Commit Graph

279 Commits

Author SHA1 Message Date
dmalcolm
892aad8b84 - Rebuilt for
https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
2010-07-22 00:39:06 +00:00
Adam Jackson
9347513a78 autoreconf so the makefile change takes effect 2010-02-16 22:11:08 +00:00
Adam Jackson
f3577bed94 - audit-2.0.4-add-needed.patch: Fix FTBFS for --no-add-needed 2010-02-16 21:50:10 +00:00
Steve Grubb
e2190be046 - Split out static libs (#556039) 2010-01-29 18:57:22 +00:00
Steve Grubb
36cd75f988 - Split out static libs (#556039) 2010-01-29 18:46:25 +00:00
Steve Grubb
5e1075d12f - New upstream release 2009-12-08 15:44:08 +00:00
Steve Grubb
b1c2e57a32 - New upstream release 2009-10-17 19:29:28 +00:00
Steve Grubb
05d70ed917 - New upstream release 2009-10-16 17:14:38 +00:00
Steve Grubb
028898f181 - New upstream release 2009-10-16 17:09:20 +00:00
Steve Grubb
52a4831e16 - New upstream release 2009-09-28 19:55:04 +00:00
Steve Grubb
964f2cbd9f - New upstream release 2009-08-21 14:57:14 +00:00
Steve Grubb
1c13929628 - New upstream release 2009-08-19 19:23:25 +00:00
Steve Grubb
ad21c8a37c - New upstream release 2009-08-19 19:16:54 +00:00
Steve Grubb
7b312bdccc - New upstream release 2009-08-19 19:06:41 +00:00
Steve Grubb
ff137c5b6c add temporary compat package 2009-08-19 18:51:56 +00:00
Steve Grubb
b9f018d58e - New upstream release 2009-08-18 18:13:00 +00:00
Steve Grubb
0d9d3c9ee2 fix the release numbers 2009-07-29 23:52:26 +00:00
Jesse Keating
827754ea8c - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild 2009-07-24 17:33:31 +00:00
Steve Grubb
e76832c90f - New upstream release
- Fix problem with negative uids in audit rules on 32 bit systems
- Update tty keystroke interpretations (Miloslav Trmač)
2009-04-21 19:02:44 +00:00
Steve Grubb
943e1d4bec - Drop some debug code in libev 2009-04-03 19:42:16 +00:00
Steve Grubb
cdf3b383d3 - Apply patch from dwalsh moving audit.py file to arch specific python dir 2009-03-17 18:30:16 +00:00
Steve Grubb
e29b4b64db Adjusted the patch level 2009-02-26 23:59:43 +00:00
Steve Grubb
6578fabf5e - Handle audit=0 boot option for 2.6.29 kernel (#487541) 2009-02-26 21:44:35 +00:00
Steve Grubb
60481bc88a - New upstream release 2009-02-24 22:04:42 +00:00
Steve Grubb
311514cc09 - New upstream release 2009-02-24 21:36:08 +00:00
Jesse Keating
58d4476524 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild 2009-02-24 03:11:20 +00:00
Steve Grubb
46e327bbf6 Fix syslog conf packaging 2009-01-24 15:03:04 +00:00
Steve Grubb
24bca3bf6d - Add crypto event definitions 2009-01-13 22:12:58 +00:00
Steve Grubb
506ae42a34 - Add crypto event definitions 2009-01-13 22:01:45 +00:00
Steve Grubb
730f430ddb Add crypto event definitions 2009-01-13 21:51:42 +00:00
Steve Grubb
ea367a7cf2 - New upstream release 2009-01-10 21:10:21 +00:00
Steve Grubb
c28fd1e4b9 - Fix bz 476798 - "auditd -n" does not work 2008-12-17 15:06:51 +00:00
Steve Grubb
0784c5c460 - New upstream release 2008-12-13 13:52:26 +00:00
Ignacio Vazquez-Abrams
4f9c1b187f Rebuild for Python 2.6 2008-11-29 16:36:38 +00:00
Steve Grubb
26bdc0669a - New upstream release 2008-11-05 20:54:11 +00:00
Steve Grubb
333ae898aa - Update specfile requires to include dist 2008-10-28 14:35:27 +00:00
