SHA256
1
0
forked from pool/audit
Commit Graph

187 Commits

Author SHA256 Message Date
Dominique Leuenberger
dfdf560849 Accepting request 965461 from security
OBS-URL: https://build.opensuse.org/request/show/965461
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=101
2022-03-31 15:18:30 +00:00
Enzo Matsumiya
26999f1942 Accepting request 965005 from home:coolo:branches:security
- Fix buildrequire for openldap2-devel - audit doesn't require the
  (outdated) C++ binding, but the C headers that happen to be pulled
  in by buildrequiring the C++ devel package

OBS-URL: https://build.opensuse.org/request/show/965005
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=137
2022-03-28 17:51:02 +00:00
Enzo Matsumiya
affdcc0b01 Accepting request 964942 from home:ematsumiya:branches:security
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
  * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
  * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

OBS-URL: https://build.opensuse.org/request/show/964942
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=136
2022-03-25 20:12:53 +00:00
Enzo Matsumiya
8c6f875550 Accepting request 964336 from home:dirkmueller:Factory
- add audit-userspace-517-compat.patch

OBS-URL: https://build.opensuse.org/request/show/964336
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=135
2022-03-25 14:41:23 +00:00
Dominique Leuenberger
54f6a26404 Accepting request 934645 from security
OBS-URL: https://build.opensuse.org/request/show/934645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=100
2021-12-01 19:46:08 +00:00
Enzo Matsumiya
c309536630 Accepting request 934558 from home:favogt:branches:security
- Use %autosetup
- Don't include sample rules as %doc, they're already installed
  as normal files
- Fix create-augenrules-service.patch:
  * auditd.service needs to require augenrules.service,
    not the other way around
- Fix documentation for enable-stop-rules.patch

OBS-URL: https://build.opensuse.org/request/show/934558
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=134
2021-11-30 01:45:17 +00:00
Dominique Leuenberger
6189ef2a7d Accepting request 930227 from security
OBS-URL: https://build.opensuse.org/request/show/930227
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=99
2021-11-12 14:58:53 +00:00
Enzo Matsumiya
4de8c602d7 Accepting request 930154 from home:gmbr3:Active
- Update to version 3.0.6:
  * fixes a segfault on some SELINUX_ERR records
  * makes IPX packet interpretation dependent on the ipx header
    file existing
  * adds b32/b64 support to ausyscall
  * adds support for armv8l
  * fixes auditctl list of syscalls on PPC
  * auditd.service now restarts auditd under some conditions
- Update to version 3.0.6:
  * fixes a segfault on some SELINUX_ERR records
  * makes IPX packet interpretation dependent on the ipx header
    file existing
  * adds b32/b64 support to ausyscall
  * adds support for armv8l
  * fixes auditctl list of syscalls on PPC
  * auditd.service now restarts auditd under some conditions

OBS-URL: https://build.opensuse.org/request/show/930154
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=133
2021-11-08 18:23:23 +00:00
Dominique Leuenberger
830ee0e3c1 Accepting request 926074 from security
OBS-URL: https://build.opensuse.org/request/show/926074
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=98
2021-10-20 18:22:44 +00:00
Enzo Matsumiya
483b357e07 Accepting request 925413 from home:gmbr3:Active
- Add CONFIG parameter to %sysusers_generate_pre

OBS-URL: https://build.opensuse.org/request/show/925413
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=132
2021-10-18 18:42:45 +00:00
Enzo Matsumiya
1b5f7ae8b7 Accepting request 925195 from home:ematsumiya:branches:security
- Create separate service for augenrules (bsc#1191614, bsc#1181400)
  * add create-augenrules-service.patch
  Remove ReadWritePaths=/etc/audit from auditd.service, also removes
  augenrules call from ExecStartPost.
  Create augenrules.service with the ReadWritePaths directive above.
  This makes /etc/audit only accessible by augenrules.service and
  let auditd.service (and daemon) to be sandboxed again.
- Update audit-secondary.spec to accomodate the new service file.

OBS-URL: https://build.opensuse.org/request/show/925195
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=131
2021-10-13 23:13:08 +00:00
Dominique Leuenberger
a584999d5c Accepting request 920362 from security
OBS-URL: https://build.opensuse.org/request/show/920362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=97
2021-10-01 20:28:52 +00:00
Enzo Matsumiya
3099f73ab7 Accepting request 920360 from home:ematsumiya:branches:security
Use tarball from source URL.

OBS-URL: https://build.opensuse.org/request/show/920360
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=130
2021-09-20 17:14:08 +00:00
Enzo Matsumiya
09b88829e8 Accepting request 920348 from home:ematsumiya:branches:security
- Fix hardened auditd.service (bsc#1181400)
  * add fix-hardened-service.patch
    Make /etc/audit read-write from the service.
    Remove PrivateDevices=true to expose /dev/* to auditd.service.
- Enable stop rules for audit.service (cf. bsc#1190227)
  * add enable-stop-rules.patch
- Change default log_format from ENRICHED to RAW (bsc#1190500):
  * add change-default-log_format.patch (SUSE-specific patch)
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs
- Update to version 3.0.5:
  * In auditd, flush uid/gid caches when user/group added/deleted/modified
  * Fixed various issues when dealing with corrupted logs
  * In auditd, check if log_file is valid before closing handle
- Include fixed from 3.0.4:
  * Apply performance speedups to auparse library
  * Optimize rule loading in auditctl
  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
  * Update syscall table to the 5.14 kernel
  * Fixed various issues when dealing with corrupted logs

OBS-URL: https://build.opensuse.org/request/show/920348
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=129
2021-09-20 16:14:05 +00:00
Dominique Leuenberger
aa32cfdfe2 Accepting request 912415 from security
- harden_auditd.service.patch: automatic hardening applied to systemd
  services

OBS-URL: https://build.opensuse.org/request/show/912415
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=96
2021-08-24 08:53:51 +00:00
0e616b4165 - harden_auditd.service.patch: automatic hardening applied to systemd
services

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=128
2021-08-16 13:36:30 +00:00
127262eccc Accepting request 911452 from home:jsegitz:branches:systemdhardening:security
Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

OBS-URL: https://build.opensuse.org/request/show/911452
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=127
2021-08-16 13:21:17 +00:00
Dominique Leuenberger
cdf3fa9c76 Accepting request 910030 from security
- Update to version 3.0.3:
  * Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
- use https source urls

- Update to version 3.0.3:
  * Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
- use https source urls

OBS-URL: https://build.opensuse.org/request/show/910030
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=95
2021-08-07 15:57:08 +00:00
d083951a31 - use https source urls
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=126
2021-08-03 15:56:57 +00:00
ebf7ab7764 - use https source urls
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=125
2021-08-03 15:56:42 +00:00
97e319769c Accepting request 909447 from home:ematsumiya:branches:security
- Update to version 3.0.3:
  * Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
  * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
  * Change auparse_feed_has_data in auparse to include incomplete events
  * Auditd, stop linking against -lrt
  * Add ProtectHome and RestrictRealtime to auditd.service
  * In auditd, read up to 3 netlink packets in a row
  * In auditd, do not validate path to plugin unless active
  * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists

OBS-URL: https://build.opensuse.org/request/show/909447
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=124
2021-08-01 14:31:28 +00:00
Dominique Leuenberger
42d0a5fa7c Accepting request 900607 from security
OBS-URL: https://build.opensuse.org/request/show/900607
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=94
2021-06-24 16:21:49 +00:00
Enzo Matsumiya
5810f8940b Accepting request 900606 from home:ematsumiya:branches:security
- Adjust audit.spec and audit-secondary.spec to support new version
- Include fix for libev
  * add libev-werror.patch

- Update to version 3.0.2
- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if its suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesnt format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitue functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearin in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Removes audit-fno-common.patch: fixed in upstream
- Removes audit-python3.patch: fixed in upstream

OBS-URL: https://build.opensuse.org/request/show/900606
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=122
2021-06-17 14:59:32 +00:00
Enzo Matsumiya
51c3a9728b Accepting request 900442 from home:ematsumiya:branches:security
- Adjust audit.spec and audit-secondary.spec to support new version
- Include fix for libev
  * add libev-werror.patch

- Update to version 3.0.2
- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if its suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesnt format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitue functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearin in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Removes audit-fno-common.patch: fixed in upstream
- Removes audit-python3.patch: fixed in upstream

OBS-URL: https://build.opensuse.org/request/show/900442
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=121
2021-06-16 18:07:14 +00:00
Enzo Matsumiya
827fffa884 Accepting request 900437 from home:ematsumiya:branches:security
Mention libev patch in changelogs

OBS-URL: https://build.opensuse.org/request/show/900437
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=120
2021-06-16 17:29:54 +00:00
Enzo Matsumiya
0ee158a589 Accepting request 900434 from home:ematsumiya:branches:security
- Adjust spec files to support new version
- Include one fix for libev

- Update to version 3.0.2
- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
- Optionally interpret auid in auditctl -l
- Update some syscall argument interpretations
- In auditd, do not allow spaces in the hostname name format
- Big documentation cleanup (MIZUTA Takeshi)
- Update syscall table to the 5.12 kernel
- Update the auparse normalizer for new event types
- Fix compiler warnings in ids subsystem
- Block a couple signals from flush & reconfigure threads
- In auditd, don't wait on flush thread when exiting
- Output error message if the path of input files are too long ausearch/report

Included fixes from 3.0.1
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

Included fixes from 3.0
- Generate checkpoint file even when no results are returned (Burn Alting)
- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
- Convert auparse_test to run with python3 (Tomáš Chvátal)
- Drop support for prelude
- Adjust backlog_wait_time in rules to the kernel default (#1482848)
- Remove ids key syntax checking of rules in auditctl
- Use SIGCONT to dump auditd internal state (#1504251)
- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
- Fix parsing of uid & success for ausearch
- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
- Hide lru symbols in auparse
- Add systemd process protections
- Fix aureport summary time range reporting
- Allow unlimited retries on startup for remote logging
- Add queue_depth to remote logging stats and increase default queue_depth size
- Fix segfault on shutdown
- Merge auditd and audispd code
- Close on execute init_pipe fd (#1587995)
- Breakout audisp syslog plugin to be standalone program
- Create a common internal library to reduce code
- Move all audispd config files under /etc/audit/
- Move audispd.conf settings into auditd.conf
- Add queue depth statistics to internal state dump report
- Add network statistics to internal state dump report
- SIGUSR now also restarts queue processing if its suspended
- Update lookup tables for the 4.18 kernel
- Add auparse_normalizer support for SOFTWARE_UPDATE event
- Add 30-ospp-v42.rules to meet new Common Criteria requirements
- Deprecate enable_krb and replace with transport config opt for remote logging
- Mark netlabel events as simple events so that get processed quicker
- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
- In aureport, fix segfault in file report
- Add auparse_normalizer support for labeled networking events
- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
- In ausearch/auparse, event aging is off by a second
- In ausearch/auparse, correct event ordering to process oldest first
- Migrate auparse python test to python3
- auparse_reset was not clearing everything it should
- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
- In ausearch/report, lightly parse selinux portion of USER_AVC events
- Add bpf syscall command argument interpretation to auparse
- In ausearch/report, limit record size when malformed
- Port af_unix plugin to libev
- In auditd, fix extract_type function for network originating events
- In auditd, calculate right size and location for network originating events
- Make legacy script wait for auditd to terminate (#1643567)
- Treat all network originating events as VER2 so dispatcher doesn't format it
- If an event has a node name make it VER2 so dispatcher doesnt format it
- In audisp-remote do an initial connection attempt (#1625156)
- In auditd, allow expression of space left as a percentage (#1650670)
- On PPC64LE systems, only allow 64 bit rules (#1462178)
- Make some parts of auditd state report optional based on config
- Update to libev-4.25
- Fix ausearch when checkpointing a single file (Burn Alting)
- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
- In ausearch, do not checkpt if stdin is input source
- In libev, remove __cold__ attribute for functions to allow proper hardening
- Add tests to configure.ac for openldap support
- Make systemd support files use /run rather than /var/run (Christian Hesse)
- Fix minor memory leak in auditd kerberos credentials code
- Allow exclude and user filter by executable name (Ondrej Mosnacek)
- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
- In ausearch/report fix --end to use midnight time instead of now (#1671338)
- Add substitue functions for strndupa & rawmemchr
- Fix memleak in auparse caused by corrected event ordering
- Fix legacy reload script to reload audit rules when daemon is reloaded
- Support for unescaping in trusted messages (Dmitry Voronin)
- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
- In aureport, fix segfault for malformed USER_CMD events
- Add exe field to audit_log_user_command in libaudit
- In auditctl support filter on socket address families (Richard Guy Briggs)
- Deprecate support for Alpha & IA64 processors
- If space_left_action is rotate, allow it every time (#1718444)
- In auparse, drop standalone EOE events
- Add milliseconds column for ausearch extra time csv format
- Fix aureport first event reporting when no start given
- In audisp-remote, add new config item for startup connection errors
- Remove dependency on chkconfig
- Install rules to /usr/share/audit/sample-rules/
- Split up ospp rules to make SCAP scanning easier (#1746018)
- In audisp-syslog, support interpreting records (#1497279)
- Audit USER events now sends msg as name value pair
- Add support for AUDIT_BPF event
- Auditd should not process AUDIT_REPLACE events
- Update syscall tables to the 5.5 kernel
- Improve personality interpretation by using PERS_MASK
- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
- Change auparse python bindings to shared object (Issue #121)
- Add error messages for watch permissions
- If audit rules file doesn't exist log error message instead of info message
- Revise error message for unmatched options in auditctl
- In audisp-remote, fixup remote endpoint disappearin in ascii format
- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
- In auditctl, add support for sending a signal to auditd

- Remove audit-fno-common.patch: fixed in upstream
- Remove audit-python3.patch: fixed in upstream

old: security/audit
new: home:ematsumiya:branches:security/audit rev None
Index: audit-no-gss.patch
===================================================================
--- audit-no-gss.patch (revision 118)
+++ audit-no-gss.patch (revision 17)
@@ -11,11 +11,12 @@
 
