From ca9983ce34a07dfd5a1b899d9fca41030fe47a9103b05e4e98bbeea4f4b253e9 Mon Sep 17 00:00:00 2001 From: Tony Jones Date: Tue, 3 Dec 2013 22:28:29 +0000 Subject: [PATCH 1/2] Accepting request 209349 from home:jones_tony:branches:security OBS-URL: https://build.opensuse.org/request/show/209349 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=57 --- audit-2.2.3.tar.gz | 3 -- audit-2.3.2.tar.gz | 3 ++ audit-allow-manual-stop.patch | 23 +++++++++++++++ audit-secondary.changes | 11 ++++++++ audit-secondary.spec | 44 +++++++++++++++-------------- audit.changes | 53 +++++++++++++++++++++++++++++++++++ audit.spec | 2 +- 7 files changed, 114 insertions(+), 25 deletions(-) delete mode 100644 audit-2.2.3.tar.gz create mode 100644 audit-2.3.2.tar.gz create mode 100644 audit-allow-manual-stop.patch diff --git a/audit-2.2.3.tar.gz b/audit-2.2.3.tar.gz deleted file mode 100644 index fc4373c..0000000 --- a/audit-2.2.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2fc8f97020121593f516dc011ef61f39043c4cea9b2cb9ab3849bf9e41dedf02 -size 910762 diff --git a/audit-2.3.2.tar.gz b/audit-2.3.2.tar.gz new file mode 100644 index 0000000..9853a26 --- /dev/null +++ b/audit-2.3.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8872e0b5392888789061db8034164305ef0e1b34543e1e7004d275f039081d29 +size 947897 diff --git a/audit-allow-manual-stop.patch b/audit-allow-manual-stop.patch new file mode 100644 index 0000000..21b18f3 --- /dev/null +++ b/audit-allow-manual-stop.patch 
@@ -0,0 +1,23 @@ +From: Tony Jones +Subject: allow service stop +References: https://lists.fedoraproject.org/pipermail/devel/2012-June/169411.html +References: https://www.redhat.com/archives/linux-audit/2013-July/msg00048.html +--- + +legacy-actions is Fedora specific, so blocking manual stop won't work for +SuSE since we lack the ability to use a custom stop/restart + + + init.d/auditd.service | 1 - + 1 file changed, 1 deletion(-) + +--- a/init.d/auditd.service ++++ b/init.d/auditd.service +@@ -4,7 +4,6 @@ DefaultDependencies=no + After=local-fs.target + Conflicts=shutdown.target + Before=sysinit.target shutdown.target +-RefuseManualStop=yes + + [Service] + ExecStart=/sbin/auditd -n diff --git a/audit-secondary.changes b/audit-secondary.changes index d38eb56..dabec0d 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Nov 26 18:28:58 UTC 2013 - tonyj@suse.com + +- Update to version 2.3.2. See audit.spec (libaudit1) for upstream + changelog +- Drop patch 'audit-fix-implicit-defn.patch' (upstream) +- Add patch 'audit-allow-manual-stop.patch' to reinstate service + stop/restart. +- /etc/sysconfig/audit still existed but was no longer referenced + by systemd, so remove + ------------------------------------------------------------------- Wed Oct 2 12:48:50 UTC 2013 - opensuse@cboltz.de diff --git a/audit-secondary.spec b/audit-secondary.spec index 9dd1945..fda5e39 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec 
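Review bot: The description in `audit-allow-manual-stop.patch` says why `RefuseManualStop=yes` is dropped but not what is given up. The upstream 2.3.1 changelog added by this same commit lists "Don't use systemctl to stop the audit daemon", and the removed line is what enforced that in the unit. With it gone, `systemctl stop auditd` works, and a stop requested that way presumably reaches auditd from systemd rather than from the administrator's login session, so the daemon-stop record may not identify who asked for it; this is inferred from the referenced threads, not from the hunk. I would add a line to the description such as `Note: a stop issued through systemctl may not be attributed to the requesting login in the audit trail`. An `Upstream: never` tag, like the ones the other patches in this package carry, would also help.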
@@ -30,17 +30,15 @@ BuildRequires: swig Summary: Secondary packages for audit License: GPL-2.0+ Group: System/Monitoring -Version: 2.2.3 +Version: 2.3.2 Release: 0 Url: http://people.redhat.com/sgrubb/audit/ Source0: http://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.gz -Source2: auditd.sysconfig Patch1: audit-plugins-path.patch Patch2: audit-no-gss.patch Patch3: audit-no_m4_dir.patch -Patch4: audit-fix-implicit-defn.patch +Patch4: audit-allow-manual-stop.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: %insserv_prereq %fillup_prereq BuildRequires: audit-devel = %{version} BuildRequires: autoconf >= 2.12 BuildRequires: gcc-c++ @@ -108,19 +106,17 @@ export LDFLAGS="-Wl,-z,relro,-z,now" %{__make} %{?_smp_mflags} %install -mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,audispd/plugins.d,init.d}} +mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{audispd/plugins.d,init.d}} mkdir -p $RPM_BUILD_ROOT/usr/sbin mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8} make DESTDIR=$RPM_BUILD_ROOT install -mkdir -p $RPM_BUILD_ROOT/var/adm/fillup-templates -cp %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.auditd mkdir -p $RPM_BUILD_ROOT/var/log/audit/ touch $RPM_BUILD_ROOT/var/log/audit/audit.log mkdir -p $RPM_BUILD_ROOT/var/spool/audit/ # For ghost below, so that old location files will still be there when # post copy runs -touch $RPM_BUILD_ROOT/etc/{auditd.conf,audit.rules} +touch $RPM_BUILD_ROOT/etc/{auditd.conf,audit.rules} $RPM_BUILD_ROOT/etc/audit/auditd.conf # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf 
@@ -128,6 +124,9 @@ touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf rm -rf $RPM_BUILD_ROOT/etc/sysconfig/auditd rm -rf $RPM_BUILD_ROOT/etc/init.d/auditd rm -rf $RPM_BUILD_ROOT/etc/rc.d/init.d +# delete redhat systemd legacy scripts, our systemd doesn't support the feature +# https://lists.fedoraproject.org/pipermail/devel/2012-June/169411.html +rm -rf $RPM_BUILD_ROOT/usr/lib/audit # Clean up some unneeded library files rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/_audit.a rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/_audit.la @@ -147,7 +146,7 @@ rm -rf $RPM_BUILD_ROOT/%{_mandir}/man3 # audisp-remote shouldn't be in /sbin either, it's not 'essential' mv $RPM_BUILD_ROOT/sbin/{audispd-zos-remote,audisp-remote} $RPM_BUILD_ROOT/usr/sbin #USR-MERGE -for prog in auditctl auditd ausearch autrace audispd aureport; do +for prog in auditctl auditd ausearch autrace audispd aureport augenrules; do [ \! -f %{buildroot}/sbin/$prog ] || mv %{buildroot}/sbin/$prog %{buildroot}/usr/sbin/$prog ln -s %{_prefix}/sbin/$prog %{buildroot}/sbin/$prog done @@ -159,15 +158,15 @@ done make check %post -n audit -%{fillup_only -n auditd} -# Save existing audit files if any (from old location) +# Save existing audit files if any (from old locations) if [ -f /etc/auditd.conf ]; then mv /etc/audit/auditd.conf /etc/audit/auditd.conf.new mv /etc/auditd.conf /etc/audit/auditd.conf fi if [ -f /etc/audit.rules ]; then - mv /etc/audit/audit.rules /etc/audit/audit.rules.new mv /etc/audit.rules /etc/audit/audit.rules +elif [ ! -f /etc/audit/auditd.conf ]; then + cp /etc/audit/rules.d/audit.rules /etc/audit/audit.rules fi %service_add_post auditd.service 
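Review bot: In the `%post -n audit` hunk, the branch for a legacy `/etc/audit.rules` now moves that file over `/etc/audit/audit.rules` without the copy that the removed `.new` line used to keep. On a system that has both files, the rules file under `/etc/audit` is replaced by the old-location one with nothing left to compare or restore. A guarded backup keeps the earlier behaviour without failing when the target is absent: `[ ! -f /etc/audit/audit.rules ] || mv /etc/audit/audit.rules /etc/audit/audit.rules.new`. A one-line comment above the `elif` would also help, e.g. `# No rules file yet: seed it from the packaged rules.d default`. The scriptlet may continue past the end of the hunk.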
@@ -197,20 +196,23 @@ fi %attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz -%attr(750,root,root) /sbin/auditctl +%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz +/sbin/auditctl %attr(750,root,root) /usr/sbin/auditctl -%attr(750,root,root) /sbin/auditd +/sbin/auditd %attr(750,root,root) /usr/sbin/auditd -%attr(755,root,root) /sbin/ausearch +/sbin/ausearch %attr(755,root,root) /usr/sbin/ausearch -%attr(750,root,root) /sbin/autrace +/sbin/autrace %attr(750,root,root) /usr/sbin/autrace -%attr(750,root,root) /sbin/audispd +/sbin/audispd +%attr(750,root,root) /usr/sbin/augenrules +/sbin/augenrules %attr(750,root,root) /usr/sbin/audispd %attr(755,root,root) /usr/bin/aulast %attr(755,root,root) /usr/bin/aulastlog %attr(755,root,root) /usr/bin/ausyscall -%attr(755,root,root) /sbin/aureport +/sbin/aureport %attr(755,root,root) /usr/sbin/aureport %attr(755,root,root) /usr/bin/auvirt %dir %attr(750,root,root) /etc/audit @@ -220,10 +222,10 @@ fi %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf %ghost /etc/auditd.conf %ghost /etc/audit.rules -%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf -%config(noreplace) %attr(640,root,root) /etc/audit/audit.rules +%dir %attr(750,root,root) /etc/audit/rules.d +%config %attr(640,root,root) /etc/audit/rules.d/audit.rules +%ghost /etc/audit/auditd.conf %config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf -/var/adm/fillup-templates/sysconfig.auditd %dir %attr(700,root,root) /var/log/audit %ghost %config(noreplace) /var/log/audit/audit.log %dir %attr(700,root,root) /var/spool/audit diff --git a/audit.changes b/audit.changes index 289ce42..2156ee3 100644 --- a/audit.changes +++ b/audit.changes 
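Review bot: `/etc/audit/audit.rules` is dropped from `%files` in the last hunk of this section while `%post` still creates it with `mv` or `cp`, so the rules file is no longer owned by the package, and the `%files` hunk in PATCH 2/2 does not restore it. As far as I know, on upgrade rpm removes files that the old package owned and the new one does not (a modified `%config` file is renamed to `.rpmsave`), and it does so after the new `%post` has run. An upgraded system could therefore end up without its rules file; this should be confirmed with an upgrade test. Listing it as `%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules` would keep ownership, let `rpm -V` check owner and mode, and preserve the administrator's edits.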
@@ -1,3 +1,56 @@ +------------------------------------------------------------------- +Tue Nov 26 18:26:57 UTC 2013 - tonyj@suse.com + +- Update to version 2.3.2 + + Changelog 2.3.2 + - Put RefuseManualStop in the right systemd section (#969345) + - Add legacy restart scripts for systemd support + - Add more syscall argument interpretations + - Add 'unset' keyword for uid & gid values in auditctl + - In ausearch, parse obj in IPC records + - In ausearch, parse subj in DAEMON_ROTATE records + - Fix interpretation of MQ_OPEN and MQ_NOTIFY events + - In auditd, restart dispatcher on SIGHUP if it had previously exited + - In audispd, exit when no active plugins are detected on reconfigure + - In audispd, clear signal mask set by libev so that SIGHUP works again + - In audispd, track binary plugins and restart if binary was updated + - In audispd, make sure we send signals to the correct process + - In auditd, clear signal mask when spawning any child process + - In audispd, make builtin plugins respond to SIGHUP + - In auparse, interpret mode flags of open syscall if O_CREAT is passed + - In audisp-remote, don't make address lookup always a permanent failure + - In audisp-remote, remove EOE events more efficiently + - In auditd, log the reason when email account is not valid + - In audisp-remote, change default remote_ending action to reconnect + - Add support for Aarch64 processors + + Changelog 2.3.1 + - Rearrange auditd setting enabled and pid to avoid a race (#910568) + - Interpret the ocomm field from OBJ_PID records + - Fix missing 'then' statement in sysvinit script + - Switch ausearch to use libauparse for interpretting fields + - In libauparse, interpret prctl arg0, sched_setscheduler arg1 + - In auparse, check source_list isn't NULL when opening next file (Liequan Che) + - In libauparse, interpret send* flags argument + - In libauparse, interpret level and name options for set/getsockopt + - In ausearch/report, don't flush events until last file (Burn Alting) 
+ - Don't use systemctl to stop the audit daemon + + Changelog 2.3 + - The clone(2) man page is really clone(3), fix interpretation of clone syscall + - Add systemd support for reload (#901533) + - Allow -F msgtype on the user filter + - Add legacy support for resuming logging under systemd (#830780) + - Add legacy support for rotating logs under systemd (#916611) + - In auditd, collect SIGUSR2 info for DAEMON_RESUME events + - Updated man pages + - Update libev to 4.15 + - Update syscall tables for 3.9 kernel + - Interpret MQ_OPEN events + - Add augenrules support (Burn Alting) + - Consume less stack sending audit events + ------------------------------------------------------------------- Fri Jun 28 09:30:54 UTC 2013 - coolo@suse.com diff --git a/audit.spec b/audit.spec index 92eefa6..6809116 100644 --- a/audit.spec +++ b/audit.spec @@ -20,7 +20,7 @@ Name: audit Summary: First part of auditing package License: GPL-2.0+ Group: System/Monitoring -Version: 2.2.3 +Version: 2.3.2 Release: 0 Url: http://people.redhat.com/sgrubb/audit/ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz From 87bc3dd49c21a9b09e74bb464c4259300733615ebdb4d8a6cb953d352555926a Mon Sep 17 00:00:00 2001 From: Tony Jones Date: Wed, 4 Dec 2013 07:41:29 +0000 Subject: [PATCH 2/2] Accepting request 209366 from home:jones_tony:branches:security OBS-URL: https://build.opensuse.org/request/show/209366 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=58 --- audit-fix-implicit-defn.patch | 16 ---------------- audit-no_plugins.patch | 33 --------------------------------- audit-secondary.changes | 2 ++ audit-secondary.spec | 4 ++-- audit.spec | 5 ++--- auditd.sysconfig | 15 --------------- 6 files changed, 6 insertions(+), 69 deletions(-) delete mode 100644 audit-fix-implicit-defn.patch delete mode 100644 audit-no_plugins.patch delete mode 100644 auditd.sysconfig 
diff --git a/audit-fix-implicit-defn.patch b/audit-fix-implicit-defn.patch deleted file mode 100644 index e6dbb6d..0000000 --- a/audit-fix-implicit-defn.patch +++ /dev/null @@ -1,16 +0,0 @@ -From: Tony Jones -Subject: fix implicit definition warnings -Upstream: pending - -Fixes "W: audit-secondary implicit-pointer-decl auvirt.c:984" - ---- a/tools/auvirt/auvirt.c -+++ b/tools/auvirt/auvirt.c -@@ -25,6 +25,7 @@ - #include - #include - #include -+#include - #include - #include - #include diff --git a/audit-no_plugins.patch b/audit-no_plugins.patch deleted file mode 100644 index 94925da..0000000 --- a/audit-no_plugins.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Tony Jones -Subject: Disable automatic building of plugins -Upsteam: never - -Non builtin plugins is build as part of phase2 by audit-secondary.spec. -Conf files for builtins are still installed - ---- - audisp/plugins/Makefile.am | 2 +- - docs/Makefile.am | 3 +-- - 2 files changed, 2 insertions(+), 3 deletions(-) - ---- a/audisp/plugins/Makefile.am -+++ b/audisp/plugins/Makefile.am -@@ -22,7 +22,7 @@ - - CONFIG_CLEAN_FILES = *.loT *.rej *.orig - --SUBDIRS = builtins zos-remote remote -+SUBDIRS = builtins - #SUBDIRS = builtins zos-remote - if HAVE_PRELUDE - SUBDIRS += prelude ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -53,6 +53,5 @@ ausearch_add_expression.3 ausearch_add_t - ausearch_clear.3 \ - ausearch_next_event.3 ausearch_set_stop.3 \ - autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \ --audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \ --zos-remote.conf.5 -+audispd.8 audispd.conf.5 libaudit.conf.5 - diff --git a/audit-secondary.changes b/audit-secondary.changes index dabec0d..f32f09a 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes 
@@ -8,6 +8,8 @@ Tue Nov 26 18:28:58 UTC 2013 - tonyj@suse.com stop/restart. - /etc/sysconfig/audit still existed but was no longer referenced by systemd, so remove +- Delete audit-no_plugins.patch, it was stale (no longer referenced + by specfiles) but had not been removed. ------------------------------------------------------------------- Wed Oct 2 12:48:50 UTC 2013 - opensuse@cboltz.de diff --git a/audit-secondary.spec b/audit-secondary.spec index fda5e39..5fa21e4 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec @@ -165,7 +165,7 @@ if [ -f /etc/auditd.conf ]; then fi if [ -f /etc/audit.rules ]; then mv /etc/audit.rules /etc/audit/audit.rules -elif [ ! -f /etc/audit/auditd.conf ]; then +elif [ ! -f /etc/audit/audit.rules ]; then cp /etc/audit/rules.d/audit.rules /etc/audit/audit.rules fi %service_add_post auditd.service @@ -222,9 +222,9 @@ fi %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf %ghost /etc/auditd.conf %ghost /etc/audit.rules +%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf %dir %attr(750,root,root) /etc/audit/rules.d %config %attr(640,root,root) /etc/audit/rules.d/audit.rules -%ghost /etc/audit/auditd.conf %config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf %dir %attr(700,root,root) /var/log/audit %ghost %config(noreplace) /var/log/audit/audit.log diff --git a/audit.spec b/audit.spec index 6809116..410eb3f 100644 --- a/audit.spec +++ b/audit.spec @@ -24,9 +24,8 @@ Version: 2.3.2 Release: 0 Url: http://people.redhat.com/sgrubb/audit/ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz -Source2: auditd.sysconfig -Source3: baselibs.conf -Source4: README-BEFORE-ADDING-PATCHES +Source1: baselibs.conf +Source2: README-BEFORE-ADDING-PATCHES Patch1: audit-no_m4_dir.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf >= 2.12 diff --git a/auditd.sysconfig b/auditd.sysconfig deleted file mode 100644 index 75fac98..0000000 
--- a/auditd.sysconfig
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-## Type: string
-## Default: "yes"
-#
-# This option is used to determine if rules & watches should be deleted on
-# shutdown. This is beneficial in most cases so that a watch doesn't linger
-# on a drive that is being unmounted. If set to no, it will NOT be cleaned up.
-AUDITD_CLEAN_STOP="yes"
-#
-## Type: yesno
-## Default: yes
-#
-# This option disables syscall auditing by default. This can also be
-# accomplished by auditctl -e.
-AUDITD_DISABLE_CONTEXTS="yes"