Steve Grubb
fb25688f94 - Fix ausearch/report recent and now time keyword lookups (#468668) 2008-10-27 17:41:01 +00:00
Steve Grubb
fd868dc9dc Update requires 2008-10-25 14:25:47 +00:00
Steve Grubb
5431994a68 - If kernel is in immutable mode, auditd should not send enable command 2008-10-25 13:08:31 +00:00
Steve Grubb
43fc1794e1 - Fix ausearch interpretting i386 syscalls on x86_64 machine 2008-10-24 19:29:23 +00:00
Steve Grubb
0961553dfe - Fix segfault when using file input to aureport
- Quieten down messages about missing gssapi support
2008-10-23 20:07:02 +00:00
Steve Grubb
c183a174e4 - Disable GSSAPI support until its reworked as plugin
- Interpret TTY audit data in auparse (Miloslav Trmač)
- Extract terminal from USER_AVC events for ausearch/report (Peng Haitao)
- Add USER_AVCs to aureport's avc reporting (Peng Haitao)
- Short circuit hostname resolution in libaudit if host is empty
- If log_group and user are not root, don't check dispatcher perms
- Fix a bug when executing "ausearch -te today PM"
- Add --exit search option to ausearch
- Fix parsing config file when kerberos is disabled
2008-10-22 18:21:46 +00:00
Steve Grubb
0983360c7f - Remove selinux policy for zos-remote 2008-10-16 19:54:50 +00:00
Steve Grubb
0a9e32d94a Disable testing of ppc 2008-09-17 20:49:00 +00:00
Steve Grubb
fffe22aac3 - Bug fixes for GSSAPI code in remote logging (DJ Delorie)
- Add watched syscall support to audisp-prelude
- Enable tcp_wrappers support in auditd
2008-09-17 20:12:32 +00:00
Steve Grubb
baa6b19d1f Don't do make check just yet 2008-09-11 23:11:08 +00:00
Steve Grubb
0f4ff3fca4 - Add subject to audit daemon events (Chu Li)
- Add tcp_wrappers support for auditd
- Updated syscall tables for 2.6.27 kernel
- Audit connect/disconnect of remote clients
- Add GSS/Kerberos encryption to the remote protocol (DJ Delorie)
2008-09-11 22:51:16 +00:00
Steve Grubb
0e1966b810 fix zos selinux policy file 2008-08-31 16:54:48 +00:00
Steve Grubb
8955505fb2 couple spec file updates 2008-08-25 21:24:14 +00:00
Steve Grubb
dce82d1b97 - Update system-config-audit to 0.4.8
- Whole lot of bug fixes - see ChangeLog for details
- Reimplement auditd main loop using libev
- Add TCP listener to auditd to receive remote events
- Fix scheduler problem (#457061)
2008-08-25 20:05:09 +00:00
Steve Grubb
8b5ee23989 - Move ausearch-expression to main package (#453437) 2008-07-04 00:55:30 +00:00
Steve Grubb
a94ab1c00d - Fix interpreting of keys in syscall records
- Don't error on name=(null) PATH records in ausearch/report
- Add key report to aureport
- Update system-config-audit to 0.4.7 (Miloslav Trmac)
- Add support for the filetype field option in auditctl new to 2.6.26
    kernels
2008-05-19 18:02:47 +00:00
Steve Grubb
b4b03fa176 - Fix output of keys in ausearch interpretted mode
- Fix ausearch/report --start now to not be reset to midnight
- audispd now has a priority boost config option
- Look for laddr in avcs reported via prelude
- Detect page 0 mmaps and alert via prelude
2008-05-09 18:37:00 +00:00
Steve Grubb
f2add7b4d6 - Fix overflow in audit_log_user_command, better (#438840)
- ausearch was not matching path in avc records
- audisp-prelude attempt to reposition index after examining each type
