forked from pool/audit
c309536630
- Use %autosetup - Don't include sample rules as %doc, they're already installed as normal files - Fix create-augenrules-service.patch: * auditd.service needs to require augenrules.service, not the other way around - Fix documentation for enable-stop-rules.patch OBS-URL: https://build.opensuse.org/request/show/934558 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=134
97 lines
3.7 KiB
Diff
97 lines
3.7 KiB
Diff
Index: audit-3.0.6/init.d/augenrules.service
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ audit-3.0.6/init.d/augenrules.service
|
|
@@ -0,0 +1,29 @@
|
|
+[Unit]
|
|
+Description=auditd rules generation
|
|
+After=auditd.service
|
|
+Documentation=man:augenrules(8)
|
|
+
|
|
+[Service]
|
|
+Type=oneshot
|
|
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
|
|
+ExecStart=/sbin/augenrules --load
|
|
+# We need RemainAfterExit=true so augenrules is called again
|
|
+# in case auditd.service is restarted.
|
|
+RemainAfterExit=true
|
|
+
|
|
+### Security Settings ###
|
|
+MemoryDenyWriteExecute=true
|
|
+LockPersonality=true
|
|
+ProtectControlGroups=true
|
|
+ProtectKernelModules=true
|
|
+ProtectHome=true
|
|
+RestrictRealtime=true
|
|
+# for details please see
|
|
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
|
|
+ProtectSystem=full
|
|
+PrivateDevices=true
|
|
+ProtectHostname=true
|
|
+ProtectClock=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectKernelLogs=true
|
|
+ReadWritePaths=/etc/audit
|
|
Index: audit-3.0.6/init.d/auditd.service
|
|
===================================================================
|
|
--- audit-3.0.6.orig/init.d/auditd.service
|
|
+++ audit-3.0.6/init.d/auditd.service
|
|
@@ -13,15 +13,16 @@ Before=sysinit.target shutdown.target
|
|
Conflicts=shutdown.target
|
|
ConditionKernelCommandLine=!audit=0
|
|
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
|
|
+Requires=augenrules.service
|
|
+# This unit clears rules on stop, so make sure that augenrules runs again
|
|
+PropagatesStopTo=augenrules.service
|
|
|
|
[Service]
|
|
Type=forking
|
|
PIDFile=/run/auditd.pid
|
|
ExecStart=/sbin/auditd
|
|
-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
|
|
-## and comment/delete the next line and uncomment the auditctl line.
|
|
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
|
|
-ExecStartPost=-/sbin/augenrules --load
|
|
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
|
|
+## uncomment the next line, and comment the Requires=augenrules.service above.
|
|
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
|
|
# By default we clear the rules on exit. To disable this, comment
|
|
# the next line after copying the file to /etc/systemd/system/auditd.service
|
|
@@ -45,7 +46,6 @@ ProtectClock=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelLogs=true
|
|
# end of automatic additions
|
|
-ReadWritePaths=/etc/audit
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
Index: audit-3.0.6/init.d/Makefile.am
|
|
===================================================================
|
|
--- audit-3.0.6.orig/init.d/Makefile.am
|
|
+++ audit-3.0.6/init.d/Makefile.am
|
|
@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
|
|
auditd.cron libaudit.conf auditd.condrestart \
|
|
auditd.reload auditd.restart auditd.resume \
|
|
auditd.rotate auditd.state auditd.stop \
|
|
- audit-stop.rules augenrules
|
|
+ audit-stop.rules augenrules augenrules.service
|
|
libconfig = libaudit.conf
|
|
if ENABLE_SYSTEMD
|
|
initdir = /usr/lib/systemd/system
|
|
@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
|
|
mkdir -p ${DESTDIR}${initdir}
|
|
mkdir -p ${DESTDIR}${legacydir}
|
|
$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
|
|
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
|
|
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
|
|
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
|
|
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
|
|
@@ -70,6 +71,7 @@ uninstall-hook:
|
|
rm ${DESTDIR}${sysconfdir}/${libconfig}
|
|
if ENABLE_SYSTEMD
|
|
rm ${DESTDIR}${initdir}/auditd.service
|
|
+ rm ${DESTDIR}${initdir}/augenrules.service
|
|
rm ${DESTDIR}${legacydir}/rotate
|
|
rm ${DESTDIR}${legacydir}/resume
|
|
rm ${DESTDIR}${legacydir}/reload
|