rpms/audit
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream major release

Browse Source
This commit is contained in:
Steve Grubb 2024-01-18 07:31:09 -05:00
parent c81b8a0bab
commit e13026e4fe
7 changed files with 59 additions and 401 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -177,3 +177,4 @@ audit-2.0.4.tar.gz
/audit-3.1.tar.gz
/audit-3.1.1.tar.gz
/audit-3.1.2.tar.gz
/audit-4.0.tar.gz

285
audit-3.9-1-aureport.patch
View File

@ -1,285 +0,0 @@
commit 5ccc65eba1807c12e603c4bdf6590d91cc52499a
Author: Steve Grubb <sgrubb@redhat.com>
Date: Sat Sep 2 09:58:46 2023 -0400
Speed up aureport --summary reports
diff --git a/src/ausearch-string.c b/src/ausearch-string.c
index 8dbec53..484c232 100644
--- a/src/ausearch-string.c
+++ b/src/ausearch-string.c
@@ -1,27 +1,28 @@
/*
-* ausearch-string.c - Minimal linked list library for strings
-* Copyright (c) 2005,2008,2014 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This software may be freely redistributed and/or modified under the
-* terms of the GNU General Public License as published by the Free
-* Software Foundation; either version 2, or (at your option) any
-* later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program; see the file COPYING. If not, write to the
-* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-* Boston, MA 02110-1335, USA.
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
+ * ausearch-string.c - Minimal linked list library for strings
+ * Copyright (c) 2005,2008,2014,2023 Red Hat Inc.
+ * All Rights Reserved.
+ *
+ * This software may be freely redistributed and/or modified under the
+ * terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2, or (at your option) any
+ * later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; see the file COPYING. If not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+ * Boston, MA 02110-1335, USA.
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#pragma GCC optimize("O3,inline")
#include "ausearch-string.h"
#include <stdlib.h>
#include <string.h>
@@ -31,28 +32,10 @@ void slist_create(slist *l)
{
l->head = NULL;
l->cur = NULL;
+ l->last = NULL;
l->cnt = 0;
}
-void slist_last(slist *l)
-{
- register snode* cur;
-
- if (l->head == NULL)
- return;
-
- // Try using cur so that we don't have to start at beginnning
- if (l->cur)
- cur = l->cur;
- else
- cur = l->head;
-
- // Loop until no next value
- while (cur->next)
- cur = cur->next;
- l->cur = cur;
-}
-
snode *slist_next(slist *l)
{
if (l->cur == NULL)
@@ -80,14 +63,14 @@ void slist_append(slist *l, snode *node)
newnode->hits = node->hits;
newnode->next = NULL;
- // Make sure cursor is at the end
- slist_last(l);
-
- // if we are at top, fix this up
- if (l->head == NULL)
+ // if the top is empty, add it there
+ if (l->head == NULL) {
l->head = newnode;
- else // Otherwise add pointer to newnode
- l->cur->next = newnode;
+ l->last = newnode;
+ } else { // Otherwise put at the end
+ l->last->next = newnode;
+ l->last = newnode;
+ }
// make newnode current
l->cur = newnode;
@@ -109,25 +92,25 @@ void slist_clear(slist* l)
}
l->head = NULL;
l->cur = NULL;
+ l->last = NULL;
l->cnt = 0;
}
-/* This function dominates the timing of aureport. Needs to be more efficient */
int slist_add_if_uniq(slist *l, const char *str)
{
snode sn;
- register snode *cur;
+ register snode *cur;
if (str == NULL)
return -1;
- cur = l->head;
+ cur = l->head;
while (cur) {
if (strcmp(str, cur->str) == 0) {
cur->hits++;
l->cur = cur;
return 0;
- } else
+ } else
cur = cur->next;
}
@@ -140,7 +123,7 @@ int slist_add_if_uniq(slist *l, const char *str)
}
// If lprev would be NULL, use l->head
-static void swap_nodes(snode *lprev, snode *left, snode *right)
+static inline void swap_nodes(snode *lprev, snode *left, snode *right)
{
snode *t = right->next;
if (lprev)
@@ -150,17 +133,13 @@ static void swap_nodes(snode *lprev, snode *left, snode *right)
}
// This will sort the list from most hits to least
-void slist_sort_by_hits(slist *l)
+static void old_sort_by_hits(slist *l)
{
register snode* cur, *prev;
-
- if (l->cnt <= 1)
- return;
-
prev = cur = l->head;
while (cur && cur->next) {
- /* If the next node is bigger */
+ // If the next node is bigger
if (cur->hits < cur->next->hits) {
if (cur == l->head) {
// Update the actual list head
@@ -180,3 +159,82 @@ void slist_sort_by_hits(slist *l)
l->cur = l->head;
}
+// Merge two sorted lists
+static snode* slist_merge_sorted_lists(snode *a, snode *b)
+{
+ snode dummy;
+ snode *tail = &dummy;
+ dummy.next = NULL;
+
+ while (a && b) {
+ if (a->hits >= b->hits) {
+ tail->next = a;
+ a = a->next;
+ } else {
+ tail->next = b;
+ b = b->next;
+ }
+ tail = tail->next;
+ }
+ tail->next = a ? a : b;
+ return dummy.next;
+}
+
+// Split the list into two halves
+static void slist_split_list(snode *head, snode **front, snode **back)
+{
+ snode *fast, *slow;
+ slow = head;
+ fast = head->next;
+
+ while (fast) {
+ fast = fast->next;
+ if (fast) {
+ slow = slow->next;
+ fast = fast->next;
+ }
+ }
+
+ *front = head;
+ *back = slow->next;
+ slow->next = NULL;
+}
+
+// Merge sort for linked list
+static void slist_merge_sort(snode **head_ref)
+{
+ snode *head = *head_ref;
+ snode *a, *b;
+
+ if (!head || !head->next)
+ return;
+
+ slist_split_list(head, &a, &b);
+
+ slist_merge_sort(&a);
+ slist_merge_sort(&b);
+
+ *head_ref = slist_merge_sorted_lists(a, b);
+}
+
+// This function dominates aureport --summary --kind output
+void slist_sort_by_hits(slist *l)
+{
+ if (l->cnt <= 1)
+ return;
+
+ // If the list is small, use old algorithm because
+ // the new one has some overhead that makes it slower
+ // until the list is big enough that the inefficiencies
+ // of the old algorithm cause slowness. The value chosen
+ // below is just a guess. At 100, the old algorithm is
+ // faster. At 1000, the new one is 5x faster.
+ if (l->cnt < 200)
+ return old_sort_by_hits(l);
+
+ slist_merge_sort(&l->head);
+
+ // End with cur pointing at first record
+ l->cur = l->head;
+}
+
diff --git a/src/ausearch-string.h b/src/ausearch-string.h
index 1cfc4a6..5fcf1ee 100644
--- a/src/ausearch-string.h
+++ b/src/ausearch-string.h
@@ -1,6 +1,6 @@
/*
* ausearch-string.h - Header file for ausearch-string.c
-* Copyright (c) 2005,2008 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2005,2008,2023 Red Hat Inc.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -15,7 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; see the file COPYING. If not, write to the
-* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
* Boston, MA 02110-1335, USA.
*
* Authors:
@@ -41,6 +41,7 @@ typedef struct _snode{
typedef struct {
snode *head; // List head
snode *cur; // Pointer to current node
+ snode *last; // Pointer to current node
unsigned int cnt; // How many items in this list
} slist;

