rpms/audit
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import audit-3.0-0.13.20190507gitf58ec40.el8

Browse Source
This commit is contained in:
CentOS Sources 2019-11-05 16:29:04 -05:00 committed by Andrew Lukoshko
parent bf4d714ac6
commit 8b1f895570
16 changed files with 319 additions and 791 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.audit.metadata
View File

@ -1 +1 @@
6968c30d9bb05d3f44413d1cd944ca8cbf3cf8c4 SOURCES/audit-3.0-alpha5.tar.gz
5205dd634a26512d69d75ca27171c70b70f102f0 SOURCES/audit-3.0-alpha8.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/audit-3.0-alpha5.tar.gz
SOURCES/audit-3.0-alpha8.tar.gz

140
SOURCES/30-ospp-v42.rules Normal file
View File

@ -0,0 +1,140 @@
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
## Successful/Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
## Successful/Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
## Successful/Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
# These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
## Successful/Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
## Successful/Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
## Successful/Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
## User enable and disable. This is entirely handled by pam.
## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
## Privilege escalation via su or sudo. This is entirely handled by pam.
## Audit log access
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
## Attempts to modify MAC controls
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
## Software updates. This is entirely handled by rpm.
## System start and shutdown. This is entirely handled by systemd
## Kernel Module loading. This is handled in 43-module-load.rules
## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.

