import CS audit-3.1.5-7.el9

2025-09-15 11:41:29 +00:00 · 2025-09-15 11:41:29 +00:00 · 851f687c6a
commit 851f687c6a
parent 657e11e5db
9 changed files with 1465 additions and 1 deletions
--- a/SOURCES/afunix-memleak.patch
+++ b/SOURCES/afunix-memleak.patch
@ -0,0 +1,12 @@
+diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
+index 578533f52..e2e7dc7ef 100644
+--- a/audisp/plugins/af_unix/audisp-af_unix.c
+++ b/audisp/plugins/af_unix/audisp-af_unix.c
+@@ -253,6 +253,7 @@ void read_audit_record(int ifd)
+ 					do {
+ 						rc = write(conn, str, str_len);
+ 					} while (rc < 0 && errno == EINTR);
+					free(str);
+ 				} else if (format == F_BINARY) {
+ 					struct iovec vec[2];
+ 
--- a/SOURCES/ausearch-DAEMON_END.patch
+++ b/SOURCES/ausearch-DAEMON_END.patch
@ -0,0 +1,15 @@
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 7d9731842..e77fbf129 100644
+--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
+@@ -1549,7 +1549,9 @@ static int parse_daemon1(const lnode *n, search_items *s)
+ 
+ 	// uid - optional
+ 	if (event_uid != -1) {
+-		ptr = term;
+		// As the uid= field may happen in different orders, e.g. both before
+		// and after pid=, let us search for the uid from the beginning.
+		term = mptr;
+ 		str = strstr(term, " uid=");
+ 		if (str) {
+ 			ptr = str + 5;
--- a/SOURCES/ausearch-checkpoint-race.patch
+++ b/SOURCES/ausearch-checkpoint-race.patch
@ -0,0 +1,35 @@
+diff --git a/src/ausearch.c b/src/ausearch.c
+index 3bf95b5a..cf77ba14 100644
+--- a/src/ausearch.c
+++ b/src/ausearch.c
+@@ -464,6 +464,17 @@ static int process_log_fd(void)
+ 		if ((ret != 0)||(entries->cnt == 0))
+ 			break;
+ 
+		/*
+		 * If we are checkpointing, decide if we output this event.
+		 * We need to do it as early as here. The chkpt_input_levent event
+		 * might not match the entries, so we need to ensure that we don't
+		 * skip the event that is the checkpoint event. That is the marking point
+		 * from which we start outputting events. Leaving that event out will produce
+		 * empty results.
+		 */
+		if (checkpt_filename)
+			do_output = chkpt_output_decision(&entries->e);
+
+ 		/*
+  		 * We flush all events on the last log file being processed.
+  		 * Thus incomplete events are 'carried forward' to be
+@@ -471,12 +482,6 @@ static int process_log_fd(void)
+  		 * in the next file we are about to process.
+  		 */
+ 		if (match(entries)) {
+-			/*
+-			 * If we are checkpointing, decide if we output
+-			 * this event
+-			 */
+-			if (checkpt_filename)
+-				do_output = chkpt_output_decision(&entries->e);
+ 
+ 			if (do_output == 1) {
+ 				found = 1;
--- a/SOURCES/end-of-event-check.patch
+++ b/SOURCES/end-of-event-check.patch
--- a/SOURCES/end-of-event-gdm.patch
+++ b/SOURCES/end-of-event-gdm.patch
@ -0,0 +1,219 @@
+From 23eb05485637dd51e5898ece17324921308de085 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 2 Apr 2025 14:12:36 +0200
+Subject: [PATCH] test suite: replace auid=42 with auid=0
+
+Executing make check, the test case expected the system
+to have user gdm with id of 42, which might not be true in all cases.
+In case the user was not present, ID to name translation failed, thus
+make check exited with error.
+---
+ auparse/test/auparse_test.ref    | 18 +++++++++---------
+ auparse/test/auparse_test.ref.py | 18 +++++++++---------
+ auparse/test/test.log            |  4 ++--
+ auparse/test/test2.log           |  4 ++--
+ 4 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/auparse/test/auparse_test.ref b/auparse/test/auparse_test.ref
+index dbeddf22..455dbb3a 100644
+--- a/auparse/test/auparse_test.ref
+++ b/auparse/test/auparse_test.ref
+@@ -188,7 +188,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -209,7 +209,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -389,7 +389,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -410,7 +410,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -587,7 +587,7 @@ event 11 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -608,7 +608,7 @@ event 11 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -699,7 +699,7 @@ Test 6 Done
+ 
+ Starting Test 7, compound search...
+ Found type = USER_START
