/env python:#!/usr/bin/python3:g' auparse/test/auparse_test.py +perl -i -lpe 's{#!/usr/bin/env python\S+}{#!/usr/bin/python3}' auparse/test/auparse_test.py %endif %build @@ -144,15 +143,18 @@ export LDFLAGS="-Wl,-z,relro,-z,now" # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch %configure \ +%ifarch aarch64 + --with-aarch64 \ +%endif --enable-systemd \ --libexecdir=%{_libexecdir}/%{_name} \ --with-apparmor \ --with-libwrap \ --with-libcap-ng=yes \ -%ifarch aarch64 - --with-aarch64 \ -%endif - --disable-static + --disable-static \ + %{?_with_python3} \ + %{?_without_python} + make %{?_smp_mflags} %sysusers_generate_pre %{SOURCE1} audit @@ -197,7 +199,7 @@ #USR-MERGE %if !0%{?usrmerged} mkdir %{buildroot}/sbin/ -for prog in auditctl auditd ausearch autrace audispd aureport augenrules; do +for prog in auditctl auditd ausearch autrace aureport augenrules; do ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog done %endif @@ -235,8 +237,7 @@ %files -n audit %license COPYING -%doc README ChangeLog rules/[0-9]* rules/README-rules init.d/auditd.cron -%attr(644,root,root) %{_mandir}/man8/audispd.8.gz +%doc README ChangeLog rules init.d/auditd.cron %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz %attr(644,root,root) %{_mandir}/man8/auditd.8.gz %attr(644,root,root) %{_mandir}/man8/aureport.8.gz @@ -247,7 +248,6 @@ %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz %attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz -%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz @@ -256,7 +256,6 @@ /sbin/auditd /sbin/ausearch /sbin/autrace -/sbin/audispd /sbin/augenrules /sbin/aureport %endif @@ -265,29 +264,28 @@ %attr(755,root,root) %{_sbindir}/ausearch %attr(750,root,root) %{_sbindir}/autrace %attr(750,root,root) %{_sbindir}/augenrules -%attr(750,root,root) %{_sbindir}/audispd +%attr(750,root,root) %{_sbindir}/audisp-syslog %attr(755,root,root) %{_bindir}/aulast %attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/ausyscall %attr(755,root,root) %{_sbindir}/aureport %attr(755,root,root) %{_bindir}/auvirt %dir %attr(750,root,root) %{_sysconfdir}/audit -%attr(750,root,root) %dir %{_sysconfdir}/audisp -%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/af_unix.conf -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/syslog.conf +%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf %ghost %{_sysconfdir}/auditd.conf %ghost %{_sysconfdir}/audit.rules %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf %dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audispd.conf %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules %dir %attr(750,root,audit) %{_localstatedir}/log/audit %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log %dir %attr(700,root,root) %{_localstatedir}/spool/audit %{_unitdir}/auditd.service %{_sbindir}/rcauditd +%{_datadir}/audit/ %files -n system-group-audit %{_sysusersdir}/system-group-audit.conf @@ -301,23 +299,24 @@ %if %{with python3} %files -n python3-audit -%attr(755,root,root) %{python3_sitearch}/_audit.so -%attr(755,root,root) %{python3_sitearch}/auparse.so -%{python3_sitearch}/audit.py* +%defattr(-,root,root,-) +%attr(755,root,root) %{python3_sitearch}/* %endif %files -n audit-audispd-plugins %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz %attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz +%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz -%attr(750,root,root) %dir %{_sysconfdir}/audisp -%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/audispd-zos-remote.conf -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/zos-remote.conf +%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz +%attr(750,root,root) %dir %{_sysconfdir}/audit +%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf %attr(750,root,root) %{_sbindir}/audisp-remote %attr(750,root,root) %{_sbindir}/audispd-zos-remote -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audisp-remote.conf -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/au-remote.conf +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf %changelog Index: audit.changes =================================================================== --- audit.changes (revision 118) +++ audit.changes (revision 17) @@ -1,4 +1,129 @@ ------------------------------------------------------------------- +Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com> + +- Update to version 3.0.2 +- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen) +- Optionally interpret auid in auditctl -l +- Update some syscall argument interpretations +- In auditd, do not allow spaces in the hostname name format +- Big documentation cleanup (MIZUTA Takeshi) +- Update syscall table to the 5.12 kernel +- Update the auparse normalizer for new event types +- Fix compiler warnings in ids subsystem +- Block a couple signals from flush & reconfigure threads +- In auditd, don't wait on flush thread when exiting +- Output error message if the path of input files are too long ausearch/report + +Included fixes from 3.0.1 +- Update syscall table to the 5.11 kernel +- Add new --eoe-timeout option to ausearch and aureport (Burn Alting) +- Only enable periodic timers when listening on the network +- Upgrade libev to 4.33 +- Add auparse_new_buffer function to auparse library +- Use the select libev backend unless aggregating events +- Add sudoers to some base audit rules +- Update the auparse normalizer for some new syscalls and event types + +Included fixes from 3.0 +- Generate checkpoint file even when no results are returned (Burn Alting) +- Fix log file creation when file logging is disabled entirely (Vlad Glagolev) +- Convert auparse_test to run with python3 (Tomáš Chvátal) +- Drop support for prelude +- Adjust backlog_wait_time in rules to the kernel default (#1482848) +- Remove ids key syntax checking of rules in auditctl +- Use SIGCONT to dump auditd internal state (#1504251) +- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903) +- Fix parsing of uid & success for ausearch +- Add support for not equal operator in audit by executable (Ondrej Mosnacek) +- Hide lru symbols in auparse +- Add systemd process protections +- Fix aureport summary time range reporting +- Allow unlimited retries on startup for remote logging +- Add queue_depth to remote logging stats and increase default queue_depth size +- Fix segfault on shutdown +- Merge auditd and audispd code +- Close on execute init_pipe fd (#1587995) +- Breakout audisp syslog plugin to be standalone program +- Create a common internal library to reduce code +- Move all audispd config files under /etc/audit/ +- Move audispd.conf settings into auditd.conf +- Add queue depth statistics to internal state dump report +- Add network statistics to internal state dump report +- SIGUSR now also restarts queue processing if its suspended +- Update lookup tables for the 4.18 kernel +- Add auparse_normalizer support for SOFTWARE_UPDATE event +- Add 30-ospp-v42.rules to meet new Common Criteria requirements +- Deprecate enable_krb and replace with transport config opt for remote logging +- Mark netlabel events as simple events so that get processed quicker +- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) +- In aureport, fix segfault in file report +- Add auparse_normalizer support for labeled networking events +- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) +- In ausearch/auparse, event aging is off by a second +- In ausearch/auparse, correct event ordering to process oldest first +- Migrate auparse python test to python3 +- auparse_reset was not clearing everything it should +- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events +- In ausearch/report, lightly parse selinux portion of USER_AVC events +- Add bpf syscall command argument interpretation to auparse +- In ausearch/report, limit record size when malformed +- Port af_unix plugin to libev +- In auditd, fix extract_type function for network originating events +- In auditd, calculate right size and location for network originating events +- Make legacy script wait for auditd to terminate (#1643567) +- Treat all network originating events as VER2 so dispatcher doesn't format it +- If an event has a node name make it VER2 so dispatcher doesnt format it +- In audisp-remote do an initial connection attempt (#1625156) +- In auditd, allow expression of space left as a percentage (#1650670) +- On PPC64LE systems, only allow 64 bit rules (#1462178) +- Make some parts of auditd state report optional based on config +- Update to libev-4.25 +- Fix ausearch when checkpointing a single file (Burn Alting) +- Fix scripting in 31-privileged.rules wrt filecap (#1662516) +- In ausearch, do not checkpt if stdin is input source +- In libev, remove __cold__ attribute for functions to allow proper hardening +- Add tests to configure.ac for openldap support +- Make systemd support files use /run rather than /var/run (Christian Hesse) +- Fix minor memory leak in auditd kerberos credentials code +- Allow exclude and user filter by executable name (Ondrej Mosnacek) +- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test +- In ausearch/report fix --end to use midnight time instead of now (#1671338) +- Add substitue functions for strndupa & rawmemchr +- Fix memleak in auparse caused by corrected event ordering +- Fix legacy reload script to reload audit rules when daemon is reloaded +- Support for unescaping in trusted messages (Dmitry Voronin) +- In auditd, use standard template for DEAMON events (Richard Guy Briggs) +- In aureport, fix segfault for malformed USER_CMD events +- Add exe field to audit_log_user_command in libaudit +- In auditctl support filter on socket address families (Richard Guy Briggs) +- Deprecate support for Alpha & IA64 processors +- If space_left_action is rotate, allow it every time (#1718444) +- In auparse, drop standalone EOE events +- Add milliseconds column for ausearch extra time csv format +- Fix aureport first event reporting when no start given +- In audisp-remote, add new config item for startup connection errors +- Remove dependency on chkconfig +- Install rules to /usr/share/audit/sample-rules/ +- Split up ospp rules to make SCAP scanning easier (#1746018) +- In audisp-syslog, support interpreting records (#1497279) +- Audit USER events now sends msg as name value pair +- Add support for AUDIT_BPF event +- Auditd should not process AUDIT_REPLACE events +- Update syscall tables to the 5.5 