244
SOURCES/audit-3.0-af_unix-plugin.patch
View File

@ -1,244 +0,0 @@
diff -urp audit-3.0.orig/audisp/audispd-builtins.c audit-3.0/audisp/audispd-builtins.c
--- audit-3.0.orig/audisp/audispd-builtins.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/audisp/audispd-builtins.c 2018-12-06 20:01:06.922443361 -0500
@@ -35,12 +35,17 @@
#include <sys/uio.h> // writev
#include <fcntl.h>
#include <stdio.h>
+#include "ev.h"
#include "audispd-pconfig.h"
#include "audispd-builtins.h"
+// Global data
+extern struct ev_loop *loop;
+
// Local data
static volatile int sock = -1, conn = -1;
static char *path = NULL;
+static struct ev_io af_unix_watcher;
// Local prototypes
static void init_af_unix(const plugin_conf_t *conf);
@@ -63,21 +68,37 @@ void stop_builtin(plugin_conf_t *conf)
syslog(LOG_ERR, "Unknown builtin %s", conf->path);
}
-static void af_unix_accept(int fd)
+static int watching = 0;
+static void stop_watching(void)
+{
+ if (watching) {
+ ev_io_stop(loop, &af_unix_watcher);
+ watching = 0;
+ }
+}
+
+static void af_unix_accept(struct ev_loop *l, struct ev_io *_io, int revents)
{
int cmd;
do {
- conn = accept(fd, NULL, NULL);
+ conn = accept(_io->fd, NULL, NULL);
} while (conn < 0 && errno == EINTR);
// De-register since this is intended to be one listener
if (conn >= 0)
- remove_event(fd);
+ stop_watching();
cmd = fcntl(conn, F_GETFD);
fcntl(conn, F_SETFD, cmd|FD_CLOEXEC);
}
+static void start_watching(void)
+{
+ ev_io_init(&af_unix_watcher, af_unix_accept, sock, EV_READ);
+ ev_io_start(loop, &af_unix_watcher);
+ watching = 1;
+}
+
static int create_af_unix_socket(const char *path, int mode)
{
struct sockaddr_un addr;
@@ -122,8 +143,8 @@ static int create_af_unix_socket(const c
// Make socket listening...won't block
(void)listen(sock, 5);
- // Register socket with poll
- add_event(sock, af_unix_accept);
+ // Register socket with libev
+ start_watching();
return 0;
}
@@ -213,7 +234,8 @@ void send_af_unix_string(const char *s,
if (rc < 0 && errno == EPIPE) {
close(conn);
conn = -1;
- add_event(sock, af_unix_accept);
+ stop_watching();
+ start_watching();
}
}
}
@@ -237,7 +259,8 @@ void send_af_unix_binary(event_t *e)
if (rc < 0 && errno == EPIPE) {
close(conn);
conn = -1;
- add_event(sock, af_unix_accept);
+ stop_watching();
+ start_watching();
}
}
}
@@ -250,10 +273,13 @@ void destroy_af_unix(void)
conn = -1;
did_something = 1;
}
+ stop_watching();
if (sock >= 0) {
+
close(sock);
sock = -1;
did_something = 1;
+
}
if (path) {
unlink(path);
diff -urp audit-3.0.orig/audisp/audispd-builtins.h audit-3.0/audisp/audispd-builtins.h
--- audit-3.0.orig/audisp/audispd-builtins.h 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/audisp/audispd-builtins.h 2018-12-06 20:01:06.922443361 -0500
@@ -33,10 +33,5 @@ void send_af_unix_string(const char *s,
void send_af_unix_binary(event_t *e);
void destroy_af_unix(void);
-typedef void (*poll_callback_ptr)(int fd);
-int add_event(int fd, poll_callback_ptr cb);
-int remove_event(int fd);
-
-
#endif
diff -urp audit-3.0.orig/audisp/audispd.c audit-3.0/audisp/audispd.c
--- audit-3.0.orig/audisp/audispd.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/audisp/audispd.c 2018-12-06 20:01:06.922443361 -0500
@@ -31,7 +31,6 @@
#include <pthread.h>
#include <dirent.h>
#include <fcntl.h>
-#include <sys/poll.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <limits.h>
@@ -578,43 +577,6 @@ static int event_loop(void)
return 1;
}
-static struct pollfd pfd[4];
-static poll_callback_ptr pfd_cb[4];
-static volatile int pfd_cnt=0;
-int add_event(int fd, poll_callback_ptr cb)
-{
- if (pfd_cnt > 3)
- return -1;
-
- pfd[pfd_cnt].fd = fd;
- pfd[pfd_cnt].events = POLLIN;
- pfd[pfd_cnt].revents = 0;
- pfd_cb[pfd_cnt] = cb;
- pfd_cnt++;
- return 0;
-}
-
-int remove_event(int fd)
-{
- int start, i;
- if (pfd_cnt == 0)
- return -1;
-
- for (start=0; start < pfd_cnt; start++) {
- if (pfd[start].fd == fd)
- break;
- }
- for (i=start; i<(pfd_cnt-1); i++) {
- pfd[i].events = pfd[i+1].events;
- pfd[i].revents = pfd[i+1].revents;
- pfd[i].fd = pfd[i+1].fd;
- pfd_cb[i] = pfd_cb[i+1];
- }
-
- pfd_cnt--;
- return 0;
-}
-
/* returns > 0 if plugins and 0 if none */
int libdisp_active(void)
{
diff -urp audit-3.0.orig/audisp/Makefile.am audit-3.0/audisp/Makefile.am
--- audit-3.0.orig/audisp/Makefile.am 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/audisp/Makefile.am 2018-12-06 20:01:06.922443361 -0500
@@ -22,7 +22,7 @@
SUBDIRS = plugins
CONFIG_CLEAN_FILES = *.rej *.orig
-AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src
+AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src -I${top_srcdir}/src/libev
LIBS = -L${top_builddir}/lib -laudit
LDADD = -lpthread
@@ -30,5 +30,6 @@ noinst_HEADERS = audispd-pconfig.h audis
queue.h audispd-builtins.h libdisp.h
libdisp_a_SOURCES = audispd.c audispd-pconfig.c queue.c \
audispd-llist.c audispd-builtins.c
+libdisp_a_CFLAGS = -fno-strict-aliasing
noinst_LIBRARIES = libdisp.a
diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c
--- audit-3.0.orig/src/auditd.c 2018-12-06 19:41:21.076570614 -0500
+++ audit-3.0/src/auditd.c 2018-12-06 20:01:06.923443360 -0500
@@ -580,6 +580,7 @@ static void close_pipes(void)
close(pipefds[1]);
}
+struct ev_loop *loop;
int main(int argc, char *argv[])
{
struct sigaction sa;
@@ -597,7 +598,6 @@ int main(int argc, char *argv[])
enum startup_state opt_startup = startup_enable;
extern char *optarg;
extern int optind;
- struct ev_loop *loop;
struct ev_io netlink_watcher;
struct ev_io pipe_watcher;
struct ev_signal sigterm_watcher;
@@ -748,14 +748,6 @@ int main(int argc, char *argv[])
return 1;
}
- if (init_dispatcher(&config)) {
- if (pidfile)
- unlink(pidfile);
- tell_parent(FAILURE);
- free_config(&config);
- return 1;
- }
-
/* Get machine name ready for use */
if (resolve_node(&config)) {
if (pidfile)
@@ -891,6 +883,14 @@ int main(int argc, char *argv[])
/* Depending on value of opt_startup (-s) set initial audit state */
loop = ev_default_loop (EVFLAG_NOENV);
+ if (init_dispatcher(&config)) {
+ if (pidfile)
+ unlink(pidfile);
+ tell_parent(FAILURE);
+ free_config(&config);
+ return 1;
+ }
+
if (!opt_aggregate_only) {
ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ);
ev_io_start (loop, &netlink_watcher);