+-Found auid = 42
+Found auid = 0
+ Test 7 Done
+ 
+ Starting Test 8, regex search...
+@@ -874,7 +874,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -895,7 +895,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+diff --git a/auparse/test/auparse_test.ref.py b/auparse/test/auparse_test.ref.py
+index 83dc47ad..73b2a099 100644
+--- a/auparse/test/auparse_test.ref.py
+++ b/auparse/test/auparse_test.ref.py
+@@ -180,7 +180,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -201,7 +201,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -381,7 +381,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -402,7 +402,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -579,7 +579,7 @@ event 11 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -600,7 +600,7 @@ event 11 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+@@ -691,7 +691,7 @@ Test 6 Done
+ 
+ Starting Test 7, compound search...
+ Found type = USER_START
+-Found auid = 42
+Found auid = 0
+ Test 7 Done
+ 
+ Starting Test 8, regex search...
+@@ -864,7 +864,7 @@ event 4 has 3 records
+         uid=0 (root)
+         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
+         old-auid=4294967295 (unset)
+-        auid=42 (gdm)
+        auid=0 (root)
+         tty=(none) ((none))
+         old-ses=4294967295 (4294967295)
+         ses=1 (1)
+@@ -885,7 +885,7 @@ event 4 has 3 records
+         items=0 (0)
+         ppid=1 (1)
+         pid=2288 (2288)
+-        auid=42 (gdm)
+        auid=0 (root)
+         uid=0 (root)
+         gid=0 (root)
+         euid=0 (root)
+diff --git a/auparse/test/test.log b/auparse/test/test.log
+index cef1838d..24e0557f 100644
+--- a/auparse/test/test.log
+++ b/auparse/test/test.log
+@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:293):  cwd="/var/spool/postfix"
+ type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+ type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+ type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+-type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
+-type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=1 res=1
+type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+ type=PROCTITLE msg=audit(1170021601.343:296): proctitle="(systemd)"
+ type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+ type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+diff --git a/auparse/test/test2.log b/auparse/test/test2.log
+index 63aadaa9..a2f3e755 100644
+--- a/auparse/test/test2.log
+++ b/auparse/test/test2.log
+@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:283):  cwd="/var/spool/postfix"
+ type=PATH msg=audit(1170021493.977:283): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+ type=USER_ACCT msg=audit(1170021601.340:284): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+ type=CRED_ACQ msg=audit(1170021601.342:285): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+-type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
+-type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=1 res=1
+type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
+ type=PROCTITLE msg=audit(1170021601.343:286): proctitle="(systemd)"
+ type=USER_START msg=audit(1170021601.344:287): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+ type=CRED_DISP msg=audit(1170021601.364:288): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+-- 
+2.49.0
+
--- a/SOURCES/end-of-event.patch
+++ b/SOURCES/end-of-event.patch
@ -0,0 +1,60 @@
+From d6aac5857a7aea11a7fc95926d587ecc824b6152 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 2 Apr 2025 11:04:37 +0200
+Subject: [PATCH] Update end of event detection
+
+---
+ auparse/auparse.c  | 5 ++++-
+ src/ausearch-lol.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index c3e1fb9e..1b0c5a39 100644
+--- a/auparse/auparse.c
+++ b/auparse/auparse.c
+@@ -319,7 +319,9 @@ static void au_check_events(auparse_state_t *au, time_t sec)
+                         } else if ( // FIXME: Check this v remains true
+ 				r->type == AUDIT_PROCTITLE ||
+ 				r->type == AUDIT_EOE ||
+-				r->type < AUDIT_FIRST_EVENT ||
+				(r->type > AUDIT_LOGIN &&
+					r->type < AUDIT_FIRST_EVENT) ||
+				r->type == AUDIT_USER ||
