testing/audit
SHA256
3
0
Fork 0
forked from pool/audit
Code Pull Requests Activity
main
audit/enable-stop-rules.patch
Enzo Matsumiya 7e1b0e83b8 Accepting request 1043243 from home:ematsumiya:branches:security 
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renamat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
- Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renamat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
- Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

OBS-URL: https://build.opensuse.org/request/show/1043243
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=141
2022-12-19 19:54:31 +00:00

30 lines
1.4 KiB
Diff
Raw Permalink Blame History

From: Enzo Matsumiya <ematsumiya@suse.de>
Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
References: bsc#1190227
This has caused confusion for customers when relating stopping auditd service
is the same as stopping system auditing. This is completely understandable, but
it's by design, so kauditd can keep filling its queues for any other userspace
daemon to consume.
Disable audit when auditd.service stops, so kauditd stops logging/running.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Index: audit-3.0.9/init.d/auditd.service
===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-# By default we don't clear the rules on exit. To enable this, uncomment
+# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
Restart=on-failure
# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
RestartPreventExitStatus=2 4 6
View Git Blame Copy Permalink