Fix clone syscall interpretation
parent
d5ed9a7726
commit
27e2c9cf8d
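--- a/audit-2.2.4-clone.patch
+++ b/audit-2.2.4-clone.patch
@@ -0,0 +1,69 @@
+diff -urp audit-2.2.3/auparse/interpret.c audit-2.2.4/auparse/interpret.c
+--- audit-2.2.3/auparse/interpret.c 2013-03-19 16:28:53.000000000 -0400
++++ audit-2.2.4/auparse/interpret.c 2013-03-20 17:09:31.000000000 -0400
+@@ -1339,6 +1339,8 @@ static const char *print_a0(const char *
+return print_dirfd(val);
+else if (strcmp(sys, "futimensat") == 0)
+return print_dirfd(val);
++ else if (strcmp(sys, "clone") == 0)
++ return print_clone_flags(val);
+else if (strcmp(sys, "unshare") == 0)
+return print_clone_flags(val);
+}
+@@ -1441,8 +1443,6 @@ static const char *print_a2(const char *
+return print_prot(val, 0);
+else if (strcmp(sys, "socket") == 0)
+return print_socket_proto(val);
+- else if (strcmp(sys, "clone") == 0)
+- return print_clone_flags(val);
+else if (strcmp(sys, "recvmsg") == 0)
+return print_recv(val);
+else if (strcmp(sys, "linkat") == 0)
+diff -urp audit-2.2.3/contrib/stig.rules audit-2.2.4/contrib/stig.rules
+--- audit-2.2.3/contrib/stig.rules 2013-03-19 16:28:53.000000000 -0400
++++ audit-2.2.4/contrib/stig.rules 2013-03-20 17:09:31.000000000 -0400
+@@ -177,8 +177,8 @@
+#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## Optional - log container creation
+-#-a always,exit -F arch=b32 -S clone -F a2&2080505856 -k container-create
+-#-a always,exit -F arch=b64 -S clone -F a2&2080505856 -k container-create
++#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -k container-create
++#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -k container-create
+
+## Optional - watch for containers that may change their configuration
+#-a always,exit -F arch=b32 -S setns -S unshare -k container-config
+diff -urp audit-2.2.3/docs/auditctl.8 audit-2.2.4/docs/auditctl.8
+--- audit-2.2.3/docs/auditctl.8 2013-03-19 16:28:53.000000000 -0400
++++ audit-2.2.4/docs/auditctl.8 2013-03-20 17:09:31.000000000 -0400
+@@ -63,6 +63,9 @@ Report the kernel's audit subsystem stat
+.BI \-t
+Trim the subtrees after a mount command.
+.TP
++.BI \-v
++Print the version of auditctl.
++.TP
+.BI \-a\ [ list,action | action,list ]
+Append rule to the end of \fIlist\fP with \fIaction\fP. Please note the comma separating the two values. Omitting it will cause errors. The fields may be in either order. It could be list,action or action,list. The following describes the valid \fIlist\fP names:
+.RS
+diff -urp audit-2.2.3/src/ausearch-report.c audit-2.2.4/src/ausearch-report.c
+--- audit-2.2.3/src/ausearch-report.c 2013-03-19 16:28:53.000000000 -0400
++++ audit-2.2.4/src/ausearch-report.c 2013-03-20 17:09:31.000000000 -0400
+@@ -1723,6 +1723,8 @@ static void print_a0(const char *val)
+return print_dirfd(val);
+else if (strcmp(sys, "futimensat") == 0)
+return print_dirfd(val);
++ else if (strcmp(sys, "clone") == 0)
++ return print_clone(val);
+else if (strcmp(sys, "unshare") == 0)
+return print_clone(val);
+else goto normal;
+@@ -1799,8 +1801,6 @@ static void print_a2(const char *val)
+return print_prot(val, 0);
+else if (strcmp(sys, "socket") == 0)
+return print_socket_proto(val);
+- else if (strcmp(sys, "clone") == 0)
+- return print_clone(val);
+else if (strcmp(sys, "recvmsg") == 0)
+print_recv(val);
+else if (strcmp(sys, "linkat") == 0)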
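Review bot: The `clone` branch moved into print_a0 (in both auparse/interpret.c and src/ausearch-report.c) and the `-F a0&2080505856` rules in contrib/stig.rules assume the flags are always the first raw syscall argument, but clone(2) documents that a few architectures (s390 and cris) pass the stack pointer first and the flags second. On such a build the flags would be decoded from the wrong field and the container-create rule would test the wrong argument, so namespace-creating clone calls could go unlogged; it is worth confirming which architectures this package is built for. The mask is also an unexplained constant, and a comment above the rules such as `## 2080505856 = 0x7C020000: CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET` would let an auditor verify it. The patch additionally carries an auditctl.8 `-v` entry that the commit title does not mention. print_a0 and print_a2 both start and end outside the hunks shown.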
@ -6,11 +6,12 @@
|
||||
Summary: User space tools for 2.6 kernel auditing
|
||||
Name: audit
|
||||
Version: 2.2.3
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://people.redhat.com/sgrubb/audit/
|
||||
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
|
||||
Patch1: audit-2.2.4-clone.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: swig python-devel
|
||||
BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel
|
||||
@ -89,6 +90,7 @@ behavior.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
|
||||
%build
|
||||
%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-prelude --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-armeb \
|
||||
@ -267,6 +269,9 @@ fi
|
||||
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
|
||||
|
||||
%changelog
|
||||
* Thu Mar 21 2013 Steve Grubb <sgrubb@redhat.com> 2.2.3-2
|
||||
- Fix clone syscall interpretation
|
||||
|
||||
* Tue Mar 19 2013 Steve Grubb <sgrubb@redhat.com> 2.2.3-1
|
||||
- New upstream bugfix release
|
||||
|
||||
|