kernel +- Improve personality interpretation by using PERS_MASK +- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup +- Change auparse python bindings to shared object (Issue #121) +- Add error messages for watch permissions +- If audit rules file doesn't exist log error message instead of info message +- Revise error message for unmatched options in auditctl +- In audisp-remote, fixup remote endpoint disappearin in ascii format +- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander) +- In auditctl, add support for sending a signal to auditd + +- Remove audit-fno-common.patch: fixed in upstream +- Remove audit-python3.patch: fixed in upstream + +------------------------------------------------------------------- Wed Dec 2 11:49:28 UTC 2020 - Alexander Bergmann <abergmann@suse.com> - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) @@ -12,7 +137,7 @@ ------------------------------------------------------------------- Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com> -- Update to version 2.6.5: +- Update to version 2.8.5: * Fix segfault on shutdown * Fix hang on startup (#1587995) * Add sleep to script to dump state so file is ready when needed Index: audit.spec =================================================================== --- audit.spec (revision 118) +++ audit.spec (revision 17) @@ -17,7 +17,7 @@ Name: audit -Version: 2.8.5 +Version: 3.0.2 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -35,6 +35,7 @@ BuildRequires: tcpd-devel Requires: libaudit1 = %{version} Requires: libauparse0 = %{version} +Provides: bundled(libev) = 4.33 %description The audit package contains the user space utilities for storing and @@ -79,27 +80,30 @@ %build autoreconf -fi +cp INSTALL.tmp INSTALl export CFLAGS="%{optflags} -fno-strict-aliasing" export CXXFLAGS="$CFLAGS" export LDFLAGS="-Wl,-z,relro,-z,now" # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch %configure \ +%ifarch aarch64 + --with-aarch64 \ +%endif --enable-systemd \ --libexecdir=%{_libexecdir}/%{name} \ --with-apparmor \ - --with-libwrap \ - --without-libcap-ng \ + --with-libcap-ng=no \ --disable-static \ - --without-python \ -%ifarch aarch64 - --with-aarch64 \ -%endif + --with-python=no \ --disable-zos-remote + +make %{?_smp_mflags} -C common make %{?_smp_mflags} -C lib make %{?_smp_mflags} -C auparse make %{?_smp_mflags} -C docs %install +%make_install -C common %make_install -C lib %make_install -C auparse %make_install -C docs @@ -134,7 +138,7 @@ %{_libdir}/libauparse.so.* %files -n audit-devel -%doc contrib/skeleton.c contrib/plugin +%doc contrib/plugin %{_libdir}/libaudit.so %{_libdir}/libauparse.so %{_includedir}/libaudit.h Index: change-default-log_group.patch =================================================================== --- change-default-log_group.patch (revision 118) +++ change-default-log_group.patch (revision 17) @@ -16,6 +16,6 @@ log_file = /var/log/audit/audit.log -log_group = root +log_group = audit - log_format = RAW + log_format = ENRICHED flush = INCREMENTAL_ASYNC freq = 50 Index: audit-3.0.2.tar.gz =================================================================== Binary file audit-3.0.2.tar.gz (revision 17) added Index: libev-werror.patch =================================================================== --- libev-werror.patch (added) +++ libev-werror.patch (revision 17) @@ -0,0 +1,26 @@ +From: Jan Engelhardt <jengelh@inai.de> +Date: 2021-06-02 16:18:03.256597842 +0200 + +Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25 +to fix some terrible code. + +[ 50s] ev_iouring.c: In function 'iouring_sqe_submit': +[ 50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type] + +--- + src/libev/ev_iouring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: audit-3.0.1/src/libev/ev_iouring.c +=================================================================== +--- audit-3.0.1.orig/src/libev/ev_iouring.c ++++ audit-3.0.1/src/libev/ev_iouring.c +@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P) + } + + inline_size +-struct io_uring_sqe * ++void + iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe) + { + unsigned idx = sqe - EV_SQES; Index: audit-2.8.5.tar.gz =================================================================== Binary file audit-2.8.5.tar.gz (revision 118) deleted Index: audit-fno-common.patch =================================================================== --- audit-fno-common.patch (revision 118) +++ audit-fno-common.patch (deleted) @@ -1,24 +0,0 @@ -From: Tony Jones <tonyj@suse.de> -Subject: Resolve errors when compiling with -fno-common -Git-commmit: 017e6c6ab95df55f34e339d2139def83e5dada1f -References: bsc#1160384 -Upsteam: pending - -Header definitios need to be external when building with -fno-common (which -is default in GCC 10). - -Fixes: ff25054df7ed -Signed-off-by: Tony Jones <tonyj@suse.de> - ---- a/src/ausearch-common.h -+++ b/src/ausearch-common.h -@@ -50,7 +50,7 @@ extern pid_t event_pid; - extern int event_exact_match; - extern uid_t event_uid, event_euid, event_loginuid; - extern const char *event_tuid, *event_teuid, *event_tauid; --slist *event_node_list; -+extern slist *event_node_list; - extern const char *event_comm; - extern const char *event_filename; - extern const char *event_hostname; - Index: audit-python3.patch =================================================================== --- audit-python3.patch (revision 118) +++ audit-python3.patch (deleted) @@ -1,292 +0,0 @@ -From: Tomas Chvatal <tchvatal@suse.com> -Date: Wed Feb 7 09:26:35 UTC 2018 -Subject: Convert tests to run under python3 -References: https://github.com/linux-audit/audit-userspace/pull/39 -Patch-mainline: no; pending with maintainer - -Adjust auparse_test to run with python3 and python2 - -Index: audit-2.8.1/auparse/test/auparse_test.py -=================================================================== ---- audit-2.8.1.orig/auparse/test/auparse_test.py -+++ audit-2.8.1/auparse/test/auparse_test.py -@@ -1,5 +1,7 @@ - #!