SHA256
1
0
forked from pool/audit
audit/enable-stop-rules.patch
Enzo Matsumiya c309536630 Accepting request 934558 from home:favogt:branches:security
- Use %autosetup
- Don't include sample rules as %doc, they're already installed
  as normal files
- Fix create-augenrules-service.patch:
  * auditd.service needs to require augenrules.service,
    not the other way around
- Fix documentation for enable-stop-rules.patch

OBS-URL: https://build.opensuse.org/request/show/934558
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=134
2021-11-30 01:45:17 +00:00

30 lines
1.4 KiB
Diff

From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
References: bsc#1190227
This has caused confusion for customers when relating stopping auditd service
is the same as stopping system auditing. This is completely understandable, but
it's by design, so kauditd can keep filling its queues for any other userspace
daemon to consume.
Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Index: audit-3.0.6/init.d/auditd.service
===================================================================
--- audit-3.0.6.orig/init.d/auditd.service
+++ audit-3.0.6/init.d/auditd.service
@@ -23,9 +23,9 @@ ExecStart=/sbin/auditd
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-# By default we don't clear the rules on exit. To enable this, uncomment
+# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
RestartPreventExitStatus=2 4 6