rpms/audit
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Add kernel release string to DEAMON_START events

Browse Source 
- Fix keep_logs when num_logs option disabled (#325561)
- Fix auparse to handle node fields for syscall records
- Update system-config-audit to version 0.4.5 (Miloslav Trmac)
- Add keyword week-ago to aureport & ausearch start/end times
- Fix audit log permissions on rotate. If group is root 0400, otherwise
    0440
- Add RACF zos remote audispd plugin (Klaus Kiwi)
- Add event queue overflow action to audispd
This commit is contained in:
Steve Grubb 2007-12-27 21:50:31 +00:00
parent fed3183375
commit 597027a35e
3 changed files with 95 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
audit-1.6.3-noretry.patch
View File

@ -1,61 +0,0 @@
diff -urp audit-1.6.2.orig/audisp/audispd.c audit-1.6.2/audisp/audispd.c
--- audit-1.6.2.orig/audisp/audispd.c 2007-10-17 13:56:22.000000000 -0400
+++ audit-1.6.2/audisp/audispd.c 2007-10-17 14:13:49.000000000 -0400
@@ -369,7 +369,6 @@ int main(int argc, char *argv[])
conf = plist_get_cur(&plugin_conf);
while (conf) {
free_pconfig(conf->p);
- free(conf->p);
conf = plist_next(&plugin_conf);
}
plist_clear(&plugin_conf);
diff -urp audit-1.6.2.orig/lib/lookup_table.c audit-1.6.2/lib/lookup_table.c
--- audit-1.6.2.orig/lib/lookup_table.c 2007-10-17 13:56:22.000000000 -0400
+++ audit-1.6.2/lib/lookup_table.c 2007-10-17 13:56:49.000000000 -0400
@@ -483,7 +483,7 @@ int audit_name_to_msg_type(const char *m
strncpy(buf, msg_type + 8, len);
errno = 0;
return strtol(buf, NULL, 10);
- } else if (isdigit(msg_type)) {
+ } else if (isdigit(*msg_type)) {
errno = 0;
return strtol(msg_type, NULL, 10);
}
diff -urp audit-1.6.2.orig/lib/msg_typetab.h audit-1.6.2/lib/msg_typetab.h
--- audit-1.6.2.orig/lib/msg_typetab.h 2007-10-17 13:56:22.000000000 -0400
+++ audit-1.6.2/lib/msg_typetab.h 2007-10-17 13:57:27.000000000 -0400
@@ -92,7 +92,7 @@ _S(AUDIT_KERNEL_OTHER, "KE
_S(AUDIT_FD_PAIR, "FD_PAIR" )
_S(AUDIT_OBJ_PID, "OBJ_PID" )
_S(AUDIT_TTY, "TTY" )
-//_S(AUDIT_EOE, "EOE" )
+_S(AUDIT_EOE, "EOE" )
_S(AUDIT_AVC, "AVC" )
_S(AUDIT_SELINUX_ERR, "SELINUX_ERR" )
_S(AUDIT_AVC_PATH, "AVC_PATH" )
diff -urp audit-1.6.2.orig/src/auditd.c audit-1.6.2/src/auditd.c
--- audit-1.6.2.orig/src/auditd.c 2007-10-17 13:56:22.000000000 -0400
+++ audit-1.6.2/src/auditd.c 2007-10-17 13:59:32.000000000 -0400
@@ -127,16 +127,18 @@ static void distribute_event(struct audi
/* End of Event is for realtime interface - skip local logging of it */
if (rep->reply.type != AUDIT_EOE) {
+ int yield = rep->reply.type <= AUDIT_LAST_DAEMON &&
+ rep->reply.type >= AUDIT_FIRST_DAEMON ? 1 : 0;
+
/* Write to local disk */
enqueue_event(rep);
- if (rep->reply.type <= AUDIT_LAST_DAEMON &&
- rep->reply.type >= AUDIT_FIRST_DAEMON)
+ if (yield)
pthread_yield(); /* Let other thread try to log it. */
}
/* Last chance to send...maybe the pipe is empty now. */
- if (attempt)
- dispatch_event(&rep->reply, attempt);
+// if (attempt)
+// dispatch_event(&rep->reply, attempt);
}
/*

114
audit.spec
View File

@ -1,15 +1,16 @@
%define sca_version 0.4.3 %define sca_version 0.4.5
%define sca_release 8 %define sca_release 1
%define selinux_variants mls strict targeted
%define selinux_policyver %(rpm -q selinux-policy | sed -e 's,^selinux-policy-\\([^/]*\\)$,\\1,')
Summary: User space tools for 2.6 kernel auditing Summary: User space tools for 2.6 kernel auditing
Name: audit Name: audit
Version: 1.6.2 Version: 1.6.3
Release: 4%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://people.redhat.com/sgrubb/audit/ URL: http://people.redhat.com/sgrubb/audit/
Source0: %{name}-%{version}.tar.gz Source0: %{name}-%{version}.tar.gz
Patch1: audit-1.6.3-noretry.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: gettext-devel intltool libtool swig python-devel BuildRequires: gettext-devel intltool libtool swig python-devel
BuildRequires: kernel-headers >= 2.6.18 BuildRequires: kernel-headers >= 2.6.18
@ -55,6 +56,27 @@ Requires: %{name}-libs = %{version}-%{release}
The audit-libs-python package contains the bindings so that libaudit The audit-libs-python package contains the bindings so that libaudit
and libauparse can be used by python. and libauparse can be used by python.
%package -n audispd-plugins
Summary: Plugins for the audit event dispatcher
License: GPLv2+
Group: System Environment/Daemons
BuildRequires: openldap-devel
BuildRequires: checkpolicy selinux-policy-devel
Requires: %{name} = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}
Requires: openldap
%if "%{selinux_policyver}" != ""
Requires: selinux-policy >= %{selinux_policyver}
%endif
Requires(post): /usr/sbin/semodule /sbin/restorecon
Requires(postun): /usr/sbin/semodule
%description -n audispd-plugins
The audispd-plugins package provides plugins for the real-time
interface to the audit system, audispd. These plugins can do things
like relay events to remote machines or analyze events for suspicious
behavior.
%package -n system-config-audit %package -n system-config-audit
Summary: Utility for editing audit configuration Summary: Utility for editing audit configuration
Version: %{sca_version} Version: %{sca_version}
@ -64,27 +86,42 @@ Group: Applications/System
Requires: pygtk2-libglade usermode usermode-gtk Requires: pygtk2-libglade usermode usermode-gtk
%description -n system-config-audit %description -n system-config-audit
An utility for editing audit configuration. A graphical utility for editing audit configuration.
%prep %prep
%setup -q %setup -q
%patch1 -p1 mkdir zos-remote-policy
cp -p audisp/plugins/zos-remote/policy/audispd-zos-remote.* zos-remote-policy
%build %build
(cd system-config-audit; ./autogen.sh) (cd system-config-audit; ./autogen.sh)
aclocal && autoconf && autoheader && automake aclocal && autoconf && autoheader && automake
%configure --sbindir=/sbin --libdir=/%{_lib} %configure --sbindir=/sbin --libdir=/%{_lib}
make make
cd zos-remote-policy
for selinuxvariant in %{selinux_variants}
do
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
mv audispd-zos-remote.pp audispd-zos-remote.pp.${selinuxvariant}
make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
done
cd -
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,audispd/plugins.d,rc.d/init.d}} mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,audispd/plugins.d,rc.d/init.d}}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man8 mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/log/audit mkdir -p $RPM_BUILD_ROOT/%{_var}/log/audit
make DESTDIR=$RPM_BUILD_ROOT install make DESTDIR=$RPM_BUILD_ROOT install
make -C system-config-audit DESTDIR=$RPM_BUILD_ROOT install-fedora make -C system-config-audit DESTDIR=$RPM_BUILD_ROOT install-fedora
for selinuxvariant in %{selinux_variants}
do
install -d $RPM_BUILD_ROOT/%{_datadir}/selinux/${selinuxvariant}
install -p -m 644 zos-remote-policy/audispd-zos-remote.pp.${selinuxvariant} \
$RPM_BUILD_ROOT/%{_datadir}/selinux/${selinuxvariant}/audispd-zos-remote.pp
done
mkdir -p $RPM_BUILD_ROOT/%{_libdir} mkdir -p $RPM_BUILD_ROOT/%{_libdir}
# This winds up in the wrong place when libtool is involved # This winds up in the wrong place when libtool is involved
@ -112,16 +149,23 @@ touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
%find_lang system-config-audit %find_lang system-config-audit
# Remove the plugin stuff for now #% check
rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/au-ids.conf #make check
rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/remote.conf
rm -f $RPM_BUILD_ROOT/sbin/audisp-ids
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%post libs -p /sbin/ldconfig %post libs -p /sbin/ldconfig
%post -n audispd-plugins
for selinuxvariant in %{selinux_variants}
do
/usr/sbin/semodule -s $selinuxvariant \
-i %{_datadir}/selinux/$selinuxvariant/audispd-zos-remote.pp \
&> /dev/null || :
done
/sbin/restorecon -F /sbin/audispd-zos-remote /etc/audisp/zos-remote.conf
%post %post
/sbin/chkconfig --add auditd /sbin/chkconfig --add auditd
if [ -f /etc/auditd.conf ]; then if [ -f /etc/auditd.conf ]; then
@ -148,6 +192,14 @@ fi
%postun libs %postun libs
/sbin/ldconfig 2>/dev/null /sbin/ldconfig 2>/dev/null
%postun -n audispd-plugins
if [ $1 -eq 0 ]; then
for selinuxvariant in %{selinux_variants}
do
/usr/sbin/semodule -s $selinuxvariant -r audispd-zos-remote &>/dev/null || :
done
fi
%postun %postun
if [ $1 -ge 1 ]; then if [ $1 -ge 1 ]; then
/sbin/service auditd condrestart > /dev/null 2>&1 || : /sbin/service auditd condrestart > /dev/null 2>&1 || :
@ -175,13 +227,20 @@ fi
%defattr(-,root,root) %defattr(-,root,root)
%{_libdir}/python?.?/site-packages/_audit.so %{_libdir}/python?.?/site-packages/_audit.so
%{_libdir}/python?.?/site-packages/auparse.so %{_libdir}/python?.?/site-packages/auparse.so
%{_libdir}/python?.?/site-packages/auparse-*.egg-info
/usr/lib/python?.?/site-packages/audit.py* /usr/lib/python?.?/site-packages/audit.py*
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron %doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron
%attr(0644,root,root) %{_mandir}/man8/* %attr(644,root,root) %{_mandir}/man8/audispd.8.gz
%attr(0644,root,root) %{_mandir}/man5/* %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
%attr(750,root,root) /sbin/auditctl %attr(750,root,root) /sbin/auditctl
%attr(750,root,root) /sbin/auditd %attr(750,root,root) /sbin/auditd
%attr(755,root,root) /sbin/ausearch %attr(755,root,root) /sbin/ausearch
@ -199,7 +258,19 @@ fi
%config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd %config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd
%config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf %config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
%attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
%files -n audispd-plugins
%defattr(-,root,root,-)
%attr(640,root,root) /etc/audisp/plugins.d/syslog.conf %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
%attr(640,root,root) /etc/audisp/plugins.d/au-ids.conf
%attr(640,root,root) /etc/audisp/plugins.d/remote.conf
%attr(750,root,root) /sbin/audisp-ids
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
%attr(750,root,root) /sbin/audispd-zos-remote
%attr(755,root,root) %{_datadir}/selinux/*/audispd-zos-remote.pp
%files -n system-config-audit -f system-config-audit.lang %files -n system-config-audit -f system-config-audit.lang
%defattr(-,root,root,-) %defattr(-,root,root,-)
@ -217,12 +288,15 @@ fi
%config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server
%changelog %changelog
* Wed Oct 17 2007 Steve Grubb <sgrubb@redhat.com> 1.6.2-4 * Thu Dec 27 2007 Steve Grubb <sgrubb@redhat.com> 1.6.3-1
- Fix race between threads accessing common data in auditd - Add kernel release string to DEAMON_START events
- Fix double free in event dispatcher. - Fix keep_logs when num_logs option disabled (#325561)
- Fix auparse to handle node fields for syscall records
* Fri Oct 5 2007 Steve Grubb <sgrubb@redhat.com> 1.6.2-3 - Update system-config-audit to version 0.4.5 (Miloslav Trmac)
- Fix syscall name to number conversion in libaudit. - Add keyword week-ago to aureport & ausearch start/end times
- Fix audit log permissions on rotate. If group is root 0400, otherwise 0440
- Add RACF zos remote audispd plugin (Klaus Kiwi)
- Add event queue overflow action to audispd
* Mon Oct 1 2007 Steve Grubb <sgrubb@redhat.com> 1.6.2-2 * Mon Oct 1 2007 Steve Grubb <sgrubb@redhat.com> 1.6.2-2
- Don't retry if the rt queue is full. - Don't retry if the rt queue is full.

2
sources
View File

@ -1 +1 @@
a95dbfa22e65669e4449f3accbe84aef audit-1.6.2.tar.gz 11f7c682093cea6aa6b2e6be93f9d0e3 audit-1.6.3.tar.gz