/usr/bin/env python - -+from __future__ import print_function -+ - import os - srcdir = os.getenv('srcdir') - -@@ -30,29 +32,29 @@ def walk_test(au): - au.reset() - while True: - if not au.first_record(): -- print "Error getting first record" -+ print("Error getting first record") - sys.exit(1) - -- print "event %d has %d records" % (event_cnt, au.get_num_records()) -+ print("event %d has %d records" % (event_cnt, au.get_num_records())) - - record_cnt = 1 - while True: -- print " record %d of type %d(%s) has %d fields" % \ -+ print(" record %d of type %d(%s) has %d fields" % \ - (record_cnt, - au.get_type(), audit.audit_msg_type_to_name(au.get_type()), -- au.get_num_fields()) -- print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) -+ au.get_num_fields())) -+ print(" line=%d file=%s" % (au.get_line_number(), au.get_filename())) - event = au.get_timestamp() - if event is None: -- print "Error getting timestamp - aborting" -+ print("Error getting timestamp - aborting") - sys.exit(1) - -- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) -+ print(" event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))) - au.first_field() - while True: -- print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) -+ print(" %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())) - if not au.next_field(): break -- print -+ print("") - record_cnt += 1 - if not au.next_record(): break - event_cnt += 1 -@@ -62,25 +64,25 @@ def walk_test(au): - def light_test(au): - while True: - if not au.first_record(): -- print "Error getting first record" -+ print("Error getting first record") - sys.exit(1) - -- print "event has %d records" % (au.get_num_records()) -+ print("event has %d records" % (au.get_num_records())) - - record_cnt = 1 - while True: -- print " record %d of type %d(%s) has %d fields" % \ -+ print(" record %d of type %d(%s) has %d fields" % \ - (record_cnt, - au.get_type(), audit.audit_msg_type_to_name(au.get_type()), -- au.get_num_fields()) -- print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) -+ au.get_num_fields())) -+ print(" line=%d file=%s" % (au.get_line_number(), au.get_filename())) - event = au.get_timestamp() - if event is None: -- print "Error getting timestamp - aborting" -+ print("Error getting timestamp - aborting") - sys.exit(1) - -- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) -- print -+ print(" event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))) -+ print("") - record_cnt += 1 - if not au.next_record(): break - if not au.parse_next_event(): break -@@ -97,9 +99,9 @@ def simple_search(au, source, where): - au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR) - au.search_set_stop(where) - if not au.search_next_event(): -- print "Error searching for auid" -+ print("Error searching for auid") - else: -- print "Found %s = %s" % (au.get_field_name(), au.get_field_str()) -+ print("Found %s = %s" % (au.get_field_name(), au.get_field_str())) - - def compound_search(au, how): - au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); -@@ -115,119 +117,119 @@ def compound_search(au, how): - - au.search_set_stop(auparse.AUSEARCH_STOP_FIELD) - if not au.search_next_event(): -- print "Error searching for auid" -+ print("Error searching for auid") - else: -- print "Found %s = %s" % (au.get_field_name(), au.get_field_str()) -+ print("Found %s = %s" % (au.get_field_name(), au.get_field_str())) - - def feed_callback(au, cb_event_type, event_cnt): - if cb_event_type == auparse.AUPARSE_CB_EVENT_READY: - if not au.first_record(): -- print "Error getting first record" -+ print("Error getting first record") - sys.exit(1) - -- print "event %d has %d records" % (event_cnt[0], au.get_num_records()) -+ print("event %d has %d records" % (event_cnt[0], au.get_num_records())) - - record_cnt = 1 - while True: -- print " record %d of type %d(%s) has %d fields" % \ -+ print(" record %d of type %d(%s) has %d fields" % \ - (record_cnt, - au.get_type(), audit.audit_msg_type_to_name(au.get_type()), -- au.get_num_fields()) -- print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) -+ au.get_num_fields())) -+ print(" line=%d file=%s" % (au.get_line_number(), au.get_filename())) - event = au.get_timestamp() - if event is None: -- print "Error getting timestamp - aborting" -+ print("Error getting timestamp - aborting") - sys.exit(1) - -- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) -+ print(" event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))) - au.first_field() - while