19
audit-3.9-2-no-io_uring.patch
View File

@ -1,19 +0,0 @@
commit b4cc077dac3e9bee1df59ee04cb2c466bc603033
Author: Steve Grubb <sgrubb@redhat.com>
Date: Wed Nov 1 15:14:25 2023 -0400
completely disable io_uring code in libev
diff --git a/src/libev/ev.c b/src/libev/ev.c
index a4ef36f..c4a0070 100644
--- a/src/libev/ev.c
+++ b/src/libev/ev.c
@@ -128,7 +128,7 @@
# if HAVE_LINUX_FS_H && HAVE_SYS_TIMERFD_H && HAVE_KERNEL_RWF_T
# ifndef EV_USE_IOURING
-# define EV_USE_IOURING EV_FEATURE_BACKENDS
+# define EV_USE_IOURING 0 // Intentionally drop the io_uring backend
# endif
# else
# undef EV_USE_IOURING

25
audit-3.9-4-fix-leak.patch
View File

@ -1,25 +0,0 @@
commit e1b75c41b3bd4f7de981b1c89b3a23c64cda53e1
Author: cgzones <cgzones@googlemail.com>
Date: Wed Nov 1 20:35:40 2023 +0100
lib: close audit socket in load_feature_bitmap() (#334)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 0a52285..72b25a9 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -657,12 +657,14 @@ static void load_feature_bitmap(void)
/* Found it... */
features_bitmap = rep.status->feature_bitmap;
+ audit_close(fd);
return;
}
}
}
#endif
features_bitmap = AUDIT_FEATURES_UNSUPPORTED;
+ audit_close(fd);
}
uint32_t audit_get_features(void)

19
audit-3.9-5-mk-static.patch
View File

@ -1,19 +0,0 @@
commit 73c9ce37b15a963c6e609906d232b0a6ea9c741f
Author: Steve Grubb <sgrubb@redhat.com>
Date: Wed Nov 1 17:22:47 2023 -0400
declare file local function static
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 72b25a9..cfbad1d 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -997,7 +997,7 @@ uint32_t audit_get_session(void)
return ses;
}
-int audit_rule_syscall_data(struct audit_rule_data *rule, int scall)
+static int audit_rule_syscall_data(struct audit_rule_data *rule, int scall)
{
int word = AUDIT_WORD(scall);
int bit = AUDIT_BIT(scall);