- correct building of mls policy
- Fix auparse iterating in auparse_find_field and next_field
- Don't alert on USER_AVC's - they are not quite right
2008-04-18 20:18:30 +00:00
Steve Grubb
26677d9499 - Fix overflow in audit_log_user_command, better (#438840)
- ausearch was not matching path in avc records
- audisp-prelude attempt to reposition index after examining each type
- correct building of mls policy
- Fix auparse iterating in auparse_find_field and next_field
- Don't alert on USER_AVC's - they are not quite right
2008-04-18 19:47:43 +00:00
Steve Grubb
d0505052ce - Fix overflow in audit_log_user_command, better (#438840)
- ausearch was not matching path in avc records
- audisp-prelude attempt to reposition index after examining each type
- correct building of mls policy
2008-04-17 21:14:24 +00:00
Steve Grubb
0553dafd8a Add directory to locate rules 2008-04-08 17:28:30 +00:00
Steve Grubb
e32261e9dd Get rid of old patches 2008-04-08 17:14:57 +00:00
Steve Grubb
0a9ab60e01 - Fix buffer overflow in audit_log_user_command, again (#438840)
- Fix memory leak in EOE code in auditd (#440075)
- In auditctl, don't use new operators in legacy rule format
- Made a couple corrections in alpha & x86_64 syscall tables (Miloslav
    Trmac)
2008-04-08 17:11:19 +00:00
Steve Grubb
66fff58cc0 - Fix buffer overflow in audit_log_user_command, again (#438840)
- Fix memory leak in EOE code in auditd (#440075)
- In auditctl, don't use new operators in legacy rule format
- Made a couple corrections in alpha & x86_64 syscall tables (Miloslav
    Trmac)
2008-04-08 17:10:03 +00:00
Steve Grubb
13e2090eff - Fix memleak in auditd eoe code 2008-04-05 01:38:01 +00:00
Steve Grubb
5676baffd9 - Remove LSB headers from init scripts
- Fix buffer overflow in audit_log_user_command again
2008-04-01 16:33:34 +00:00
Steve Grubb
89ca632558 update sc-audit release 2008-03-30 19:18:35 +00:00
Steve Grubb
8efb1f0ace - Handle user space avcs in prelude plugin
- Fix watched account login detection for some failed login attempts
- Couple fixups in audit logging functions (Miloslav Trmac)
- Add support in auditctl for virtual keys
- auparse_find_field_next was not iterating correctly, fixed it
- Add idmef alerts for access or execution of watched file
- Fix buffer overflow in audit_log_user_command
- Add basic remote logging plugin - only sends & no flow control
- Update ausearch with interpret fixes from auparse
2008-03-30 19:17:17 +00:00
Steve Grubb
44f663a360 - Apply hidden attribute cleanup patch (Miloslav Trmac)
- Apply auparse expression interface patch (Miloslav Trmac)
- Fix potential memleak in audit event dispatcher
- Update system-config-audit to version 0.4.6 (Miloslav Trmac)
- audisp-prelude alerts now controlled by config file
- Updated syscall table for 2.6.25 kernel
- Apply patch correcting acct field being misencoded (Miloslav Trmac)
- Added watched account login detection for prelude plugin
2008-03-09 23:29:28 +00:00
Steve Grubb
379ed2602a updated spec file for merge review 2008-02-25 11:27:40 +00:00
Steve Grubb
a37b944f0b - Update for gcc 4.3
- Cleanup descriptors in audispd before running plugin
- Fix 'recent' keyword for aureport/search