True: -- print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) -+ print(" %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())) - if not au.next_field(): break -- print -+ print("") - record_cnt += 1 - if not au.next_record(): break - event_cnt[0] += 1 - - au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) - --print "Starting Test 1, iterate..." -+print("Starting Test 1, iterate...") - while au.parse_next_event(): - if au.find_field("auid"): -- print "%s=%s" % (au.get_field_name(), au.get_field_str()) -- print "interp auid=%s" % (au.interpret_field()) -+ print("%s=%s" % (au.get_field_name(), au.get_field_str())) -+ print("interp auid=%s" % (au.interpret_field())) - else: -- print "Error iterating to auid" --print "Test 1 Done\n" -+ print("Error iterating to auid") -+print("Test 1 Done\n") - - # Reset, now lets go to beginning and walk the list manually */ --print "Starting Test 2, walk events, records, and fields..." -+print("Starting Test 2, walk events, records, and fields...") - au.reset() - walk_test(au) --print "Test 2 Done\n" -+print("Test 2 Done\n") - - # Reset, now lets go to beginning and walk the list manually */ --print "Starting Test 3, walk events, records of 1 buffer..." -+print("Starting Test 3, walk events, records of 1 buffer...") - au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1]) - au.reset() - light_test(au); --print "Test 3 Done\n" -+print("Test 3 Done\n") - --print "Starting Test 4, walk events, records of 1 file..." -+print("Starting Test 4, walk events, records of 1 file...") - au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); - walk_test(au); --print "Test 4 Done\n" -+print("Test 4 Done\n") - --print "Starting Test 5, walk events, records of 2 files..." -+print("Starting Test 5, walk events, records of 2 files...") - au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files); - walk_test(au); --print "Test 5 Done\n" -+print("Test 5 Done\n") - --print "Starting Test 6, search..." -+print("Starting Test 6, search...") - au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) - au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR) - au.search_set_stop(auparse.AUSEARCH_STOP_EVENT) - if au.search_next_event(): -- print "Error search found something it shouldn't have" -+ print("Error search found something it shouldn't have") - else: -- print "auid = 500 not found...which is correct" -+ print("auid = 500 not found...which is correct") - au.search_clear() - au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) - #au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR) - au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR) - au.search_set_stop(auparse.AUSEARCH_STOP_EVENT) - if not au.search_next_event(): -- print "Error searching for existence of auid" --print "auid exists...which is correct" --print "Testing BUFFER_ARRAY, stop on field" -+ print("Error searching for existence of auid") -+print("auid exists...which is correct") -+print("Testing BUFFER_ARRAY, stop on field") - simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD) --print "Testing BUFFER_ARRAY, stop on record" -+print("Testing BUFFER_ARRAY, stop on record") - simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD) --print "Testing BUFFER_ARRAY, stop on event" -+print("Testing BUFFER_ARRAY, stop on event") - simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT) --print "Testing test.log, stop on field" -+print("Testing test.log, stop on field") - simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD) --print "Testing test.log, stop on record" -+print("Testing test.log, stop on record") - simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD) --print "Testing test.log, stop on event" -+print("Testing test.log, stop on event") - simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT) --print "Test 6 Done\n" -+print("Test 6 Done\n") - --print "Starting Test 7, compound search..." -+print("Starting Test 7, compound search...") - au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) - compound_search(au, auparse.AUSEARCH_RULE_AND) - compound_search(au, auparse.AUSEARCH_RULE_OR) --print "Test 7 Done\n" -+print("Test 7 Done\n") - --print "Starting Test 8, regex search..." -+print("Starting Test 8, regex search...") - au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) --print "Doing regex match...\n" -+print("Doing regex match...\n") - au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) --print "Test 8 Done\n" -+print("Test 8 Done\n") - - # Note: this should match Test 2 exactly - # Note: this should match Test 2 exactly --print "Starting Test 9, buffer feed..." -+print("Starting Test 9, buffer feed...") - au = auparse.AuParser(auparse.AUSOURCE_FEED); - event_cnt = 1 - au.add_callback(feed_callback, [event_cnt]) -@@ -241,10 +243,10 @@ for s in buf: - beg += chunk_len - au.feed(data) - au.flush_feed() --print "Test 9 Done\n" -+print("Test 9 Done\n") - - # Note: this should match Test 4 exactly --print "Starting Test 10, file feed..." -+print("Starting Test 10, file feed...") - au = auparse.AuParser(auparse.AUSOURCE_FEED); - event_cnt = 1 - au.add_callback(feed_callback, [event_cnt]) -@@ -254,9 +256,9 @@ while True: - if not data: break - au.feed(data) - au.flush_feed() --print "Test 10 Done\n" -+print("Test 10 Done\n") - --print "Finished non-admin tests\n" -+print("Finished non-admin tests\n") - - au = None - sys.exit(0) OBS-URL: https://build.opensuse.org/request/show/900434 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=119 |