109
audit.spec
View File

@ -1,28 +1,23 @@
Summary: User space tools for kernel auditing
Name: audit
Version: 3.1.2
Release: 5%{?dist}
Version: 4.0
Release: 1%{?dist}
License: GPL-2.0-or-later AND LGPL-2.0-or-later
URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
Patch1: audit-3.9-1-aureport.patch
Patch2: audit-3.9-2-no-io_uring.patch
Patch3: audit-3.9-4-fix-leak.patch
Patch4: audit-3.9-5-mk-static.patch
BuildRequires: make gcc
BuildRequires: krb5-devel
BuildRequires: kernel-headers >= 2.6.29
BuildRequires: kernel-headers >= 5.0
BuildRequires: systemd
BuildRequires: autoconf automake libtool
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires(post): systemd coreutils procps-ng
Requires: %{name}-rules%{?_isa} = %{version}-%{release}
Requires(post): systemd coreutils
Requires(preun): systemd
Recommends: initscripts-service
Requires(postun): systemd coreutils
Recommends: initscripts-service
# Placing this here under the assumption that anything using the
# python libraries expects the system to have an audit daemon
@ -32,6 +27,7 @@ Obsoletes: python2-audit < %{version}-%{release}
The audit package contains the user space utilities for
storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 and later kernels.
It includes example rules that you can use.
%package libs
Summary: Dynamic library for libaudit
@ -46,7 +42,7 @@ applications to use the audit framework.
Summary: Header files for libaudit
License: LGPL-2.0-or-later
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: kernel-headers >= 2.6.29
Requires: kernel-headers >= 5.0
%description libs-devel
The audit-libs-devel package contains the header files needed for
@ -55,7 +51,7 @@ developing applications that need to use the audit framework libraries.
%package -n python3-audit
Summary: Python3 bindings for libaudit
License: LGPL-2.0-or-later
BuildRequires: python3-devel python-setuptools swig
BuildRequires: python3-devel python-unversioned-command swig
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: audit-libs-python3 = %{version}-%{release}
Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
@ -90,13 +86,17 @@ incoming audit events, as they happen, to a configured z/OS SMF (Service
Management Facility) database, through an IBM Tivoli Directory Server
(ITDS) set for Remote Audit service.
%package rules
Summary: audit rules and utilities
License: GPL-2.0-or-later
Recommends: %{name} = %{version}-%{release}
%description rules
The audit rules package contains the rules and utilities to load audit rules.
%prep
%setup -q
cp %{SOURCE1} .
%patch 1 -p1
%patch 2 -p1
%patch 3 -p1
%patch 4 -p1
# Remove the ids code, its not ready
sed -i 's/ ids / /' audisp/plugins/Makefile.am
@ -114,7 +114,6 @@ make CFLAGS="%{optflags}" %{?_smp_mflags}
%install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
@ -125,55 +124,57 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
find $RPM_BUILD_ROOT -name '*.la' -delete
find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete
find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete || true
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
%check
make check
#make %{?_smp_mflags} check
# Get rid of make files so that they don't get packaged.
rm -f rules/Makefile*
%post
%systemd_post auditd.service
%post rules
# Copy default rules into place on new installation
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
echo "No rules detected, adding default"
%if 0%{?rhel}
if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
if [ -e %{_datadir}/%{name}-rules/10-base-config.rules ] ; then
cp %{_datadir}/%{name}-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
%else