12
SOURCES/audit-3.0-auditd-stop.patch
View File

@ -1,12 +0,0 @@
diff -ur audit-3.0.orig/init.d/auditd.stop audit-3.0/init.d/auditd.stop
--- audit-3.0.orig/init.d/auditd.stop 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/init.d/auditd.stop 2018-12-08 17:15:59.916950477 -0500
@@ -10,7 +10,7 @@
. /etc/init.d/functions
printf "Stopping logging: "
-killproc $prog -TERM
+killproc -d 1 $prog -TERM
RETVAL=$?
echo
exit $RETVAL

21
SOURCES/audit-3.0-ausearch-buffer-fix.patch
View File

@ -1,21 +0,0 @@
diff -urp audit-3.0.orig/src/ausearch-lol.c audit-3.0/src/ausearch-lol.c
--- audit-3.0.orig/src/ausearch-lol.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/ausearch-lol.c 2018-12-06 19:38:21.208589916 -0500
@@ -277,7 +277,7 @@ int lol_add_record(lol *lo, char *buff)
if (n.tlen > MAX_AUDIT_MESSAGE_LENGTH)
n.tlen = MAX_AUDIT_MESSAGE_LENGTH;
} else
- n.tlen = MAX_AUDIT_MESSAGE_LENGTH;
+ n.tlen = n.mlen;
fmt = LF_ENRICHED;
} else {
ptr = strrchr(n.message, 0x0a);
@@ -287,7 +287,7 @@ int lol_add_record(lol *lo, char *buff)
if (n.mlen > MAX_AUDIT_MESSAGE_LENGTH)
n.mlen = MAX_AUDIT_MESSAGE_LENGTH;
} else
- n.mlen = MAX_AUDIT_MESSAGE_LENGTH;
+ n.mlen = strlen(n.message);
n.interp = NULL;
n.tlen = n.mlen;
fmt = LF_RAW;

12
SOURCES/audit-3.0-cap_audit_read.patch
View File

@ -1,12 +0,0 @@
diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c
--- audit-3.0.orig/src/auditd.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/auditd.c 2018-12-06 19:41:21.076570614 -0500
@@ -665,7 +665,7 @@ int main(int argc, char *argv[])
#ifndef DEBUG
/* Make sure we can do our job. Containers may not give you
* capabilities, so we revert to a uid check for that case. */
- if (!audit_can_control() || !audit_can_read()) {
+ if (!audit_can_control()) {
if (!config.local_events && geteuid() == 0)
;
else {

71
SOURCES/audit-3.0-chkconfig.patch Normal file
View File

@ -0,0 +1,71 @@
commit d1c80e0217a049441cdad42428254270904f8694
Author: Steve Grubb <sgrubb@redhat.com>
Date: Fri Jul 5 12:58:03 2019 -0400
Remove dependency on chkconfig
diff --git a/init.d/auditd.reload b/init.d/auditd.reload
index b9c9c6c..9c30295 100644
--- a/init.d/auditd.reload
+++ b/init.d/auditd.reload
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
printf "Reconfiguring: "
/sbin/augenrules --load
diff --git a/init.d/auditd.resume b/init.d/auditd.resume
index 8185cd1..f1d2157 100644
--- a/init.d/auditd.resume
+++ b/init.d/auditd.resume
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
printf "Resuming logging: "
killproc $prog -USR2
diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
index a627a43..2b13cf7 100644
--- a/init.d/auditd.rotate
+++ b/init.d/auditd.rotate
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
printf "Rotating logs: "
killproc $prog -USR1
diff --git a/init.d/auditd.state b/init.d/auditd.state
index 6e9e69e..c7e291e 100644
--- a/init.d/auditd.state
+++ b/init.d/auditd.state
@@ -8,7 +8,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
state_file="/var/run/auditd.state"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
printf "Getting auditd internal state: "
killproc $prog -CONT
diff --git a/init.d/auditd.stop b/init.d/auditd.stop
index 6550fae..70aaeef 100644
--- a/init.d/auditd.stop
+++ b/init.d/auditd.stop
@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /etc/init.d/functions
+. /etc/rc.d/init.d/functions
pid="$(__pids_pidof "$prog")"
printf "Stopping logging: "