||
e1db8b24d2 |
Accepting request 868443 from home:dimstar:Factory
- Do not explicitly provide group(audit) in system-users-audit: this is automatically handled by rpm/providers. - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) OBS-URL: https://build.opensuse.org/request/show/868443 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=117 |
|||
d19eedf2c5 |
Accepting request 867563 from home:ematsumiya:branches:security
- Create new "audit" group for read access to logs (bsc#1178154) * add change-default-log_group.patch * update audit-secondary.spec OBS-URL: https://build.opensuse.org/request/show/867563 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=116 |
|||
da2300c646 |
- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)
- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=114 |
|||
Enzo Matsumiya
|
07903acdf1 |
Accepting request 849560 from home:lnussel:usrmove
- prepare usrmerge (boo#1029961) OBS-URL: https://build.opensuse.org/request/show/849560 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=112 |
||
Enzo Matsumiya
|
005741884e |
- Fix specfile to require libauparse0 and libaudit1 after splitting
audit-libs (bsc#1172295) OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=110 |
||
Tony Jones
|
74524fcb73 |
- Update to version 2.6.5:
* Fix segfault on shutdown * Fix hang on startup (#1587995) * Add sleep to script to dump state so file is ready when needed * Add auparse_normalizer support for SOFTWARE_UPDATE event * Mark netlabel events as simple events so that get processed quicker * When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) * Add 30-ospp-v42.rules to meet new Common Criteria requirements * Update lookup tables for the 4.18 kernel * In aureport, fix segfault in file report * Add auparse_normalizer support for labeled networking events * Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) * Event aging is off by a second * In ausearch/auparse, correct event ordering to process oldest first * auparse_reset was not clearing everything it should * Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events * In ausearch/report, lightly parse selinux portion of USER_AVC events * In ausearch/report, limit record size when malformed * In auditd, fix extract_type function for network originating events * In auditd, calculate right size and location for network originating events * Treat all network originating events as VER2 so dispatcher doesn't format it * In audisp-remote do an initial connection attempt (#1625156) * In auditd, allow expression of space left as a percentage (#1650670) * On PPC64LE systems, only allow 64 bit rules (#1462178) * Make some parts of auditd state report optional based on config * Fix ausearch when checkpointing a single file (Burn Alting) * Fix scripting in 31-privileged.rules wrt filecap (#1662516) * In ausearch, do not checkpt if stdin is input source * In libev, remove __cold__ attribute for functions to allow proper hardening * Add tests to configure.ac for openldap support OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=108 |
||
Tony Jones
|
4971d594a2 |
osc copypac from project:security package:audit revision:105
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=107 |
||
Tony Jones
|
a026abd994 |
Accepting request 739736 from home:RBrownSUSE:branches:security
Remove obsolete Groups tag (fate#326485) OBS-URL: https://build.opensuse.org/request/show/739736 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=106 |
||
Lars Vogdt
|
c90af7d388 |
Accepting request 687275 from home:jengelh:sct
- Reduce scriptlets' hard dependency on systemd. - Make use of some %make_install. OBS-URL: https://build.opensuse.org/request/show/687275 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=104 |
||
Tony Jones
|
f7b3eda238 |
Accepting request 618655 from home:1Antoine1:branches:security
- Update to version 2.8.4: * Generate checkpoint file even when not results are returned (Burn Alting). * Fix log file creation when file logging is disabled entirely (Vlad Glagolev). * Use SIGCONT to dump auditd internal state (rh#1504251). * Fix parsing of virtual timestamp fields in ausearch_expression (rh#1515903). * Fix parsing of uid & success for ausearch. * Hide lru symbols in auparse. * Fix aureport summary time range reporting. * Allow unlimited retries on startup for remote logging. * Add queue_depth to remote logging stats and increase default queue_depth size. - Update to version 2.8.3: * Correct msg function name in lru debug code. * Fix a segfault in auditd when dns resolution isn't available. * Make a reload legacy service for auditd. * In auparse python bindings, expose some new types that were missing. * In normalizer, pickup subject kind for user_login events. * Fix interpretation of unknown ioctcmds (rh#1540507). * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, & RESP_ORIGIN_BLOCK_TIMED events. * In auparse_normalize