 --- a/init.d/auditd.conf
 +++ b/init.d/auditd.conf
-@@ -30,7 +30,4 @@ tcp_listen_queue = 5
- tcp_max_per_addr = 1
+@@ -30,8 +30,6 @@ tcp_max_per_addr = 1
  ##tcp_client_ports = 1024-65535
  tcp_client_max_idle = 0
--enable_krb5 = no
+ transport = TCP
 -krb5_principal = auditd
 -##krb5_key_file = /etc/audit/audit.key
  distribute_network = no
+ q_depth = 400
+ overflow_action = SYSLOG
Index: audit-plugins-path.patch
===================================================================
--- audit-plugins-path.patch (revision 118)
+++ audit-plugins-path.patch (revision 17)
@@ -5,19 +5,8 @@
 Adjust location of plugins built by audit-secondary.  These should never have
 been in /sbin plus some (for SUSE) require lib dependancies on /usr/lib
 
---- audit-1.7.2/audisp/plugins/prelude/au-prelude.conf.orig	2008-04-23 11:56:11.946681000 +0200
-+++ audit-1.7.2/audisp/plugins/prelude/au-prelude.conf	2008-04-23 11:56:22.789827000 +0200
-@@ -5,7 +5,7 @@
- 
- active = no
- direction = out
--path = /sbin/audisp-prelude
-+path = /usr/sbin/audisp-prelude
- type = always
- #args =
- format = string
---- audit-1.7.2/audisp/plugins/remote/au-remote.conf.orig	2008-04-23 11:56:11.976660000 +0200
-+++ audit-1.7.2/audisp/plugins/remote/au-remote.conf	2008-04-23 11:56:30.958657000 +0200
+--- a/audisp/plugins/remote/au-remote.conf
++++ b/audisp/plugins/remote/au-remote.conf
 @@ -5,7 +5,7 @@
  
  active = no
@@ -27,8 +16,8 @@
  type = always
  #args =
  format = string
---- audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf.orig	2008-04-23 11:56:11.993637000 +0200
-+++ audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf	2008-04-23 11:56:40.533070000 +0200
+--- a/audisp/plugins/zos-remote/audispd-zos-remote.conf
++++ b/audisp/plugins/zos-remote/audispd-zos-remote.conf
 @@ -8,7 +8,7 @@
  
  active = no
@@ -36,5 +25,5 @@
 -path = /sbin/audispd-zos-remote
 +path = /usr/sbin/audispd-zos-remote
  type = always 
- args = /etc/audisp/zos-remote.conf
+ args = /etc/audit/zos-remote.conf
  format = string
Index: audit-secondary.changes
===================================================================
--- audit-secondary.changes (revision 118)
+++ audit-secondary.changes (revision 17)
@@ -1,4 +1,129 @@
 -------------------------------------------------------------------
+Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Update to version 3.0.2
+- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
+- Optionally interpret auid in auditctl -l
+- Update some syscall argument interpretations
+- In auditd, do not allow spaces in the hostname name format
+- Big documentation cleanup (MIZUTA Takeshi)
+- Update syscall table to the 5.12 kernel
+- Update the auparse normalizer for new event types
+- Fix compiler warnings in ids subsystem
+- Block a couple signals from flush & reconfigure threads
+- In auditd, don't wait on flush thread when exiting
+- Output error message if the path of input files are too long ausearch/report
+
+Included fixes from 3.0.1
+- Update syscall table to the 5.11 kernel
+- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
+- Only enable periodic timers when listening on the network
+- Upgrade libev to 4.33
+- Add auparse_new_buffer function to auparse library
+- Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
+- Update the auparse normalizer for some new syscalls and event types
+
+Included fixes from 3.0
+- Generate checkpoint file even when no results are returned (Burn Alting)
+- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
+- Convert auparse_test to run with python3 (Tomáš Chvátal)
+- Drop support for prelude
+- Adjust backlog_wait_time in rules to the kernel default (#1482848)
+- Remove ids key syntax checking of rules in auditctl
+- Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
+- Fix parsing of uid & success for ausearch
+- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
+- Hide lru symbols in auparse
+- Add systemd process protections
+- Fix aureport summary time range reporting
+- Allow unlimited retries on startup for remote logging
+- Add queue_depth to remote logging stats and increase default queue_depth size
+- Fix segfault on shutdown
+- Merge auditd and audispd code
+- Close on execute init_pipe fd (#1587995)
+- Breakout audisp syslog plugin to be standalone program
+- Create a common internal library to reduce code
+- Move all audispd config files under /etc/audit/
+- Move audispd.conf settings into auditd.conf
+- Add queue depth statistics to internal state dump report
+- Add network statistics to internal state dump report
+- SIGUSR now also restarts queue processing if its suspended
+- Update lookup tables for the 4.18 kernel
+- Add auparse_normalizer support for SOFTWARE_UPDATE event
+- Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
+- Mark netlabel events as simple events so that get processed quicker
+- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+- In aureport, fix segfault in file report
+- Add auparse_normalizer support for labeled networking events
+- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
+- In ausearch/auparse, event aging is off by a second
+- In ausearch/auparse, correct event ordering to process oldest first
+- Migrate auparse python test to python3
+- auparse_reset was not clearing everything it should
+- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+- In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
+- In ausearch/report, limit record size when malformed
+- Port af_unix plugin to libev
+- In auditd, fix extract_type function for network originating events
+- In auditd, calculate right size and location for network originating events
+- Make legacy script wait for auditd to terminate (#1643567)
+- Treat all network originating events as VER2 so dispatcher doesn't format it
+- If an event has a node name make it VER2 so dispatcher doesnt format it
+- In audisp-remote do an initial connection attempt (#1625156)
+- In auditd, allow expression of space left as a percentage (#1650670)
+- On PPC64LE systems, only allow 64 bit rules (#1462178)
+- Make some parts of auditd state report optional based on config
+- Update to libev-4.25
+- Fix ausearch when checkpointing a single file (Burn Alting)
+- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+- In ausearch, do not checkpt if stdin is input source
+- In libev, remove __cold__ attribute for functions to allow proper hardening
+- Add tests to configure.ac for openldap support
+- Make systemd support files use /run rather than /var/run (Christian Hesse)
+- Fix minor memory leak in auditd kerberos credentials code
+- Allow exclude and user filter by executable name (Ondrej Mosnacek)
+- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+- In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Add substitue functions for strndupa & rawmemchr
+- Fix memleak in auparse caused by corrected event ordering
+- Fix legacy reload script to reload audit rules when daemon is reloaded
+- Support for unescaping in trusted messages (Dmitry Voronin)
+- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
+- In aureport, fix segfault for malformed USER_CMD events
+- Add exe field to audit_log_user_command in libaudit
+- In auditctl support filter on socket address families (Richard Guy Briggs)
+- Deprecate support for Alpha & IA64 processors
+- If space_left_action is rotate, allow it every time (#1718444)
+- In auparse, drop standalone EOE events
+- Add milliseconds column for ausearch extra time csv format
+- Fix aureport first event reporting when no start given
+- In audisp-remote, add new config item for startup connection errors
+- Remove dependency on chkconfig
+- Install rules to /usr/share/audit/sample-rules/
+- Split up ospp rules to make SCAP scanning easier (#1746018)
+- In audisp-syslog, support interpreting records (#1497279)
+- Audit USER events now sends msg as name value pair
+- Add support for AUDIT_BPF event
+- Auditd should not process AUDIT_REPLACE events
+- Update syscall tables to the 5.5 kernel
+- Improve personality interpretation by using PERS_MASK
+- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
+- Change auparse python bindings to shared object (Issue #121)
+- Add error messages for watch permissions
+- If audit rules file doesn't exist log error message instead of info message
+- Revise error message for unmatched options in auditctl
+- In audisp-remote, fixup remote endpoint disappearin in ascii format
+- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
+- In auditctl, add support for sending a signal to auditd
+
+- Removes audit-fno-common.patch: fixed in upstream
+- Removes audit-python3.patch: fixed in upstream
+
+-------------------------------------------------------------------
 Mon Feb  1 18:13:18 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
 