# FESCO asked for audit to be off by default. #1117953
if [ -e %{_datadir}/%{name}/sample-rules/10-no-audit.rules ] ; then
cp %{_datadir}/%{name}/sample-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
if [ -e %{_datadir}/%{name}-rules/10-no-audit.rules ] ; then
cp %{_datadir}/%{name}-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
%endif
else
touch /etc/audit/rules.d/audit.rules
fi
chmod 0600 /etc/audit/rules.d/audit.rules
fi
%systemd_post auditd.service
%systemd_post audit-rules.service
%preun
%systemd_preun auditd.service
# Prefer script because it waits for auditd to terminate
if [ -e /usr/libexec/initscripts/legacy-actions/auditd/stop ] ; then
/usr/libexec/initscripts/legacy-actions/auditd/stop
else
auditctl --signal stop
if [ $1 -eq 0 ]; then
auditctl --signal stop
fi
%preun rules
%systemd_preun audit-rules.service
if [ $1 -eq 0 ]; then
auditctl -D > /dev/null 2>&1
fi
%postun
if [ $1 -ge 1 ]; then
state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
if [ $state = "active" ] ; then
# Prefer script because it waits for auditd to terminate
if [ -e /usr/libexec/initscripts/legacy-actions/auditd/stop ] ; then
/usr/libexec/initscripts/legacy-actions/auditd/stop
else
auditctl --signal stop
fi
auditctl --signal stop
systemctl start auditd
fi
fi
@ -191,45 +192,37 @@ fi
%{_libdir}/libaudit.so
%{_libdir}/libauparse.so
%{_includedir}/libaudit.h
%{_includedir}/audit_logging.h
%{_includedir}/audit-records.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_datadir}/aclocal/audit.m4
%{_libdir}/pkgconfig/audit.pc
%{_libdir}/pkgconfig/auparse.pc
%{_mandir}/man3/*
%{_mandir}/man5/ausearch-expression.5.gz
%files -n python3-audit
%attr(755,root,root) %{python3_sitearch}/*
%files
%doc ChangeLog init.d/auditd.cron
%doc README.md ChangeLog init.d/auditd.cron
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,root) %{_datadir}/%{name}
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
%attr(755,root,root) %{_sbindir}/auditctl
%attr(755,root,root) %{_sbindir}/auditd
%attr(755,root,root) %{_sbindir}/ausearch
%attr(755,root,root) %{_sbindir}/aureport
%attr(750,root,root) %{_sbindir}/autrace
%attr(755,root,root) %{_sbindir}/augenrules
%attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall
%attr(755,root,root) %{_bindir}/auvirt
%attr(644,root,root) %{_unitdir}/auditd.service
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
@ -239,14 +232,23 @@ fi
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%attr(750,root,root) %{_libexecdir}/audit-functions
%ghost %{_localstatedir}/run/auditd.state
%attr(-,root,-) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%attr(750,root,root) %dir /etc/audit/plugins.d
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
%ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
%files rules
%attr(755,root,root) %dir %{_datadir}/%{name}-rules
%attr(644,root,root) %{_datadir}/%{name}-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(755,root,root) %{_sbindir}/auditctl
%attr(755,root,root) %{_sbindir}/augenrules
%attr(644,root,root) %{_unitdir}/audit-rules.service
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
@ -276,6 +278,9 @@ fi
%attr(750,root,root) %{_sbindir}/audispd-zos-remote
%changelog
* Tue Jan 16 2024 Steve Grubb <sgrubb@redhat.com> 4.0-1
- New upstream major release
* Sat Nov 04 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-5
- Bug fixes pulled from upstrean

2
sources
View File

@ -1 +1 @@
SHA512 (audit-3.1.2.tar.gz) = a97003a294ed3671df01e2952688e7d5eef59a35f6891feb53e67c4c7eab9ae8c2d18de41a5b5b20e0ad7156fac93aec05f32f6bc5eea706b42b6f27f676446a
SHA512 (audit-4.0.tar.gz) = 4ed5b216c75c655fd40a74b909d591922a66690bdf2cc5c69a23be3e9b10c8d341fd9b4f496f3ce2a8f99b7d86f0dda13e36387edd845b590ab767a82b4315cc