From d0505052ce4ea81a3885b42b70a62a8b82f8e557 Mon Sep 17 00:00:00 2001
From: Steve Grubb
Date: Thu, 17 Apr 2008 21:14:24 +0000
Subject: [PATCH] - Fix overflow in audit_log_user_command, better (#438840)
- ausearch was not matching path in avc records
- audisp-prelude attempt to reposition index after examining each type
- correct building of mls policy
---
 audit-1.7.2-avc.patch | 21 +++++++++++++++++++++
 audit-1.7.3-cmd.patch | 29 +++++++++++++++++++++++++++++
 audit-1.7.3-prelude.patch | 33 +++++++++++++++++++++++++++++++++
 audit.spec | 27 ++++++++++++++++++++++-----
 sources | 2 +-
 5 files changed, 106 insertions(+), 6 deletions(-)
 create mode 100644 audit-1.7.2-avc.patch
 create mode 100644 audit-1.7.3-cmd.patch
 create mode 100644 audit-1.7.3-prelude.patch
diff --git a/audit-1.7.2-avc.patch b/audit-1.7.2-avc.patch
new file mode 100644
index 0000000..1687052
--- /dev/null
+++ b/audit-1.7.2-avc.patch
@@ -0,0 +1,21 @@
+diff -urp audit-1.7.2.orig/src/ausearch-parse.c audit-1.7.2/src/ausearch-parse.c
+--- audit-1.7.2.orig/src/ausearch-parse.c 2008-04-09 14:26:27.000000000 -0400
++++ audit-1.7.2/src/ausearch-parse.c 2008-04-17 10:44:10.000000000 -0400
+@@ -1208,6 +1212,17 @@ static int parse_avc(const lnode *n, sea
+ term = str + 6;
+ }
+ }
++ if (event_filename) {
++ // do we have a path?
++ str = strstr(term, " path=");
++ if (str) {
++ str += 6;
++ rc = common_path_parser(s, str);
++ if (rc)
++ goto err;
++ term += 7;
++ }
++ }
+ if (event_subject) {
+ // scontext
+ str = strstr(term, "scontext=");
diff --git a/audit-1.7.3-cmd.patch b/audit-1.7.3-cmd.patch
new file mode 100644
index 0000000..3e5ef50
--- /dev/null
+++ b/audit-1.7.3-cmd.patch
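Review bot: `term += 7` in the new `if (event_filename)` block advances the scan cursor seven bytes from wherever it already was, not past the path value that was just parsed; the branch immediately above resumes with `term = str + 6`, and here `str` already points at the value, so `term = str;` would match that idiom and make the intent explicit. The later `strstr(term, "scontext=")` searches forward, so this is a consistency problem rather than a visible functional one, but a fixed offset like this tends to become a real bug when the record layout changes. If common_path_parser does not itself reject an empty or unquoted value after ` path=`, a one-line comment stating that assumption would help the next reader. parse_avc's body begins before and continues after this hunk.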
@@ -0,0 +1,29 @@
+diff -urp audit-1.7.2/lib/audit_logging.c audit-1.7.3/lib/audit_logging.c
+--- audit-1.7.2/lib/audit_logging.c 2008-04-01 12:25:33.000000000 -0400
++++ audit-1.7.3/lib/audit_logging.c 2008-04-11 17:07:24.000000000 -0400
+@@ -633,7 +633,6 @@ int audit_log_user_command(int audit_fd,
+ // We borrow the commname buffer
+ if (getcwd(commname, PATH_MAX) == NULL)
+ strcpy(commname, "?");
+- strcpy(cwdname, commname);
+ p = commname;
+ len = strlen(commname);
+ while (*p) {
+@@ -644,6 +643,8 @@ int audit_log_user_command(int audit_fd,
+ }
+ p++;
+ }
++ if (cwdenc == 0)
++ strcpy(cwdname, commname);
+ 
+ len = strlen(cmd);
+ // Trim the trailing carriage return and spaces
+@@ -665,6 +666,8 @@ int audit_log_user_command(int audit_fd,
+ }
+ p++;
+ }
++ if (cmdenc == 0)
++ strcpy(commname, cmd);
+ free(cmd);
+ 
+ // Make the format string
diff --git a/audit-1.7.3-prelude.patch b/audit-1.7.3-prelude.patch
new file mode 100644
index 0000000..1922001
--- /dev/null
+++ b/audit-1.7.3-prelude.patch
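Review bot: The added `strcpy(commname, cmd)` under `if (cmdenc == 0)` is still an unbounded copy into the buffer that `getcwd(commname, PATH_MAX)` treats as PATH_MAX bytes, and nothing in this hunk caps `len`/`cmd` to that size — the overflow this series is fixing (#438840) is exactly this kind of copy, so its safety should not depend on a truncation that lives between the hunks. Bound it at the point of the copy, e.g. `snprintf(commname, sizeof(commname), "%s", cmd);` if commname is a local array, or an explicit `if (len >= PATH_MAX)` check right before the strcpy, with a comment naming the invariant. The same reasoning applies to `strcpy(cwdname, commname)`, which is only safe if cwdname is at least as large as the PATH_MAX that bounds getcwd. In the `cwdenc != 0` and `cmdenc != 0` cases the hunk never writes cwdname/commname, so the encoded forms must be assigned elsewhere in the function — worth confirming, since an unset buffer would later be formatted into the record. audit_log_user_command begins and ends outside the hunk.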
@@ -0,0 +1,33 @@
+diff -urp audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c
+--- audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c 2008-04-07 16:57:12.000000000 -0400
++++ audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c 2008-04-17 16:27:51.000000000 -0400
+@@ -228,7 +228,8 @@ int main(int argc, char *argv[])
+ return -1;
+ }
+ 
+- syslog(LOG_INFO, "audisp-prelude is ready for events");
++ if (mode != M_TEST)
++ syslog(LOG_INFO, "audisp-prelude is ready for events");
+ do {
+ /* Load configuration */
+ if (hup) {
+@@ -248,9 +249,10 @@ int main(int argc, char *argv[])
+ /* Flush any accumulated events from queue */
+ auparse_flush_feed(au);
+ 
+- syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
+ if (mode == M_TEST)
+ puts("audisp-prelude is exiting on stop request");
++ else
++ syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
+ 
+ /* Cleanup subsystems */
+ if (client)
+@@ -1938,6 +1940,7 @@ static void handle_event(auparse_state_t
+ break;
+ case AUDIT_SYSCALL:
+ handle_watched_syscalls(au, &idmef, &alert);
++ goto_record_type(au, AUDIT_SYSCALL);
+ break;
+ default:
+ break;
diff --git a/audit.spec b/audit.spec
index eab7d14..87ce944 100644
--- a/audit.spec
+++ b/audit.spec
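Review bot: The result of the added `goto_record_type(au, AUDIT_SYSCALL)` is discarded, so if the syscall record cannot be re-found the cursor is silently left wherever handle_watched_syscalls moved it and the record loop that calls handle_event (outside this hunk) will skip or repeat records without any trace in the log. Assuming it returns a status like the auparse cursor helpers it presumably wraps, check it: `if (goto_record_type(au, AUDIT_SYSCALL) < 0) syslog(LOG_WARNING, "audisp-prelude: could not reposition on syscall record");`, or add a comment stating why a failed reposition is harmless here. The commit message says "after examining each type", but only the AUDIT_SYSCALL case is repositioned in this hunk; if the other handlers in the switch also move the cursor, they need the same treatment. handle_event begins and ends outside the hunk.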
@@ -1,17 +1,20 @@
 %define sca_version 0.4.6
-%define sca_release 5
+%define sca_release 6
 %define selinux_variants mls strict targeted
 %define selinux_policyver 3.2.5
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
-Version: 1.7.1
-Release: 1%{?dist}
+Version: 1.7.2
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+Patch1: audit-1.7.3-cmd.patch
+Patch2: audit-1.7.2-avc.patch
+Patch3: audit-1.7.3-prelude.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: gettext-devel intltool libtool swig python-devel
 BuildRequires: kernel-headers >= 2.6.18
@@ -95,6 +98,9 @@ A graphical utility for editing audit configuration.
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 mkdir zos-remote-policy
 cp -p audisp/plugins/zos-remote/policy/audispd-zos-remote.* zos-remote-policy
@@ -106,9 +112,14 @@ make %{?_smp_mflags}
 cd zos-remote-policy
 for selinuxvariant in %{selinux_variants}
 do
- make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+ if [ "${selinuxvariant}" = "mls" ]; then
+ TYPE=mls-mls
+ else
+ TYPE=${selinuxvariant}-mcs
+ fi
+ make -f /usr/share/selinux/devel/Makefile
 mv audispd-zos-remote.pp audispd-zos-remote.pp.${selinuxvariant}
- make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+ make -f /usr/share/selinux/devel/Makefile clean
 done
 cd -
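Review bot: `TYPE` is computed by the new `if`/`else` in the %build loop but never reaches make — it is a plain shell assignment, neither exported nor put on the make command line, so the devel Makefile builds every variant with its default TYPE and the mls special case is dead code. Pass it explicitly on the line that follows: `make TYPE=${TYPE} -f /usr/share/selinux/devel/Makefile` (and the same on the `clean` invocation if that target depends on it). With NAME= also dropped from both make lines, all three variants now build against whatever policy the build host's /etc/selinux/config selects, which may be the intended fix for the mls build but is worth a comment in the loop so the next editor does not "restore" it.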
@@ -315,6 +326,12 @@ fi
 %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server
 %changelog
+* Tue Apr 08 2008 Steve Grubb 1.7.2-2
+- Fix overflow in audit_log_user_command, better (#438840)
+- ausearch was not matching path in avc records
+- audisp-prelude attempt to reposition index after examining each type
+- correct building of mls policy
+
 * Tue Apr 08 2008 Steve Grubb 1.7.1-1
 - Fix buffer overflow in audit_log_user_command, again (#438840)
 - Fix memory leak in EOE code in auditd (#440075)
diff --git a/sources b/sources
index dda9fe4..7faf5b4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-c9d9fcfc19bdc131cc7bcf53b9b2dba4 audit-1.7.1.tar.gz
+1415749e73fbee34ff5f5f78ab92386a audit-1.7.2.tar.gz