 - Do not explicitly provide group(audit) in system-users-audit:
@@ -24,7 +149,7 @@
 -------------------------------------------------------------------
 Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com>
 
-- Update to version 2.6.5:
+- Update to version 2.8.5:
   * Fix segfault on shutdown
   * Fix hang on startup (#1587995)
   * Add sleep to script to dump state so file is ready when needed
Index: audit-secondary.spec
===================================================================
--- audit-secondary.spec (revision 118)
+++ audit-secondary.spec (revision 17)
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        2.8.5
+Version:        3.0.2
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -34,9 +34,8 @@
 Patch2:         audit-no-gss.patch
 Patch3:         audit-allow-manual-stop.patch
 Patch4:         audit-ausearch-do-not-require-tclass.patch
-Patch5:         audit-python3.patch
-Patch6:         audit-fno-common.patch
-Patch7:         change-default-log_group.patch
+Patch5:         change-default-log_group.patch
+Patch6:         libev-werror.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -55,6 +54,7 @@
 BuildRequires:  sysuser-tools
 BuildRequires:  tcpd-devel
 BuildRequires:  pkgconfig(libcap-ng)
+Provides:       bundled(libev) = 4.33
 
 %description
 The audit package contains the user space utilities for storing and
@@ -127,14 +127,13 @@
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
 # If both versions are present, python2 bindings are preferred by the tests and
 # unconditionally using /usr/bin/python3 breaks the tests
 # Probably the correct solution is to run the tests twice if both are present.
-sed -i -e 's:#!/usr/bin/env python:#!/usr/bin/python3:g' auparse/test/auparse_test.py
+perl -i -lpe 's{#!/usr/bin/env python\S+}{#!/usr/bin/python3}' auparse/test/auparse_test.py
 %endif
 
 %build
@@ -144,15 +143,18 @@
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
 %configure \
+%ifarch aarch64
+	--with-aarch64 \
+%endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{_name} \
 	--with-apparmor \
 	--with-libwrap \
 	--with-libcap-ng=yes \
-%ifarch aarch64
-	--with-aarch64 \
-%endif
-	--disable-static
+	--disable-static \
+	%{?_with_python3} \
+	%{?_without_python}
+
 make %{?_smp_mflags}
 
 %sysusers_generate_pre %{SOURCE1} audit
@@ -197,7 +199,7 @@
 #USR-MERGE
 %if !0%{?usrmerged}
 mkdir %{buildroot}/sbin/
-for prog in auditctl auditd ausearch autrace audispd aureport augenrules; do
+for prog in auditctl auditd ausearch autrace aureport augenrules; do
   ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
 done
 %endif
@@ -235,8 +237,7 @@
 
 %files -n audit
 %license COPYING
-%doc README ChangeLog rules/[0-9]* rules/README-rules init.d/auditd.cron
-%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
+%doc README ChangeLog rules init.d/auditd.cron
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
 %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
@@ -247,7 +248,6 @@
 %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
 %attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
-%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
 %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
@@ -256,7 +256,6 @@
 /sbin/auditd
 /sbin/ausearch
 /sbin/autrace
-/sbin/audispd
 /sbin/augenrules
 /sbin/aureport
 %endif
@@ -265,29 +264,28 @@
 %attr(755,root,root) %{_sbindir}/ausearch
 %attr(750,root,root) %{_sbindir}/autrace
 %attr(750,root,root) %{_sbindir}/augenrules
-%attr(750,root,root) %{_sbindir}/audispd
+%attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
 %attr(755,root,root) %{_sbindir}/aureport
 %attr(755,root,root) %{_bindir}/auvirt
 %dir %attr(750,root,root) %{_sysconfdir}/audit
-%attr(750,root,root) %dir %{_sysconfdir}/audisp
-%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/af_unix.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/syslog.conf
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
 %ghost %{_sysconfdir}/auditd.conf
 %ghost %{_sysconfdir}/audit.rules
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
 %dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audispd.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
 %dir %attr(750,root,audit) %{_localstatedir}/log/audit
 %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
 %{_sbindir}/rcauditd
+%{_datadir}/audit/
 
 %files -n system-group-audit
 %{_sysusersdir}/system-group-audit.conf
@@ -301,23 +299,24 @@
 
 %if %{with python3}
 %files -n python3-audit
-%attr(755,root,root) %{python3_sitearch}/_audit.so
-%attr(755,root,root) %{python3_sitearch}/auparse.so
-%{python3_sitearch}/audit.py*
+%defattr(-,root,root,-)
+%attr(755,root,root) %{python3_sitearch}/*
 %endif
 
 %files -n audit-audispd-plugins
 %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
 %attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
-%attr(750,root,root) %dir %{_sysconfdir}/audisp
-%attr(750,root,root) %dir %{_sysconfdir}/audisp/plugins.d
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/audispd-zos-remote.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/zos-remote.conf
+%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
+%attr(750,root,root) %dir %{_sysconfdir}/audit
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/audisp-remote.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audisp/plugins.d/au-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf
 