104
SOURCES/audit-3.0-docs.patch
View File

@ -1,104 +0,0 @@
diff -ur audit-3.0.orig/docs/auparse_normalize.3 audit-3.0/docs/auparse_normalize.3
--- audit-3.0.orig/docs/auparse_normalize.3 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/docs/auparse_normalize.3 2018-12-06 19:27:33.636659407 -0500
@@ -25,7 +25,8 @@
.SH "SEE ALSO"
-.BR
+.BR auparse_normalize_subject_primary (3) ,
+.BR auparse_normalize_object_primary (3).
.SH AUTHOR
Steve Grubb
diff -ur audit-3.0.orig/rules/30-ospp-v42.rules audit-3.0/rules/30-ospp-v42.rules
--- audit-3.0.orig/rules/30-ospp-v42.rules 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/rules/30-ospp-v42.rules 2018-12-06 19:27:33.656659405 -0500
@@ -3,20 +3,28 @@
## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
## Unsuccessful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
## Unsuccessful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
@@ -47,16 +55,30 @@
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
## User add delete modify. This is covered by pam. However, someone could
-## open a file and directly create a user, so we'll watch passwd for writes
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+## open a file and directly create or modify a user, so we'll watch passwd and
+## shadow for writes
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
## User enable and disable. This is entirely handled by pam.
## Group add delete modify. This is covered by pam. However, someone could
-## open a file and directly create a user, so we'll watch group for writes
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+## open a file and directly create or modify a user, so we'll watch group and
+## gshadow for writes
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
diff -ur audit-3.0.orig/rules/30-pci-dss-v31.rules audit-3.0/rules/30-pci-dss-v31.rules
--- audit-3.0.orig/rules/30-pci-dss-v31.rules 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/rules/30-pci-dss-v31.rules 2018-12-06 19:27:33.656659405 -0500
@@ -41,8 +41,8 @@
## ausearch --start today -m user_auth,user_chauthtok -i
## 10.2.5.b All elevation of privileges is logged
--a always,exit -F arch=b64 -S setuid -Fa0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
--a always,exit -F arch=b32 -S setuid -Fa0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
+-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
+-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=10.2.5.b-elevated-privs-setuid

63
SOURCES/audit-3.0-krb-remote-fixup.patch Normal file
View File

@ -0,0 +1,63 @@
diff -urp audit-3.0.orig/audisp/plugins/remote/audisp-remote.c audit-3.0/audisp/plugins/remote/audisp-remote.c
--- audit-3.0.orig/audisp/plugins/remote/audisp-remote.c 2019-06-07 17:08:36.000000000 -0400
+++ audit-3.0/audisp/plugins/remote/audisp-remote.c 2019-07-13 11:37:45.000000000 -0400
@@ -1,5 +1,5 @@
/* audisp-remote.c --
- * Copyright 2008-2012,2016,2018 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2008-2012,2016,2018,2019 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This program is free software; you can redistribute it and/or modify
@@ -98,7 +98,7 @@ static int ar_write (int, const void *,
credentials. These are the ones we talk to the server with. */
gss_ctx_id_t my_context;
-#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
+#define KEYTAB_NAME "/etc/audit/audisp-remote.key"
#define CCACHE_NAME "MEMORY:audisp-remote"
#define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
@@ -978,7 +989,14 @@ static int negotiate_credentials (void)
static int stop_sock(void)
{
+
if (sock >= 0) {
+ if (USE_GSS) {
+ OM_uint32 minor_status;
+ gss_delete_sec_context(&minor_status, &my_context,
+ GSS_C_NO_BUFFER);
+ my_context = GSS_C_NO_CONTEXT;
+ }
shutdown(sock, SHUT_RDWR);
close(sock);
}
@@ -995,11 +1013,8 @@ static int stop_transport(void)
switch (config.transport)
{
case T_TCP:
- rc = stop_sock();
- break;
case T_KRB5:
- // FIXME: shutdown kerberos
- rc = -1;
+ rc = stop_sock();
break;
default:
rc = -1;
@@ -1142,6 +1157,7 @@ static int init_transport(void)
switch (config.transport)
{
case T_TCP:
+ case T_KRB5:
rc = init_sock();
// We set this so that it will retry the connection
if (rc == ET_TEMPORARY)
@@ -1589,6 +1605,7 @@ static int relay_event(const char *s, si
switch (config.transport)
{
case T_TCP:
+ case T_KRB5:
rc = relay_sock(s, len);
break;
default:

12
SOURCES/audit-3.0-libev-remove-cold.patch
View File

@ -1,12 +0,0 @@
diff -urp audit-3.0.orig/src/libev/ev.c audit-3.0/src/libev/ev.c
--- audit-3.0.orig/src/libev/ev.c 2019-01-03 12:25:16.000000000 -0500
+++ audit-3.0/src/libev/ev.c 2019-01-09 10:58:20.437560972 -0500
@@ -901,7 +901,7 @@ typedef int ecb_bool;
#if ECB_GCC_VERSION(4,3)
#define ecb_artificial ecb_attribute ((__artificial__))
#define ecb_hot ecb_attribute ((__hot__))
- #define ecb_cold ecb_attribute ((__cold__))
+ #define ecb_cold
#else
#define ecb_artificial
#define ecb_hot

232
SOURCES/audit-3.0-network-orig-events.patch
View File

@ -1,232 +0,0 @@
diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c
--- audit-3.0.orig/src/auditd.c 2018-12-06 20:01:06.923443360 -0500
+++ audit-3.0/src/auditd.c 2018-12-06 20:17:19.030339043 -0500
@@ -214,24 +214,35 @@ static void cont_handler(struct ev_loop
static int extract_type(const char *str)
{
- const char *tptr, *ptr2, *ptr = str;
+ char tmp, *ptr2, *ptr = str;
+ int type;
if (*str == 'n') {
ptr = strchr(str+1, ' ');
if (ptr == NULL)
return -1; // Malformed - bomb out
ptr++;
}
+
// ptr should be at 't'
ptr2 = strchr(ptr, ' ');
- // get type=xxx in a buffer
- tptr = strndupa(ptr, ptr2 - ptr);
+
// find =
- str = strchr(tptr, '=');
- if (str == NULL)
+ str = strchr(ptr, '=');
+ if (str == NULL || str >= ptr2)
return -1; // Malformed - bomb out
+
// name is 1 past
str++;
- return audit_name_to_msg_type(str);
+
+ // Save character & terminate string
+ tmp = *ptr2;
+ *ptr2 = 0;
+
+ type = audit_name_to_msg_type(str);
+
+ *ptr2 = tmp; // Restore character
+
+ return type;
}
void distribute_event(struct auditd_event *e)
@@ -250,18 +261,22 @@ void distribute_event(struct auditd_even
route = 0;
else { // We only need the original type if its being routed
e->reply.type = extract_type(e->reply.message);
- char *p = strchr(e->reply.message,
- AUDIT_INTERP_SEPARATOR);
- if (p)
- proto = AUDISP_PROTOCOL_VER2;
- else
- proto = AUDISP_PROTOCOL_VER;
+ // Treat everything from the network as VER2
+ // because they are already formatted. This is
+ // important when it gets to the dispatcher which
+ // can strip node= when its VER1.
+ proto = AUDISP_PROTOCOL_VER2;
}
- } else if (e->reply.type != AUDIT_DAEMON_RECONFIG)
- // All other events need formatting
+ } else if (e->reply.type != AUDIT_DAEMON_RECONFIG) {
+ // All other local events need formatting
format_event(e);
- else
+
+ // If the event has been formatted with node, upgrade
+ // to VER2 so that the dispatcher honors the formatting
+ if (config.node_name_format != N_NONE)
+ proto = AUDISP_PROTOCOL_VER2;
+ } else
route = 0; // Don't DAEMON_RECONFIG events until after enqueue
/* End of Event is for realtime interface - skip local logging of it */
@@ -748,6 +763,17 @@ int main(int argc, char *argv[])
return 1;
}
+ /* Startup libev and dispatcher */
+ loop = ev_default_loop(EVFLAG_NOENV);
+ if (init_dispatcher(&config)) {
+ if (pidfile)
+ unlink(pidfile);
+ tell_parent(FAILURE);
+ free_config(&config);
+ ev_default_destroy();
+ return 1;
+ }
+
/* Get machine name ready for use */
if (resolve_node(&config)) {
if (pidfile)
@@ -755,6 +781,7 @@ int main(int argc, char *argv[])
shutdown_dispatcher();
tell_parent(FAILURE);
free_config(&config);
+ ev_default_destroy();
return 1;
}
@@ -766,6 +793,7 @@ int main(int argc, char *argv[])
shutdown_dispatcher();
tell_parent(FAILURE);
free_config(&config);
+ ev_default_destroy();
return 1;
}
fcntl(pipefds[0], F_SETFD, FD_CLOEXEC);
@@ -785,6 +813,7 @@ int main(int argc, char *argv[])
tell_parent(FAILURE);
close_pipes();
free_config(&config);