for USER_LOGIN events, map acct for subj_kind. * Fix logging of IPv6 addresses in DAEMON_ACCEPT events (rh#1534748). * Do not rotate auditd logs when num_logs < 2 (brozs). - Update to version 2.8.4: * Generate checkpoint file even when not results are returned (Burn Alting). * Fix log file creation when file logging is disabled entirely (Vlad Glagolev). * Use SIGCONT to dump auditd internal state (rh#1504251). * Fix parsing of virtual timestamp fields in ausearch_expression (rh#1515903). * Fix parsing of uid & success for ausearch. * Hide lru symbols in auparse. * Fix aureport summary time range reporting. * Allow unlimited retries on startup for remote logging. * Add queue_depth to remote logging stats and increase default queue_depth size. - Update to version 2.8.3: * Correct msg function name in lru debug code. * Fix a segfault in auditd when dns resolution isn't available. * Make a reload legacy service for auditd. * In auparse python bindings, expose some new types that were missing. * In normalizer, pickup subject kind for user_login events. * Fix interpretation of unknown ioctcmds (rh#1540507). * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, & RESP_ORIGIN_BLOCK_TIMED events. * In auparse_normalize for USER_LOGIN events, map acct for subj_kind. * Fix logging of IPv6 addresses in DAEMON_ACCEPT events (rh#1534748). * Do not rotate auditd logs when num_logs < 2 (brozs). OBS-URL: https://build.opensuse.org/request/show/618655 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=102 |
||
6975dcd5ff |
Accepting request 593188 from home:kukuk:branches:security
- Use %license instead of %doc [bsc#1082318] OBS-URL: https://build.opensuse.org/request/show/593188 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=101 |
|||
Tony Jones
|
e57cf5edeb |
Accepting request 588034 from home:jones_tony:branches:security
- Change openldap dependency to client only (bsc#1085003) - Resolve issue with previous change if both Python2 and Python3 are present, tests were failing as python2 bindings are preferred in this case. - Update header in audit-python3.patch - Update patch guidelines in README-BEFORE-ADDING-PATCHES OBS-URL: https://build.opensuse.org/request/show/588034 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=99 |
||
Tony Jones
|
7176e3c394 |
Accepting request 580988 from openSUSE:Factory:Staging:O
- Add patch to fix test run without python2 interpreter: * audit-python3.patch - Update to 2.8.2 release: * Update tables for 4.14 kernel * Fixup ipv6 server side binding * AVC report from aureport was missing result column header (#1511606) * Add SOFTWARE_UPDATE event * In ausearch/report pickup any path and new-disk fields as a file * Fix value returned by auditctl --reset-lost (Richard Guy Briggs) * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field * Fix building on old systems without linux/fanotify.h * Fix shell portability issues reported by shellcheck * Auditd validate_email should not use gethostbyname - Add patch to fix test run without python2 interpreter: * audit-python3.patch - Update to 2.8.2 release: * Update tables for 4.14 kernel * Fixup ipv6 server side binding * AVC report from aureport was missing result column header (#1511606) * Add SOFTWARE_UPDATE event * In ausearch/report pickup any path and new-disk fields as a file * Fix value returned by auditctl --reset-lost (Richard Guy Briggs) * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field * Fix building on old systems without linux/fanotify.h * Fix shell portability issues reported by shellcheck * Auditd validate_email should not use gethostbyname OBS-URL: https://build.opensuse.org/request/show/580988 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=98 |
||
c3b4f0e839 |
- reverted -j1 force ppc specific only
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=97 |
|||
c2369388d3 |
Accepting request 573323 from home:michel_mno:branches:security
- force -j1 for PowerPC make check to avoid build failure (lookup_test.o: file not recognized: File truncated) OBS-URL: https://build.opensuse.org/request/show/573323 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=96 |
|||
Tony Jones
|
b1e7f92a48 |
Accepting request 566726 from home:scarabeus_iv:branches:security
- Add conditions around python plugins to allow us to conditionalize them in enviroment without python2 OBS-URL: https://build.opensuse.org/request/show/566726 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=94 |
||
32adeb8614 |
Accepting request 540272 from home:pluskalm:branches:security
- Rename python binding packages to match current python packaging standards - Update python build dependencies to resolve future split of python2/3 OBS-URL: https://build.opensuse.org/request/show/540272 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=92 |
|||
1ded129a42 |
Accepting request 539420 from home:avindra