- Fix SE Linux policy for zos_remote plugin
- Add event type for group password authentication attempts
- Couple of updates to the translation tables
- Add detection of failed group authentication to audisp-prelude
2008-02-14 19:51:04 +00:00
Steve Grubb
f4110fe9a8 bump release number 2008-01-31 22:27:40 +00:00
Steve Grubb
5ccda98dc4 - In ausearch/report, prefer -if to stdin
- In ausearch/report, add new command line option --input-logs (#428860)
- Updated audisp-prelude based on feedback from prelude-devel
- Added prelude alert for promiscuous socket being opened
- Added prelude alert for SE Linux policy enforcement changes
- Added prelude alerts for Forbidden Login Locations and Time
- Applied patch to auparse fixing error handling of searching by
    interpreted value (Miloslav Trmac)
2008-01-31 22:17:06 +00:00
Steve Grubb
7307aa51db - In ausearch/report, prefer -if to stdin
- In ausearch/report, add new command line option --input-logs (#428860)
- Updated audisp-prelude based on feedback from prelude-devel
- Added prelude alert for promiscuous socket being opened
- Added prelude alert for SE Linux policy enforcement changes
- Added prelude alerts for Forbidden Login Locations and Time
- Applied patch to auparse fixing error handling of searching by
    interpreted value (Miloslav Trmac)
2008-01-31 22:07:21 +00:00
Steve Grubb
9893d2d877 - Add prelude IDS plugin for IDMEF alerts
- Add --user option to aulastlog command
- Use desktop-file-install for system-config-audit
- Avoid touching auditd.conf most of the time (#408501)
2008-01-19 20:59:34 +00:00
Steve Grubb
597b4aeb16 - Updates for spec file review
- Adjust permission on selinux policy file
2008-01-11 20:42:03 +00:00
Steve Grubb
7b5bbccaae - Adjust permission on selinux policy file 2008-01-11 16:14:53 +00:00
Steve Grubb
61abc7b01e - Fix config parser to allow either 0640 or 0600 for audit logs (#427062)
- Check for audit log being writable by owner in auditd
- If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639)
- Updated CAPP, LSPP, and NISPOM rules for new capabilities
- Added aulastlog utility
2008-01-07 20:11:15 +00:00
Steve Grubb
1d5ece1ce9 - Allow 0600 file perms for audit logs 2007-12-31 03:48:17 +00:00
Steve Grubb
1a7594d87f - Allow 0600 file perms for audit logs 2007-12-31 03:29:57 +00:00
Steve Grubb
e8486e1e33 - fchmod of log file was on wrong variable (#426934)
- Allow use of errno strings for exit codes in audit rules
2007-12-29 15:51:09 +00:00
Miloslav Trmac
53106a0572 - Don't fchmod() /dev/null to mode 0400 (#426934) 2007-12-29 00:32:06 +00:00
Steve Grubb
597027a35e - Add kernel release string to DEAMON_START events
- Fix keep_logs when num_logs option disabled (#325561)
- Fix auparse to handle node fields for syscall records
- Update system-config-audit to version 0.4.5 (Miloslav Trmac)
- Add keyword week-ago to aureport & ausearch start/end times
- Fix audit log permissions on rotate. If group is root 0400, otherwise
    0440
- Add RACF zos remote audispd plugin (Klaus Kiwi)
- Add event queue overflow action to audispd
2007-12-27 21:50:31 +00:00
Steve Grubb
fed3183375 - Fix race between threads accessing common data in auditd
- Fix double free in event dispatcher.
