diff --git a/audit-3.1.1.tar.gz b/audit-3.1.1.tar.gz deleted file mode 100644 index 16cf0d9..0000000 --- a/audit-3.1.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:46e46b37623cce09e6ee134e78d668afc34f4e1c870c853ef12e4193078cfe87 -size 1218111 diff --git a/audit-4.0.2.tar.gz b/audit-4.0.2.tar.gz new file mode 100644 index 0000000..5d7f09b --- /dev/null +++ b/audit-4.0.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d5d1b5d50ee4a2d0d17875bc6ae6bd6a7d5b34d9557ea847a39faec531faaa0a +size 1198769 diff --git a/audit-allow-manual-stop.patch b/audit-allow-manual-stop.patch index 82663c3..dcc3a79 100644 --- a/audit-allow-manual-stop.patch +++ b/audit-allow-manual-stop.patch @@ -11,15 +11,12 @@ SUSE since we lack the ability to use a custom stop/restart init.d/auditd.service | 1 - 1 file changed, 1 deletion(-) -Index: audit-3.0.9/init.d/auditd.service -=================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service -@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s +--- audit-4.0.2.orig/init.d/auditd.service.in 2024-08-08 19:40:19.000000000 +0200 ++++ audit-4.0.2/init.d/auditd.service.in 2025-06-12 12:09:00.612234841 +0200 +@@ -21,7 +21,6 @@ Before=sysinit.target shutdown.target - ##Before=shutdown.target + #Before=shutdown.target Conflicts=shutdown.target -RefuseManualStop=yes - ConditionKernelCommandLine=!audit=0 - ConditionKernelCommandLine=!audit=off - + + Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation diff --git a/audit-secondary.changes b/audit-secondary.changes index e1fb40f..1f8631f 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes 
@@ -1,3 +1,121 @@ +------------------------------------------------------------------- +Tue Jun 10 14:24:47 UTC 2025 - Wolfgang Frisch + +- Refresh systemd service patches: + - audit-allow-manual-stop.patch + - auditd.service-fix-plugin-termination.patch + - enable-stop-rules.patch + - fix-hardened-service.patch + - harden_auditd.service.patch + +- Update to 4.0.2 + - Fix musl C builds + - Many code cleanups (Yugend) + - Use atomic variables if available for signal related flags + - Dont rotate audit logs when auditd is in debug mode + - Fix a couple memory leaks on error paths + - Correct output when displaying rules with exe/path/dir (Attila Lakatos) + - Fix auparse lookup test to not use the system libaupaurse + - Improve auparse metrics + - Update auparse normalizer for recent syscalls + - Make status report uniform + +- Update to 4.0.1 + - Update TRUSTED_APP interpretation to look for known fields + - In auditd plugins, allow variable amount of arguments (Attila Lakatos) + - Fix augenrules to work correctly when kernel is in immutable mode + - Add ausearch_cur_event to auparse library (Attila Lakatos) + - Add audisp-filter plugin (Attila Lakatos) + - Improve sorting speed of aureport --summary reports + - auditd & audit-rules.service pick up paths automatically (Laurent Bigonville) + - Update auparse normalizer for new syscalls + +------------------------------------------------------------------- +Fri Oct 4 16:06:06 UTC 2024 - Enzo Matsumiya + +- Update audit.spec (bsc#1231236): + * add requirement for 'awk' package + * move some %post logic from audit to audit-rules + +------------------------------------------------------------------- +Wed Oct 2 11:15:07 UTC 2024 - Enzo Matsumiya + +- Readd audit-allow-manual-stop.patch (removed by mistake) + +------------------------------------------------------------------- +Tue Oct 1 14:43:13 UTC 2024 - Enzo Matsumiya + +- Fix plugin termination when using systemd service units (bsc#1215377) + * add 
auditd.service-fix-plugin-termination.patch + +------------------------------------------------------------------- +Thu Sep 26 16:51:29 UTC 2024 - Enzo Matsumiya + +- Update audit-secondary.spec: + * Add "Requires: audit-rules" for audit package + * Remove preun/postun handling of audit-rules.service + +------------------------------------------------------------------- +Tue Sep 17 18:23:15 UTC 2024 - Enzo Matsumiya + +- Update to 4.0 + - Drop python2 support + - Drop auvirt and autrace programs + - Drop SysVinit support + - Require the use of the 5.0 or later kernel headers + - New README.md file + - Rewrite legacy service functions in terms of systemctl + - Consolidate and update end of event detection to a common function + - Split off rule loading from auditd.service into audit-rules.service + - Refactor libaudit.h to split out logging functions and record numbers + - Speed up aureport --summary reports + - Limit libaudit python bindings to logging functions + - Add a metrics function for auparse + - Change auditctl to use pidfd_send_signal for signaling auditd + - Adjust watches to optimize syscalls hooked when watch file access + - Drop nispom rules + - Add intepretations for fsconfig, fsopen, fsmount, & move_mount + - Many code fixups (cgzones) + - Update syscall and interpretation tables to the 6.8 kernel + (from v3.1.2) + - When processing a run level change, make auditd exit + - In auditd, fix return code when rules added in immutable mode + - In auparse, when files are given, also consider EUID for access + - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya) + - Disable Python bindings from setting rules due to swig bug (S. 
Trofimovich) + - Update all lookup tables for the 6.5 kernel + - Don't be as paranoid about auditctl -R file permissions + - In ausearch, correct subject/object search to be an and if both are given + - Adjust formats for 64 bit time_t + - Fix segfault in python bindings around the feed API + - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings + +- Update spec: + * Move rules-related files into new subpackage `audit-rules': + * Files moved: + - /sbin/auditctl, /sbin/augenrules, + /etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules} + - manpages for auditctl, augenrules, and audit.rules + - /etc/audit is now owned by `audit-rules' as well + * Add new file /usr/lib/systemd/system/audit-rules.service + * Remove in-house create-augenrules-service.patch that generated + augenrules.service systemd unit service + * Remove ownership of /usr/share/audit + * Create /usr/share/audit-rules directory on %install + * Remove audit-userspace-517-compat.patch (fixed upstream) + * Remove libev-werror.patch (fixed upstream) + * Remove audit-allow-manual-stop.patch (fixed upstream) + * Add fix-auparse-test.patch (downstream): + Upstream tests uses a static value (42) for 'gdm' uid/gid (based + on Fedora values, apparently). Replace these occurrences with + 'unknown(123456)' + * Replace '--with-python' with '--with-python3' on %configure + * Remove autrace and auvirt references (upstream) + * Replace README with README.md +- Drop `--enable-systemd' from %configure as SysV-style scripts + aren't supported in upstream since + 113ae191758c ("Drop support for SysVinit") + ------------------------------------------------------------------- Mon Aug 5 08:50:50 UTC 2024 - Thorsten Kukuk diff --git a/audit-secondary.spec b/audit-secondary.spec index 6140594..119abee 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec 
@@ -1,7 +1,7 @@ # # spec file for package audit-secondary # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -22,7 +22,7 @@ # The seperation is required to minimize unnecessary build cycles. %define _name audit Name: audit-secondary -Version: 3.1.1 +Version: 4.0.2 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -32,16 +32,15 @@ Source0: https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.g Source1: system-group-audit.conf Patch1: audit-plugins-path.patch Patch2: audit-no-gss.patch -Patch3: audit-allow-manual-stop.patch -Patch4: audit-ausearch-do-not-require-tclass.patch -Patch5: change-default-log_group.patch -Patch6: libev-werror.patch -Patch7: harden_auditd.service.patch -Patch8: change-default-log_format.patch -Patch9: fix-hardened-service.patch -Patch10: enable-stop-rules.patch -Patch11: create-augenrules-service.patch -Patch12: audit-userspace-517-compat.patch +Patch3: audit-ausearch-do-not-require-tclass.patch +Patch4: change-default-log_group.patch +Patch5: harden_auditd.service.patch +Patch6: change-default-log_format.patch +Patch7: fix-hardened-service.patch +Patch8: enable-stop-rules.patch +Patch9: fix-auparse-test.patch +Patch10: auditd.service-fix-plugin-termination.patch +Patch11: audit-allow-manual-stop.patch BuildRequires: audit-devel = %{version} BuildRequires: autoconf >= 2.12 BuildRequires: kernel-headers >= 2.6.30 @@ -71,6 +70,7 @@ Summary: User Space Tools for Kernel Auditing License: LGPL-2.1-or-later Group: System/Monitoring Requires: %{_name}-libs = %{version} +Requires: %{_name}-rules = %{version} Requires: coreutils Requires: group(audit) %{?systemd_ordering} 
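Review bot: `BuildRequires: kernel-headers >= 2.6.30` is left untouched as context in hunk `@@ -32,16 +32,15 @@` while the same hunk's neighbour bumps `Version:` to 4.0.2, yet audit-secondary.changes in this commit records that 4.0 "Require[s] the use of the 5.0 or later kernel headers"; the floor no longer describes what the build needs and should be raised, e.g. `BuildRequires: kernel-headers >= 5.0`. The identical stale line is context in audit.spec (`@@ -33,11 +33,13 @@`), so both specs need the change. The renumbered Patch3–Patch11 list re-adds `audit-allow-manual-stop.patch` as Patch11, but the `%patch`/`%autosetup` lines that apply them are outside these hunks, so whether every entry is actually applied cannot be checked here.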
@@ -80,10 +80,20 @@ The audit package contains the user space utilities for storing and processing the audit records generated by the audit subsystem in the Linux kernel. +%package -n audit-rules +Summary: Rules and utilities for audit +License: LGPL-2.1-or-later +Requires: gawk +Recommends: audit = %{version}-%{release} + +%description -n audit-rules +The audit rules package contains the rules and utilities to load audit rules. + %package -n system-group-audit Summary: System group 'audit' License: LGPL-2.1-or-later Group: System/Fhs +BuildArch: noarch %sysusers_requires %description -n system-group-audit @@ -148,7 +158,6 @@ export LDFLAGS="-Wl,-z,relro,-z,now" %ifarch arm --with-arm \ %endif - --enable-systemd \ --libexecdir=%{_libexecdir}/%{_name} \ --with-apparmor \ --with-libwrap \ @@ -162,7 +171,8 @@ export LDFLAGS="-Wl,-z,relro,-z,now" %sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf %install -%make_install +# Set $PYTHON3 here so py-compile works correctly on distros that doesn't ship /usr/bin/python +%make_install PYTHON3=$(realpath %__python3) mkdir -p %{buildroot}%{_localstatedir}/log/audit/ touch %{buildroot}%{_localstatedir}/log/audit/audit.log @@ -173,7 +183,8 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/ # post copy runs mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/ mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/rules.d/ -touch %{buildroot}%{_sysconfdir}/{auditd.conf,audit.rules} %{buildroot}%{_sysconfdir}/audit/auditd.conf +mkdir -p %{buildroot}%{_datadir}/%{_name}-rules +touch %{buildroot}%{_sysconfdir}/audit/{auditd.conf,audit.rules} # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp touch -r ./audit.spec %{buildroot}%{_sysconfdir}/libaudit.conf # Starting with audit 2.5 no config is installed so start with no rules 
@@ -201,7 +212,7 @@ rm -rf %{buildroot}/%{_mandir}/man3
 #USR-MERGE
 %if 0%{?suse_version} < 1550
 mkdir %{buildroot}/sbin/
-for prog in auditctl auditd ausearch autrace aureport augenrules; do
+for prog in auditctl auditd ausearch aureport augenrules; do
 ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
 done
 %endif
@@ -211,95 +222,119 @@ done ln -s service %{buildroot}%{_sbindir}/rcauditd %endif chmod 0644 %{buildroot}%{_unitdir}/auditd.service -chmod 0644 %{buildroot}%{_unitdir}/augenrules.service %check %make_build check %post -n audit -# Save existing audit files if any (from old locations) +# Save existing auditd.conf if any (from old locations) if [ -f %{_sysconfdir}/auditd.conf ]; then mv %{_sysconfdir}/audit/auditd.conf %{_sysconfdir}/audit/auditd.conf.new mv %{_sysconfdir}/auditd.conf %{_sysconfdir}/audit/auditd.conf fi -if [ -f %{_sysconfdir}/audit.rules ]; then - mv %{_sysconfdir}/audit.rules %{_sysconfdir}/audit/audit.rules -elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then - cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules -fi %service_add_post auditd.service -%service_add_post augenrules.service + +%post -n audit-rules +if [ -f %{_sysconfdir}/audit.rules ]; then + # If /etc/audit.rules exists, move into the expected default place /etc/audit/audit.rules. + mv %{_sysconfdir}/audit.rules %{_sysconfdir}/%{_name}/audit.rules +else + # We only expect /etc/audit/audit.rules to exist. If it doesn't, augenrules --load will create + # it with the rules in /etc/audit/rules.d. + # + # If /etc/audit/rules.d is empty, copy the default rules file (no-rules). 
+ files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w` + if [ "$files" -eq 0 ] ; then + touch %{_sysconfdir}/%{_name}/audit.rules + install -m 0600 %{_datadir}/audit-rules/10-no-audit.rules %{_sysconfdir}/%{_name}/rules.d/audit.rules + # Make the new rules active + fi + augenrules --load +fi +%service_add_post audit-rules.service %pre -n audit %service_add_pre auditd.service -%service_add_pre augenrules.service + +%pre -n audit-rules +%service_add_pre audit-rules.service %pre -n system-group-audit -f audit.pre %preun -n audit %service_del_preun auditd.service -%service_del_preun augenrules.service + +%preun -n audit-rules +# If uninstalling, delete the rules loaded in the kernel +if [ $1 -eq 0 ]; then + auditctl -D > /dev/null 2>&1 +fi +%service_del_preun audit-rules.service %postun -n audit %service_del_postun auditd.service -%service_del_postun augenrules.service + +%postun -n audit-rules +%service_del_postun audit-rules.service %files -n audit %license COPYING -%doc README ChangeLog init.d/auditd.cron -%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz +%doc README.md ChangeLog init.d/auditd.cron %attr(644,root,root) %{_mandir}/man8/auditd.8.gz %attr(644,root,root) %{_mandir}/man8/aureport.8.gz %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz -%attr(644,root,root) %{_mandir}/man8/autrace.8.gz %attr(644,root,root) %{_mandir}/man8/aulast.8.gz %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz -%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz -%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz -%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz %attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz %if 0%{?suse_version} < 1550 -/sbin/auditctl /sbin/auditd /sbin/ausearch -/sbin/autrace -/sbin/augenrules /sbin/aureport %endif -%attr(750,root,root) %{_sbindir}/auditctl %attr(750,root,root) 
%{_sbindir}/auditd %attr(755,root,root) %{_sbindir}/ausearch -%attr(750,root,root) %{_sbindir}/autrace -%attr(750,root,root) %{_sbindir}/augenrules %attr(750,root,root) %{_sbindir}/audisp-syslog %attr(755,root,root) %{_bindir}/aulast %attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/ausyscall %attr(755,root,root) %{_sbindir}/aureport %attr(755,root,root) %{_sbindir}/audisp-af_unix -%attr(755,root,root) %{_bindir}/auvirt %dir %attr(750,root,root) %{_sysconfdir}/audit -%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d +%dir %attr(750,root,root) %{_sysconfdir}/audit/plugins.d %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf %ghost %{_sysconfdir}/auditd.conf -%ghost %{_sysconfdir}/audit.rules %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf -%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules -%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules %dir %attr(750,root,audit) %{_localstatedir}/log/audit %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log %dir %attr(700,root,root) %{_localstatedir}/spool/audit %{_unitdir}/auditd.service -%{_unitdir}/augenrules.service %if 0%{?suse_version} < 1550 %{_sbindir}/rcauditd %endif -%{_datadir}/audit/ + +%files -n audit-rules +%dir %attr(755,root,root) %{_datadir}/audit-rules +%attr(644,root,root) %{_datadir}/audit-rules/* +%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz +%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz +%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz +%if 0%{?suse_version} < 1550 +/sbin/auditctl +/sbin/augenrules +%endif +%attr(750,root,root) %{_sbindir}/auditctl +%attr(750,root,root) %{_sbindir}/augenrules +%attr(644,root,root) %{_unitdir}/audit-rules.service +%dir %attr(750,root,root) 
%{_sysconfdir}/audit +%ghost %{_sysconfdir}/audit.rules +%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d +%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules +%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit.rules +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules %files -n system-group-audit %{_sysusersdir}/system-group-audit.conf @@ -308,12 +343,13 @@ fi %files -n python2-audit %attr(755,root,root) %{python2_sitearch}/_audit.so %attr(755,root,root) %{python2_sitearch}/auparse.so -%{python2_sitearch}/audit.py* +%attr(644,root,root) %{python2_sitearch}/audit.py* %endif %if %{with python3} %files -n python3-audit %attr(755,root,root) %{python3_sitearch}/* +%attr(644,root,root) %{python3_sitearch}/audit.py* %endif %files -n audit-audispd-plugins @@ -323,13 +359,17 @@ fi %attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz +%attr(644,root,root) %{_mandir}/man8/audisp-filter.8.gz %attr(750,root,root) %dir %{_sysconfdir}/audit %attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf %attr(750,root,root) %{_sbindir}/audisp-remote %attr(750,root,root) %{_sbindir}/audispd-zos-remote +%attr(750,root,root) %{_sbindir}/audisp-filter %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-filter.conf +%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/filter.conf %changelog diff --git a/audit-userspace-517-compat.patch b/audit-userspace-517-compat.patch deleted file mode 100644 index 6d3b72e..0000000 
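Review bot: In `%post -n audit-rules` the default rules file is placed with `install -m 0600`, but `%files -n audit-rules` declares the same path as `%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules`, so the scriptlet and the manifest disagree and `rpm -V` will flag the mode; the preceding `touch %{_sysconfdir}/%{_name}/audit.rules` is worse, since it creates the file under the scriptlet's umask rather than the declared 640, and a rules file tells a reader exactly what is and is not audited, so it should not be left world-readable. The emptiness test `files=\`ls /etc/audit/rules.d/ 2>/dev/null | wc -w\`` counts words rather than entries and is the only line in the scriptlet that hard-codes `/etc/audit` instead of `%{_sysconfdir}/%{_name}`. The comment `# Make the new rules active` sits inside the `if` while `augenrules --load` comes after `fi`, so every install or upgrade that takes the else branch reloads the kernel rule set from inside the package transaction — presumably intended for the no-rules case, but worth saying, and its failure (for instance when the running kernel's audit configuration has been locked) is not checked. The rewrite below keeps the structure and addresses these spots; the `%preun -n audit-rules` that runs `auditctl -D` on removal is unchanged.

```spec
%post -n audit-rules
if [ -f %{_sysconfdir}/audit.rules ]; then
  # … unchanged: move the legacy /etc/audit.rules into place …
  mv %{_sysconfdir}/audit.rules %{_sysconfdir}/%{_name}/audit.rules
else
  # If rules.d is empty, ship the default (no-rules) file; augenrules --load
  # then regenerates %{_sysconfdir}/%{_name}/audit.rules from rules.d.
  if [ -z "$(ls %{_sysconfdir}/%{_name}/rules.d/ 2>/dev/null)" ]; then
    # Create both files with the mode declared in %files, not the umask.
    install -m 0640 /dev/null %{_sysconfdir}/%{_name}/audit.rules
    install -m 0640 %{_datadir}/audit-rules/10-no-audit.rules \
      %{_sysconfdir}/%{_name}/rules.d/audit.rules
  fi
  # Make the new rules active (this also runs on upgrades).
  augenrules --load
fi
%service_add_post audit-rules.service
```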
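Review bot: In `%files -n python3-audit` the added `%attr(644,root,root) %{python3_sitearch}/audit.py*` names files already matched by `%attr(755,root,root) %{python3_sitearch}/*` on the line above, so rpmbuild will warn that they are listed twice and which `%attr` wins is not evident from the spec. Either list the directory's contents individually, as the python2 section in the same hunk does with `_audit.so`, `auparse.so` and `audit.py*`, or keep the glob and drop the new line.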
--- a/audit-userspace-517-compat.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Sergei Trofimovich -Date: Wed, 23 Mar 2022 07:27:05 +0000 -Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf -References: https://github.com/linux-audit/audit-userspace/issues/252 -Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49 -Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git] -Patch-mainline: submitted for review upstream - -As it's a flexible array generated code was never safe to use. -With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574 -change it's a build failure now: - - audit> audit_wrap.c:5010:15: error: invalid use of flexible array member - audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size)); - audit> | ^ - -Let's avoid setter generation entirely. - -Closes: https://github.com/linux-audit/audit-userspace/issues/252 ---- - bindings/swig/src/auditswig.i | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i -index 21aafca31..9a2c5661d 100644 ---- a/bindings/swig/src/auditswig.i -+++ b/bindings/swig/src/auditswig.i -@@ -39,6 +39,10 @@ signed - #define __attribute(X) /*nothing*/ - typedef unsigned __u32; - typedef unsigned uid_t; -+/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not: -+ * generating setters against them: https://github.com/swig/swig/issues/1699 -+ */ -+%ignore audit_rule_data::buf; - %include "/usr/include/linux/audit.h" - #define __extension__ /*nothing*/ - %include diff --git a/audit.changes b/audit.changes index c05a79e..87955b9 100644 --- a/audit.changes +++ b/audit.changes 
@@ -1,3 +1,84 @@ +------------------------------------------------------------------- +Tue Jun 10 14:23:54 UTC 2025 - Wolfgang Frisch + +- Refresh systemd service patches: + - audit-allow-manual-stop.patch + - auditd.service-fix-plugin-termination.patch + - enable-stop-rules.patch + - fix-hardened-service.patch + - harden_auditd.service.patch + +- Update to 4.0.2 + - Fix musl C builds + - Many code cleanups (Yugend) + - Use atomic variables if available for signal related flags + - Dont rotate audit logs when auditd is in debug mode + - Fix a couple memory leaks on error paths + - Correct output when displaying rules with exe/path/dir (Attila Lakatos) + - Fix auparse lookup test to not use the system libaupaurse + - Improve auparse metrics + - Update auparse normalizer for recent syscalls + - Make status report uniform + +- Update to 4.0.1 + - Update TRUSTED_APP interpretation to look for known fields + - In auditd plugins, allow variable amount of arguments (Attila Lakatos) + - Fix augenrules to work correctly when kernel is in immutable mode + - Add ausearch_cur_event to auparse library (Attila Lakatos) + - Add audisp-filter plugin (Attila Lakatos) + - Improve sorting speed of aureport --summary reports + - auditd & audit-rules.service pick up paths automatically (Laurent Bigonville) + - Update auparse normalizer for new syscalls + +------------------------------------------------------------------- +Fri Oct 4 16:04:56 UTC 2024 - Enzo Matsumiya + +- Update audit.spec: add requirement for 'awk' package (bsc#1231236) + +------------------------------------------------------------------- +Tue Sep 17 18:20:58 UTC 2024 - Enzo Matsumiya + +- Update to 4.0 + - Drop python2 support + - Drop auvirt and autrace programs + - Drop SysVinit support + - Require the use of the 5.0 or later kernel headers + - New README.md file + - Rewrite legacy service functions in terms of systemctl + - Consolidate and update end of event detection to a common function + - Split off rule 
loading from auditd.service into audit-rules.service + - Refactor libaudit.h to split out logging functions and record numbers + - Speed up aureport --summary reports + - Limit libaudit python bindings to logging functions + - Add a metrics function for auparse + - Change auditctl to use pidfd_send_signal for signaling auditd + - Adjust watches to optimize syscalls hooked when watch file access + - Drop nispom rules + - Add intepretations for fsconfig, fsopen, fsmount, & move_mount + - Many code fixups (cgzones) + - Update syscall and interpretation tables to the 6.8 kernel + (from v3.1.2) + - When processing a run level change, make auditd exit + - In auditd, fix return code when rules added in immutable mode + - In auparse, when files are given, also consider EUID for access + - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya) + - Disable Python bindings from setting rules due to swig bug (S. Trofimovich) + - Update all lookup tables for the 6.5 kernel + - Don't be as paranoid about auditctl -R file permissions + - In ausearch, correct subject/object search to be an and if both are given + - Adjust formats for 64 bit time_t + - Fix segfault in python bindings around the feed API + - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings + +- Update spec: + * Add fix-auparse-test.patch (downstream): + Upstream tests uses a static value (42) for 'gdm' uid/gid (based + on Fedora values, apparently). Replace these occurrences with + 'unknown(123456)' + * Replace '--with-python' with '--with-python3' on %configure + * Add new headers 'audit_logging.h' and 'audit-records.h' for + audit-devel + ------------------------------------------------------------------- Mon Jul 3 08:33:52 UTC 2023 - Paolo Stivanin diff --git a/audit.spec b/audit.spec index b8069e2..4733f60 100644 --- a/audit.spec +++ b/audit.spec 
@@ -1,7 +1,7 @@ # # spec file for package audit # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ %endif Name: audit -Version: 3.1.1 +Version: 4.0.2 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -33,11 +33,13 @@ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Source1: baselibs.conf Source2: README-BEFORE-ADDING-PATCHES Patch0: change-default-log_group.patch +Patch1: fix-auparse-test.patch BuildRequires: autoconf >= 2.12 BuildRequires: kernel-headers >= 2.6.30 BuildRequires: libtool BuildRequires: pkgconfig BuildRequires: tcpd-devel +Requires: gawk Requires: libaudit1 = %{version} Requires: libauparse0 = %{version} Provides: bundled(libev) = 4.33 @@ -98,12 +100,11 @@ export LDFLAGS="-Wl,-z,relro,-z,now" %ifarch arm --with-arm \ %endif - --enable-systemd \ --libexecdir=%{_libexecdir}/%{name} \ --with-apparmor \ --with-libcap-ng=no \ --disable-static \ - --with-python=no \ + --with-python3=no \ --disable-zos-remote %make_build -C common @@ -178,6 +179,8 @@ find %{buildroot} -type f -name "*.la" -delete -print %{_libdir}/libaudit.so %{_libdir}/libauparse.so %{_includedir}/libaudit.h +%{_includedir}/audit_logging.h +%{_includedir}/audit-records.h %{_includedir}/auparse.h %{_includedir}/auparse-defs.h %{_mandir}/man3/* diff --git a/auditd.service-fix-plugin-termination.patch b/auditd.service-fix-plugin-termination.patch new file mode 100644 index 0000000..a958e7e --- /dev/null +++ b/auditd.service-fix-plugin-termination.patch 
@@ -0,0 +1,14 @@ +--- + init.d/auditd.service | 1 + + 1 file changed, 1 insertion(+) + +--- audit-4.0.2.orig/init.d/auditd.service.in 2024-08-08 19:40:19.000000000 +0200 ++++ audit-4.0.2/init.d/auditd.service.in 2025-06-12 12:07:18.450305682 +0200 +@@ -32,6 +32,7 @@ + Restart=on-failure + ## Do not restart for intentional exits. See EXIT CODES section in auditd(8). + RestartPreventExitStatus=2 4 6 ++KillMode=mixed + + ### Security Settings ### + MemoryDenyWriteExecute=true diff --git a/create-augenrules-service.patch b/create-augenrules-service.patch deleted file mode 100644 index 3064bc1..0000000 --- a/create-augenrules-service.patch +++ /dev/null 
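Review bot: The new patch has no description above its diffstat — only `---` and the file list — whereas the sibling downstream patches refreshed in this commit (enable-stop-rules.patch, audit-allow-manual-stop.patch) state their intent in a header. `KillMode=mixed` changes how systemd tears down the auditd cgroup on stop (SIGTERM to the main process only, SIGKILL to whatever remains after the timeout), so the reason and the bug it addresses belong in the patch for whoever refreshes it next; audit-secondary.changes ties it to bsc#1215377. A header along the lines of `Let auditd shut down its own plugins on stop instead of systemd signalling the whole cgroup at once (bsc#1215377).` would do.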
@@ -1,97 +0,0 @@ -Index: audit-3.1.1/init.d/augenrules.service -=================================================================== ---- /dev/null -+++ audit-3.1.1/init.d/augenrules.service -@@ -0,0 +1,29 @@ -+[Unit] -+Description=auditd rules generation -+After=auditd.service -+Documentation=man:augenrules(8) -+ -+[Service] -+Type=oneshot -+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ -+ExecStart=/sbin/augenrules --load -+# We need RemainAfterExit=true so augenrules is called again -+# in case auditd.service is restarted. -+RemainAfterExit=true -+ -+### Security Settings ### -+MemoryDenyWriteExecute=true -+LockPersonality=true -+ProtectControlGroups=true -+ProtectKernelModules=true -+ProtectHome=true -+RestrictRealtime=true -+# for details please see -+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -+ProtectSystem=full -+PrivateDevices=true -+ProtectHostname=true -+ProtectClock=true -+ProtectKernelTunables=true -+ProtectKernelLogs=true -+ReadWritePaths=/etc/audit -Index: audit-3.1.1/init.d/auditd.service -=================================================================== ---- audit-3.1.1.orig/init.d/auditd.service -+++ audit-3.1.1/init.d/auditd.service -@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0 - ConditionKernelCommandLine=!audit=off - - Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation -+Requires=augenrules.service -+# This unit clears rules on stop, so make sure that augenrules runs again -+PropagatesStopTo=augenrules.service - - [Service] - Type=forking - PIDFile=/run/auditd.pid - ExecStart=/sbin/auditd --## To not use augenrules, copy this file to /etc/systemd/system/auditd.service --## and comment/delete the next line and uncomment the auditctl line. 
--## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ --ExecStartPost=-/sbin/augenrules --load -+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service, -+## uncomment the next line, and comment the Requires=augenrules.service above. - #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules - # By default we clear the rules on exit. To disable this, comment - # the next line after copying the file to /etc/systemd/system/auditd.service -@@ -47,7 +48,6 @@ ProtectClock=true - ProtectKernelTunables=true - ProtectKernelLogs=true - # end of automatic additions --ReadWritePaths=/etc/audit - - [Install] - WantedBy=multi-user.target -Index: audit-3.1.1/init.d/Makefile.am -=================================================================== ---- audit-3.1.1.orig/init.d/Makefile.am -+++ audit-3.1.1/init.d/Makefile.am -@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service - auditd.cron libaudit.conf auditd.condrestart \ - auditd.reload auditd.restart auditd.resume \ - auditd.rotate auditd.state auditd.stop \ -- audit-stop.rules augenrules audit-functions -+ audit-stop.rules augenrules audit-functions \ -+ augenrules.service - libconfig = libaudit.conf - if ENABLE_SYSTEMD - initdir = /usr/lib/systemd/system -@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD - mkdir -p ${DESTDIR}${legacydir} - mkdir -p ${DESTDIR}${libexecdir} - $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir} -+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir} - $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate - $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume - $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload -@@ -72,6 +74,7 @@ uninstall-hook: - rm ${DESTDIR}${sysconfdir}/${libconfig} - if ENABLE_SYSTEMD - rm ${DESTDIR}${initdir}/auditd.service -+ rm ${DESTDIR}${initdir}/augenrules.service - rm ${DESTDIR}${legacydir}/rotate - 
rm ${DESTDIR}${legacydir}/resume - rm ${DESTDIR}${legacydir}/reload diff --git a/enable-stop-rules.patch b/enable-stop-rules.patch index 5ef0d37..bd8bdd2 100644 --- a/enable-stop-rules.patch +++ b/enable-stop-rules.patch @@ -11,19 +11,20 @@ Disable audit when auditd.service stops, so kauditd stops logging/running. Signed-off-by: Enzo Matsumiya -Index: audit-3.0.9/init.d/auditd.service -=================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service -@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd - ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ - ExecStartPost=-/sbin/augenrules --load - #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules --# By default we don't clear the rules on exit. To enable this, uncomment +--- + init.d/auditd.service | 4 ++++ + 1 file changed, 4 insertions(+) + +--- audit-4.0.2.orig/init.d/auditd.service.in 2024-08-08 19:40:19.000000000 +0200 ++++ audit-4.0.2/init.d/auditd.service.in 2025-06-12 12:04:22.896698211 +0200 +@@ -29,6 +29,10 @@ + Type=forking + PIDFile=@runstatedir@/auditd.pid + ExecStart=@sbindir@/auditd ++ExecStartPost=-@sbindir@/augenrules --load +# By default we clear the rules on exit. To disable this, comment - # the next line after copying the file to /etc/systemd/system/auditd.service --#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules -+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules ++# the next line after copying the file to /etc/systemd/system/auditd.service ++ExecStopPost=@sbindir@/auditctl -R /etc/audit/audit-stop.rules Restart=on-failure - # Do not restart for intentional exits. See EXIT CODES section in auditd(8). + ## Do not restart for intentional exits. See EXIT CODES section in auditd(8). RestartPreventExitStatus=2 4 6 diff --git a/fix-auparse-test.patch b/fix-auparse-test.patch new file mode 100644 index 0000000..5c0826f --- /dev/null +++ b/fix-auparse-test.patch 
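Review bot: The refreshed hunk now also adds `ExecStartPost=-@sbindir@/augenrules --load` to auditd.service.in, although the patch header above it still only says "Disable audit when auditd.service stops, so kauditd stops logging/running." and the changelog in this commit says 4.0 moved rule loading into audit-rules.service. Presumably the line is there so that rules cleared by the new `ExecStopPost=@sbindir@/auditctl -R /etc/audit/audit-stop.rules` come back when auditd alone is restarted, but the header should say so, e.g. `Also re-load the rules in ExecStartPost so a plain restart of auditd does not leave the kernel with only audit-stop.rules.` The `ExecStopPost` line is not prefixed with `-`, so a failing `auditctl -R` is treated as a stop failure; if that is intended it is worth a word in the same header.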
@@ -0,0 +1,223 @@ +--- + auparse/test/auparse_test.c | 2 +- + auparse/test/auparse_test.py | 2 +- + auparse/test/auparse_test.ref | 18 +++++++++--------- + auparse/test/auparse_test.ref.py | 18 +++++++++--------- + auparse/test/test.log | 4 ++-- + auparse/test/test2.log | 4 ++-- + 6 files changed, 24 insertions(+), 24 deletions(-) + +--- a/auparse/test/auparse_test.c ++++ b/auparse/test/auparse_test.c +@@ -162,7 +162,7 @@ void compound_search(ausearch_rule_t how + exit(1); + } + } else { +- if (ausearch_add_item(au, "auid", "=", "42", ++ if (ausearch_add_item(au, "auid", "=", "123456", + AUSEARCH_RULE_CLEAR)){ + printf("ausearch_add_item 4 error - %s\n", + strerror(errno)); +--- a/auparse/test/auparse_test.py ++++ b/auparse/test/auparse_test.py +@@ -112,7 +112,7 @@ def compound_search(au, how): + au.search_add_item("pid", "=", "13015", how) + au.search_add_item("type", "=", "USER_START", how) + else: +- au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR) ++ au.search_add_item("auid", "=", "123456", auparse.AUSEARCH_RULE_CLEAR) + # should stop on this one + au.search_add_item("auid", "=", "0", how) + au.search_add_item("auid", "=", "500", how) +--- a/auparse/test/auparse_test.ref ++++ b/auparse/test/auparse_test.ref +@@ -188,7 +188,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -209,7 +209,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -389,7 +389,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -410,7 +410,7 @@ 
event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -587,7 +587,7 @@ event 11 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -608,7 +608,7 @@ event 11 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -699,7 +699,7 @@ Test 6 Done + + Starting Test 7, compound search... + Found type = USER_START +-Found auid = 42 ++Found auid = 123456 + Test 7 Done + + Starting Test 8, regex search... +@@ -874,7 +874,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -895,7 +895,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +--- a/auparse/test/auparse_test.ref.py ++++ b/auparse/test/auparse_test.ref.py +@@ -180,7 +180,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -201,7 +201,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -381,7 +381,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 
(unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -402,7 +402,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -579,7 +579,7 @@ event 11 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -600,7 +600,7 @@ event 11 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +@@ -691,7 +691,7 @@ Test 6 Done + + Starting Test 7, compound search... + Found type = USER_START +-Found auid = 42 ++Found auid = 123456 + Test 7 Done + + Starting Test 8, regex search... +@@ -864,7 +864,7 @@ event 4 has 3 records + uid=0 (root) + subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0) + old-auid=4294967295 (unset) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + tty=(none) ((none)) + old-ses=4294967295 (4294967295) + ses=1 (1) +@@ -885,7 +885,7 @@ event 4 has 3 records + items=0 (0) + ppid=1 (1) + pid=2288 (2288) +- auid=42 (gdm) ++ auid=123456 (unknown(123456)) + uid=0 (root) + gid=0 (root) + euid=0 (root) +--- a/auparse/test/test2.log ++++ b/auparse/test/test2.log +@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:283): + type=PATH msg=audit(1170021493.977:283): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0 + type=USER_ACCT msg=audit(1170021601.340:284): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? 
terminal=cron res=success' + type=CRED_ACQ msg=audit(1170021601.342:285): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' +-type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1 +-type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) ++type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1 ++type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) + type=PROCTITLE msg=audit(1170021601.343:286): proctitle="(systemd)" + type=USER_START msg=audit(1170021601.344:287): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' + type=CRED_DISP msg=audit(1170021601.364:288): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' +--- a/auparse/test/test.log ++++ b/auparse/test/test.log +@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:293): + type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 
obj=system_u:object_r:postfix_spool_maildrop_t:s0 + type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' + type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' +-type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1 +-type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) ++type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1 ++type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) + type=PROCTITLE msg=audit(1170021601.343:296): proctitle="(systemd)" + type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' + type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)' 
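Review bot: The new fix-auparse-test.patch carries no header at all — it opens at the diffstat with no explanation of why `auid=42` becomes `123456` across `auparse_test.c`, `auparse_test.py`, the `.ref` files and the two logs, and no upstream reference, unlike the other patches in this package. From the reference-output hunks the old expectation was `auid=42 (gdm)`, so the test presumably passed only where uid 42 resolves to `gdm` in the build host's passwd database, and `123456` is chosen so that the output is the host-independent `unknown(123456)`. That reasoning should be recorded so a future refresh does not drop the change as a spurious data edit. Suggest a header such as `auparse tests: use an auid that is not in /etc/passwd so the expected output does not depend on the build host's user database. Upstream: <UPSTREAM_COMMIT_OR_PR_PLACEHOLDER>`.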
diff --git a/fix-hardened-service.patch b/fix-hardened-service.patch index c7325be..a0c746a 100644 --- a/fix-hardened-service.patch +++ b/fix-hardened-service.patch @@ -12,10 +12,10 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd. Signed-off-by: Enzo Matsumiya -Index: audit-3.1.1/init.d/auditd.service +Index: audit-3.1.1/init.d/auditd.service.in =================================================================== ---- audit-3.1.1.orig/init.d/auditd.service -+++ audit-3.1.1/init.d/auditd.service +--- audit-3.1.1.orig/init.d/auditd.service.in ++++ audit-3.1.1/init.d/auditd.service.in @@ -42,12 +42,12 @@ RestrictRealtime=true # added automatically, for details please see # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort diff --git a/harden_auditd.service.patch b/harden_auditd.service.patch index 4eff294..beb1465 100644 --- a/harden_auditd.service.patch +++ b/harden_auditd.service.patch @@ -1,7 +1,7 @@ -Index: audit-3.1.1/init.d/auditd.service +Index: audit-3.1.1/init.d/auditd.service.in =================================================================== ---- audit-3.1.1.orig/init.d/auditd.service -+++ audit-3.1.1/init.d/auditd.service +--- audit-3.1.1.orig/init.d/auditd.service.in ++++ audit-3.1.1/init.d/auditd.service.in @@ -39,6 +39,15 @@ LockPersonality=true #ProtectControlGroups=true ProtectKernelModules=true diff --git a/libev-werror.patch b/libev-werror.patch deleted file mode 100644 index 68b2467..0000000 --- a/libev-werror.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From: Jan Engelhardt -Date: 2021-06-02 16:18:03.256597842 +0200 - -Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25 -to fix some terrible code. - -[ 50s] ev_iouring.c: In function 'iouring_sqe_submit': -[ 50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type] - ---- - src/libev/ev_iouring.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: audit-3.0.1/src/libev/ev_iouring.c -=================================================================== ---- audit-3.0.1.orig/src/libev/ev_iouring.c -+++ audit-3.0.1/src/libev/ev_iouring.c -@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P) - } - - inline_size --struct io_uring_sqe * -+void - iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe) - { - unsigned idx = sqe - EV_SQES;