 %changelog
Index: audit.changes
===================================================================
--- audit.changes (revision 118)
+++ audit.changes (revision 17)
@@ -1,4 +1,129 @@
 -------------------------------------------------------------------
+Mon Jun 14 20:54:49 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Update to version 3.0.2
+- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
+- Optionally interpret auid in auditctl -l
+- Update some syscall argument interpretations
+- In auditd, do not allow spaces in the hostname name format
+- Big documentation cleanup (MIZUTA Takeshi)
+- Update syscall table to the 5.12 kernel
+- Update the auparse normalizer for new event types
+- Fix compiler warnings in ids subsystem
+- Block a couple signals from flush & reconfigure threads
+- In auditd, don't wait on flush thread when exiting
+- Output error message if the path of input files are too long ausearch/report
+
+Included fixes from 3.0.1
+- Update syscall table to the 5.11 kernel
+- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
+- Only enable periodic timers when listening on the network
+- Upgrade libev to 4.33
+- Add auparse_new_buffer function to auparse library
+- Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
+- Update the auparse normalizer for some new syscalls and event types
+
+Included fixes from 3.0
+- Generate checkpoint file even when no results are returned (Burn Alting)
+- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
+- Convert auparse_test to run with python3 (Tomáš Chvátal)
+- Drop support for prelude
+- Adjust backlog_wait_time in rules to the kernel default (#1482848)
+- Remove ids key syntax checking of rules in auditctl
+- Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
+- Fix parsing of uid & success for ausearch
+- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
+- Hide lru symbols in auparse
+- Add systemd process protections
+- Fix aureport summary time range reporting
+- Allow unlimited retries on startup for remote logging
+- Add queue_depth to remote logging stats and increase default queue_depth size
+- Fix segfault on shutdown
+- Merge auditd and audispd code
+- Close on execute init_pipe fd (#1587995)
+- Breakout audisp syslog plugin to be standalone program
+- Create a common internal library to reduce code
+- Move all audispd config files under /etc/audit/
+- Move audispd.conf settings into auditd.conf
+- Add queue depth statistics to internal state dump report
+- Add network statistics to internal state dump report
+- SIGUSR now also restarts queue processing if its suspended
+- Update lookup tables for the 4.18 kernel
+- Add auparse_normalizer support for SOFTWARE_UPDATE event
+- Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
+- Mark netlabel events as simple events so that get processed quicker
+- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+- In aureport, fix segfault in file report
+- Add auparse_normalizer support for labeled networking events
+- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
+- In ausearch/auparse, event aging is off by a second
+- In ausearch/auparse, correct event ordering to process oldest first
+- Migrate auparse python test to python3
+- auparse_reset was not clearing everything it should
+- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+- In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
+- In ausearch/report, limit record size when malformed
+- Port af_unix plugin to libev
+- In auditd, fix extract_type function for network originating events
+- In auditd, calculate right size and location for network originating events
+- Make legacy script wait for auditd to terminate (#1643567)
+- Treat all network originating events as VER2 so dispatcher doesn't format it
+- If an event has a node name make it VER2 so dispatcher doesnt format it
+- In audisp-remote do an initial connection attempt (#1625156)
+- In auditd, allow expression of space left as a percentage (#1650670)
+- On PPC64LE systems, only allow 64 bit rules (#1462178)
+- Make some parts of auditd state report optional based on config
+- Update to libev-4.25
+- Fix ausearch when checkpointing a single file (Burn Alting)
+- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+- In ausearch, do not checkpt if stdin is input source
+- In libev, remove __cold__ attribute for functions to allow proper hardening
+- Add tests to configure.ac for openldap support
+- Make systemd support files use /run rather than /var/run (Christian Hesse)
+- Fix minor memory leak in auditd kerberos credentials code
+- Allow exclude and user filter by executable name (Ondrej Mosnacek)
+- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+- In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Add substitue functions for strndupa & rawmemchr
+- Fix memleak in auparse caused by corrected event ordering
+- Fix legacy reload script to reload audit rules when daemon is reloaded
+- Support for unescaping in trusted messages (Dmitry Voronin)
+- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
+- In aureport, fix segfault for malformed USER_CMD events
+- Add exe field to audit_log_user_command in libaudit
+- In auditctl support filter on socket address families (Richard Guy Briggs)
+- Deprecate support for Alpha & IA64 processors
+- If space_left_action is rotate, allow it every time (#1718444)
+- In auparse, drop standalone EOE events
+- Add milliseconds column for ausearch extra time csv format
+- Fix aureport first event reporting when no start given
+- In audisp-remote, add new config item for startup connection errors
+- Remove dependency on chkconfig
+- Install rules to /usr/share/audit/sample-rules/
+- Split up ospp rules to make SCAP scanning easier (#1746018)
+- In audisp-syslog, support interpreting records (#1497279)
+- Audit USER events now sends msg as name value pair
+- Add support for AUDIT_BPF event
+- Auditd should not process AUDIT_REPLACE events
+- Update syscall tables to the 5.5 kernel
+- Improve personality interpretation by using PERS_MASK
+- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
+- Change auparse python bindings to shared object (Issue #121)
+- Add error messages for watch permissions
+- If audit rules file doesn't exist log error message instead of info message
+- Revise error message for unmatched options in auditctl
+- In audisp-remote, fixup remote endpoint disappearin in ascii format
+- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
+- In auditctl, add support for sending a signal to auditd
+
+- Remove audit-fno-common.patch: fixed in upstream
+- Remove audit-python3.patch: fixed in upstream
+
+-------------------------------------------------------------------
 Wed Dec  2 11:49:28 UTC 2020 - Alexander Bergmann <abergmann@suse.com>
 
 - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) 
@@ -12,7 +137,7 @@
 -------------------------------------------------------------------
 Mon Jan 13 17:39:03 UTC 2020 - Tony Jones <tonyj@suse.com>
 
-- Update to version 2.6.5:
+- Update to version 2.8.5:
   * Fix segfault on shutdown
   * Fix hang on startup (#1587995)
   * Add sleep to script to dump state so file is ready when needed
Index: audit.spec
===================================================================
--- audit.spec (revision 118)
+++ audit.spec (revision 17)
@@ -17,7 +17,7 @@
 
 
 Name:           audit
-Version:        2.8.5
+Version:        3.0.2
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -35,6 +35,7 @@
 BuildRequires:  tcpd-devel
 Requires:       libaudit1 = %{version}
 Requires:       libauparse0 = %{version}
+Provides:       bundled(libev) = 4.33
 
 %description
 The audit package contains the user space utilities for storing and
@@ -79,27 +80,30 @@
 
 %build
 autoreconf -fi
+cp INSTALL.tmp INSTALl
 export CFLAGS="%{optflags} -fno-strict-aliasing"
 export CXXFLAGS="$CFLAGS"
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
 %configure \
+%ifarch aarch64
+	--with-aarch64 \
+%endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{name} \
 	--with-apparmor \
-	--with-libwrap \
-	--without-libcap-ng \
+	--with-libcap-ng=no \
 	--disable-static \
-	--without-python \
-%ifarch aarch64
-       --with-aarch64 \
-%endif
+	--with-python=no \
 	--disable-zos-remote
+
+make %{?_smp_mflags} -C common
 make %{?_smp_mflags} -C lib
 make %{?_smp_mflags} -C auparse
 make %{?_smp_mflags} -C docs
 
 %install
+%make_install -C common
 %make_install -C lib
 %make_install -C auparse
 %make_install -C docs
@@ -134,7 +138,7 @@
 %{_libdir}/libauparse.so.*
 
 %files -n audit-devel
-%doc contrib/skeleton.c contrib/plugin
+%doc contrib/plugin
 %{_libdir}/libaudit.so
 %{_libdir}/libauparse.so
 %{_includedir}/libaudit.h
Index: change-default-log_group.patch
===================================================================
--- change-default-log_group.patch (revision 118)
+++ change-default-log_group.patch (revision 17)
@@ -16,6 +16,6 @@
  log_file = /var/log/audit/audit.log
 -log_group = root
 +log_group = audit
- log_format = RAW
+ log_format = ENRICHED
  flush = INCREMENTAL_ASYNC
  freq = 50
Index: audit-3.0.2.tar.gz
===================================================================
Binary file audit-3.0.2.tar.gz (revision 17) added
Index: libev-werror.patch
===================================================================
--- libev-werror.patch (added)
+++ libev-werror.patch (revision 17)
@@ -0,0 +1,26 @@
+From: Jan Engelhardt <jengelh@inai.de>
+Date: 2021-06-02 16:18:03.256597842 +0200
+
+Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
+to fix some terrible code.
+
+[   50s] ev_iouring.c: In function 'iouring_sqe_submit':
+[   50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
+
+---
+ src/libev/ev_iouring.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: audit-3.0.1/src/libev/ev_iouring.c
+===================================================================
+--- audit-3.0.1.orig/src/libev/ev_iouring.c
++++ audit-3.0.1/src/libev/ev_iouring.c
+@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
+ }
+ 
+ inline_size
+-struct io_uring_sqe *
++void
+ iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
+ {
+   unsigned idx = sqe - EV_SQES;
Index: audit-2.8.5.tar.gz
===================================================================
Binary file audit-2.8.5.tar.gz (revision 118) deleted
Index: audit-fno-common.patch
===================================================================
--- audit-fno-common.patch (revision 118)
+++ audit-fno-common.patch (deleted)
@@ -1,24 +0,0 @@
-From: Tony Jones <tonyj@suse.de>
-Subject: Resolve errors when compiling with -fno-common
-Git-commmit: 017e6c6ab95df55f34e339d2139def83e5dada1f
-References: bsc#1160384
-Upsteam: pending
-
-Header definitios need to be external when building with -fno-common (which
-is default in GCC 10).
-
-Fixes: ff25054df7ed
-Signed-off-by: Tony Jones <tonyj@suse.de>
-
---- a/src/ausearch-common.h
-+++ b/src/ausearch-common.h
-@@ -50,7 +50,7 @@ extern pid_t event_pid;
- extern int event_exact_match;
- extern uid_t event_uid, event_euid, event_loginuid;
- extern const char *event_tuid, *event_teuid, *event_tauid;
--slist *event_node_list;
-+extern slist *event_node_list;
- extern const char *event_comm;
- extern const char *event_filename;
- extern const char *event_hostname;
-
Index: audit-python3.patch
===================================================================
--- audit-python3.patch (revision 118)
+++ audit-python3.patch (deleted)
@@ -1,292 +0,0 @@
-From: Tomas Chvatal <tchvatal@suse.com>
-Date: Wed Feb  7 09:26:35 UTC 2018
-Subject: Convert tests to run under python3
-References: https://github.com/linux-audit/audit-userspace/pull/39
-Patch-mainline: no; pending with maintainer
-
-Adjust auparse_test to run with python3 and python2
-
-Index: audit-2.8.1/auparse/test/auparse_test.py
-===================================================================
---- audit-2.8.1.orig/auparse/test/auparse_test.py
-+++ audit-2.8.1/auparse/test/auparse_test.py
-@@ -1,5 +1,7 @@
- #!/usr/bin/env python
- 
-+from __future__ import print_function
-+
- import os
- srcdir = os.getenv('srcdir')
- 
-@@ -30,29 +32,29 @@ def walk_test(au):
-     au.reset()
-     while True:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event %d has %d records" % (event_cnt, au.get_num_records())
-+        print("event %d has %d records" % (event_cnt, au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-             au.first_field()
-             while True:
--                print "        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
-+                print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
-                 if not au.next_field(): break
--            print
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         event_cnt += 1
-@@ -62,25 +64,25 @@ def walk_test(au):
- def light_test(au):
-     while True:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event has %d records" % (au.get_num_records())
-+        print("event has %d records" % (au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
--            print
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         if not au.parse_next_event(): break
-@@ -97,9 +99,9 @@ def simple_search(au, source, where):
-     au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR)
-     au.search_set_stop(where)
-     if not au.search_next_event():
--        print "Error searching for auid"
-+        print("Error searching for auid")
-     else:
--        print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-+        print("Found %s = %s" % (au.get_field_name(), au.get_field_str()))
- 
- def compound_search(au, how):
-     au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
-@@ -115,119 +117,119 @@ def compound_search(au, how):
- 
-     au.search_set_stop(auparse.AUSEARCH_STOP_FIELD)
-     if not au.search_next_event():
--        print "Error searching for auid"
-+        print("Error searching for auid")
-     else:
--        print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-+        print("Found %s = %s" % (au.get_field_name(), au.get_field_str()))
- 
- def feed_callback(au, cb_event_type, event_cnt):
-     if cb_event_type == auparse.AUPARSE_CB_EVENT_READY:
-         if not au.first_record():
--            print "Error getting first record"
-+            print("Error getting first record")
-             sys.exit(1)
- 
--        print "event %d has %d records" % (event_cnt[0], au.get_num_records())
-+        print("event %d has %d records" % (event_cnt[0], au.get_num_records()))
- 
-         record_cnt = 1
-         while True:
--            print "    record %d of type %d(%s) has %d fields" % \
-+            print("    record %d of type %d(%s) has %d fields" % \
-                   (record_cnt,
-                    au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
--                   au.get_num_fields())
--            print "    line=%d file=%s" % (au.get_line_number(), au.get_filename())
-+                   au.get_num_fields()))
-+            print("    line=%d file=%s" % (au.get_line_number(), au.get_filename()))
-             event = au.get_timestamp()
-             if event is None:
--                print "Error getting timestamp - aborting"
-+                print("Error getting timestamp - aborting")
-                 sys.exit(1)
- 
--            print "    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
-+            print("    event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)))
-             au.first_field()
-             while True:
--                print "        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
-+                print("        %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()))
-                 if not au.next_field(): break
--            print
-+            print("")
-             record_cnt += 1
-             if not au.next_record(): break
-         event_cnt[0] += 1
- 
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- 
--print "Starting Test 1, iterate..."
-+print("Starting Test 1, iterate...")
- while au.parse_next_event():
-     if au.find_field("auid"):
--        print "%s=%s" % (au.get_field_name(), au.get_field_str())
--        print "interp auid=%s" % (au.interpret_field())
-+        print("%s=%s" % (au.get_field_name(), au.get_field_str()))
-+        print("interp auid=%s" % (au.interpret_field()))
-     else:
--        print "Error iterating to auid"
--print "Test 1 Done\n"
-+        print("Error iterating to auid")
-+print("Test 1 Done\n")
- 
- # Reset, now lets go to beginning and walk the list manually */
--print "Starting Test 2, walk events, records, and fields..."
-+print("Starting Test 2, walk events, records, and fields...")
- au.reset()
- walk_test(au)
--print "Test 2 Done\n"
-+print("Test 2 Done\n")
- 
- # Reset, now lets go to beginning and walk the list manually */
--print "Starting Test 3, walk events, records of 1 buffer..."
-+print("Starting Test 3, walk events, records of 1 buffer...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1])
- au.reset()
- light_test(au);
--print "Test 3 Done\n"
-+print("Test 3 Done\n")
- 
--print "Starting Test 4, walk events, records of 1 file..."
-+print("Starting Test 4, walk events, records of 1 file...")
- au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
- walk_test(au); 
--print "Test 4 Done\n"
-+print("Test 4 Done\n")
- 
--print "Starting Test 5, walk events, records of 2 files..."
-+print("Starting Test 5, walk events, records of 2 files...")
- au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files);
- walk_test(au);
--print "Test 5 Done\n"
-+print("Test 5 Done\n")
- 
--print "Starting Test 6, search..."
-+print("Starting Test 6, search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR)
- au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
- if au.search_next_event():
--    print "Error search found something it shouldn't have"
-+    print("Error search found something it shouldn't have")
- else:
--    print "auid = 500 not found...which is correct"
-+    print("auid = 500 not found...which is correct")
- au.search_clear()
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- #au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR)
- au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR)
- au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
- if not au.search_next_event():
--    print "Error searching for existence of auid"
--print "auid exists...which is correct"
--print "Testing BUFFER_ARRAY, stop on field"
-+    print("Error searching for existence of auid")
-+print("auid exists...which is correct")
-+print("Testing BUFFER_ARRAY, stop on field")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD)
--print "Testing BUFFER_ARRAY, stop on record"
-+print("Testing BUFFER_ARRAY, stop on record")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD)
--print "Testing BUFFER_ARRAY, stop on event"
-+print("Testing BUFFER_ARRAY, stop on event")
- simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT)
--print "Testing test.log, stop on field"
-+print("Testing test.log, stop on field")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD)
--print "Testing test.log, stop on record"
-+print("Testing test.log, stop on record")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD)
--print "Testing test.log, stop on event"
-+print("Testing test.log, stop on event")
- simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT)
--print "Test 6 Done\n"
-+print("Test 6 Done\n")
- 
--print "Starting Test 7, compound search..."
-+print("Starting Test 7, compound search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- compound_search(au, auparse.AUSEARCH_RULE_AND)
- compound_search(au, auparse.AUSEARCH_RULE_OR)
--print "Test 7 Done\n"
-+print("Test 7 Done\n")
- 
--print "Starting Test 8, regex search..."
-+print("Starting Test 8, regex search...")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
--print "Doing regex match...\n"
-+print("Doing regex match...\n")
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
--print "Test 8 Done\n"
-+print("Test 8 Done\n")
- 
- # Note: this should match Test 2 exactly
- # Note: this should match Test 2 exactly
--print "Starting Test 9, buffer feed..."
-+print("Starting Test 9, buffer feed...")
- au = auparse.AuParser(auparse.AUSOURCE_FEED);
- event_cnt = 1
- au.add_callback(feed_callback, [event_cnt])
-@@ -241,10 +243,10 @@ for s in buf:
-         beg += chunk_len
-         au.feed(data)
- au.flush_feed()
--print "Test 9 Done\n"
-+print("Test 9 Done\n")
- 
- # Note: this should match Test 4 exactly
--print "Starting Test 10, file feed..."
-+print("Starting Test 10, file feed...")
- au = auparse.AuParser(auparse.AUSOURCE_FEED);
- event_cnt = 1
- au.add_callback(feed_callback, [event_cnt])
-@@ -254,9 +256,9 @@ while True:
-     if not data: break
-     au.feed(data)
- au.flush_feed()
--print "Test 10 Done\n"
-+print("Test 10 Done\n")
- 
--print "Finished non-admin tests\n"
-+print("Finished non-admin tests\n")
- 
- au = None
- sys.exit(0)