2007-10-17 18:21:53 +00:00
Steve Grubb
0a1d445d1c - Fix syscall name to number conversion in libaudit. 2007-10-05 15:42:18 +00:00
Steve Grubb
eadd98d61f - Don't retry if the rt queue is full. 2007-10-01 18:43:37 +00:00
Steve Grubb
559824bd5d - Add support for searching by posix regular expressions in auparse
- Route DEAMON events into rt interface
- If event pipe is full, try again after doing local logging
- Optionally add node/machine name to records in audit daemon
- Update ausearch/aureport to specify nodes to search on
- Fix segfault interpretting saddr fields in avcs
2007-09-25 15:56:34 +00:00
Steve Grubb
b62f29eb75 - Fix uninitialized variable in auparse (John Dennis) 2007-09-06 18:16:57 +00:00
Steve Grubb
862b73deea - External plugin support in place
- Fix reference counting in auparse python bindings (#263961)
- Moved default af_unix plugin socket to /var/run/audispd_events
2007-09-02 16:49:22 +00:00
Steve Grubb
114d2589bb - Add newline to audispd string formatted events 2007-08-29 17:18:22 +00:00
Steve Grubb
7e0621586c Minor update to spec file 2007-08-28 23:38:25 +00:00
Steve Grubb
d3e971a156 - spec file cleanups
- Update to s-c-audit 0.4.3
2007-08-28 18:34:17 +00:00
Steve Grubb
7c6e7fc655 - Update Licence tags
- Adding perm field should not set syscall added flag in auditctl
- Fix segfault when aureport -if option is used
- Fix auditctl to better check keys on rule lines
- Add support for audit by TTY and other new event types
- Auditd config option for group permission of audit logs
- Swig messed up a variable in ppc's python bindings causing crashes.
    (#251327)
- New audit event dispatcher
- Update syscall tables for 2.6.23 kernel
2007-08-27 20:29:41 +00:00
Steve Grubb
6fd670045b More release version adjustment 2007-07-25 20:39:21 +00:00
Steve Grubb
70c6124734 change sc-audit parameters 2007-07-25 20:25:48 +00:00
Steve Grubb
2837477064 - Fix potential buffer overflow in print clone flags of auparse
- Fix python traceback parsing watches without perm statement (Miloslav
    Trmac)
- Update auditctl to handle legacy kernels when putting a watch on a dir
- Fix acct interpretation in auparse
2007-07-25 20:09:50 +00:00
Miloslav Trmac
be93e36052 - Fix a double free when auditd receives SIGHUP
- Move the system-config-audit menu entry to the Administration menu
2007-07-16 23:30:49 +00:00
Steve Grubb
c56912826f - Add system-config-audit (Miloslav Trmac)
- Correct bug in audit_make_equivalent function (Al Viro)
2007-07-10 23:22:14 +00:00
Steve Grubb
551486a79f - Change buffer size to prevent truncation of DAEMON events with large
labels
- Fix memory leaks in auparse (John Dennis)
- Update syscall tables for 2.6.21 kernel
- Update capp & lspp rules
- New python bindings for libauparse (John Dennis)
2007-05-01 21:43:06 +00:00
Steve Grubb
31f6a34b35 - New event dispatcher (James Antill)
- Apply patches fixing man pages and Makefile.am (Philipp Hahn)
- Apply patch correcting python libs permissions (Philipp Hahn)
- Fix auditd segfault on reload
- Fix bug in auparse library for file pointers and descriptors
- Extract subject information out of daemon events for ausearch
2007-04-05 22:44:18 +00:00
Steve Grubb
8564164f19 - Remove requires kernel-headers for python-libs
- Apply patch to prevent segfaults on auditd reload
2007-03-29 12:19:50 +00:00
Steve Grubb
7044bd306e - Updated autrace to monitor *at syscalls
- Add support in libaudit for AUDIT_BIT_TEST(^) and AUDIT_MASK_TEST (&)
- Finish reworking auditd config parser
- In auparse, interpret open, fcntl, and clone flags
- In auparse, when interpreting execve record types, run args through
    unencode
- Add support for OBJ_PID message type
- Event dispatcher updates
2007-03-20 16:34:48 +00:00
Steve Grubb
9404d1e9db - rebuild 2007-03-02 23:40:38 +00:00
Steve Grubb
dbe1b8311b - NEW audit dispatcher program & plugin framework
- Correct hidden variables in libauparse
- Added NISPOM sample rules
- Verify accessibility of files passed in auparse_init
- Fix bug in parser library interpreting socketcalls
- Add support for stdio FILE pointer in auparse_init
- Adjust init script to allow anyone to status auditd (#230626)
2007-03-02 22:26:36 +00:00