+ 				r->type >= AUDIT_FIRST_ANOM_MSG ||
+ 				r->type == AUDIT_KERNEL ||
+ 				(r->type >= AUDIT_MAC_UNLBL_ALLOW &&
+@@ -332,6 +334,7 @@ static void au_check_events(auparse_state_t *au, time_t sec)
+         }
+ }
+ 
+
+ /*
+  * au_terminate_all_events - Mark all events in 'BUILD' state to be COMPLETE
+  *
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 31c5ff2e..e2a6017d 100644
+--- a/src/ausearch-lol.c
+++ b/src/ausearch-lol.c
+@@ -259,7 +259,10 @@ static void check_events(lol *lo, time_t sec)
+ 				cur->status = L_COMPLETE;
+ 				ready++;
+ 			} else if (cur->l->e.type == AUDIT_PROCTITLE ||
+-				    cur->l->e.type < AUDIT_FIRST_EVENT ||
+				    cur->l->e.type == AUDIT_EOE ||
+				    (cur->l->e.type > AUDIT_LOGIN &&
+				        cur->l->e.type < AUDIT_FIRST_EVENT) ||
+				    cur->l->e.type == AUDIT_USER ||
+ 				    cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ||
+ 				    cur->l->e.type == AUDIT_KERNEL ||
+ 				    (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
+@@ -272,6 +275,7 @@ static void check_events(lol *lo, time_t sec)
+ 	}
+ }
+ 
+
+ // This function adds a new record to an existing linked list
+ // or creates a new one if its a new event
+ int lol_add_record(lol *lo, char *buff)
+-- 
+2.49.0
+
--- a/SOURCES/interpret-tty-data.patch
+++ b/SOURCES/interpret-tty-data.patch
@ -0,0 +1,13 @@
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index ad949c90f..5c182ae69 100644
+--- a/auparse/interpret.c
+++ b/auparse/interpret.c
+@@ -331,7 +331,7 @@ static void key_escape(const char *orig, char *dest, auparse_esc_t escape_mode)
+ static int is_hex_string(const char *str)
+ {
+ 	while (*str) {
+-		if (!isdigit((unsigned char)*str))
+		if (!isxdigit((unsigned char)*str))
+ 			return 0;
+ 		str++;
+ 	}
--- a/SOURCES/tty-hostname.patch
+++ b/SOURCES/tty-hostname.patch
@ -0,0 +1,14 @@
+diff --git a/lib/audit_logging.c b/lib/audit_logging.c
+index f89a13bb0..70205b332 100644
+--- a/lib/audit_logging.c
+++ b/lib/audit_logging.c
+@@ -243,7 +243,8 @@ static const char *_get_hostname(const char *ttyn)
+ {
+ 	if (ttyn && ((strncmp(ttyn, "pts", 3) == 0) ||
+ 		(strncmp(ttyn, "tty", 3) == 0) ||
+-		(strncmp(ttyn, "/dev/tty", 8) == 0) )) {
+		(strncmp(ttyn, "/dev/tty", 8) == 0) ||
+		(strncmp(ttyn, "/dev/pts", 8) == 0) )) {
+ 		if (_host[0] == 0) {
+ 			gethostname(_host, HOSTLEN);
+ 			_host[HOSTLEN - 1] = 0;
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
@ -2,7 +2,7 @@
 Summary: User space tools for kernel auditing
 Name: audit
 Version: 3.1.5
-Release: 4%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -16,6 +16,14 @@ Patch5: disable-protectkernmelmodules.patch
 Patch6: remote-logging-ordering-cycle.patch
 Patch7: permtab-filter-unsupport.patch
 Patch8: auditctl-permtab.patch
+Patch9: interpret-tty-data.patch
+Patch10: tty-hostname.patch
+Patch11: ausearch-DAEMON_END.patch
+Patch12: afunix-memleak.patch
+Patch13: end-of-event.patch
+Patch14: end-of-event-check.patch
+Patch15: end-of-event-gdm.patch
+Patch16: ausearch-checkpoint-race.patch

 BuildRequires: make gcc swig
 BuildRequires: openldap-devel
@ -106,6 +114,14 @@ cp %{SOURCE1} .
 %patch -P 6 -p1
 %patch -P 7 -p1
 %patch -P 8 -p1
+%patch -P 9 -p1
+%patch -P 10 -p1
+%patch -P 11 -p1
+%patch -P 12 -p1
+%patch -P 13 -p1
+%patch -P 14 -p1
+%patch -P 15 -p1
+%patch -P 16 -p1

 autoreconf -fv --install

@ -294,6 +310,21 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote

 %changelog
+* Fri Apr 11 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-7
+- ausearch-checkpoint race condition fix
+  Resolves: RHEL-86897
+
+* Wed Apr 02 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-6
+- Update end of event detection mechanism
+  Resolves: RHEL-78323
+
+* Fri Mar 28 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-5
+- ausearch: correct search for DAEMON related events
+- allow hex digits when interpreting tty data
+  Resolves: RHEL-82279
+- Fix TTY hostname in log messages
+  Resolves: RHEL-78323
+
 * Tue Feb 11 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-4
 - auditctl: correct buffer in filter_supported_syscalls to avoid overflow
  Resolves: RHEL-59585