import audit-3.0-0.17.20191104git1c2f876.el8
This commit is contained in:
parent
8b1f895570
commit
5ed1707830
@ -1 +1 @@
|
||||
5205dd634a26512d69d75ca27171c70b70f102f0 SOURCES/audit-3.0-alpha8.tar.gz
|
||||
fe9807c29de893c8e8bc4df8624e00a98ab2b32a SOURCES/audit-3.0-alpha9.tar.gz
|
||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/audit-3.0-alpha8.tar.gz
|
||||
SOURCES/audit-3.0-alpha9.tar.gz
|
||||
|
@ -1,140 +0,0 @@
|
||||
## The purpose of these rules is to meet the requirements for Operating
|
||||
## System Protection Profile (OSPP)v4.2. These rules depends on having
|
||||
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
|
||||
|
||||
## Successful/Unsuccessful file creation (open with O_CREAT)
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
|
||||
|
||||
## Successful/Unsuccessful file modifications (open for write or truncate)
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
|
||||
|
||||
## Successful/Unsuccessful file access (any other opens) This has to go last.
|
||||
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
|
||||
# These next two are likely to result in a whole lot of events
|
||||
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
|
||||
|
||||
## Successful/Unsuccessful file delete
|
||||
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
||||
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
||||
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
||||
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
|
||||
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
|
||||
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
|
||||
|
||||
## Successful/Unsuccessful permission change
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
|
||||
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
|
||||
|
||||
## Successful/Unsuccessful ownership change
|
||||
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
|
||||
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
|
||||
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
|
||||
|
||||
## User add delete modify. This is covered by pam. However, someone could
|
||||
## open a file and directly create or modify a user, so we'll watch passwd and
|
||||
## shadow for writes
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
|
||||
## User enable and disable. This is entirely handled by pam.
|
||||
|
||||
## Group add delete modify. This is covered by pam. However, someone could
|
||||
## open a file and directly create or modify a user, so we'll watch group and
|
||||
## gshadow for writes
|
||||
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
|
||||
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
||||
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
|
||||
|
||||
|
||||
## Use of special rights for config changes. This would be use of setuid
|
||||
## programs that relate to user accts. This is not all setuid apps because
|
||||
## requirements are only for ones that affect system configuration.
|
||||
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
|
||||
|
||||
## Privilege escalation via su or sudo. This is entirely handled by pam.
|
||||
|
||||
## Audit log access
|
||||
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
|
||||
## Attempts to Alter Process and Session Initiation Information
|
||||
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
|
||||
|
||||
## Attempts to modify MAC controls
|
||||
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
|
||||
|
||||
## Software updates. This is entirely handled by rpm.
|
||||
|
||||
## System start and shutdown. This is entirely handled by systemd
|
||||
|
||||
## Kernel Module loading. This is handled in 43-module-load.rules
|
||||
|
||||
## Application invocation. The requirements list an optional requirement
|
||||
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
|
||||
## state results from that policy. This would be handled entirely by
|
||||
## that daemon.
|
||||
|
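--- /dev/null
+++ b/SOURCES/audit-3.0-bpf-record.patch
@@ -0,0 +1,38 @@
+From 9e0cf4082ddbefab8558ce1349e22f6f1777040d Mon Sep 17 00:00:00 2001
+From: olsajiri <42811547+olsajiri@users.noreply.github.com>
+Date: Wed, 11 Dec 2019 17:57:39 +0100
+Subject: [PATCH] Add support for AUDIT_BPF event (#104)
+
+Signed-off-by: Jiri Olsa <jolsa@redhat.com>
+---
+lib/libaudit.h | 4 ++++
+lib/msg_typetab.h | 1 +
+2 files changed, 5 insertions(+)
+
+diff --git a/lib/libaudit.h b/lib/libaudit.h
+index ac22e2c..0eea55f 100644
+--- a/lib/libaudit.h
++++ b/lib/libaudit.h
+@@ -290,6 +290,10 @@ extern "C" {
+ #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
+ #endif
+ 
++#ifndef AUDIT_BPF
++#define AUDIT_BPF 1334 /* BPF load/unload */
++#endif
++
+ #ifndef AUDIT_MAC_CALIPSO_ADD
+ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
+ #endif
+diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
+index d668f34..81b1ea5 100644
+--- a/lib/msg_typetab.h
++++ b/lib/msg_typetab.h
+@@ -125,6 +125,7 @@ _S(AUDIT_KERN_MODULE, "KERN_MODULE" )
+ _S(AUDIT_FANOTIFY, "FANOTIFY" )
+ _S(AUDIT_TIME_INJOFFSET, "TIME_INJOFFSET" )
+ _S(AUDIT_TIME_ADJNTPVAL, "TIME_ADJNTPVAL" )
++_S(AUDIT_BPF, "BPF" )
+ _S(AUDIT_AVC, "AVC" )
+ _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" )
+ _S(AUDIT_AVC_PATH, "AVC_PATH" )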
@ -1,71 +0,0 @@
|
||||
commit d1c80e0217a049441cdad42428254270904f8694
|
||||
Author: Steve Grubb <sgrubb@redhat.com>
|
||||
Date: Fri Jul 5 12:58:03 2019 -0400
|
||||
|
||||
Remove dependency on chkconfig
|
||||
|
||||
diff --git a/init.d/auditd.reload b/init.d/auditd.reload
|
||||
index b9c9c6c..9c30295 100644
|
||||
--- a/init.d/auditd.reload
|
||||
+++ b/init.d/auditd.reload
|
||||
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
|
||||
|
||||
PATH=/sbin:/bin:/usr/bin:/usr/sbin
|
||||
prog="auditd"
|
||||
-. /etc/init.d/functions
|
||||
+. /etc/rc.d/init.d/functions
|
||||
|
||||
printf "Reconfiguring: "
|
||||
/sbin/augenrules --load
|
||||
diff --git a/init.d/auditd.resume b/init.d/auditd.resume
|
||||
index 8185cd1..f1d2157 100644
|
||||
--- a/init.d/auditd.resume
|
||||
+++ b/init.d/auditd.resume
|
||||
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
|
||||
|
||||
PATH=/sbin:/bin:/usr/bin:/usr/sbin
|
||||
prog="auditd"
|
||||
-. /etc/init.d/functions
|
||||
+. /etc/rc.d/init.d/functions
|
||||
|
||||
printf "Resuming logging: "
|
||||
killproc $prog -USR2
|
||||
diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
|
||||
index a627a43..2b13cf7 100644
|
||||
--- a/init.d/auditd.rotate
|
||||
+++ b/init.d/auditd.rotate
|
||||
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
|
||||
|
||||
PATH=/sbin:/bin:/usr/bin:/usr/sbin
|
||||
prog="auditd"
|
||||
-. /etc/init.d/functions
|
||||
+. /etc/rc.d/init.d/functions
|
||||
|
||||
printf "Rotating logs: "
|
||||
killproc $prog -USR1
|
||||
diff --git a/init.d/auditd.state b/init.d/auditd.state
|
||||
index 6e9e69e..c7e291e 100644
|
||||
--- a/init.d/auditd.state
|
||||
+++ b/init.d/auditd.state
|
||||
@@ -8,7 +8,7 @@ test $(id -u) = 0 || exit 4
|
||||
PATH=/sbin:/bin:/usr/bin:/usr/sbin
|
||||
prog="auditd"
|
||||
state_file="/var/run/auditd.state"
|
||||
-. /etc/init.d/functions
|
||||
+. /etc/rc.d/init.d/functions
|
||||
|
||||
printf "Getting auditd internal state: "
|
||||
killproc $prog -CONT
|
||||
diff --git a/init.d/auditd.stop b/init.d/auditd.stop
|
||||
index 6550fae..70aaeef 100644
|
||||
--- a/init.d/auditd.stop
|
||||
+++ b/init.d/auditd.stop
|
||||
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
|
||||
|
||||
PATH=/sbin:/bin:/usr/bin:/usr/sbin
|
||||
prog="auditd"
|
||||
-. /etc/init.d/functions
|
||||
+. /etc/rc.d/init.d/functions
|
||||
pid="$(__pids_pidof "$prog")"
|
||||
|
||||
printf "Stopping logging: "
|
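--- /dev/null
+++ b/SOURCES/audit-3.0-clang-warnings.patch
@@ -0,0 +1,36 @@
+commit b4b63a18e044e507b9091f01aef91d4b3beff97d
+Author: Steve Grubb <sgrubb@redhat.com>
+Date: Mon Nov 4 16:54:44 2019 -0500
+
+Fix 2 clang reported warnings
+
+diff --git a/audisp/plugins/syslog/audisp-syslog.c b/audisp/plugins/syslog/audisp-syslog.c
+index 2515e0b..9daa021 100644
+--- a/audisp/plugins/syslog/audisp-syslog.c
++++ b/audisp/plugins/syslog/audisp-syslog.c
+@@ -181,7 +181,7 @@ static inline void write_syslog(char *s)
+ mptr = stpcpy(mptr, fval ? fval : "?");
+ mptr = stpcpy(mptr, " ");
+ rc = auparse_next_field(au);
+- if (!header && strcmp(fname, "type") == 0) {
++ if (!header && fname && strcmp(fname, "type") == 0) {
+ mptr = stpcpy(mptr, "msg=audit(");
+ 
+ time_t t = auparse_get_time(au);
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 54452e8..e709456 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -324,8 +324,11 @@ int lol_add_record(lol *lo, char *buff)
+ }
+ 
+ // Eat standalone EOE, main event was already marked complete
+- if (e.type == AUDIT_EOE)
++ if (e.type == AUDIT_EOE) {
++ free((char *)e.node);
++ free(n.message);
+ return 0;
++ }
+ 
+ // Create new event and fill it in
+ l = malloc(sizeof(llist));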
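Review bot: The new EOE early-return in lol_add_record frees `e.node` through a `(char *)` cast and `n.message` without saying who allocated them, so a later reader cannot tell whether the other early returns in this function (which starts and ends outside the hunk) owe the same cleanup. A one-line comment above the new block would settle it, e.g. `// e.node and n.message are owned copies made while parsing this record; release them before dropping the standalone EOE` — presumably that is the situation, but it should be confirmed against the parsing code above the hunk. The cast also suggests `e.node` is declared const; if so, the comment should note that the struct holds an owned allocation despite the const type.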
@ -1,63 +0,0 @@
|
||||
diff -urp audit-3.0.orig/audisp/plugins/remote/audisp-remote.c audit-3.0/audisp/plugins/remote/audisp-remote.c
|
||||
--- audit-3.0.orig/audisp/plugins/remote/audisp-remote.c 2019-06-07 17:08:36.000000000 -0400
|
||||
+++ audit-3.0/audisp/plugins/remote/audisp-remote.c 2019-07-13 11:37:45.000000000 -0400
|
||||
@@ -1,5 +1,5 @@
|
||||
/* audisp-remote.c --
|
||||
- * Copyright 2008-2012,2016,2018 Red Hat Inc., Durham, North Carolina.
|
||||
+ * Copyright 2008-2012,2016,2018,2019 Red Hat Inc., Durham, North Carolina.
|
||||
* All Rights Reserved.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
@@ -98,7 +98,7 @@ static int ar_write (int, const void *,
|
||||
credentials. These are the ones we talk to the server with. */
|
||||
gss_ctx_id_t my_context;
|
||||
|
||||
-#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
|
||||
+#define KEYTAB_NAME "/etc/audit/audisp-remote.key"
|
||||
#define CCACHE_NAME "MEMORY:audisp-remote"
|
||||
|
||||
#define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
|
||||
@@ -978,7 +989,14 @@ static int negotiate_credentials (void)
|
||||
|
||||
static int stop_sock(void)
|
||||
{
|
||||
+
|
||||
if (sock >= 0) {
|
||||
+ if (USE_GSS) {
|
||||
+ OM_uint32 minor_status;
|
||||
+ gss_delete_sec_context(&minor_status, &my_context,
|
||||
+ GSS_C_NO_BUFFER);
|
||||
+ my_context = GSS_C_NO_CONTEXT;
|
||||
+ }
|
||||
shutdown(sock, SHUT_RDWR);
|
||||
close(sock);
|
||||
}
|
||||
@@ -995,11 +1013,8 @@ static int stop_transport(void)
|
||||
switch (config.transport)
|
||||
{
|
||||
case T_TCP:
|
||||
- rc = stop_sock();
|
||||
- break;
|
||||
case T_KRB5:
|
||||
- // FIXME: shutdown kerberos
|
||||
- rc = -1;
|
||||
+ rc = stop_sock();
|
||||
break;
|
||||
default:
|
||||
rc = -1;
|
||||
@@ -1142,6 +1157,7 @@ static int init_transport(void)
|
||||
switch (config.transport)
|
||||
{
|
||||
case T_TCP:
|
||||
+ case T_KRB5:
|
||||
rc = init_sock();
|
||||
// We set this so that it will retry the connection
|
||||
if (rc == ET_TEMPORARY)
|
||||
@@ -1589,6 +1605,7 @@ static int relay_event(const char *s, si
|
||||
switch (config.transport)
|
||||
{
|
||||
case T_TCP:
|
||||
+ case T_KRB5:
|
||||
rc = relay_sock(s, len);
|
||||
break;
|
||||
default:
|
@ -1,14 +0,0 @@
|
||||
diff --git a/docs/auditctl.8 b/docs/auditctl.8
|
||||
index 2c970cf..043a9d6 100644
|
||||
--- a/docs/auditctl.8
|
||||
+++ b/docs/auditctl.8
|
||||
@@ -210,6 +210,9 @@ Process ID
|
||||
.B ppid
|
||||
Parent's Process ID
|
||||
.TP
|
||||
+.B saddr_fam
|
||||
+Address family number as found in /usr/include/bits/socket.h. For example, IPv4 would be 2 and IPv6 would be 10.
|
||||
+.TP
|
||||
.B sessionid
|
||||
User's login session ID
|
||||
.TP
|
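--- /dev/null
+++ b/SOURCES/audit-3.0-user-event.patch
@@ -0,0 +1,35 @@
+diff --git a/src/auditctl.c b/src/auditctl.c
+index ac08e47..1150911 100644
+--- a/src/auditctl.c
++++ b/src/auditctl.c
+@@ -809,6 +809,7 @@ static int setopt(int count, int lineno, char *vars[])
+ retval = -1;
+ } else {
+ const char*s = optarg;
++ char *umsg;
+ while (*s) {
+ if (*s < 32) {
+ audit_msg(LOG_ERR,
+@@ -817,11 +818,18 @@ static int setopt(int count, int lineno, char *vars[])
+ }
+ s++;
+ }
++ if (asprintf(&umsg, "text=%s", optarg) < 0) {
++ audit_msg(LOG_ERR, "Can't create user event");
++ return -1;
++ }
+ if (audit_log_user_message( fd, AUDIT_USER,
+- optarg, NULL, NULL, NULL, 1) <= 0)
+- retval = -1;
+- else
+- return -2; // success - no reply for this
++ umsg, NULL, NULL, NULL, 1) <= 0)
++ retval = -1;
++ else {
++ free(umsg);
++ return -2; // success - no reply for this
++ }
++ free(umsg);
+ }
+ break;
+ case 'R':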
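Review bot: The validation loop above the new `asprintf` rejects only bytes below 32, so a value containing spaces, `=` or `"` is embedded verbatim into the `text=%s` field and may not survive as a single field in consumers that split USER records on key=value syntax; if that matters, encode the value (libaudit's audit_encode_nv_string() exists for this) or state in a comment next to the asprintf that `text` is free-form and may contain field separators. The two `free(umsg)` calls can be merged by capturing the audit_log_user_message() return value, freeing once, and then branching on it. setopt starts and ends outside the hunk.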
@ -1,24 +1,24 @@
|
||||
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
|
||||
|
||||
Summary: User space tools for 2.6 kernel auditing
|
||||
Summary: User space tools for kernel auditing
|
||||
Name: audit
|
||||
Version: 3.0
|
||||
Release: 0.13.20190507gitf58ec40%{?dist}
|
||||
Release: 0.17.20191104git1c2f876%{?dist}
|
||||
License: GPLv2+
|
||||
URL: http://people.redhat.com/sgrubb/audit/
|
||||
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha8.tar.gz
|
||||
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha9.tar.gz
|
||||
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
|
||||
Source2: 30-ospp-v42.rules
|
||||
Patch1: audit-3.0-saddr_fam-doc.patch
|
||||
Patch2: audit-3.0-chkconfig.patch
|
||||
Patch3: audit-3.0-krb-remote-fixup.patch
|
||||
Patch1: audit-3.0-clang-warnings.patch
|
||||
Patch2: audit-3.0-user-event.patch
|
||||
Patch3: audit-3.0-bpf-record.patch
|
||||
|
||||
BuildRequires: gcc swig
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: krb5-devel libcap-ng-devel
|
||||
BuildRequires: kernel-headers >= 2.6.29
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
BuildRequires: systemd
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires(post): systemd coreutils
|
||||
Requires(preun): systemd initscripts
|
||||
Requires(postun): systemd coreutils initscripts
|
||||
@ -89,15 +89,13 @@ Management Facility) database, through an IBM Tivoli Directory Server
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
cp %{SOURCE1} .
|
||||
## overwrite 30-ospp-v42.rules
|
||||
cp -f %{SOURCE2} rules/
|
||||
|
||||
%build
|
||||
%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \
|
||||
--with-python3=yes \
|
||||
--enable-gssapi-krb5=yes --with-arm --with-aarch64 \
|
||||
--with-libcap-ng=yes --enable-zos-remote \
|
||||
--enable-systemd
|
||||
--enable-systemd
|
||||
|
||||
make CFLAGS="%{optflags}" %{?_smp_mflags}
|
||||
|
||||
@ -143,8 +141,8 @@ rm -f rules/Makefile*
|
||||
# Copy default rules into place on new installation
|
||||
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
|
||||
if [ "$files" -eq 0 ] ; then
|
||||
if [ -e /usr/share/doc/audit/rules/10-base-config.rules ] ; then
|
||||
cp /usr/share/doc/audit/rules/10-base-config.rules /etc/audit/rules.d/audit.rules
|
||||
if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
|
||||
cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
|
||||
else
|
||||
touch /etc/audit/rules.d/audit.rules
|
||||
fi
|
||||
@ -155,12 +153,12 @@ fi
|
||||
%preun
|
||||
%systemd_preun auditd.service
|
||||
if [ $1 -eq 0 ]; then
|
||||
/sbin/service auditd stop > /dev/null 2>&1
|
||||
/sbin/service auditd stop > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
%postun
|
||||
if [ $1 -ge 1 ]; then
|
||||
/sbin/service auditd condrestart > /dev/null 2>&1 || :
|
||||
/sbin/service auditd condrestart > /dev/null 2>&1 || :
|
||||
fi
|
||||
|
||||
%files libs
|
||||
@ -187,9 +185,10 @@ fi
|
||||
%attr(755,root,root) %{python3_sitearch}/*
|
||||
|
||||
%files
|
||||
%doc README ChangeLog rules init.d/auditd.cron
|
||||
%doc README ChangeLog init.d/auditd.cron
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license COPYING
|
||||
%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
|
||||
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
|
||||
@ -209,7 +208,7 @@ fi
|
||||
%attr(755,root,root) /sbin/ausearch
|
||||
%attr(755,root,root) /sbin/aureport
|
||||
%attr(750,root,root) /sbin/autrace
|
||||
%attr(750,root,root) /sbin/augenrules
|
||||
%attr(755,root,root) /sbin/augenrules
|
||||
%attr(755,root,root) %{_bindir}/aulast
|
||||
%attr(755,root,root) %{_bindir}/aulastlog
|
||||
%attr(755,root,root) %{_bindir}/ausyscall
|
||||
@ -253,6 +252,19 @@ fi
|
||||
%attr(750,root,root) /sbin/audispd-zos-remote
|
||||
|
||||
%changelog
|
||||
* Wed Jan 08 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.17.20191104git1c2f876
|
||||
resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)
|
||||
|
||||
* Thu Nov 28 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
|
||||
resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
|
||||
|
||||
* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.15.20191104git1c2f876
|
||||
resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates
|
||||
resolves: rhbz#1767054 - move audit rules to shared data directory
|
||||
resolves: rhbz#1746018 - Breakup 30-ospp-v42.rules into more granular files
|
||||
resolves: rhbz#1740798 - auditctl(8) needs clarification for backlog_limit
|
||||
resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
|
||||
|
||||
* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
|
||||
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
|
||||
|
||||
|
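Review bot: The mode of `/sbin/augenrules` in the %files list appears to change from 750 to 755, which lets unprivileged users read and invoke the rule-loading script, yet none of the changelog entries mentions it, so a reviewer cannot tell whether it is intended or was folded in with the sample-rules move. Either state the reason in the changelog entry or keep 750, which matches the neighbouring `autrace` entry. The rest of the section (sample rules installed 644 under `%{_datadir}/%{name}/sample-rules/` and %post copying 10-base-config.rules from there) is consistent with the rhbz#1767054 entry.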