+ ev_default_destroy();
return 1;
}
if (getsubj(subj))
@@ -811,6 +840,7 @@ int main(int argc, char *argv[])
tell_parent(FAILURE);
close_pipes();
free_config(&config);
+ ev_default_destroy();
return 1;
}
}
@@ -821,6 +851,7 @@ int main(int argc, char *argv[])
/* let config manager init */
init_config_manager();
+ /* Depending on value of opt_startup (-s) set initial audit state */
if (opt_startup != startup_nochange && !opt_aggregate_only &&
(audit_is_enabled(fd) < 2) &&
audit_set_enabled(fd, (int)opt_startup) < 0) {
@@ -849,6 +880,7 @@ int main(int argc, char *argv[])
tell_parent(FAILURE);
close_pipes();
free_config(&config);
+ ev_default_destroy();
return 1;
}
@@ -877,20 +909,11 @@ int main(int argc, char *argv[])
tell_parent(FAILURE);
close_pipes();
free_config(&config);
+ ev_default_destroy();
return 1;
}
- /* Depending on value of opt_startup (-s) set initial audit state */
- loop = ev_default_loop (EVFLAG_NOENV);
-
- if (init_dispatcher(&config)) {
- if (pidfile)
- unlink(pidfile);
- tell_parent(FAILURE);
- free_config(&config);
- return 1;
- }
-
+ /* Start up all the handlers */
if (!opt_aggregate_only) {
ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ);
ev_io_start (loop, &netlink_watcher);
diff -urp audit-3.0.orig/src/auditd-dispatch.c audit-3.0/src/auditd-dispatch.c
--- audit-3.0.orig/src/auditd-dispatch.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/auditd-dispatch.c 2018-12-06 20:17:09.769340037 -0500
@@ -70,6 +70,7 @@ int dispatch_event(const struct audit_re
if (!libdisp_active())
return 0;
+ // Translate event into dispatcher format
e = malloc(sizeof(event_t));
if (e == NULL)
return -1;
@@ -78,6 +79,7 @@ int dispatch_event(const struct audit_re
e->hdr.hlen = sizeof(struct audit_dispatcher_header);
e->hdr.type = rep->type;
+ // Network originating events have data at rep->message
if (protocol_ver == AUDISP_PROTOCOL_VER) {
e->hdr.size = rep->msg.nlh.nlmsg_len;
memcpy(e->data, (void*)rep->msg.data, e->hdr.size);
diff -urp audit-3.0.orig/src/auditd-event.c audit-3.0/src/auditd-event.c
--- audit-3.0.orig/src/auditd-event.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/auditd-event.c 2018-12-06 20:17:09.769340037 -0500
@@ -225,8 +225,10 @@ static void replace_event_msg(struct aud
e->reply.message = strndup(buf, MAX_AUDIT_MESSAGE_LENGTH-1);
len = MAX_AUDIT_MESSAGE_LENGTH;
}
- e->reply.msg.nlh.nlmsg_len = e->reply.len;
- e->reply.len = len;
+ // For network originating events, len should be used
+ if (!from_network(e)) // V1 protocol msg size
+ e->reply.msg.nlh.nlmsg_len = e->reply.len;
+ e->reply.len = len; // V2 protocol msg size
}
}
@@ -500,7 +502,7 @@ struct auditd_event *create_event(char *
e->sequence_id = sequence_id;
/* Network originating events need things adjusted to mimic netlink. */
- if (e->ack_func)
+ if (from_network(e))
replace_event_msg(e, msg);
return e;
@@ -570,7 +572,7 @@ void handle_event(struct auditd_event *e
static void send_ack(const struct auditd_event *e, int ack_type,
const char *msg)
{
- if (e->ack_func) {
+ if (from_network(e)) {
unsigned char header[AUDIT_RMW_HEADER_SIZE];
AUDIT_RMW_PACK_HEADER(header, 0, ack_type, strlen(msg),
diff -urp audit-3.0.orig/src/auditd-event.h audit-3.0/src/auditd-event.h
--- audit-3.0.orig/src/auditd-event.h 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/auditd-event.h 2018-12-06 20:17:09.769340037 -0500
@@ -36,6 +36,9 @@ struct auditd_event {
unsigned long sequence_id;
};
+static inline int from_network(const struct auditd_event *e)
+{ if (e && e->ack_func) return 1; return 0; };
+
#include "auditd-config.h"
int dispatch_network_events(void);

