- Fix output of keys in ausearch interpretted mode
- Fix ausearch/report --start now to not be reset to midnight
- audispd now has a priority boost config option
- Look for laddr in avcs reported via prelude
- Detect page 0 mmaps and alert via prelude
This commit is contained in:
parent
f2add7b4d6
commit
b4b03fa176
@ -88,3 +88,4 @@ audit-1.6.8.tar.gz
|
|||||||
audit-1.6.9.tar.gz
|
audit-1.6.9.tar.gz
|
||||||
audit-1.7.tar.gz
|
audit-1.7.tar.gz
|
||||||
audit-1.7.1.tar.gz
|
audit-1.7.1.tar.gz
|
||||||
|
audit-1.7.3.tar.gz
|
||||||
|
@ -1,21 +0,0 @@
|
|||||||
diff -urp audit-1.7.2.orig/src/ausearch-parse.c audit-1.7.2/src/ausearch-parse.c
|
|
||||||
--- audit-1.7.2.orig/src/ausearch-parse.c 2008-04-09 14:26:27.000000000 -0400
|
|
||||||
+++ audit-1.7.2/src/ausearch-parse.c 2008-04-17 10:44:10.000000000 -0400
|
|
||||||
@@ -1208,6 +1212,17 @@ static int parse_avc(const lnode *n, sea
|
|
||||||
term = str + 6;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ if (event_filename) {
|
|
||||||
+ // do we have a path?
|
|
||||||
+ str = strstr(term, " path=");
|
|
||||||
+ if (str) {
|
|
||||||
+ str += 6;
|
|
||||||
+ rc = common_path_parser(s, str);
|
|
||||||
+ if (rc)
|
|
||||||
+ goto err;
|
|
||||||
+ term += 7;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
if (event_subject) {
|
|
||||||
// scontext
|
|
||||||
str = strstr(term, "scontext=");
|
|
@ -1,29 +0,0 @@
|
|||||||
diff -urp audit-1.7.2/lib/audit_logging.c audit-1.7.3/lib/audit_logging.c
|
|
||||||
--- audit-1.7.2/lib/audit_logging.c 2008-04-01 12:25:33.000000000 -0400
|
|
||||||
+++ audit-1.7.3/lib/audit_logging.c 2008-04-11 17:07:24.000000000 -0400
|
|
||||||
@@ -633,7 +633,6 @@ int audit_log_user_command(int audit_fd,
|
|
||||||
// We borrow the commname buffer
|
|
||||||
if (getcwd(commname, PATH_MAX) == NULL)
|
|
||||||
strcpy(commname, "?");
|
|
||||||
- strcpy(cwdname, commname);
|
|
||||||
p = commname;
|
|
||||||
len = strlen(commname);
|
|
||||||
while (*p) {
|
|
||||||
@@ -644,6 +643,8 @@ int audit_log_user_command(int audit_fd,
|
|
||||||
}
|
|
||||||
p++;
|
|
||||||
}
|
|
||||||
+ if (cwdenc == 0)
|
|
||||||
+ strcpy(cwdname, commname);
|
|
||||||
|
|
||||||
len = strlen(cmd);
|
|
||||||
// Trim the trailing carriage return and spaces
|
|
||||||
@@ -665,6 +666,8 @@ int audit_log_user_command(int audit_fd,
|
|
||||||
}
|
|
||||||
p++;
|
|
||||||
}
|
|
||||||
+ if (cmdenc == 0)
|
|
||||||
+ strcpy(commname, cmd);
|
|
||||||
free(cmd);
|
|
||||||
|
|
||||||
// Make the format string
|
|
@ -1,114 +0,0 @@
|
|||||||
diff -urp audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c
|
|
||||||
--- audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c 2008-04-07 16:57:12.000000000 -0400
|
|
||||||
+++ audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c 2008-04-18 14:23:06.000000000 -0400
|
|
||||||
@@ -228,7 +228,8 @@ int main(int argc, char *argv[])
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- syslog(LOG_INFO, "audisp-prelude is ready for events");
|
|
||||||
+ if (mode != M_TEST)
|
|
||||||
+ syslog(LOG_INFO, "audisp-prelude is ready for events");
|
|
||||||
do {
|
|
||||||
/* Load configuration */
|
|
||||||
if (hup) {
|
|
||||||
@@ -248,9 +249,10 @@ int main(int argc, char *argv[])
|
|
||||||
/* Flush any accumulated events from queue */
|
|
||||||
auparse_flush_feed(au);
|
|
||||||
|
|
||||||
- syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
|
|
||||||
if (mode == M_TEST)
|
|
||||||
puts("audisp-prelude is exiting on stop request");
|
|
||||||
+ else
|
|
||||||
+ syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
|
|
||||||
|
|
||||||
/* Cleanup subsystems */
|
|
||||||
if (client)
|
|
||||||
@@ -609,7 +611,7 @@ static int get_login_exe_info(auparse_st
|
|
||||||
base = basename(exe);
|
|
||||||
ret = prelude_string_new(&name_str);
|
|
||||||
PRELUDE_FAIL_CHECK;
|
|
||||||
- ret = prelude_string_set_ref(name_str, base);
|
|
||||||
+ ret = prelude_string_set_dup(name_str, base);
|
|
||||||
PRELUDE_FAIL_CHECK;
|
|
||||||
idmef_process_set_name(process, name_str);
|
|
||||||
}
|
|
||||||
@@ -708,7 +710,7 @@ static int get_comm_info(auparse_state_t
|
|
||||||
char *base = basename(exe);
|
|
||||||
ret = prelude_string_new(&name_str);
|
|
||||||
PRELUDE_FAIL_CHECK;
|
|
||||||
- ret = prelude_string_set_ref(name_str, base);
|
|
||||||
+ ret = prelude_string_set_dup(name_str, base);
|
|
||||||
idmef_process_set_name(process, name_str);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -760,7 +762,7 @@ static int get_file_info(auparse_state_t
|
|
||||||
ret = prelude_string_new(&str);
|
|
||||||
PRELUDE_FAIL_CHECK;
|
|
||||||
|
|
||||||
- ret = prelude_string_set_ref(str, path);
|
|
||||||
+ ret = prelude_string_set_dup(str, path);
|
|
||||||
PRELUDE_FAIL_CHECK;
|
|
||||||
if (path[0] == '/') {
|
|
||||||
char *base;
|
|
||||||
@@ -772,7 +774,7 @@ static int get_file_info(auparse_state_t
|
|
||||||
base = "/";
|
|
||||||
ret = prelude_string_new(&name_str);
|
|
||||||
PRELUDE_FAIL_CHECK;
|
|
||||||
- ret = prelude_string_set_ref(name_str, base);
|
|
||||||
+ ret = prelude_string_set_dup(name_str, base);
|
|
||||||
PRELUDE_FAIL_CHECK;
|
|
||||||
idmef_file_set_name(file, name_str);
|
|
||||||
} else
|
|
||||||
@@ -1811,7 +1813,7 @@ static void handle_event(auparse_state_t
|
|
||||||
rc = 0;
|
|
||||||
switch (type) {
|
|
||||||
case AUDIT_AVC:
|
|
||||||
- case AUDIT_USER_AVC:
|
|
||||||
+// case AUDIT_USER_AVC:
|
|
||||||
if (config.avcs == E_NO)
|
|
||||||
break;
|
|
||||||
if (config.avcs_act != A_IDMEF)
|
|
||||||
diff -urp audit-1.7.2.orig/auparse/auparse.c audit-1.7.2/auparse/auparse.c
|
|
||||||
--- audit-1.7.2.orig/auparse/auparse.c 2008-04-08 12:37:09.000000000 -0400
|
|
||||||
+++ audit-1.7.2/auparse/auparse.c 2008-04-18 14:10:36.000000000 -0400
|
|
||||||
@@ -1130,6 +1130,7 @@ int auparse_first_record(auparse_state_t
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
aup_list_first(&au->le);
|
|
||||||
+ aup_list_first_field(&au->le);
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
@@ -1236,7 +1237,22 @@ const char *auparse_find_field(auparse_s
|
|
||||||
{
|
|
||||||
free(au->find_field);
|
|
||||||
au->find_field = strdup(name);
|
|
||||||
- return auparse_find_field_next(au);
|
|
||||||
+
|
|
||||||
+ if (au->le.e.sec) {
|
|
||||||
+ const char *cur_name;
|
|
||||||
+ rnode *r;
|
|
||||||
+
|
|
||||||
+ // look at current record before moving
|
|
||||||
+ r = aup_list_get_cur(&au->le);
|
|
||||||
+ if (r == NULL)
|
|
||||||
+ return NULL;
|
|
||||||
+ cur_name = nvlist_get_cur_name(&r->nv);
|
|
||||||
+ if (cur_name && strcmp(cur_name, name) == 0)
|
|
||||||
+ return nvlist_get_cur_val(&r->nv);
|
|
||||||
+
|
|
||||||
+ return auparse_find_field_next(au);
|
|
||||||
+ }
|
|
||||||
+ return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Increment 1 location and then scan for next field */
|
|
||||||
@@ -1258,6 +1274,8 @@ const char *auparse_find_field_next(aupa
|
|
||||||
if (nvlist_find_name(&r->nv, au->find_field))
|
|
||||||
return nvlist_get_cur_val(&r->nv);
|
|
||||||
r = aup_list_next(&au->le);
|
|
||||||
+ if (r)
|
|
||||||
+ aup_list_first_field(&au->le);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return NULL;
|
|
19
audit.spec
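--- a/audit.spec
+++ b/audit.spec
@@ -1,20 +1,17 @@
 %define sca_version 0.4.6
-%define sca_release 6
+%define sca_release 7
 %define selinux_variants mls strict targeted
 %define selinux_policyver 3.2.5
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
 
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
-Version: 1.7.2
-Release: 6%{?dist}
+Version: 1.7.3
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
-Patch1: audit-1.7.3-cmd.patch
-Patch2: audit-1.7.2-avc.patch
-Patch3: audit-1.7.3-prelude.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: gettext-devel intltool libtool swig python-devel
 BuildRequires: kernel-headers >= 2.6.18
@@ -98,9 +95,6 @@ A graphical utility for editing audit configuration.
 
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
 mkdir zos-remote-policy
 cp -p audisp/plugins/zos-remote/policy/audispd-zos-remote.* zos-remote-policy
 
@@ -328,6 +322,13 @@ fi
 %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server
 
 %changelog
+* Fri May 09 2008 Steve Grubb <sgrubb@redhat.com> 1.7.3-1
+- Fix output of keys in ausearch interpretted mode
+- Fix ausearch/report --start now to not be reset to midnight
+- audispd now has a priority boost config option
+- Look for laddr in avcs reported via prelude
+- Detect page 0 mmaps and alert via prelude
+
 * Fri Apr 18 2008 Steve Grubb <sgrubb@redhat.com> 1.7.2-6
 - Fix overflow in audit_log_user_command, better (#438840)
 - ausearch was not matching path in avc records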
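Review bot: The new 1.7.3-1 changelog entry added after `%changelog` does not record that Patch1–Patch3 were dropped, although the same section removes `Patch1: audit-1.7.3-cmd.patch` — the fix for the audit_log_user_command overflow that the 1.7.2-6 entry tracks as #438840 — together with the avc and prelude patches and their `%patch` lines in `%prep`. Presumably these fixes are carried by the upstream 1.7.3 tarball (the removed cmd patch is a 1.7.2→1.7.3 diff), but nothing on this page confirms it, so anyone later auditing #438840 has to diff the tarball to see where the fix went. I would add one line to the 1.7.3-1 entry, `- Drop cmd, avc and prelude patches, included upstream in 1.7.3`, so the lineage of the overflow fix stays traceable in the spec.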