rpms/audit
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import audit-3.0-0.17.20191104git1c2f876.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-04-28 05:41:39 -04:00 committed by Andrew Lukoshko
parent 8b1f895570
commit 5ed1707830
10 changed files with 140 additions and 307 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.audit.metadata
View File

@ -1 +1 @@
5205dd634a26512d69d75ca27171c70b70f102f0 SOURCES/audit-3.0-alpha8.tar.gz
fe9807c29de893c8e8bc4df8624e00a98ab2b32a SOURCES/audit-3.0-alpha9.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/audit-3.0-alpha8.tar.gz
SOURCES/audit-3.0-alpha9.tar.gz

140
SOURCES/30-ospp-v42.rules
View File

@ -1,140 +0,0 @@
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
## Successful/Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
## Successful/Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
## Successful/Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
# These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
## Successful/Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
## Successful/Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
## Successful/Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
## User enable and disable. This is entirely handled by pam.
## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
## Privilege escalation via su or sudo. This is entirely handled by pam.
## Audit log access
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
## Attempts to modify MAC controls
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
## Software updates. This is entirely handled by rpm.
## System start and shutdown. This is entirely handled by systemd
## Kernel Module loading. This is handled in 43-module-load.rules
## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.

38
SOURCES/audit-3.0-bpf-record.patch Normal file
View File

@ -0,0 +1,38 @@
From 9e0cf4082ddbefab8558ce1349e22f6f1777040d Mon Sep 17 00:00:00 2001
From: olsajiri <42811547+olsajiri@users.noreply.github.com>
Date: Wed, 11 Dec 2019 17:57:39 +0100
Subject: [PATCH] Add support for AUDIT_BPF event (#104)
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
---
lib/libaudit.h | 4 ++++
lib/msg_typetab.h | 1 +
2 files changed, 5 insertions(+)
diff --git a/lib/libaudit.h b/lib/libaudit.h
index ac22e2c..0eea55f 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -290,6 +290,10 @@ extern "C" {
#define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
#endif
+#ifndef AUDIT_BPF
+#define AUDIT_BPF 1334 /* BPF load/unload */
+#endif
+
#ifndef AUDIT_MAC_CALIPSO_ADD
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#endif
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index d668f34..81b1ea5 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -125,6 +125,7 @@ _S(AUDIT_KERN_MODULE, "KERN_MODULE" )
_S(AUDIT_FANOTIFY, "FANOTIFY" )
_S(AUDIT_TIME_INJOFFSET, "TIME_INJOFFSET" )
_S(AUDIT_TIME_ADJNTPVAL, "TIME_ADJNTPVAL" )
+_S(AUDIT_BPF, "BPF" )
_S(AUDIT_AVC, "AVC" )
_S(AUDIT_SELINUX_ERR, "SELINUX_ERR" )
_S(AUDIT_AVC_PATH, "AVC_PATH" )

71
SOURCES/audit-3.0-chkconfig.patch
View File

@ -1,71 +0,0 @@
commit d1c80e0217a049441cdad42428254270904f8694
Author: Steve Grubb <sgrubb@redhat.com>
Date: Fri Jul 5 12:58:03 2019 -0400
Remove dependency on chkconfig
diff --git a/init.d/auditd.reload b/init.d/auditd.reload
index b9c9c6c..9c30295 100644
--- a/init.d/auditd.reload
+++ b/init.d/auditd.reload
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
printf "Reconfiguring: "
/sbin/augenrules --load
diff --git a/init.d/auditd.resume b/init.d/auditd.resume
index 8185cd1..f1d2157 100644
--- a/init.d/auditd.resume
+++ b/init.d/auditd.resume
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
printf "Resuming logging: "
killproc $prog -USR2
diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
index a627a43..2b13cf7 100644
--- a/init.d/auditd.rotate
+++ b/init.d/auditd.rotate
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
printf "Rotating logs: "
killproc $prog -USR1
diff --git a/init.d/auditd.state b/init.d/auditd.state
index 6e9e69e..c7e291e 100644
--- a/init.d/auditd.state
+++ b/init.d/auditd.state
@@ -8,7 +8,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
state_file="/var/run/auditd.state"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
printf "Getting auditd internal state: "
killproc $prog -CONT
diff --git a/init.d/auditd.stop b/init.d/auditd.stop
index 6550fae..70aaeef 100644
--- a/init.d/auditd.stop
+++ b/init.d/auditd.stop
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
pid="$(__pids_pidof "$prog")"
printf "Stopping logging: "

