import audit-3.0.7-2.el8.2

2022-05-10 03:19:21 -04:00 · 2022-05-10 03:19:21 -04:00 · 71d19ea425
commit 71d19ea425
parent 5ed1707830
8 changed files with 109 additions and 149 deletions
--- a/.audit.metadata
+++ b/.audit.metadata
@ -1 +1 @@
-fe9807c29de893c8e8bc4df8624e00a98ab2b32a SOURCES/audit-3.0-alpha9.tar.gz
+7c485e7c97eb25f7413eaf1dd3edb03ad0b2619f SOURCES/audit-3.0.7.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/audit-3.0-alpha9.tar.gz
+SOURCES/audit-3.0.7.tar.gz
--- a/SOURCES/audit-3.0-bpf-record.patch
+++ b/SOURCES/audit-3.0-bpf-record.patch
@ -1,38 +0,0 @@
-From 9e0cf4082ddbefab8558ce1349e22f6f1777040d Mon Sep 17 00:00:00 2001
-From: olsajiri <42811547+olsajiri@users.noreply.github.com>
-Date: Wed, 11 Dec 2019 17:57:39 +0100
-Subject: [PATCH] Add support for AUDIT_BPF event (#104)
-
-Signed-off-by: Jiri Olsa <jolsa@redhat.com>
---
- lib/libaudit.h    | 4 ++++
- lib/msg_typetab.h | 1 +
- 2 files changed, 5 insertions(+)
-
-diff --git a/lib/libaudit.h b/lib/libaudit.h
-index ac22e2c..0eea55f 100644
--- a/lib/libaudit.h
-+++ b/lib/libaudit.h
-@@ -290,6 +290,10 @@ extern "C" {
- #define AUDIT_TIME_ADJNTPVAL	1333 /* NTP value adjustment */
- #endif
- 
-+#ifndef AUDIT_BPF
-+#define AUDIT_BPF		1334 /* BPF load/unload */
-+#endif
-+
- #ifndef AUDIT_MAC_CALIPSO_ADD
- #define AUDIT_MAC_CALIPSO_ADD	1418 /* NetLabel: add CALIPSO DOI entry */
- #endif
-diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
-index d668f34..81b1ea5 100644
--- a/lib/msg_typetab.h
-+++ b/lib/msg_typetab.h
-@@ -125,6 +125,7 @@ _S(AUDIT_KERN_MODULE,                "KERN_MODULE"                   )
- _S(AUDIT_FANOTIFY,                   "FANOTIFY"                      )
- _S(AUDIT_TIME_INJOFFSET,             "TIME_INJOFFSET"                )
- _S(AUDIT_TIME_ADJNTPVAL,             "TIME_ADJNTPVAL"                )
-+_S(AUDIT_BPF,                        "BPF"                           )
- _S(AUDIT_AVC,                        "AVC"                           )
- _S(AUDIT_SELINUX_ERR,                "SELINUX_ERR"                   )
- _S(AUDIT_AVC_PATH,                   "AVC_PATH"                      )
--- a/SOURCES/audit-3.0-clang-warnings.patch
+++ b/SOURCES/audit-3.0-clang-warnings.patch
@ -1,36 +0,0 @@
-commit b4b63a18e044e507b9091f01aef91d4b3beff97d
-Author: Steve Grubb <sgrubb@redhat.com>
-Date:   Mon Nov 4 16:54:44 2019 -0500
-
-    Fix 2 clang reported warnings
-
-diff --git a/audisp/plugins/syslog/audisp-syslog.c b/audisp/plugins/syslog/audisp-syslog.c
-index 2515e0b..9daa021 100644
--- a/audisp/plugins/syslog/audisp-syslog.c
-+++ b/audisp/plugins/syslog/audisp-syslog.c
-@@ -181,7 +181,7 @@ static inline void write_syslog(char *s)
- 			mptr = stpcpy(mptr, fval ? fval : "?");
- 			mptr = stpcpy(mptr, " ");
- 			rc = auparse_next_field(au);
-			if (!header && strcmp(fname, "type") == 0) {
-+			if (!header && fname && strcmp(fname, "type") == 0) {
- 				mptr = stpcpy(mptr, "msg=audit(");
- 
- 				time_t t = auparse_get_time(au);
-diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
-index 54452e8..e709456 100644
--- a/src/ausearch-lol.c
-+++ b/src/ausearch-lol.c
-@@ -324,8 +324,11 @@ int lol_add_record(lol *lo, char *buff)
- 	}
- 
- 	// Eat standalone EOE, main event was already marked complete