21
SOURCES/audit-3.0-queue-report.patch
View File

@ -1,21 +0,0 @@
diff -urp audit-3.0.orig/audisp/queue.c audit-3.0/audisp/queue.c
--- audit-3.0.orig/audisp/queue.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/audisp/queue.c 2018-12-06 20:21:22.184312950 -0500
@@ -231,11 +231,12 @@ void increase_queue_depth(unsigned int s
void write_queue_state(FILE *f)
{
- fprintf(f, "current queue depth = %u\n", currently_used);
- fprintf(f, "max queue depth used = %u\n", max_used);
- fprintf(f, "queue size = %u\n", q_depth);
- fprintf(f, "queue overflow detected = %s\n",overflowed ? "yes" : "no");
- fprintf(f, "queueing suspended = %s\n",
+ fprintf(f, "current plugin queue depth = %u\n", currently_used);
+ fprintf(f, "max plugin queue depth used = %u\n", max_used);
+ fprintf(f, "plugin queue size = %u\n", q_depth);
+ fprintf(f, "plugin queue overflow detected = %s\n",
+ overflowed ? "yes" : "no");
+ fprintf(f, "plugin queueing suspended = %s\n",
processing_suspended ? "yes" : "no");
}

14
SOURCES/audit-3.0-saddr_fam-doc.patch Normal file
View File

@ -0,0 +1,14 @@
diff --git a/docs/auditctl.8 b/docs/auditctl.8
index 2c970cf..043a9d6 100644
--- a/docs/auditctl.8
+++ b/docs/auditctl.8
@@ -210,6 +210,9 @@ Process ID
.B ppid
Parent's Process ID
.TP
+.B saddr_fam
+Address family number as found in /usr/include/bits/socket.h. For example, IPv4 would be 2 and IPv6 would be 10.
+.TP
.B sessionid
User's login session ID
.TP

97
SOURCES/audit-3.0-user_avc.patch
View File

@ -1,97 +0,0 @@
diff -ur audit-3.0.orig/src/aureport-options.c audit-3.0/src/aureport-options.c
--- audit-3.0.orig/src/aureport-options.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/aureport-options.c 2018-12-06 19:31:26.945634371 -0500
@@ -85,7 +85,8 @@
R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS,
R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO,
R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS,
- R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE };
+ R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE,
+ R_DEBUG };
static struct nv_pair optiontab[] = {
{ R_AUTH, "-au" },
@@ -98,6 +99,7 @@
{ R_CONFIGS, "--config" },
{ R_CRYPTO, "-cr" },
{ R_CRYPTO, "--crypto" },
+ { R_DEBUG, "--debug" },
{ R_DEL, "--delete" },
{ R_EVENTS, "-e" },
{ R_EVENTS, "--event" },
@@ -731,6 +733,9 @@
case R_DEL:
event_conf_act = C_DEL;
break;
+ case R_DEBUG:
+ event_debug = 1;
+ break;
case R_IN_LOGS:
force_logs = 1;
break;
diff -ur audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
--- audit-3.0.orig/src/ausearch-parse.c 2018-08-31 17:05:48.000000000 -0400
+++ audit-3.0/src/ausearch-parse.c 2018-12-06 19:31:26.945634371 -0500
@@ -102,7 +102,8 @@
ret = parse_path(n, s);
break;
case AUDIT_USER:
- case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
+ case AUDIT_FIRST_USER_MSG...AUDIT_USER_END:
+ case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
ret = parse_user(n, s);
break;
@@ -136,6 +137,7 @@
avc_parse_path(n, s);
break;
case AUDIT_AVC:
+ case AUDIT_USER_AVC:
ret = parse_avc(n, s);
break;
case AUDIT_NETFILTER_PKT:
@@ -1867,6 +1869,20 @@
*term = ' ';
}
+ // User AVC's are not formatted like a kernel AVC
+ if (n->type == AUDIT_USER_AVC) {
+ rc = parse_user(n, s);
+ if (rc > 20)
+ rc = 0;
+ if (audit_avc_init(s) == 0) {
+ alist_append(s->avc, &an);
+ } else {
+ rc = 10;
+ goto err;
+ }
+ return rc;
+ }
+
// get pid
if (event_pid != -1) {
str = strstr(term, "pid=");
diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
--- audit-3.0.orig/src/ausearch-parse.c 2018-10-03 19:46:52.000000000 -0400
+++ audit-3.0/src/ausearch-parse.c 2018-12-08 15:48:54.350009208 -0500
@@ -1839,8 +1839,10 @@ static int parse_avc(const lnode *n, sea
if (str) {
str += 5;
term = strchr(str, '{');
- if (term == NULL)
- return 1;
+ if (term == NULL) {
+ term = n->message;
+ goto other_avc;
+ }
if (event_success != S_UNSET) {
*term = 0;
// FIXME. Do not override syscall success if already
@@ -1869,6 +1871,7 @@ static int parse_avc(const lnode *n, sea
*term = ' ';
}
+other_avc:
// User AVC's are not formatted like a kernel AVC
if (n->type == AUDIT_USER_AVC) {
rc = parse_user(n, s);

