From 71d19ea425ae7458d667de6fc9c0b40d697fdff8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 10 May 2022 03:19:21 -0400
Subject: [PATCH] import audit-3.0.7-2.el8.2
---
.audit.metadata | 2 +-
.gitignore | 2 +-
SOURCES/audit-3.0-bpf-record.patch | 38 ---------
SOURCES/audit-3.0-clang-warnings.patch | 36 ---------
SOURCES/audit-3.0-user-event.patch | 35 --------
SOURCES/audit-3.0.8-auparse-path-norm.patch | 31 ++++++++
SOURCES/audit-3.0.8-drop-protecthome.patch | 26 ++++++
SPECS/audit.spec | 88 ++++++++++++---------
8 files changed, 109 insertions(+), 149 deletions(-)
delete mode 100644 SOURCES/audit-3.0-bpf-record.patch
delete mode 100644 SOURCES/audit-3.0-clang-warnings.patch
delete mode 100644 SOURCES/audit-3.0-user-event.patch
create mode 100644 SOURCES/audit-3.0.8-auparse-path-norm.patch
create mode 100644 SOURCES/audit-3.0.8-drop-protecthome.patch
diff --git a/.audit.metadata b/.audit.metadata
index 363ea1c..ed32e02 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-fe9807c29de893c8e8bc4df8624e00a98ab2b32a SOURCES/audit-3.0-alpha9.tar.gz
+7c485e7c97eb25f7413eaf1dd3edb03ad0b2619f SOURCES/audit-3.0.7.tar.gz
diff --git a/.gitignore b/.gitignore
index de9fa84..945427a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-3.0-alpha9.tar.gz
+SOURCES/audit-3.0.7.tar.gz
diff --git a/SOURCES/audit-3.0-bpf-record.patch b/SOURCES/audit-3.0-bpf-record.patch
deleted file mode 100644
index eabf31d..0000000
--- a/SOURCES/audit-3.0-bpf-record.patch
+++ /dev/null
@@ -1,38 +0,0 @@ -From 9e0cf4082ddbefab8558ce1349e22f6f1777040d Mon Sep 17 00:00:00 2001 -From: olsajiri <42811547+olsajiri@users.noreply.github.com> -Date: Wed, 11 Dec 2019 17:57:39 +0100 -Subject: [PATCH] Add support for AUDIT_BPF event (#104) - -Signed-off-by: Jiri Olsa ---- - lib/libaudit.h | 4 ++++ - lib/msg_typetab.h | 1 + - 2 files changed, 5 insertions(+) - -diff --git a/lib/libaudit.h b/lib/libaudit.h -index ac22e2c..0eea55f 100644 ---- a/lib/libaudit.h -+++ b/lib/libaudit.h -@@ -290,6 +290,10 @@ extern "C" { - #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ - #endif - -+#ifndef AUDIT_BPF -+#define AUDIT_BPF 1334 /* BPF load/unload */ -+#endif -+ - #ifndef AUDIT_MAC_CALIPSO_ADD - #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ - #endif -diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h -index d668f34..81b1ea5 100644 ---- a/lib/msg_typetab.h -+++ b/lib/msg_typetab.h -@@ -125,6 +125,7 @@ _S(AUDIT_KERN_MODULE, "KERN_MODULE" ) - _S(AUDIT_FANOTIFY, "FANOTIFY" ) - _S(AUDIT_TIME_INJOFFSET, "TIME_INJOFFSET" ) - _S(AUDIT_TIME_ADJNTPVAL, "TIME_ADJNTPVAL" ) -+_S(AUDIT_BPF, "BPF" ) - _S(AUDIT_AVC, "AVC" ) - _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" ) - _S(AUDIT_AVC_PATH, "AVC_PATH" ) diff --git a/SOURCES/audit-3.0-clang-warnings.patch b/SOURCES/audit-3.0-clang-warnings.patch deleted file mode 100644 index a8bea31..0000000 --- a/SOURCES/audit-3.0-clang-warnings.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -commit b4b63a18e044e507b9091f01aef91d4b3beff97d -Author: Steve Grubb -Date: Mon Nov 4 16:54:44 2019 -0500 - - Fix 2 clang reported warnings - -diff --git a/audisp/plugins/syslog/audisp-syslog.c b/audisp/plugins/syslog/audisp-syslog.c -index 2515e0b..9daa021 100644 ---- a/audisp/plugins/syslog/audisp-syslog.c -+++ b/audisp/plugins/syslog/audisp-syslog.c -@@ -181,7 +181,7 @@ static inline void write_syslog(char *s) - mptr = stpcpy(mptr, fval ? fval : "?"); - mptr = stpcpy(mptr, " "); - rc = auparse_next_field(au); -- if (!header && strcmp(fname, "type") == 0) { -+ if (!header && fname && strcmp(fname, "type") == 0) { - mptr = stpcpy(mptr, "msg=audit("); - - time_t t = auparse_get_time(au); -diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c -index 54452e8..e709456 100644 ---- a/src/ausearch-lol.c -+++ b/src/ausearch-lol.c -@@ -324,8 +324,11 @@ int lol_add_record(lol *lo, char *buff) - } - - // Eat standalone EOE, main event was already marked complete -- if (e.type == AUDIT_EOE) -+ if (e.type == AUDIT_EOE) { -+ free((char *)e.node); -+ free(n.message); - return 0; -+ } - - // Create new event and fill it in - l = malloc(sizeof(llist)); diff --git a/SOURCES/audit-3.0-user-event.patch b/SOURCES/audit-3.0-user-event.patch deleted file mode 100644 index 99aaf0f..0000000 --- a/SOURCES/audit-3.0-user-event.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -diff --git a/src/auditctl.c b/src/auditctl.c -index ac08e47..1150911 100644 ---- a/src/auditctl.c -+++ b/src/auditctl.c -@@ -809,6 +809,7 @@ static int setopt(int count, int lineno, char *vars[]) - retval = -1; - } else { - const char*s = optarg; -+ char *umsg; - while (*s) { - if (*s < 32) { - audit_msg(LOG_ERR, -@@ -817,11 +818,18 @@ static int setopt(int count, int lineno, char *vars[]) - } - s++; - } -+ if (asprintf(&umsg, "text=%s", optarg) < 0) { -+ audit_msg(LOG_ERR, "Can't create user event"); -+ return -1; -+ } - if (audit_log_user_message( fd, AUDIT_USER, -- optarg, NULL, NULL, NULL, 1) <= 0) -- retval = -1; -- else -- return -2; // success - no reply for this -+ umsg, NULL, NULL, NULL, 1) <= 0) -+ retval = -1; -+ else { -+ free(umsg); -+ return -2; // success - no reply for this -+ } -+ free(umsg); - } - break; - case 'R': diff --git a/SOURCES/audit-3.0.8-auparse-path-norm.patch b/SOURCES/audit-3.0.8-auparse-path-norm.patch new file mode 100644 index 0000000..2fb20fb --- /dev/null +++ b/SOURCES/audit-3.0.8-auparse-path-norm.patch 
@@ -0,0 +1,31 @@ +From becc1c297279f757835943e2cad63992134511f9 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Mon, 7 Mar 2022 13:11:09 -0300 +Subject: [PATCH] auparse: fix off-by-one issue in path_norm() (#242) + +When defining dest = rpath + 1, we end up having the first char of +`dest' as NULL -- since `rpath' points to `working', which is a static +buffer. + +With the first char as NULL, path_norm() ends up producing an empty string. + +This commit fixes the issue reported in this [1] mailing list post. + +[1] https://listman.redhat.com/archives/linux-audit/2022-February/018844.html +--- + auparse/interpret.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auparse/interpret.c b/auparse/interpret.c +index c8a0d96dd..df593c44c 100644 +--- a/auparse/interpret.c ++++ b/auparse/interpret.c +@@ -895,7 +895,7 @@ static char *path_norm(const char *name) + return strdup(name); + + rpath = working; +- dest = rpath + 1; ++ dest = rpath; + rpath_limit = rpath + PATH_MAX; + + for (start = name; *start; start = end) { diff --git a/SOURCES/audit-3.0.8-drop-protecthome.patch b/SOURCES/audit-3.0.8-drop-protecthome.patch new file mode 100644 index 0000000..a9a70de --- /dev/null +++ b/SOURCES/audit-3.0.8-drop-protecthome.patch @@ -0,0 +1,26 @@ +From c426507a501efde0367a09a81e917d1d10722b78 Mon Sep 17 00:00:00 2001 +From: Sergio Correia +Date: Thu, 31 Mar 2022 15:00:57 -0300 +Subject: [PATCH] Drop ProtectHome from auditd.service as it interferes with + rules + +Upstream: https://github.com/linux-audit/audit-userspace/commit/12cf14ed +--- + init.d/auditd.service | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/init.d/auditd.service b/init.d/auditd.service +index e801281..0a4c498 100644 +--- a/init.d/auditd.service ++++ b/init.d/auditd.service +@@ -36,7 +36,6 @@ MemoryDenyWriteExecute=true + LockPersonality=true + ProtectControlGroups=true + ProtectKernelModules=true +-ProtectHome=true + RestrictRealtime=true + + [Install] +-- +2.35.1 + 
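Review bot: In the embedded auparse/interpret.c hunk, `rpath = working;` still points path_norm() at what the patch description calls a static buffer, so the corrected `dest = rpath;` fixes the empty-string result but presumably leaves the function non-reentrant if auparse is ever used from more than one thread. I would record that next to the assignment, e.g. `/* working is static: path_norm() is not reentrant */`. The fix also comes without a regression case; because an empty normalized path silently drops file information from interpreted audit records, a test that sends a path through the normalization loop and expects a non-empty result would be worth carrying. The body of path_norm() starts and continues outside the hunk, so whether every write in the copy loop is bounded by `rpath_limit` cannot be confirmed from here.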
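Review bot: Removing `ProtectHome=true` from init.d/auditd.service drops a sandboxing directive outright, and neither the patch header nor the spec records the exposure this restores. With the directive gone, the service sees /home, /root and /run/user again, so the rationale belongs next to the `Patch2:` line in the spec, for example `# Dropped ProtectHome: it blocked watch rules in some directories (rhbz#2070705)`. It may also be worth checking whether `ProtectHome=read-only` keeps the watched paths resolvable before giving up the protection entirely; nothing on this page shows that it was tried.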
diff --git a/SPECS/audit.spec b/SPECS/audit.spec index 0d837a0..642f580 100644 --- a/SPECS/audit.spec +++ b/SPECS/audit.spec @@ -2,17 +2,17 @@ Summary: User space tools for kernel auditing Name: audit -Version: 3.0 -Release: 0.17.20191104git1c2f876%{?dist} +Version: 3.0.7 +Release: 2%{?dist}.2 License: GPLv2+ URL: http://people.redhat.com/sgrubb/audit/ -Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha9.tar.gz +Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Source1: https://www.gnu.org/licenses/lgpl-2.1.txt -Patch1: audit-3.0-clang-warnings.patch -Patch2: audit-3.0-user-event.patch -Patch3: audit-3.0-bpf-record.patch -BuildRequires: gcc swig +Patch1: audit-3.0.8-auparse-path-norm.patch +Patch2: audit-3.0.8-drop-protecthome.patch + +BuildRequires: gcc swig make BuildRequires: openldap-devel BuildRequires: krb5-devel libcap-ng-devel BuildRequires: kernel-headers >= 2.6.29 @@ -33,7 +33,7 @@ Summary: Dynamic library for libaudit License: LGPLv2+ %description libs -The audit-libs package contains the dynamic libraries needed for +The audit-libs package contains the dynamic libraries needed for applications to use the audit framework. %package libs-devel @@ -85,14 +85,13 @@ Management Facility) database, through an IBM Tivoli Directory Server %prep %setup -q +cp %{SOURCE1} . %patch1 -p1 %patch2 -p1 -%patch3 -p1 -cp %{SOURCE1} . %build -%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \ - --with-python3=yes \ +%configure --with-python=no \ + --with-python3=yes \ --enable-gssapi-krb5=yes --with-arm --with-aarch64 \ --with-libcap-ng=yes --enable-zos-remote \ --enable-systemd 
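Review bot: The updated `Source0:` line still names the tarball over plain `http://`, so the integrity of the 3.0.7 sources rests entirely on the 40-hex digest pinned in .audit.metadata, which has the length of a SHA-1. If the host serves the same path over TLS, `Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz` (and the matching `URL:`) would be the safer spelling. No signature verification step appears in the `%prep` lines shown in this section, so a comment stating where the tarball digest is checked would help the next packager.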
@@ -108,26 +107,13 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit make DESTDIR=$RPM_BUILD_ROOT install -mkdir -p $RPM_BUILD_ROOT/%{_libdir} -curdir=`pwd` -cd $RPM_BUILD_ROOT/%{_libdir} -LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libaudit.so.1.*.*\`` -ln -s ../../%{_lib}/$LIBNAME libaudit.so -LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libauparse.so.0.*.*\`` -ln -s ../../%{_lib}/$LIBNAME libauparse.so -cd $curdir # Remove these items so they don't get picked up. -rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.so -rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.so -rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.a -rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.a +rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a +rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a find $RPM_BUILD_ROOT -name '*.la' -delete find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete -# Move the pkgconfig file -mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir} - # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz @@ -164,8 +150,8 @@ fi %files libs %{!?_licensedir:%global license %%doc} %license lgpl-2.1.txt -/%{_lib}/libaudit.so.1* -/%{_lib}/libauparse.* +%{_libdir}/libaudit.so.1* +%{_libdir}/libauparse.* %config(noreplace) %attr(640,root,root) /etc/libaudit.conf %{_mandir}/man5/libaudit.conf.5.gz @@ -188,6 +174,7 @@ fi %doc README ChangeLog init.d/auditd.cron %{!?_licensedir:%global license %%doc} %license COPYING +%attr(755,root,root) %{_datadir}/%{name} %attr(644,root,root) %{_datadir}/%{name}/sample-rules/* %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz %attr(644,root,root) %{_mandir}/man8/auditd.8.gz 
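Review bot: In the `@@ -188,6 +174,7 @@` hunk the added `%attr(755,root,root) %{_datadir}/%{name}` entry has no `%dir`, so it claims the directory and everything beneath it. That overlaps the `sample-rules/*` entry on the next line, leaves the final file modes dependent on entry order, and can produce a "File listed twice" warning at build time. Naming the directories explicitly states what the changelog entry for rhbz#2054727 intends: `%attr(755,root,root) %dir %{_datadir}/%{name}` and `%attr(755,root,root) %dir %{_datadir}/%{name}/sample-rules`. The %files section continues outside this hunk.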
@@ -203,12 +190,12 @@ fi %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz %attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz -%attr(755,root,root) /sbin/auditctl -%attr(755,root,root) /sbin/auditd -%attr(755,root,root) /sbin/ausearch -%attr(755,root,root) /sbin/aureport -%attr(750,root,root) /sbin/autrace -%attr(755,root,root) /sbin/augenrules +%attr(755,root,root) %{_sbindir}/auditctl +%attr(755,root,root) %{_sbindir}/auditd +%attr(755,root,root) %{_sbindir}/ausearch +%attr(755,root,root) %{_sbindir}/aureport +%attr(750,root,root) %{_sbindir}/autrace +%attr(755,root,root) %{_sbindir}/augenrules %attr(755,root,root) %{_bindir}/aulast %attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/ausyscall @@ -222,6 +209,7 @@ fi %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop +%attr(750,root,root) %{_libexecdir}/audit-functions %ghost %{_localstatedir}/run/auditd.state %attr(-,root,-) %dir %{_var}/log/audit %attr(750,root,root) %dir /etc/audit @@ -237,8 +225,8 @@ fi %config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf -%attr(750,root,root) /sbin/audisp-remote -%attr(750,root,root) /sbin/audisp-syslog +%attr(750,root,root) %{_sbindir}/audisp-remote +%attr(750,root,root) %{_sbindir}/audisp-syslog %attr(700,root,root) %dir %{_var}/spool/audit %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz 
@@ -249,9 +237,33 @@ fi %attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf %config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf -%attr(750,root,root) /sbin/audispd-zos-remote +%attr(750,root,root) %{_sbindir}/audispd-zos-remote %changelog +* Thu Mar 31 2022 Sergio Correia - 3.0.7-2.2 +- Drop ProtectHome from auditd.service as it interferes with rules + Resolves: rhbz#2070705 - Default systemd service config blocks audit watch rules in some directories + +* Mon Mar 14 2022 Sergio Correia - 3.0.7-2.1 +- Fix path normalization in auparse + Resolves: rhbz#2061726 - auparse missing information when used with --format-text + +* Tue Feb 22 2022 Sergio Correia - 3.0.7-2 +- Adjust sample-rules dir permissions + Resolves: rhbz#2054727 - /usr/share/audit/sample-rules is no longer readable by non-root users + +* Tue Jan 25 2022 Sergio Correia - 3.0.7-1 +- New upstream release - 3.0.7 + Related: rhbz#1939406 + +* Thu Jan 13 2022 Sergio Correia - 3.0.5-1 +- Rebase audit package on 8.6 + Resolves: rhbz#1939406 + Resolves: rhbz#1906065 + Resolves: rhbz#1921447 + Resolves: rhbz#1927884 + Resolves: rhbz#1921658 + * Wed Jan 08 2020 Steve Grubb 3.0-0.17.20191104git1c2f876 resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)