- Update to version 2.8.1. See audit.spec (libaudit1) for upstream changelog - Remove audit-implicit-writev.patch (fixed upstream across 2 commits) * 3b30db20ad983274989ce9a522120c3c225436b3 * 07132c22314e9abbe64d1031fd8734243285bb3f - Cleanup with spec-cleaner - Update to version 2.8.1 release (includes 2.8 and 2.7.8 changes) * many features added to auparse_normalize * cli option added to auditd and audispd for setting config dir * in auditd, restore the umask after creating a log file * option added to auditd for skipping email verification - Full changelog: http://people.redhat.com/sgrubb/audit/ChangeLog OBS-URL: https://build.opensuse.org/request/show/539420 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=91 |
|||
757d4f4e1d |
Accepting request 517517 from home:dimstar:Factory
include sys/uio.h for writev, fixes build failure in Staging:C https://build.opensuse.org/build/openSUSE:Factory:Staging:C:DVD/standard/x86_64/audit-secondary/_log OBS-URL: https://build.opensuse.org/request/show/517517 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=89 |
|||
f336e4b06a |
Accepting request 512289 from home:jengelh:branches:security
- Rectify RPM groups, diversify descriptions. - Remove mentions of static libraries because they are not built. OBS-URL: https://build.opensuse.org/request/show/512289 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=87 |
|||
Tony Jones
|
e3d31e63b6 |
Accepting request 511710 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/511710 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=85 |
||
8bfd2e643e |
Accepting request 383289 from home:scarabeus_iv:branches:security
- Create folder for the m4 file from previous commit to avoid install failure OBS-URL: https://build.opensuse.org/request/show/383289 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=83 |
|||
Tony Jones
|
e700ce1264 |
Accepting request 382986 from home:scarabeus_iv:branches:security
- Version update to 2.5. See audit.spec (libaudit1) for upstream changelog - Cleanup with spec-cleaner - Sort out bit /sbin /usr/sbin/ installation - Install the rules as documentation - Remove needless %py_requires from python subpkgs - Version update to 2.5 release - Refresh two patches and README to contain SUSE and not SuSE * audit-allow-manual-stop.patch * audit-plugins-path.patch - Cleanup with spec-cleaner and do not use subshells but rather use -C parameter of make - Install m4 file to the devel package OBS-URL: https://build.opensuse.org/request/show/382986 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=82 |
||
23489d2c18 |
Accepting request 347165 from home:posophe:branches:security
little fix OBS-URL: https://build.opensuse.org/request/show/347165 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=80 |
|||
Tony Jones
|
b5e111de83 | OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=79 | ||
Tony Jones
|
7a17f4104f |
Accepting request 329223 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/329223 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=78 |
||
Tony Jones
|
35ac1a5f73 |
Accepting request 283377 from security
revert to r75 OBS-URL: https://build.opensuse.org/request/show/283377 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=77 |
||
Tony Jones
|
42d7928102 |
Accepting request 283367 from home:fdmanana:branches:security
- Teach ausearch to filter AppArmor events (Fate#317726). Added patch file audit-ausearch-filter-apparmor-events.patch OBS-URL: https://build.opensuse.org/request/show/283367 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=76 |
||
Jan Matejka
|
74ea258675 |
- Update to version 2.4.1
Changelog 2.4.1 - Make python3 support easier - Add support for ppc64le (Tony Jones) - Add some translations for a1 of ioctl system calls - Add command & virtualization reports to aureport - Update aureport config report for new events - Add account modification summary report to aureport - Add GRP_MGMT and GRP_CHAUTHTOK event types - Correct aureport account change reports - Add integrity event report to aureport - Add config change summary report to aureport - Adjust some syslogging level settings in audispd - Improve parsing performance in everything - When ausearch outputs a line, use the previously parsed values (Burn Alting) - Improve searching and interpreting groups in events - Fully interpret the proctitle field in auparse - Correct libaudit and auditctl support for kernel features - Add support for backlog_time_wait setting via auditctl - Update syscall tables for the 3.18 kernel - Ignore DNS failure for email validation in auditd (#1138674) - Allow rotate as action for space_left and disk_full in auditd.conf - Correct login summary report of aureport - Auditctl syscalls can be comma separated list now - Update rules for new subsystems and capabilities - Drop patch audit-add-ppc64le-mach-support.patch (already upstream) OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=74 |
||
Tony Jones
|
a550638087 |
Accepting request 247315 from home:jones_tony:branches:security
OBS-URL: https://build.opensuse.org/request/show/247315 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=72 |
||
42c1e24684 |
Accepting request 244848 from home:elvigia:branches:security
- If the system has been booted with audit=0 in the kernel cmdline auditd.service must refrain from starting as the relevant kernel subsystem will be permanently disabled. add patch: auditd-donot-start-if-kernel-cmdline-disabled.patch OBS-URL: https://build.opensuse.org/request/show/244848 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=70 |