63
SPECS/audit.spec
View File

@ -3,31 +3,15 @@
Summary: User space tools for 2.6 kernel auditing
Name: audit
Version: 3.0
Release: 0.10.20180831git0047a6c%{?dist}
Release: 0.13.20190507gitf58ec40%{?dist}
License: GPLv2+
URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha5.tar.gz
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha8.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
# Update documentation and rules
Patch1: audit-3.0-docs.patch
# 1628626 - lightly parse USER_AVC events
Patch2: audit-3.0-user_avc.patch
# Fix a buffer length calculation in ausearch
Patch3: audit-3.0-ausearch-buffer-fix.patch
# Remove CAP_AUDIT_READ from daemon permission checks
Patch4: audit-3.0-cap_audit_read.patch
# Port af_unix plugin to libev
Patch5: audit-3.0-af_unix-plugin.patch
# Make all network originating events VER2 dispatcher protocol
Patch6: audit-3.0-network-orig-events.patch
# Adjust state report for plugin queue
Patch7: audit-3.0-queue-report.patch
# 1643567 - auditd wasn't quite stopped when it was supposed to be
Patch8: audit-3.0-auditd-stop.patch
# In libev, cold functions cause annocheck failures. Remove them.
Patch9: audit-3.0-libev-remove-cold.patch
# Next BuildRequires is only needed for the patching - remove in the future
BuildRequires: autoconf automake
Source2: 30-ospp-v42.rules
Patch1: audit-3.0-saddr_fam-doc.patch
Patch2: audit-3.0-chkconfig.patch
Patch3: audit-3.0-krb-remote-fixup.patch
BuildRequires: gcc swig
BuildRequires: openldap-devel
@ -36,8 +20,8 @@ BuildRequires: kernel-headers >= 2.6.29
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
BuildRequires: systemd
Requires(post): systemd coreutils
Requires(preun): systemd
Requires(postun): systemd coreutils
Requires(preun): systemd initscripts
Requires(postun): systemd coreutils initscripts
%description
The audit package contains the user space utilities for
@ -99,21 +83,14 @@ incoming audit events, as they happen, to a configured z/OS SMF (Service
Management Facility) database, through an IBM Tivoli Directory Server
(ITDS) set for Remote Audit service.
%enable_gotoolset7
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
cp %{SOURCE1} .
autoreconf
## overwrite 30-ospp-v42.rules
cp -f %{SOURCE2} rules/
%build
%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \
@ -177,6 +154,9 @@ fi
%preun
%systemd_preun auditd.service
if [ $1 -eq 0 ]; then
/sbin/service auditd stop > /dev/null 2>&1
fi
%postun
if [ $1 -ge 1 ]; then
@ -244,7 +224,7 @@ fi
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%ghost %{_localstatedir}/run/auditd.state
%attr(750,root,root) %dir %{_var}/log/audit
%attr(-,root,-) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%attr(750,root,root) %dir /etc/audit/plugins.d
@ -273,6 +253,21 @@ fi
%attr(750,root,root) /sbin/audispd-zos-remote
%changelog
* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
* Sat Jul 13 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190607gitf58ec40
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.11.20190607gitf58ec40
resolves: rhbz#1643567 - service auditd stop exits prematurely
resolves: rhbz#1693470 - libauparse memory leak
resolves: rhbz#1694071 - ausearch doesn't record device/inode details checkpointing a single file
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
resolves: rhbz#1705894 - aureport aborts when using a specific input
resolves: rhbz#1706045 - RFE: Backport support for new audit record types
resolves: rhbz#1715852 - RFE: provide a way to filter on network address family
* Wed Jan 09 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20180831git0047a6c
resolves: rhbz#1655270] Message "audit: backlog limit exceeded" reported
- Fix annobin failure