-	if (e.type == AUDIT_EOE)
-+	if (e.type == AUDIT_EOE) {
-+		free((char *)e.node);
-+		free(n.message);
- 		return 0;
-+	}
- 
- 	// Create new event and fill it in
- 	l = malloc(sizeof(llist));
--- a/SOURCES/audit-3.0-user-event.patch
+++ b/SOURCES/audit-3.0-user-event.patch
@ -1,35 +0,0 @@
-diff --git a/src/auditctl.c b/src/auditctl.c
-index ac08e47..1150911 100644
--- a/src/auditctl.c
-+++ b/src/auditctl.c
-@@ -809,6 +809,7 @@ static int setopt(int count, int lineno, char *vars[])
- 			retval = -1;
- 		} else {
- 			const char*s = optarg;
-+			char *umsg;
- 			while (*s) {
- 				if (*s < 32) {
- 					audit_msg(LOG_ERR,
-@@ -817,11 +818,18 @@ static int setopt(int count, int lineno, char *vars[])
- 				}
- 				s++;
- 			}
-+			if (asprintf(&umsg, "text=%s", optarg) < 0) {
-+				audit_msg(LOG_ERR, "Can't create user event");
-+				return -1;
-+			}
- 			if (audit_log_user_message( fd, AUDIT_USER,
-					optarg, NULL, NULL, NULL, 1) <= 0)
-			retval = -1;
-		else
-			return -2;  // success - no reply for this
-+					umsg, NULL, NULL, NULL, 1) <= 0)
-+				retval = -1;
-+			else {
-+				free(umsg);
-+				return -2;  // success - no reply for this
-+			}
-+			free(umsg);
- 		}
- 		break;
- 	case 'R':
--- a/SOURCES/audit-3.0.8-auparse-path-norm.patch
+++ b/SOURCES/audit-3.0.8-auparse-path-norm.patch
@ -0,0 +1,31 @@
+From becc1c297279f757835943e2cad63992134511f9 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Mon, 7 Mar 2022 13:11:09 -0300
+Subject: [PATCH] auparse: fix off-by-one issue in path_norm() (#242)
+
+When defining dest = rpath + 1, we end up having the first char of
+`dest' as NULL -- since `rpath' points to `working', which is a static
+buffer.
+
+With the first char as NULL, path_norm() ends up producing an empty string.
+
+This commit fixes the issue reported in this [1] mailing list post.
+
+[1] https://listman.redhat.com/archives/linux-audit/2022-February/018844.html
+---
+ auparse/interpret.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index c8a0d96dd..df593c44c 100644
+--- a/auparse/interpret.c
+++ b/auparse/interpret.c
+@@ -895,7 +895,7 @@ static char *path_norm(const char *name)
+ 		return strdup(name);
+ 
+ 	rpath = working;
+-	dest = rpath + 1;
+	dest = rpath;
+ 	rpath_limit = rpath + PATH_MAX;
+ 
+ 	for (start = name; *start; start = end) {
--- a/SOURCES/audit-3.0.8-drop-protecthome.patch
+++ b/SOURCES/audit-3.0.8-drop-protecthome.patch
@ -0,0 +1,26 @@
+From c426507a501efde0367a09a81e917d1d10722b78 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 31 Mar 2022 15:00:57 -0300
+Subject: [PATCH] Drop ProtectHome from auditd.service as it interferes with
+ rules
+
+Upstream: https://github.com/linux-audit/audit-userspace/commit/12cf14ed
+---
+ init.d/auditd.service | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/init.d/auditd.service b/init.d/auditd.service
+index e801281..0a4c498 100644
+--- a/init.d/auditd.service
+++ b/init.d/auditd.service
+@@ -36,7 +36,6 @@ MemoryDenyWriteExecute=true
+ LockPersonality=true
+ ProtectControlGroups=true
+ ProtectKernelModules=true
+-ProtectHome=true
+ RestrictRealtime=true
+ 
+ [Install]
+-- 
+2.35.1
+
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
@ -2,17 +2,17 @@