36
SOURCES/audit-3.0-clang-warnings.patch Normal file
View File

@ -0,0 +1,36 @@
commit b4b63a18e044e507b9091f01aef91d4b3beff97d
Author: Steve Grubb <sgrubb@redhat.com>
Date: Mon Nov 4 16:54:44 2019 -0500
Fix 2 clang reported warnings
diff --git a/audisp/plugins/syslog/audisp-syslog.c b/audisp/plugins/syslog/audisp-syslog.c
index 2515e0b..9daa021 100644
--- a/audisp/plugins/syslog/audisp-syslog.c
+++ b/audisp/plugins/syslog/audisp-syslog.c
@@ -181,7 +181,7 @@ static inline void write_syslog(char *s)
mptr = stpcpy(mptr, fval ? fval : "?");
mptr = stpcpy(mptr, " ");
rc = auparse_next_field(au);
- if (!header && strcmp(fname, "type") == 0) {
+ if (!header && fname && strcmp(fname, "type") == 0) {
mptr = stpcpy(mptr, "msg=audit(");
time_t t = auparse_get_time(au);
diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
index 54452e8..e709456 100644
--- a/src/ausearch-lol.c
+++ b/src/ausearch-lol.c
@@ -324,8 +324,11 @@ int lol_add_record(lol *lo, char *buff)
}
// Eat standalone EOE, main event was already marked complete
- if (e.type == AUDIT_EOE)
+ if (e.type == AUDIT_EOE) {
+ free((char *)e.node);
+ free(n.message);
return 0;
+ }
// Create new event and fill it in
l = malloc(sizeof(llist));

63
SOURCES/audit-3.0-krb-remote-fixup.patch
View File

@ -1,63 +0,0 @@
diff -urp audit-3.0.orig/audisp/plugins/remote/audisp-remote.c audit-3.0/audisp/plugins/remote/audisp-remote.c
--- audit-3.0.orig/audisp/plugins/remote/audisp-remote.c 2019-06-07 17:08:36.000000000 -0400
+++ audit-3.0/audisp/plugins/remote/audisp-remote.c 2019-07-13 11:37:45.000000000 -0400
@@ -1,5 +1,5 @@
/* audisp-remote.c --
- * Copyright 2008-2012,2016,2018 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2008-2012,2016,2018,2019 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This program is free software; you can redistribute it and/or modify
@@ -98,7 +98,7 @@ static int ar_write (int, const void *,
credentials. These are the ones we talk to the server with. */
gss_ctx_id_t my_context;
-#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
+#define KEYTAB_NAME "/etc/audit/audisp-remote.key"
#define CCACHE_NAME "MEMORY:audisp-remote"
#define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
@@ -978,7 +989,14 @@ static int negotiate_credentials (void)
static int stop_sock(void)
{
+
if (sock >= 0) {
+ if (USE_GSS) {
+ OM_uint32 minor_status;
+ gss_delete_sec_context(&minor_status, &my_context,
+ GSS_C_NO_BUFFER);
+ my_context = GSS_C_NO_CONTEXT;
+ }
shutdown(sock, SHUT_RDWR);
close(sock);
}
@@ -995,11 +1013,8 @@ static int stop_transport(void)
switch (config.transport)
{
case T_TCP:
- rc = stop_sock();
- break;
case T_KRB5:
- // FIXME: shutdown kerberos
- rc = -1;
+ rc = stop_sock();
break;
default:
rc = -1;
@@ -1142,6 +1157,7 @@ static int init_transport(void)
switch (config.transport)
{
case T_TCP:
+ case T_KRB5:
rc = init_sock();
// We set this so that it will retry the connection
if (rc == ET_TEMPORARY)
@@ -1589,6 +1605,7 @@ static int relay_event(const char *s, si
switch (config.transport)
{
case T_TCP:
+ case T_KRB5:
rc = relay_sock(s, len);
break;
default:

14
SOURCES/audit-3.0-saddr_fam-doc.patch
View File

@ -1,14 +0,0 @@
diff --git a/docs/auditctl.8 b/docs/auditctl.8
index 2c970cf..043a9d6 100644
--- a/docs/auditctl.8
+++ b/docs/auditctl.8
@@ -210,6 +210,9 @@ Process ID
.B ppid
Parent's Process ID
.TP
+.B saddr_fam
+Address family number as found in /usr/include/bits/socket.h. For example, IPv4 would be 2 and IPv6 would be 10.
+.TP
.B sessionid
User's login session ID
.TP

35
SOURCES/audit-3.0-user-event.patch Normal file
View File

@ -0,0 +1,35 @@
diff --git a/src/auditctl.c b/src/auditctl.c
index ac08e47..1150911 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -809,6 +809,7 @@ static int setopt(int count, int lineno, char *vars[])
retval = -1;
} else {
const char*s = optarg;
+ char *umsg;
while (*s) {
if (*s < 32) {
audit_msg(LOG_ERR,
@@ -817,11 +818,18 @@ static int setopt(int count, int lineno, char *vars[])
}
s++;
}
+ if (asprintf(&umsg, "text=%s", optarg) < 0) {
+ audit_msg(LOG_ERR, "Can't create user event");
+ return -1;
+ }
if (audit_log_user_message( fd, AUDIT_USER,
- optarg, NULL, NULL, NULL, 1) <= 0)
- retval = -1;
- else
- return -2; // success - no reply for this
+ umsg, NULL, NULL, NULL, 1) <= 0)
+ retval = -1;
+ else {
+ free(umsg);
+ return -2; // success - no reply for this
+ }
+ free(umsg);
}
break;
case 'R':

40
SPECS/audit.spec
View File

@ -1,24 +1,24 @@
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
Summary: User space tools for 2.6 kernel auditing
Summary: User space tools for kernel auditing
Name: audit
Version: 3.0
Release: 0.13.20190507gitf58ec40%{?dist}
Release: 0.17.20191104git1c2f876%{?dist}
License: GPLv2+
URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha8.tar.gz
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha9.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
Source2: 30-ospp-v42.rules
Patch1: audit-3.0-saddr_fam-doc.patch
Patch2: audit-3.0-chkconfig.patch
Patch3: audit-3.0-krb-remote-fixup.patch
Patch1: audit-3.0-clang-warnings.patch
Patch2: audit-3.0-user-event.patch
Patch3: audit-3.0-bpf-record.patch
BuildRequires: gcc swig
BuildRequires: openldap-devel
BuildRequires: krb5-devel libcap-ng-devel
BuildRequires: kernel-headers >= 2.6.29
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
BuildRequires: systemd
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires(post): systemd coreutils
Requires(preun): systemd initscripts
Requires(postun): systemd coreutils initscripts
@ -89,8 +89,6 @@ Management Facility) database, through an IBM Tivoli Directory Server
%patch2 -p1
%patch3 -p1
cp %{SOURCE1} .
## overwrite 30-ospp-v42.rules
cp -f %{SOURCE2} rules/
%build
%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \
@ -143,8 +141,8 @@ rm -f rules/Makefile*
# Copy default rules into place on new installation
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
if [ -e /usr/share/doc/audit/rules/10-base-config.rules ] ; then
cp /usr/share/doc/audit/rules/10-base-config.rules /etc/audit/rules.d/audit.rules
if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
else
touch /etc/audit/rules.d/audit.rules
fi
@ -187,9 +185,10 @@ fi
%attr(755,root,root) %{python3_sitearch}/*
%files
%doc README ChangeLog rules init.d/auditd.cron
%doc README ChangeLog init.d/auditd.cron
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
@ -209,7 +208,7 @@ fi
%attr(755,root,root) /sbin/ausearch
%attr(755,root,root) /sbin/aureport
%attr(750,root,root) /sbin/autrace
%attr(750,root,root) /sbin/augenrules
%attr(755,root,root) /sbin/augenrules
%attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall
@ -253,6 +252,19 @@ fi
%attr(750,root,root) /sbin/audispd-zos-remote
%changelog
* Wed Jan 08 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.17.20191104git1c2f876
resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)
* Thu Nov 28 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.15.20191104git1c2f876
resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates
resolves: rhbz#1767054 - move audit rules to shared data directory
resolves: rhbz#1746018 - Breakup 30-ospp-v42.rules into more granular files
resolves: rhbz#1740798 - auditctl(8) needs clarification for backlog_limit
resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes