forked from pool/audit
d1358f4337
- Update to 3.1.1: * Add user friendly keywords for signals to auditctl * In ausearch, parse up URINGOP and DM_CTRL records * Harden auparse to better handle corrupt logs * Fix a CFLAGS propogation problem in the common directory * Move the audispd af_unix plugin to a standalone program - Update to 3.1.1: * Add user friendly keywords for signals to auditctl * In ausearch, parse up URINGOP and DM_CTRL records * Harden auparse to better handle corrupt logs * Fix a CFLAGS propogation problem in the common directory * Move the audispd af_unix plugin to a standalone program OBS-URL: https://build.opensuse.org/request/show/1096509 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=148
33 lines
1.0 KiB
Diff
33 lines
1.0 KiB
Diff
From: Enzo Matsumiya <ematsumiya@suse.de>
|
|
Subject: init.d/auditd.service: make /etc/audit writable
|
|
References: bsc#1181400
|
|
|
|
systemd hardening effort (bsc#1181400) broke auditd.service when starting/
|
|
restarting it. This was because auditd couldn't save/create audit.rules from
|
|
/etc/audit/rules.d/* files.
|
|
|
|
Make /etc/audit writable for the service.
|
|
|
|
Also remove PrivateDevices=true so /dev/* are exposed to auditd.
|
|
|
|
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
|
|
|
|
Index: audit-3.1.1/init.d/auditd.service
|
|
===================================================================
|
|
--- audit-3.1.1.orig/init.d/auditd.service
|
|
+++ audit-3.1.1/init.d/auditd.service
|
|
@@ -42,12 +42,12 @@ RestrictRealtime=true
|
|
# added automatically, for details please see
|
|
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
ProtectSystem=full
|
|
-PrivateDevices=true
|
|
ProtectHostname=true
|
|
ProtectClock=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelLogs=true
|
|
# end of automatic additions
|
|
+ReadWritePaths=/etc/audit
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|