 Summary: User space tools for kernel auditing
 Name: audit
-Version: 3.0
-Release: 0.17.20191104git1c2f876%{?dist}
+Version: 3.0.7
+Release: 2%{?dist}.2
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
-Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha9.tar.gz
+Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
-Patch1: audit-3.0-clang-warnings.patch
-Patch2: audit-3.0-user-event.patch
-Patch3: audit-3.0-bpf-record.patch

-BuildRequires: gcc swig
+Patch1: audit-3.0.8-auparse-path-norm.patch
+Patch2: audit-3.0.8-drop-protecthome.patch
+
+BuildRequires: gcc swig make
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel libcap-ng-devel
 BuildRequires: kernel-headers >= 2.6.29
@ -85,14 +85,13 @@ Management Facility) database, through an IBM Tivoli Directory Server

 %prep
 %setup -q
+cp %{SOURCE1} .
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-cp %{SOURCE1} .

 %build
-%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \
-           --with-python3=yes \
+%configure --with-python=no \
+	   --with-python3=yes \
 	   --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
 	   --with-libcap-ng=yes --enable-zos-remote \
 	   --enable-systemd
@ -108,26 +107,13 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
 mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
 make DESTDIR=$RPM_BUILD_ROOT install

-mkdir -p $RPM_BUILD_ROOT/%{_libdir}
-curdir=`pwd`
-cd $RPM_BUILD_ROOT/%{_libdir}
-LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libaudit.so.1.*.*\``
-ln -s ../../%{_lib}/$LIBNAME libaudit.so
-LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libauparse.so.0.*.*\``
-ln -s ../../%{_lib}/$LIBNAME libauparse.so
-cd $curdir
 # Remove these items so they don't get picked up.
-rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.so
-rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.so
-rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.a
-rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.a
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
+rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a

 find $RPM_BUILD_ROOT -name '*.la' -delete
 find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete

-# Move the pkgconfig file
-mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
-
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
 touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
 touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
@ -164,8 +150,8 @@ fi
 %files libs
 %{!?_licensedir:%global license %%doc}
 %license lgpl-2.1.txt
-/%{_lib}/libaudit.so.1*
-/%{_lib}/libauparse.*
+%{_libdir}/libaudit.so.1*
+%{_libdir}/libauparse.*
 %config(noreplace) %attr(640,root,root) /etc/libaudit.conf
 %{_mandir}/man5/libaudit.conf.5.gz

@ -188,6 +174,7 @@ fi
 %doc README ChangeLog init.d/auditd.cron
 %{!?_licensedir:%global license %%doc}
 %license COPYING
+%attr(755,root,root) %{_datadir}/%{name}
 %attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
@ -203,12 +190,12 @@ fi
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
-%attr(755,root,root) /sbin/auditctl
-%attr(755,root,root) /sbin/auditd
-%attr(755,root,root) /sbin/ausearch
-%attr(755,root,root) /sbin/aureport
-%attr(750,root,root) /sbin/autrace
-%attr(755,root,root) /sbin/augenrules
+%attr(755,root,root) %{_sbindir}/auditctl
+%attr(755,root,root) %{_sbindir}/auditd
+%attr(755,root,root) %{_sbindir}/ausearch
+%attr(755,root,root) %{_sbindir}/aureport
+%attr(750,root,root) %{_sbindir}/autrace
+%attr(755,root,root) %{_sbindir}/augenrules
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
@ -222,6 +209,7 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
+%attr(750,root,root) %{_libexecdir}/audit-functions
 %ghost %{_localstatedir}/run/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit
@ -237,8 +225,8 @@ fi
 %config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
-%attr(750,root,root) /sbin/audisp-remote
-%attr(750,root,root) /sbin/audisp-syslog
+%attr(750,root,root) %{_sbindir}/audisp-remote
+%attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(700,root,root) %dir %{_var}/spool/audit
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
@ -249,9 +237,33 @@ fi
 %attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
-%attr(750,root,root) /sbin/audispd-zos-remote
+%attr(750,root,root) %{_sbindir}/audispd-zos-remote

 %changelog
+* Thu Mar 31 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-2.2
+- Drop ProtectHome from auditd.service as it interferes with rules
+  Resolves: rhbz#2070705 - Default systemd service config blocks audit watch rules in some directories
+
+* Mon Mar 14 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-2.1
+- Fix path normalization in auparse
+  Resolves: rhbz#2061726 - auparse missing information when used with --format-text
+
+* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-2
+- Adjust sample-rules dir permissions
+  Resolves: rhbz#2054727 - /usr/share/audit/sample-rules is no longer readable by non-root users
+
+* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-1
+- New upstream release - 3.0.7
+  Related: rhbz#1939406
+
+* Thu Jan 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
+- Rebase audit package on 8.6
+  Resolves: rhbz#1939406
+  Resolves: rhbz#1906065
+  Resolves: rhbz#1921447
+  Resolves: rhbz#1927884
+  Resolves: rhbz#1921658
+
 * Wed Jan 08 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.17.20191104git1c2f876
 resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)