OBS-URL: https://build.opensuse.org/request/show/900434
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=119
2021-06-16 17:16:06 +00:00
Dominique Leuenberger
0a1e448676 Accepting request 868681 from security
- Do not explicitly provide group(audit) in system-users-audit:
  this is automatically handled by rpm/providers.

- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) (forwarded request 868443 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/868681
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=93
2021-02-07 14:13:59 +00:00
e1db8b24d2 Accepting request 868443 from home:dimstar:Factory
- Do not explicitly provide group(audit) in system-users-audit:
  this is automatically handled by rpm/providers.

- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)

OBS-URL: https://build.opensuse.org/request/show/868443
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=117
2021-02-02 15:17:31 +00:00
d19eedf2c5 Accepting request 867563 from home:ematsumiya:branches:security
- Create new "audit" group for read access to logs (bsc#1178154)
  * add change-default-log_group.patch
  * update audit-secondary.spec

OBS-URL: https://build.opensuse.org/request/show/867563
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=116
2021-01-30 08:05:50 +00:00
Dominique Leuenberger
3ef1d32d19 Accepting request 854217 from security
- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806) 

- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)

OBS-URL: https://build.opensuse.org/request/show/854217
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=92
2020-12-21 09:21:49 +00:00
da2300c646 - Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)
- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=114
2020-12-09 10:00:48 +00:00
Dominique Leuenberger
0efabbed8d Accepting request 851328 from security
OBS-URL: https://build.opensuse.org/request/show/851328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=91
2020-12-03 17:38:06 +00:00
Enzo Matsumiya
07903acdf1 Accepting request 849560 from home:lnussel:usrmove
- prepare usrmerge (boo#1029961)

OBS-URL: https://build.opensuse.org/request/show/849560
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=112
2020-11-27 13:40:00 +00:00
Dominique Leuenberger
f0e0e85897 Accepting request 810662 from security
- Fix specfile to require libauparse0 and libaudit1 after splitting
  audit-libs (bsc#1172295)

OBS-URL: https://build.opensuse.org/request/show/810662
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=90
2020-06-11 12:38:39 +00:00
Enzo Matsumiya
005741884e - Fix specfile to require libauparse0 and libaudit1 after splitting
audit-libs (bsc#1172295)

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=110
2020-06-01 17:13:53 +00:00
Dominique Leuenberger
9f1fdb1bed Accepting request 765091 from security
Version update to version 2.8.5
Fix bz#1160384

OBS-URL: https://build.opensuse.org/request/show/765091
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=89
2020-01-23 15:07:45 +00:00
Tony Jones
74524fcb73 - Update to version 2.6.5:
* Fix segfault on shutdown
  * Fix hang on startup (#1587995)
  * Add sleep to script to dump state so file is ready when needed
  * Add auparse_normalizer support for SOFTWARE_UPDATE event
  * Mark netlabel events as simple events so that get processed quicker
  * When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
  * Add 30-ospp-v42.rules to meet new Common Criteria requirements
  * Update lookup tables for the 4.18 kernel
  * In aureport, fix segfault in file report
  * Add auparse_normalizer support for labeled networking events
  * Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
  * Event aging is off by a second
  * In ausearch/auparse, correct event ordering to process oldest first
  * auparse_reset was not clearing everything it should
  * Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
  * In ausearch/report, lightly parse selinux portion of USER_AVC events
  * In ausearch/report, limit record size when malformed
  * In auditd, fix extract_type function for network originating events
  * In auditd, calculate right size and location for network originating events
  * Treat all network originating events as VER2 so dispatcher doesn't format it
  * In audisp-remote do an initial connection attempt (#1625156)
  * In auditd, allow expression of space left as a percentage (#1650670)
  * On PPC64LE systems, only allow 64 bit rules (#1462178)
  * Make some parts of auditd state report optional based on config
  * Fix ausearch when checkpointing a single file (Burn Alting)
  * Fix scripting in 31-privileged.rules wrt filecap (#1662516)
  * In ausearch, do not checkpt if stdin is input source
  * In libev, remove __cold__ attribute for functions to allow proper hardening
  * Add tests to configure.ac for openldap support

OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=108
2020-01-16 20:02:22 +00:00
Tony Jones
4971d594a2 osc copypac from project:security package:audit revision:105
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=107
2019-10-18 17:26:13 +00:00
Tony Jones
a026abd994 Accepting request 739736 from home:RBrownSUSE:branches:security
Remove obsolete Groups tag (fate#326485)

OBS-URL: https://build.opensuse.org/request/show/739736
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=106
2019-10-17 14:14:02 +00:00
Dominique Leuenberger
ea50e39101 Accepting request 708766 from security
OBS-URL: https://build.opensuse.org/request/show/708766
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=88
2019-06-26 13:59:07 +00:00
Lars Vogdt
c90af7d388 Accepting request 687275 from home:jengelh:sct
- Reduce scriptlets' hard dependency on systemd.
- Make use of some %make_install.

OBS-URL: https://build.opensuse.org/request/show/687275
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=104
2019-06-08 16:58:52 +00:00
Dominique Leuenberger
59a15871f8 Accepting request 619464 from security
OBS-URL: https://build.opensuse.org/request/show/619464
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=87
2018-07-07 19:51:47 +00:00
Tony Jones
f7b3eda238 Accepting request 618655 from home:1Antoine1:branches:security
- Update to version 2.8.4:
  * Generate checkpoint file even when not results are returned
    (Burn Alting).
  * Fix log file creation when file logging is disabled entirely
    (Vlad Glagolev).
  * Use SIGCONT to dump auditd internal state (rh#1504251).
  * Fix parsing of virtual timestamp fields in ausearch_expression
    (rh#1515903).
  * Fix parsing of uid & success for ausearch.
  * Hide lru symbols in auparse.
  * Fix aureport summary time range reporting.
  * Allow unlimited retries on startup for remote logging.
  * Add queue_depth to remote logging stats and increase default
    queue_depth size.
- Update to version 2.8.3:
  * Correct msg function name in lru debug code.
  * Fix a segfault in auditd when dns resolution isn't available.
  * Make a reload legacy service for auditd.
  * In auparse python bindings, expose some new types that were
    missing.
  * In normalizer, pickup subject kind for user_login events.
  * Fix interpretation of unknown ioctcmds (rh#1540507).
  * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, &
    RESP_ORIGIN_BLOCK_TIMED events.
  * In auparse_normalize for USER_LOGIN events, map acct for
    subj_kind.
  * Fix logging of IPv6 addresses in DAEMON_ACCEPT events
    (rh#1534748).
  * Do not rotate auditd logs when num_logs < 2 (brozs).
- Update to version 2.8.4:
  * Generate checkpoint file even when not results are returned
    (Burn Alting).
  * Fix log file creation when file logging is disabled entirely
    (Vlad Glagolev).
  * Use SIGCONT to dump auditd internal state (rh#1504251).
  * Fix parsing of virtual timestamp fields in ausearch_expression
    (rh#1515903).
  * Fix parsing of uid & success for ausearch.
  * Hide lru symbols in auparse.
  * Fix aureport summary time range reporting.
  * Allow unlimited retries on startup for remote logging.
  * Add queue_depth to remote logging stats and increase default
    queue_depth size.
- Update to version 2.8.3:
  * Correct msg function name in lru debug code.
  * Fix a segfault in auditd when dns resolution isn't available.
  * Make a reload legacy service for auditd.
  * In auparse python bindings, expose some new types that were
    missing.
  * In normalizer, pickup subject kind for user_login events.
  * Fix interpretation of unknown ioctcmds (rh#1540507).
  * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, &
    RESP_ORIGIN_BLOCK_TIMED events.
  * In auparse_normalize for USER_LOGIN events, map acct for
    subj_kind.
  * Fix logging of IPv6 addresses in DAEMON_ACCEPT events
    (rh#1534748).
  * Do not rotate auditd logs when num_logs < 2 (brozs).

OBS-URL: https://build.opensuse.org/request/show/618655
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=102
2018-06-28 01:17:18 +00:00
6975dcd5ff Accepting request 593188 from home:kukuk:branches:security
- Use %license instead of %doc [bsc#1082318]

OBS-URL: https://build.opensuse.org/request/show/593188
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=101
2018-04-11 13:58:54 +00:00
Dominique Leuenberger
e5a6970bfd Accepting request 588035 from security
OBS-URL: https://build.opensuse.org/request/show/588035
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=86
2018-03-26 09:51:53 +00:00
Tony Jones
e57cf5edeb Accepting request 588034 from home:jones_tony:branches:security
- Change openldap dependency to client only (bsc#1085003)
- Resolve issue with previous change if both Python2 and Python3 are
  present, tests were failing as python2 bindings are preferred in this
  case.
- Update header in audit-python3.patch
- Update patch guidelines in README-BEFORE-ADDING-PATCHES

OBS-URL: https://build.opensuse.org/request/show/588034
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=99
2018-03-16 23:10:56 +00:00
Tony Jones
7176e3c394 Accepting request 580988 from openSUSE:Factory:Staging:O
- Add patch to fix test run without python2 interpreter:
  * audit-python3.patch
- Update to 2.8.2 release:
  * Update tables for 4.14 kernel
  * Fixup ipv6 server side binding
  * AVC report from aureport was missing result column header (#1511606)
  * Add SOFTWARE_UPDATE event
  * In ausearch/report pickup any path and new-disk fields as a file
  * Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
  * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
  * Fix building on old systems without linux/fanotify.h
  * Fix shell portability issues reported by shellcheck
  * Auditd validate_email should not use gethostbyname

- Add patch to fix test run without python2 interpreter:
  * audit-python3.patch
- Update to 2.8.2 release:
  * Update tables for 4.14 kernel
  * Fixup ipv6 server side binding
  * AVC report from aureport was missing result column header (#1511606)
  * Add SOFTWARE_UPDATE event
  * In ausearch/report pickup any path and new-disk fields as a file
  * Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
  * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
  * Fix building on old systems without linux/fanotify.h
  * Fix shell portability issues reported by shellcheck
  * Auditd validate_email should not use gethostbyname

OBS-URL: https://build.opensuse.org/request/show/580988
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=98
2018-03-01 21:24:42 +00:00
c3b4f0e839 - reverted -j1 force ppc specific only
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=97
2018-02-22 11:00:36 +00:00
c2369388d3 Accepting request 573323 from home:michel_mno:branches:security
- force -j1 for PowerPC make check to avoid build failure
  (lookup_test.o: file not recognized: File truncated)

OBS-URL: https://build.opensuse.org/request/show/573323
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=96
2018-02-19 07:17:33 +00:00
Dominique Leuenberger
dfaa3130a1 Accepting request 567005 from security
OBS-URL: https://build.opensuse.org/request/show/567005
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=85
2018-01-26 12:33:24 +00:00