Compare commits


No commits in common. "c10s" and "c8" have entirely different histories.
c10s ... c8

19 changed files with 635 additions and 1599 deletions

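--- a/.audit.metadata
+++ b/.audit.metadata
@@ -0,0 +1 @@
+45cffb1ded9a57a79b33547f58228131d3eb14a6 SOURCES/audit-3.1.2.tar.gz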


@ -1 +0,0 @@
1

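--- a/.gitignore
+++ b/.gitignore
@@ -1,181 +1 @@
-audit-0.5.tar.gz
-audit-0.6.2.tar.gz
-audit-0.5.5.tar.gz
-audit-0.6.3.tar.gz
-audit-0.6.4.tar.gz
-audit-0.6.5.tar.gz
-audit-0.6.6.tar.gz
-audit-0.6.7.tar.gz
-audit-0.6.8.tar.gz
-audit-0.6.9.tar.gz
-audit-0.6.10.tar.gz
-audit-0.6.11.tar.gz
-audit-0.6.12.tar.gz
-audit-0.7.tar.gz
-audit-0.7.1.tar.gz
-audit-0.7.2.tar.gz
-audit-0.7.3.tar.gz
-audit-0.7.4.tar.gz
-audit-0.8.1.tar.gz
-audit-0.8.2.tar.gz
-audit-0.9.2.tar.gz
-audit-0.9.3.tar.gz
-audit-0.9.4.tar.gz
-audit-0.9.5.tar.gz
-audit-0.9.6.tar.gz
-audit-0.9.7.tar.gz
-audit-0.9.8.tar.gz
-audit-0.9.9.tar.gz
-audit-0.9.10.tar.gz
-audit-0.9.11.tar.gz
-audit-0.9.12.tar.gz
-audit-0.9.13.tar.gz
-audit-0.9.14.tar.gz
-audit-0.9.15.tar.gz
-audit-0.9.16.tar.gz
-audit-0.9.17.tar.gz
-audit-0.9.18.tar.gz
-audit-0.9.19.tar.gz
-audit-0.9.20.tar.gz
-audit-1.0.tar.gz
-audit-1.0.1.tar.gz
-audit-1.0.2.tar.gz
-audit-1.0.3.tar.gz
-audit-1.0.4.tar.gz
-audit-1.0.5.tar.gz
-audit-1.0.6.tar.gz
-audit-1.0.7.tar.gz
-audit-1.0.8.tar.gz
-audit-1.0.9.tar.gz
-audit-1.0.10.tar.gz
-audit-1.0.12.tar.gz
-audit-1.1.tar.gz
-audit-1.1.1.tar.gz
-audit-1.1.2.tar.gz
-audit-1.1.3.tar.gz
-audit-1.1.4.tar.gz
-audit-1.1.5.tar.gz
-audit-1.1.6.tar.gz
-audit-1.2.tar.gz
-audit-1.2.1.tar.gz
-audit-1.2.2.tar.gz
-audit-1.2.3.tar.gz
-audit-1.2.4.tar.gz
-audit-1.2.5.tar.gz
-audit-1.2.6.tar.gz
-audit-1.2.7.tar.gz
-audit-1.2.8.tar.gz
-audit-1.2.9.tar.gz
-audit-1.3.tar.gz
-audit-1.3.1.tar.gz
-audit-1.4.tar.gz
-audit-1.4.1.tar.gz
-audit-1.4.2.tar.gz
-audit-1.5.tar.gz
-audit-1.5.1.tar.gz
-audit-1.5.2.tar.gz
-audit-1.5.3.tar.gz
-audit-1.5.5.tar.gz
-audit-1.5.6.tar.gz
-audit-1.6.tar.gz
-audit-1.6.1.tar.gz
-audit-1.6.2.tar.gz
-audit-1.6.4.tar.gz
-audit-1.6.5.tar.gz
-audit-1.6.6.tar.gz
-audit-1.6.7.tar.gz
-audit-1.6.8.tar.gz
-audit-1.6.9.tar.gz
-audit-1.7.tar.gz
-audit-1.7.1.tar.gz
-audit-1.7.3.tar.gz
-audit-1.7.4.tar.gz
-audit-1.7.5.tar.gz
-audit-1.7.6.tar.gz
-audit-1.7.7.tar.gz
-audit-1.7.8.tar.gz
-audit-1.7.9.tar.gz
-audit-1.7.10.tar.gz
-audit-1.7.11.tar.gz
-audit-1.7.12.tar.gz
-audit-1.7.13.tar.gz
-audit-2.0.tar.gz
-audit-1.8.tar.gz
-audit-2.0.1.tar.gz
-audit-2.0.3.tar.gz
-audit-2.0.4.tar.gz
-/audit-2.0.5.tar.gz
-/audit-2.0.6.tar.gz
-/audit-2.1.tar.gz
-/audit-2.1.1.tar.gz
-/audit-2.1.2.tar.gz
-/audit-2.1.3.tar.gz
-/audit-2.2.tar.gz
-/audit-2.2.1.tar.gz
-/audit-2.2.2.tar.gz
-/audit-2.3.tar.gz
-/audit-2.3.1.tar.gz
-/audit-2.3.2.tar.gz
-/audit-2.3.3.tar.gz
-/audit-2.3.4.tar.gz
-/audit-2.3.5.tar.gz
-/audit-2.3.6.tar.gz
-/audit-2.3.7.tar.gz
-/audit-2.3.8svn20140801.tar.gz
-/audit-2.3.8.svn20140801.tar.gz
-/audit-2.3.8.svn20140802.tar.gz
-/audit-2.3.8.svn20140803.tar.gz
-/audit-2.4.tar.gz
-/audit-2.4.1.tar.gz
-/audit-2.4.2.tar.gz
-/audit-2.4.3.tar.gz
-/audit-2.4.4.tar.gz
-/audit-2.4.5.tar.gz
-/audit-2.5.tar.gz
-/audit-2.5.1.tar.gz
-/audit-2.5.2.tar.gz
-/audit-2.6.tar.gz
-/audit-2.6.1.tar.gz
-/audit-2.6.2.tar.gz
-/audit-2.6.3.tar.gz
-/audit-2.6.4.tar.gz
-/audit-2.6.5.tar.gz
-/audit-2.6.6.tar.gz
-/audit-2.6.7.tar.gz
-/audit-2.7.tar.gz
-/audit-2.7.1.tar.gz
-/audit-2.7.2.tar.gz
-/audit-2.7.3.tar.gz
-/audit-2.7.4.tar.gz
-/audit-2.7.5.tar.gz
-/audit-2.7.6.tar.gz
-/audit-2.7.7.tar.gz
-/audit-2.7.8.tar.gz
-/audit-2.8.tar.gz
-/audit-2.8.1.tar.gz
-/audit-2.8.2.tar.gz
-/audit-2.8.3.tar.gz
-/audit-2.8.4.tar.gz
-/audit-3.0-alpha.tar.gz
-/audit-3.0-alpha2.tar.gz
-/audit-3.0-alpha3.tar.gz
-/audit-3.0-alpha5.tar.gz
-/audit-3.0-alpha6.tar.gz
-/audit-3.0-alpha7.tar.gz
-/audit-3.0-alpha8.tar.gz
-/audit-3.0-alpha9.tar.gz
-/audit-3.0.tar.gz
-/audit-3.0.1.tar.gz
-/audit-3.0.2.tar.gz
-/audit-3.0.3.tar.gz
-/audit-3.0.4.tar.gz
-/audit-3.0.5.tar.gz
-/audit-3.0.6.tar.gz
-/audit-3.0.7.tar.gz
-/audit-3.0.8.tar.gz
-/audit-3.0.9.tar.gz
-/audit-3.1.tar.gz
-/audit-3.1.1.tar.gz
-/audit-3.1.2.tar.gz
-/audit-4.0.tar.gz
-/v4.0.3.tar.gz
+SOURCES/audit-3.1.2.tar.gz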


@ -0,0 +1,77 @@
diff -up audit-3.1.2/init.d/augenrules.orig audit-3.1.2/init.d/augenrules
--- audit-3.1.2/init.d/augenrules.orig 2025-03-31 12:33:04.141223438 +0200
+++ audit-3.1.2/init.d/augenrules 2025-03-31 12:33:29.280457333 +0200
@@ -32,10 +32,11 @@ ASuffix="prev"
OnlyCheck=0
LoadRules=0
RETVAL=0
-usage="Usage: $0 [--check|--load]"
+cmd="$0"
+usage="Usage: $cmd [--check|--load]"
# Delete the interim file on faults
-trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
+trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM
try_load() {
if [ $LoadRules -eq 1 ] ; then
@@ -44,6 +45,14 @@ try_load() {
fi
}
+# Check if audit is in immutable mode - exit if so
+check_immutable () {
+ if [ "$(auditctl -s | awk '$1 == "enabled" { print $2 }')" = "2" ] ; then
+ echo "$cmd: Audit system is in immutable mode - exiting with no changes"
+ exit 0
+ fi
+}
+
while [ $# -ge 1 ]
do
if [ "$1" = "--check" ] ; then
@@ -59,7 +68,7 @@ done
# Check environment
if [ ! -d ${SourceRulesDir} ]; then
- echo "$0: No rules directory - ${SourceRulesDir}"
+ echo "$cmd: No rules directory - ${SourceRulesDir}"
rm -f "${TmpRules}"
try_load
exit 1
@@ -101,7 +110,7 @@ END {
# If empty then quit
if [ ! -s "${TmpRules}" ]; then
- echo "$0: No rules"
+ echo "$cmd: No rules"
rm -f "${TmpRules}"
try_load
exit $RETVAL
@@ -110,17 +119,19 @@ fi
# If the same then quit
cmp -s "${TmpRules}" ${DestinationFile} > /dev/null 2>&1
if [ $? -eq 0 ]; then
- echo "$0: No change"
+ echo "$cmd: No change"
rm -f "${TmpRules}"
+ check_immutable
try_load
exit $RETVAL
elif [ $OnlyCheck -eq 1 ] ; then
- echo "$0: Rules have changed and should be updated"
+ echo "$cmd: Rules have changed and should be updated"
rm -f "${TmpRules}"
exit 0
fi
# Otherwise we install the new file
+check_immutable
if [ -f ${DestinationFile} ]; then
cp ${DestinationFile} ${DestinationFile}.${ASuffix}
fi
@@ -135,3 +146,4 @@ rm -f "${TmpRules}"
try_load
exit $RETVAL
+
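Review bot: `check_immutable` leaves the interim rules file behind on the changed-rules path, because the call added before `if [ -f ${DestinationFile} ]` runs while `${TmpRules}` still exists and the function ends in a plain `exit 0`. The `rm -f "${TmpRules}"` for that path sits in the last hunk, after the install, and the trap shown fires only on signals. Adding `rm -f "${TmpRules}"` just before the `exit 0` inside `check_immutable` covers both call sites and is harmless on the no-change path, where the file is already removed. It is also worth a comment in the function such as `# exit 0 is deliberate: the merged rules are not installed or loaded while the kernel is immutable`, since in that case the rules on disk differ from what the kernel enforces and the echoed message is the only signal a caller gets. The rest of the script lies outside these hunks, so where `${TmpRules}` is created is inferred from the existing cleanup lines.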


@ -0,0 +1,14 @@
diff --git a/init.d/auditd.service b/init.d/auditd.service
index 8210c60eb..dd7ec694b 100644
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -38,7 +38,8 @@ MemoryDenyWriteExecute=true
LockPersonality=true
# The following control prevents rules on /proc so its off by default
#ProtectControlGroups=true
-ProtectKernelModules=true
+## The following control prevents rules on /usr/lib/modules/ its off by default
+#ProtectKernelModules=true
RestrictRealtime=true
[Install]
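Review bot: The new comment above `#ProtectKernelModules=true` says why the control is off but not what is given up by turning it off. Per systemd.exec the setting also denies explicit module loading to the service by dropping CAP_SYS_MODULE from its bounding set, in addition to hiding /usr/lib/modules. I would record that trade-off next to the line, e.g. `# Off by default: it makes /usr/lib/modules inaccessible, which prevents rules there; enabling it also denies module loading to auditd`, written with a single `#` to match the `ProtectControlGroups` comment above it. If the unit sets `CapabilityBoundingSet=` elsewhere (not visible in this hunk), confirm it leaves out CAP_SYS_MODULE so the module-loading restriction is kept without the path restriction.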

542
SPECS/audit.spec Normal file

@ -0,0 +1,542 @@
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
Summary: User space tools for kernel auditing
Name: audit
Version: 3.1.2
Release: 1%{?dist}.1
License: GPLv2+
URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
Patch0: protected-kernel-modules.patch
Patch1: augenrules-immutable.patch
BuildRequires: gcc swig make
BuildRequires: openldap-devel
BuildRequires: krb5-devel libcap-ng-devel
BuildRequires: kernel-headers >= 2.6.29
BuildRequires: systemd
#BuildRequires: autoconf automake libtool
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires(post): systemd coreutils
Requires(preun): systemd initscripts
Requires(postun): systemd coreutils initscripts
%description
The audit package contains the user space utilities for
storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 and later kernels.
%package libs
Summary: Dynamic library for libaudit
License: LGPLv2+
%description libs
The audit-libs package contains the dynamic libraries needed for
applications to use the audit framework.
%package libs-devel
Summary: Header files for libaudit
License: LGPLv2+
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: kernel-headers >= 2.6.29
%description libs-devel
The audit-libs-devel package contains the header files needed for
developing applications that need to use the audit framework libraries.
%package -n python3-audit
Summary: Python3 bindings for libaudit
License: LGPLv2+
BuildRequires: python3-devel
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: audit-libs-python3 = %{version}-%{release}
Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
Obsoletes: audit-libs-python3 < %{version}-%{release}
%description -n python3-audit
The python3-audit package contains the bindings so that libaudit
and libauparse can be used by python3.
%package -n audispd-plugins
Summary: Plugins for the audit event dispatcher
License: GPLv2+
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description -n audispd-plugins
The audispd-plugins package provides plugins for the real-time
interface to the audit system, audispd. These plugins can do things
like relay events to remote machines.
%package -n audispd-plugins-zos
Summary: z/OS plugin for the audit event dispatcher
License: GPLv2+
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: openldap
%description -n audispd-plugins-zos
The audispd-plugins-zos package provides a plugin that will forward all
incoming audit events, as they happen, to a configured z/OS SMF (Service
Management Facility) database, through an IBM Tivoli Directory Server
(ITDS) set for Remote Audit service.
%prep
%setup -q
%patch -P 0 -p1
%patch -P 1 -p1
cp %{SOURCE1} .
#autoreconf -fv --install
%build
%configure --with-python=no \
--with-python3=yes \
--enable-gssapi-krb5=yes --with-arm --with-aarch64 \
--with-libcap-ng=yes --without-golang --enable-zos-remote \
--enable-systemd
make CFLAGS="%{optflags}" %{?_smp_mflags}
%install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
make DESTDIR=$RPM_BUILD_ROOT install
# Remove these items so they don't get picked up.
rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
find $RPM_BUILD_ROOT -name '*.la' -delete
find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete || true
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
%check
make check
# Get rid of make files so that they don't get packaged.
rm -f rules/Makefile*
%post
# Copy default rules into place on new installation
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
else
touch /etc/audit/rules.d/audit.rules
fi
chmod 0600 /etc/audit/rules.d/audit.rules
fi
%systemd_post auditd.service
%preun
%systemd_preun auditd.service
if [ $1 -eq 0 ]; then
/sbin/service auditd stop > /dev/null 2>&1
fi
%postun
if [ $1 -ge 1 ]; then
/sbin/service auditd condrestart > /dev/null 2>&1 || :
fi
%files libs
%{!?_licensedir:%global license %%doc}
%license lgpl-2.1.txt
%{_libdir}/libaudit.so.1*
%{_libdir}/libauparse.*
%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
%{_mandir}/man5/libaudit.conf.5.gz
%files libs-devel
%doc contrib/plugin
%{_libdir}/libaudit.so
%{_libdir}/libauparse.so
%{_includedir}/libaudit.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_datadir}/aclocal/audit.m4
%{_libdir}/pkgconfig/audit.pc
%{_libdir}/pkgconfig/auparse.pc
%{_mandir}/man3/*
%files -n python3-audit
%attr(755,root,root) %{python3_sitearch}/*
%files
%doc README ChangeLog init.d/auditd.cron
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,root) %{_datadir}/%{name}
%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
%attr(755,root,root) %{_sbindir}/auditctl
%attr(755,root,root) %{_sbindir}/auditd
%attr(755,root,root) %{_sbindir}/ausearch
%attr(755,root,root) %{_sbindir}/aureport
%attr(750,root,root) %{_sbindir}/autrace
%attr(755,root,root) %{_sbindir}/augenrules
%attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall
%attr(755,root,root) %{_bindir}/auvirt
%attr(644,root,root) %{_unitdir}/auditd.service
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/reload
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%attr(750,root,root) %{_libexecdir}/audit-functions
%ghost %{_localstatedir}/run/auditd.state
%attr(-,root,-) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%attr(750,root,root) %dir /etc/audit/plugins.d
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
%ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
%files -n audispd-plugins
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
%attr(750,root,root) %{_sbindir}/audisp-remote
%attr(750,root,root) %{_sbindir}/audisp-syslog
%attr(750,root,root) %{_sbindir}/audisp-af_unix
%attr(700,root,root) %dir %{_var}/spool/audit
%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
%files -n audispd-plugins-zos
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
%attr(750,root,root) %{_sbindir}/audispd-zos-remote
%changelog
* Mon Mar 31 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.2-1.1
- Allow defining rules for /usr/lib/modules dir
Resolves: RHEL-59013
- augenrules: fix return code if immutable mode is set
Resolves: RHEL-40109
* Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
- Rebase audit to latest upstream release
Resolves: RHEL-15001
* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-5
- Introduce new fanotify record fields
Resolves: rhbz#2216668
- invalid use of flexible array member
Resolves: rhbz#2116867
* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-4
- Drop ProtectHome from auditd.service as it interferes with rules
Resolves: rhbz#2071727 - Default systemd service config blocks audit watch rules in some directories
* Mon Mar 14 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-3
- Fix path normalization in auparse
Resolves: rhbz#2062612 - auparse missing information when used with --format-text
* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-2
- Adjust sample-rules dir permissions
Resolves: rhbz#2054727 - /usr/share/audit/sample-rules is no longer readable by non-root users
* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-1
- New upstream release - 3.0.7
Related: rhbz#1939406
* Thu Jan 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
- Rebase audit package on 8.6
Resolves: rhbz#1939406
Resolves: rhbz#1906065
Resolves: rhbz#1921447
Resolves: rhbz#1927884
Resolves: rhbz#1921658
* Wed Jan 08 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.17.20191104git1c2f876
resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)
* Thu Nov 28 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.15.20191104git1c2f876
resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates
resolves: rhbz#1767054 - move audit rules to shared data directory
resolves: rhbz#1746018 - Breakup 30-ospp-v42.rules into more granular files
resolves: rhbz#1740798 - auditctl(8) needs clarification for backlog_limit
resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
* Sat Jul 13 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190607gitf58ec40
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.11.20190607gitf58ec40
resolves: rhbz#1643567 - service auditd stop exits prematurely
resolves: rhbz#1693470 - libauparse memory leak
resolves: rhbz#1694071 - ausearch doesn't record device/inode details checkpointing a single file
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
resolves: rhbz#1705894 - aureport aborts when using a specific input
resolves: rhbz#1706045 - RFE: Backport support for new audit record types
resolves: rhbz#1715852 - RFE: provide a way to filter on network address family
* Wed Jan 09 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20180831git0047a6c
resolves: rhbz#1655270] Message "audit: backlog limit exceeded" reported
- Fix annobin failure
* Fri Dec 07 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.8.20180831git0047a6c
resolves: rhbz#1639745 - build requires go-toolset-7 which is not available
resolves: rhbz#1643567 - service auditd stop exits prematurely
resolves: rhbz#1616428 - Update git snapshot of audit package
- Remove static libs subpackage
* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20180831git0047a6c
resolves: rhbz#1616428 - Update git snapshot of audit package
* Wed Aug 08 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.2.20180808git77fbcf3
resolves: rhbz#1567357 New upstream feature prerelease
* Tue Jul 17 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.1.20180717gitacd53d1
- New upstream feature prerelease
* Tue Jun 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-2
- Fix segfault on shutdown
* Tue Jun 19 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-1
- New upstream bugfix release
* Wed May 30 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
- New upstream bugfix release
- Remove Python2 support
* Fri Apr 13 2018 Tom Stellard <tstellar@redhat.com> - 2.7.8-2
- Use go-toolset-7 instead of golang
- Package now must be built with: rhpkg --release rhel-8.0-go-toolset
* Mon Sep 18 2017 Steve Grubb <sgrubb@redhat.com> 2.7.8-1
- New upstream bugfix release
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Jul 14 2017 Steve Grubb <sgrubb@redhat.com> 2.7.7-3
- undo scratch build
* Fri Jun 16 2017 Steve Grubb <sgrubb@redhat.com> 2.7.7-1
- New upstream bugfix release
* Wed Apr 19 2017 Steve Grubb <sgrubb@redhat.com> 2.7.6-1
- New upstream bugfix release
* Mon Apr 10 2017 Steve Grubb <sgrubb@redhat.com> 2.7.5-1
- New upstream bugfix release
* Tue Mar 28 2017 Steve Grubb <sgrubb@redhat.com> 2.7.4-1
- New upstream feature and bugfix release
* Fri Feb 24 2017 Steve Grubb <sgrubb@redhat.com> 2.7.3-1
- New upstream feature and bugfix release
* Mon Feb 13 2017 Steve Grubb <sgrubb@redhat.com> 2.7.2-2
- Fix ausearch csv output
* Mon Feb 13 2017 Steve Grubb <sgrubb@redhat.com> 2.7.2-1
- New upstream feature and bugfix release
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 13 2017 Steve Grubb <sgrubb@redhat.com> 2.7.1-1
- New upstream bugfix release
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 2.7-2
- Rebuild for Python 3.6
* Thu Dec 15 2016 Steve Grubb <sgrubb@redhat.com> 2.7-1
- New upstream feature release
* Sun Sep 11 2016 Steve Grubb <sgrubb@redhat.com> 2.6.7-1
- New upstream bugfix release
* Mon Aug 01 2016 Steve Grubb <sgrubb@redhat.com> 2.6.6-1
- New upstream bugfix release
* Thu Jul 21 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.5-3
- https://fedoraproject.org/wiki/Changes/golang1.7
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.5-2
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
* Thu Jul 14 2016 Steve Grubb <sgrubb@redhat.com> 2.6.5-1
- New upstream bugfix release
* Fri Jul 08 2016 Steve Grubb <sgrubb@redhat.com> 2.6.4-2
- Correct size information of dispatched event
* Fri Jul 08 2016 Steve Grubb <sgrubb@redhat.com> 2.6.4-1
- New upstream bugfix release
* Tue Jul 05 2016 Steve Grubb <sgrubb@redhat.com> 2.6.3-2
- Fix sockaddr event interpretation
* Tue Jul 05 2016 Steve Grubb <sgrubb@redhat.com> 2.6.3-1
- New upstream bugfix release
* Fri Jul 01 2016 Steve Grubb <sgrubb@redhat.com> 2.6.2-1
- New upstream bugfix release
- Fixes 1351954 - prevents virtual machine from starting up in GNOME Boxes
* Tue Jun 28 2016 Steve Grubb <sgrubb@redhat.com> 2.6.1-1
- New upstream bugfix release
* Wed Jun 22 2016 Steve Grubb <sgrubb@redhat.com> 2.6-3
- New upstream release
* Fri Apr 29 2016 Steve Grubb <sgrubb@redhat.com> 2.5.2-1
- New upstream release
* Thu Apr 28 2016 Steve Grubb <sgrubb@redhat.com> 2.5.1-2
- Refactor plugins to split out zos-remote to lower dependencies
* Wed Apr 13 2016 Steve Grubb <sgrubb@redhat.com> 2.5.1-1
- New upstream release
* Fri Mar 18 2016 Steve Grubb <sgrubb@redhat.com> 2.5-4
- Fixes #1313152 - post script fails on dnf --setopt=tsflags=nodocs install
* Mon Feb 22 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-3
- https://fedoraproject.org/wiki/Changes/golang1.6
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Jan 11 2016 Steve Grubb <sgrubb@redhat.com> 2.5-1
- New upstream release
- Fixes #1241565 - still logs way too much
- Fixes #1238051 - audit.rules should be generated from by augenrules
* Fri Dec 18 2015 Steve Grubb <sgrubb@redhat.com> 2.4.4-1
- New upstream bugfix release
* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 2.4.4-3
- Rebuilt for Python3.5 rebuild
* Wed Sep 16 2015 Peter Robinson <pbrobinson@fedoraproject.org> 2.4.4-2
- Fix FTBFS with hardened flags by using the distro CFLAGS
- Tighten deps with the _isa macro
- Use goarches macro to define supported GO architectures
- Minor cleanups
* Thu Aug 13 2015 Steve Grubb <sgrubb@redhat.com> 2.4.4-1
- New upstream bugfix release
- Fixes CVE-2015-5186 Audit: log terminal emulator escape sequences handling
* Thu Jul 16 2015 Steve Grubb <sgrubb@redhat.com> 2.4.3-1
- New upstream bugfix release
- Adds python3 support
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Apr 28 2015 Steve Grubb <sgrubb@redhat.com> 2.4.2-1
- New upstream bugfix release
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 2.4.1-2
- Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
* Tue Oct 28 2014 Steve Grubb <sgrubb@redhat.com> 2.4.1-1
- New upstream feature and bugfix release
* Mon Oct 06 2014 Karsten Hopp <karsten@redhat.com> 2.4-2
- bump release and rebuild for upgradepath
* Sun Aug 24 2014 Steve Grubb <sgrubb@redhat.com> 2.4-1
- New upstream feature and bugfix release
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.8-0.3.svn20140803
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Mon Aug 4 2014 Peter Robinson <pbrobinson@fedoraproject.org> 2.3.8-0.2.svn20140803
- aarch64/PPC/s390 don't have golang
* Sat Aug 02 2014 Steve Grubb <sgrubb@redhat.com> 2.3.8-0.1.svn20140803
- New upstream svn snapshot
* Tue Jul 22 2014 Steve Grubb <sgrubb@redhat.com> 2.3.7-4
- Bug 1117953 - Per fesco#1311, please disable syscall auditing by default
* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> - 2.3.7-3
- mark license files properly
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Jun 03 2014 Steve Grubb <sgrubb@redhat.com> 2.3.7-1
- New upstream bugfix release
* Fri Apr 11 2014 Steve Grubb <sgrubb@redhat.com> 2.3.6-1
- New upstream bugfix/enhancement release
* Mon Mar 17 2014 Steve Grubb <sgrubb@redhat.com> 2.3.5-1
- New upstream bugfix/enhancement release
* Thu Feb 27 2014 Steve Grubb <sgrubb@redhat.com> 2.3.4-1
- New upstream bugfix/enhancement release
* Thu Jan 16 2014 Steve Grubb <sgrubb@redhat.com> 2.3.3-1
- New upstream bugfix/enhancement release
* Mon Jul 29 2013 Steve Grubb <sgrubb@redhat.com> 2.3.2-1
- New upstream bugfix/enhancement release
* Fri Jun 21 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-3
- Drop prelude support
* Fri May 31 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-2
- Fix unknown lvalue in auditd.service (#969345)
* Thu May 30 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-1
- New upstream bugfix/enhancement release
* Fri May 03 2013 Steve Grubb <sgrubb@redhat.com> 2.3-2
- If no rules exist, copy shipped rules into place
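Review bot: `/etc/audit/plugins.d/af_unix.conf` is listed under both `%files` and `%files -n audispd-plugins`, so two subpackages own the same config file while the `audisp-af_unix` binary ships only in audispd-plugins; it should stay in one list, presumably the plugins one. Separately, `%post` creates `/etc/audit/rules.d/audit.rules` with `cp` or `touch` and only then runs `chmod 0600`, so the file briefly exists with umask-default permissions. Creating it with `install -m 0600 -o 0 -g 0 -p %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules`, and `install -m 0600 -o 0 -g 0 /dev/null /etc/audit/rules.d/audit.rules` for the empty case, sets the mode at creation. The `python_sitearch` definition on the first line uses Python 2 `print` syntax and appears unused now that the build passes `--with-python=no`, so it could be dropped.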


@ -1,14 +0,0 @@
diff --git a/lib/audit_logging.c b/lib/audit_logging.c
index 4da95b5e6..f63c37d2c 100644
--- a/lib/audit_logging.c
+++ b/lib/audit_logging.c
@@ -243,7 +243,8 @@ static const char *_get_hostname(const char *ttyn)
{
if (ttyn && ((strncmp(ttyn, "pts", 3) == 0) ||
(strncmp(ttyn, "tty", 3) == 0) ||
- (strncmp(ttyn, "/dev/tty", 8) == 0) )) {
+ (strncmp(ttyn, "/dev/tty", 8) == 0) ||
+ (strncmp(ttyn, "/dev/pts", 8) == 0) )) {
if (_host[0] == 0) {
gethostname(_host, HOSTLEN);
_host[HOSTLEN - 1] = 0;


@ -1,790 +0,0 @@
Summary: User space tools for kernel auditing
Name: audit
Version: 4.0.3
Release: 4%{?dist}
License: GPL-2.0-or-later AND LGPL-2.0-or-later
URL: https://github.com/linux-audit/audit-userspace/
Source0: https://github.com/linux-audit/audit-userspace/archive/refs/tags/v%{version}.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
BuildRequires: make gcc
BuildRequires: autoconf automake libtool
BuildRequires: kernel-headers >= 5.0
BuildRequires: systemd
Patch0: remote-logging-ordering-cycle.patch
Patch1: timebased-log-rotation.patch
Patch2: remove-HALT-spaceleftaction.patch
Patch3: warning-before-HALT.patch
Patch4: TTY-hostname.patch
Patch5: permtab-unsupport-syscalls-v1.patch
Patch6: permtab-unsupport-syscalls-v2.patch
Patch7: ausearch-checkpoint-race.patch
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Recommends: %{name}-rules%{?_isa} = %{version}-%{release}
Requires(post): systemd coreutils
Requires(preun): systemd
Requires(postun): systemd coreutils
Recommends: initscripts-service
# Placing this here under the assumption that anything using the
# python libraries expects the system to have an audit daemon
Obsoletes: python2-audit < %{version}-%{release}
%description
The audit package contains the user space utilities for
storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 and later kernels.
It includes example rules that you can use.
%package libs
Summary: Dynamic library for libaudit
License: LGPL-2.0-or-later
BuildRequires: libcap-ng-devel
%description libs
The audit-libs package contains the dynamic libraries needed for
applications to use the audit framework.
%package libs-devel
Summary: Header files for libaudit
License: LGPL-2.0-or-later
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: kernel-headers >= 5.0
%description libs-devel
The audit-libs-devel package contains the header files needed for
developing applications that need to use the audit framework libraries.
%package -n python3-audit
Summary: Python3 bindings for libaudit
License: LGPL-2.0-or-later
BuildRequires: python3-devel python-unversioned-command swig
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: audit-libs-python3 = %{version}-%{release}
Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
Obsoletes: audit-libs-python3 < %{version}-%{release}
%description -n python3-audit
The python3-audit package contains the bindings so that libaudit
and libauparse can be used by python3.
%package -n audispd-plugins
Summary: Plugins for the audit event dispatcher
License: GPL-2.0-or-later
BuildRequires: krb5-devel libcap-ng-devel
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description -n audispd-plugins
The audispd-plugins package provides plugins for the real-time
interface to the audit system, audispd. These plugins can do things
like relay events to remote machines.
%package -n audispd-plugins-zos
Summary: z/OS plugin for the audit event dispatcher
License: GPL-2.0-or-later
BuildRequires: openldap-devel libcap-ng-devel
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description -n audispd-plugins-zos
The audispd-plugins-zos package provides a plugin that will forward all
incoming audit events, as they happen, to a configured z/OS SMF (Service
Management Facility) database, through an IBM Tivoli Directory Server
(ITDS) set for Remote Audit service.
%package rules
Summary: audit rules and utilities
License: GPL-2.0-or-later
Recommends: %{name} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description rules
The audit rules package contains the rules and utilities to load audit rules.
%prep
%setup -q -n %{name}-userspace-%{version}
%patch -P 0 -p1
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
%patch -P 4 -p1
%patch -P 5 -p1
%patch -P 6 -p1
%patch -P 7 -p1
cp %{SOURCE1} .
%build
autoreconf -fv --install
# Remove the ids code, its not ready
sed -i 's/ ids / /' audisp/plugins/Makefile.am
sed -i 's/ ids / /' audisp/plugins/Makefile.in
%configure --with-python=no \
--with-python3=yes \
--enable-gssapi-krb5=yes --with-arm --with-aarch64 --with-riscv \
--with-libcap-ng=yes --without-golang --enable-zos-remote \
--enable-experimental --with-io_uring
make CFLAGS="%{optflags}" %{?_smp_mflags}
%install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
make DESTDIR=$RPM_BUILD_ROOT install
# Remove these items so they don't get picked up.
rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
find $RPM_BUILD_ROOT -name '*.la' -delete
find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete || true
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
%check
#make %{?_smp_mflags} check
# Get rid of make files so that they don't get packaged.
rm -f rules/Makefile*
%post
%systemd_post auditd.service
# Do not perform service start/restart when running during an rpm-ostree compose
if [ -f /run/ostree-booted ] ; then
exit 0
fi
# If an upgrade, restart it if it's running
if [ $1 -eq 2 ] ; then
state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
if [ $state = "active" ] ; then
auditctl --signal stop || true
systemctl start auditd
fi
# if an install, start it since preset says we should be running
elif [ $1 -eq 1 ] ; then
systemctl start auditd
fi
%post rules
%systemd_post audit-rules.service
# Copy default rules into place on new installation
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
echo "No rules detected, adding default"
%if 0%{?rhel}
if [ -e %{_datadir}/%{name}-rules/10-base-config.rules ] ; then
install -m 0640 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
%else
# FESCO asked for audit to be off by default. #1117953
if [ -e %{_datadir}/%{name}-rules/10-no-audit.rules ] ; then
install -m 0640 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
%endif
else
install -m 0640 -o 0 -g 0 /dev/null /etc/audit/rules.d/audit.rules
fi
# Only load the new rules if not running during an rpm-ostree compose
if [ ! -f /run/ostree-booted ] ; then
# Make the new rules active
augenrules --load || true
fi
fi
%preun
%systemd_preun auditd.service
# If uninstalling, stop it
if [ $1 -eq 0 ] ; then
auditctl --signal stop || true
fi
%preun rules
%systemd_preun audit-rules.service
# If uninstalling, delete the rules loaded in the kernel
if [ $1 -eq 0 ] ; then
auditctl -D > /dev/null 2>&1 || true
fi
%files libs
%{!?_licensedir:%global license %%doc}
%license lgpl-2.1.txt
%{_libdir}/libaudit.so.1*
%{_libdir}/libauparse.*
%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
%{_mandir}/man5/libaudit.conf.5.gz
%files libs-devel
%doc contrib/plugin
%{_libdir}/libaudit.so
%{_libdir}/libauparse.so
%{_includedir}/libaudit.h
%{_includedir}/audit_logging.h
%{_includedir}/audit-records.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_datadir}/aclocal/audit.m4
%{_libdir}/pkgconfig/audit.pc
%{_libdir}/pkgconfig/auparse.pc
%{_mandir}/man3/*
%{_mandir}/man5/ausearch-expression.5.gz
%files -n python3-audit
%attr(755,root,root) %{python3_sitearch}/*
%files
%doc README.md ChangeLog init.d/auditd.cron
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd.cron.5.gz
%attr(755,root,root) %{_sbindir}/auditd
%attr(755,root,root) %{_sbindir}/ausearch
%attr(755,root,root) %{_sbindir}/aureport
%attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall
%attr(644,root,root) %{_unitdir}/auditd.service
%attr(640,root,root) %{_tmpfilesdir}/audit.conf
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/reload
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%ghost %{_localstatedir}/run/auditd.state
%attr(-,root,-) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit/plugins.d
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
%files rules
%attr(755,root,root) %dir %{_datadir}/%{name}-rules
%attr(644,root,root) %{_datadir}/%{name}-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(755,root,root) %{_sbindir}/auditctl
%attr(755,root,root) %{_sbindir}/augenrules
%attr(644,root,root) %{_unitdir}/audit-rules.service
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
%files -n audispd-plugins
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-filter.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/filter.conf
%attr(750,root,root) %{_sbindir}/audisp-remote
%attr(750,root,root) %{_sbindir}/audisp-syslog
%attr(750,root,root) %{_sbindir}/audisp-af_unix
%attr(750,root,root) %{_sbindir}/audisp-statsd
%attr(750,root,root) %{_sbindir}/audisp-filter
%attr(700,root,root) %dir %{_var}/spool/audit
%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-statsd.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-filter.8.gz
%files -n audispd-plugins-zos
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
%attr(750,root,root) %{_sbindir}/audispd-zos-remote
%changelog
* Fri Apr 11 2025 Attila Lakatos <alakatos@redhat.com> - 4.0.3-4
- ausearch-checkpoint race condition fix
Resolves: RHEL-86896
* Fri Apr 04 2025 Attila Lakatos <alakatos@redhat.com> - 4.0.3-3
- Adjust dependency between audit and audit-rules
Resolves: RHEL-77141
* Fri Mar 28 2025 Attila Lakatos <alakatos@redhat.com> - 4.0.3-2
- Add auditd.cron (5) man page for time-based log rotation description
Resolves: RHEL-77141
- Remove HALT from space_left_action
- Broadcast warning to users when auditd is about to halt
Resolves: RHEL-73111
- Fix TTY hostname in log messages
Resolves: RHEL-79476
- permtab: remove unsupported syscalls from rules
Resolves: RHEL-59560
- Restore permission on audit.rules
* Wed Jan 08 2025 Attila Lakatos <alakatos@redhat.com> - 4.0.3-1
- Rebase to 4.0.3
- Pluginst must have .conf suffix, otherwise skipped
Resolves: RHEL-58838
- ausearch checkpoint inode fix
Resolves: RHEL-62333
- Audisp-filter: filter audit events and forward them to other plugins
Resolves: RHEL-5199
- Log to console when system is halted due to audit not having enough storage
Resolves: RHEL-990
- auditctl: remove misleasing error with --input file
Resolves: RHEL-5200
- Remove ProtectKernelModules=true from service file
Resolves: RHEL-59571
- Update syscall tables to reflect current kernel
Resolves: RHEL-46969
- af_unix: Restore old behavior
Resolves: RHEL-39955
- Add systemd-tempfiles.d for audit when root fs is read-only
Resolves: RHEL-45311
- ausearch fix error reporting
Resolves: RHEL-32808
- Resolve ordering cycle when using remote logging
Resolves: RHEL-59561
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 4.0-10
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 4.0-9
- Bump release for June 2024 mass rebuild
* Sun Feb 04 2024 Timothée Ravier <tim@siosm.fr> - 4.0-8
- Fix 'install' calls in post scriptlet
* Thu Jan 25 2024 Steve Grubb <sgrubb@redhat.com> 4.0-7
- Don't do "live" operations during rpm-ostree composes
* Wed Jan 24 2024 Steve Grubb <sgrubb@redhat.com> 4.0-5
- Auditd is stopping during upgrade (bz 2259610)
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Jan 16 2024 Steve Grubb <sgrubb@redhat.com> 4.0-1
- New upstream major release
* Sat Nov 04 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-5
- Bug fixes pulled from upstrean
* Wed Sep 13 2023 Dusty Mabe <dusty@dustymabe.com> 3.1.2-4
- Remove initscripts-service from Requires(postun)
* Fri Sep 01 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-3
- Change initscrips-service to a Recommends
* Sat Aug 26 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-2
- SPDX Migration
* Sun Aug 06 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-1
- New upstream release
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.1.1-3
- Rebuilt for Python 3.12
* Tue May 09 2023 Davide Cavalca <dcavalca@fedoraproject.org> 3.1.1-2
- Install the base ruleset on RHEL
* Thu Apr 27 2023 Steve Grubb <sgrubb@redhat.com> 3.1.1-1
- New upstream release
* Thu Feb 09 2023 Steve Grubb <sgrubb@redhat.com> 3.1-2
- New upstream feature release
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Dec 22 2022 Steve Grubb <sgrubb@redhat.com> 3.0.9-2
- BuildRequires python-setuptools
- SPDX Migration
* Mon Aug 29 2022 Steve Grubb <sgrubb@redhat.com> 3.0.9-1
- New upstream bugfix release
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.0.8-2
- Rebuilt for Python 3.11
* Tue Mar 29 2022 Steve Grubb <sgrubb@redhat.com> 3.0.8-1
- New upstream bugfix release
* Thu Feb 24 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-3
- Undo fix to libaudit.h before installing
* Mon Feb 14 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-2
- Adjust sample-rules dir permissions
- Add support for new access/dealloc function attributes
- Adjust compile flags for less warnings
* Sun Jan 23 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-1
- New upstream bugfix and feature release
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jan 05 2022 Steve Grubb <sgrubb@redhat.com> 3.0.6-2
- Require initscripts-service instead of initscripts
* Fri Oct 01 2021 Steve Grubb <sgrubb@redhat.com> 3.0.6-1
- New upstream bugfix release
* Tue Sep 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-3
- Move BuildRequires around to what actually needs it
* Tue Sep 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-2
- Drop IPX interpretation support
* Wed Aug 11 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-1
- New upstream bugfix release
* Sun Aug 08 2021 Steve Grubb <sgrubb@redhat.com> 3.0.4-1
- New upstream feature release
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Jul 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.3-1
- New upstream feature release
* Thu Jun 24 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-2
- Do not use custom sbindir and libdir in configure
* Thu Jun 10 2021 Steve Grubb <sgrubb@redhat.com> 3.0.2-1
- New upstream feature and bugfix release
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 3.0.1-3
- Rebuilt for Python 3.10
* Thu Feb 18 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-2
- Add patch fixing segafult in the audisp-statsd plugin
* Fri Feb 12 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-1
- New upstream feature and bugfix release
- Enable building the audisp-statsd plugin
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Dec 16 2020 Steve Grubb <sgrubb@redhat.com> 3.0-1
- New upstream feature and bugfix release
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.21.20191104git1c2f876
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.20.20191104git1c2f876
- Rebuilt for Python 3.9
* Thu Mar 12 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.19.20191104git1c2f876
- Add Obsolete python2-audit (#1783061)
* Wed Jan 29 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.18.20191104git1c2f876
- Fix multiple definition of `event_node_list' (#1794446)
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.17.20191104git1c2f876
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Nov 22 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
- Drop python2 subpackage (#1775076)
* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.14.20191104git1c2f876
- New upstream git snapshot prerelease
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.14.20190507gitf58ec40
- Rebuilt for Python 3.8.0rc1 (#1748018)
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.13.20190507gitf58ec40
- Rebuilt for Python 3.8
* Wed Jul 31 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190507gitf58ec40
- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.11.20190507gitf58ec40
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Fri Jul 05 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20190507gitf58ec40
- Add initscripts package to the requires (bz #1727058)
* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.9.20190507gitf58ec40
- New upstream git snapshot prerelease which fixes several problems
- Fixed 1698130 - removing audit.rpm doesn't stop auditd
* Tue Mar 26 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.7.20190326git03e7489
- New upstream git snapshot prerelease which fixes a memory leak
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.6.20181218gitbdb72c0
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Dec 18 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20181218gitbdb72c0
- New upstream git snapshot prerelease
- Remove historical ldconfig scriptlet (#1644056)
* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.4.20180831git0047a6c
- New upstream feature prerelease
* Wed Aug 08 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.2.20180808git77fbcf3
- New upstream feature prerelease
* Tue Jul 17 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.1.20180717gitacd53d1
- New upstream feature prerelease
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Jul 4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2.8.4-3
- Remove unused sys V initscripts legacy bits
* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.4-2
- Rebuilt for Python 3.7
* Tue Jun 19 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-1
- New upstream bugfix release
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.3-4
- Rebuilt for Python 3.7
* Tue Apr 10 2018 Pete Walter <pwalter@fedoraproject.org> - 2.8.3-3
- Rename Python 2 and 3 subpackages to python2-audit and python3-audit as per guidelines
* Mon Mar 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-2
- Fix Obsoletion of audit-libs-python not handled properly (#1559674)
* Sat Mar 10 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
- New upstream bugfix release
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Feb 05 2018 Steve Grubb <sgrubb@redhat.com> 2.8.2-3
- Add a Provides audit-libs-python (#1537864)
- Remove tcp_wrappers support?
* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-2
- Rename things from python to python2
* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-1
- New upstream bugfix release
* Thu Oct 12 2017 Steve Grubb <sgrubb@redhat.com> 2.8.1-1
- New upstream bugfix release
* Tue Oct 10 2017 Steve Grubb <sgrubb@redhat.com> 2.8-1
- New upstream feature release
* Mon Sep 18 2017 Steve Grubb <sgrubb@redhat.com> 2.7.8-1
- New upstream bugfix release
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Jul 14 2017 Steve Grubb <sgrubb@redhat.com> 2.7.7-3
- undo scratch build
* Fri Jun 16 2017 Steve Grubb <sgrubb@redhat.com> 2.7.7-1
- New upstream bugfix release
* Wed Apr 19 2017 Steve Grubb <sgrubb@redhat.com> 2.7.6-1
- New upstream bugfix release
* Mon Apr 10 2017 Steve Grubb <sgrubb@redhat.com> 2.7.5-1
- New upstream bugfix release
* Tue Mar 28 2017 Steve Grubb <sgrubb@redhat.com> 2.7.4-1
- New upstream feature and bugfix release
* Fri Feb 24 2017 Steve Grubb <sgrubb@redhat.com> 2.7.3-1
- New upstream feature and bugfix release
* Mon Feb 13 2017 Steve Grubb <sgrubb@redhat.com> 2.7.2-2
- Fix ausearch csv output
* Mon Feb 13 2017 Steve Grubb <sgrubb@redhat.com> 2.7.2-1
- New upstream feature and bugfix release
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Fri Jan 13 2017 Steve Grubb <sgrubb@redhat.com> 2.7.1-1
- New upstream bugfix release
* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 2.7-2
- Rebuild for Python 3.6
* Thu Dec 15 2016 Steve Grubb <sgrubb@redhat.com> 2.7-1
- New upstream feature release
* Sun Sep 11 2016 Steve Grubb <sgrubb@redhat.com> 2.6.7-1
- New upstream bugfix release
* Mon Aug 01 2016 Steve Grubb <sgrubb@redhat.com> 2.6.6-1
- New upstream bugfix release
* Thu Jul 21 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.5-3
- https://fedoraproject.org/wiki/Changes/golang1.7
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.6.5-2
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
* Thu Jul 14 2016 Steve Grubb <sgrubb@redhat.com> 2.6.5-1
- New upstream bugfix release
* Fri Jul 08 2016 Steve Grubb <sgrubb@redhat.com> 2.6.4-2
- Correct size information of dispatched event
* Fri Jul 08 2016 Steve Grubb <sgrubb@redhat.com> 2.6.4-1
- New upstream bugfix release
* Tue Jul 05 2016 Steve Grubb <sgrubb@redhat.com> 2.6.3-2
- Fix sockaddr event interpretation
* Tue Jul 05 2016 Steve Grubb <sgrubb@redhat.com> 2.6.3-1
- New upstream bugfix release
* Fri Jul 01 2016 Steve Grubb <sgrubb@redhat.com> 2.6.2-1
- New upstream bugfix release
- Fixes 1351954 - prevents virtual machine from starting up in GNOME Boxes
* Tue Jun 28 2016 Steve Grubb <sgrubb@redhat.com> 2.6.1-1
- New upstream bugfix release
* Wed Jun 22 2016 Steve Grubb <sgrubb@redhat.com> 2.6-3
- New upstream release
* Fri Apr 29 2016 Steve Grubb <sgrubb@redhat.com> 2.5.2-1
- New upstream release
* Thu Apr 28 2016 Steve Grubb <sgrubb@redhat.com> 2.5.1-2
- Refactor plugins to split out zos-remote to lower dependencies
* Wed Apr 13 2016 Steve Grubb <sgrubb@redhat.com> 2.5.1-1
- New upstream release
* Fri Mar 18 2016 Steve Grubb <sgrubb@redhat.com> 2.5-4
- Fixes #1313152 - post script fails on dnf --setopt=tsflags=nodocs install
* Mon Feb 22 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-3
- https://fedoraproject.org/wiki/Changes/golang1.6
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Jan 11 2016 Steve Grubb <sgrubb@redhat.com> 2.5-1
- New upstream release
- Fixes #1241565 - still logs way too much
- Fixes #1238051 - audit.rules should be generated from by augenrules
* Fri Dec 18 2015 Steve Grubb <sgrubb@redhat.com> 2.4.4-1
- New upstream bugfix release
* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 2.4.4-3
- Rebuilt for Python3.5 rebuild
* Wed Sep 16 2015 Peter Robinson <pbrobinson@fedoraproject.org> 2.4.4-2
- Fix FTBFS with hardened flags by using the distro CFLAGS
- Tighten deps with the _isa macro
- Use goarches macro to define supported GO architectures
- Minor cleanups
* Thu Aug 13 2015 Steve Grubb <sgrubb@redhat.com> 2.4.4-1
- New upstream bugfix release
- Fixes CVE-2015-5186 Audit: log terminal emulator escape sequences handling
* Thu Jul 16 2015 Steve Grubb <sgrubb@redhat.com> 2.4.3-1
- New upstream bugfix release
- Adds python3 support
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Apr 28 2015 Steve Grubb <sgrubb@redhat.com> 2.4.2-1
- New upstream bugfix release
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 2.4.1-2
- Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
* Tue Oct 28 2014 Steve Grubb <sgrubb@redhat.com> 2.4.1-1
- New upstream feature and bugfix release
* Mon Oct 06 2014 Karsten Hopp <karsten@redhat.com> 2.4-2
- bump release and rebuild for upgradepath
* Sun Aug 24 2014 Steve Grubb <sgrubb@redhat.com> 2.4-1
- New upstream feature and bugfix release
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.8-0.3.svn20140803
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Mon Aug 4 2014 Peter Robinson <pbrobinson@fedoraproject.org> 2.3.8-0.2.svn20140803
- aarch64/PPC/s390 don't have golang
* Sat Aug 02 2014 Steve Grubb <sgrubb@redhat.com> 2.3.8-0.1.svn20140803
- New upstream svn snapshot
* Tue Jul 22 2014 Steve Grubb <sgrubb@redhat.com> 2.3.7-4
- Bug 1117953 - Per fesco#1311, please disable syscall auditing by default
* Fri Jul 11 2014 Tom Callaway <spot@fedoraproject.org> - 2.3.7-3
- mark license files properly
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Tue Jun 03 2014 Steve Grubb <sgrubb@redhat.com> 2.3.7-1
- New upstream bugfix release
* Fri Apr 11 2014 Steve Grubb <sgrubb@redhat.com> 2.3.6-1
- New upstream bugfix/enhancement release
* Mon Mar 17 2014 Steve Grubb <sgrubb@redhat.com> 2.3.5-1
- New upstream bugfix/enhancement release
* Thu Feb 27 2014 Steve Grubb <sgrubb@redhat.com> 2.3.4-1
- New upstream bugfix/enhancement release
* Thu Jan 16 2014 Steve Grubb <sgrubb@redhat.com> 2.3.3-1
- New upstream bugfix/enhancement release
* Mon Jul 29 2013 Steve Grubb <sgrubb@redhat.com> 2.3.2-1
- New upstream bugfix/enhancement release
* Fri Jun 21 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-3
- Drop prelude support
* Fri May 31 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-2
- Fix unknown lvalue in auditd.service (#969345)
* Thu May 30 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-1
- New upstream bugfix/enhancement release
* Fri May 03 2013 Steve Grubb <sgrubb@redhat.com> 2.3-2
- If no rules exist, copy shipped rules into place


@ -1,35 +0,0 @@
diff --git a/src/ausearch.c b/src/ausearch.c
index 3bf95b5a..cf77ba14 100644
--- a/src/ausearch.c
+++ b/src/ausearch.c
@@ -464,6 +464,17 @@ static int process_log_fd(void)
if ((ret != 0)||(entries->cnt == 0))
break;
+ /*
+ * If we are checkpointing, decide if we output this event.
+ * We need to do it as early as here. The chkpt_input_levent event
+ * might not match the entries, so we need to ensure that we don't
+ * skip the event that is the checkpoint event. That is the marking point
+ * from which we start outputting events. Leaving that event out will produce
+ * empty results.
+ */
+ if (checkpt_filename)
+ do_output = chkpt_output_decision(&entries->e);
+
/*
* We flush all events on the last log file being processed.
* Thus incomplete events are 'carried forward' to be
@@ -471,12 +482,6 @@ static int process_log_fd(void)
* in the next file we are about to process.
*/
if (match(entries)) {
- /*
- * If we are checkpointing, decide if we output
- * this event
- */
- if (checkpt_filename)
- do_output = chkpt_output_decision(&entries->e);
if (do_output == 1) {
found = 1;


@ -1,12 +0,0 @@
/e2e_internal:
plan:
import:
url: https://github.com/RedHat-SP-Security/audit-plans.git
name: /generic/e2e_ci_internal
/rpmverify:
plan:
import:
url: https://github.com/RedHat-SP-Security/audit-plans.git
name: /generic/rpmverify


@ -1,6 +0,0 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}


@ -1,102 +0,0 @@
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 7a8c6d4b1..de34812f0 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -100,6 +100,7 @@ static struct libaudit_conf config;
static int audit_failure_parser(const char *val, int line);
static int audit_name_to_uid(const char *name, uid_t *auid);
static int audit_name_to_gid(const char *name, gid_t *gid);
+static char* filter_supported_syscalls(const char* syscalls, int machine) __attr_dealloc_free;
static const struct kw_pair keywords[] =
{
@@ -1524,6 +1525,50 @@ int _audit_parse_syscall(const char *optarg, struct audit_rule_data *rule)
return audit_rule_syscallbyname_data(rule, optarg);
}
+/*
+ * Filters unsupported syscalls from a comma-separated string based
+ * on the given architecture. Returns a new string with supported syscalls
+ * or NULL on error.
+ */
+static char* filter_supported_syscalls(const char* syscalls, int machine)
+{
+ if (syscalls == NULL) {
+ return NULL;
+ }
+
+ // Allocate memory for the filtered syscalls string
+ char* filtered_syscalls = malloc(strlen(syscalls) + 1);
+ if (filtered_syscalls == NULL) {
+ return NULL;
+ }
+ filtered_syscalls[0] = '\0'; // Initialize as empty string
+
+ // Tokenize the syscalls string and filter unsupported syscalls
+ const char* delimiter = ",";
+ char* syscalls_copy = strdup(syscalls);
+ if (syscalls_copy == NULL) {
+ free(filtered_syscalls);
+ return NULL;
+ }
+ char* token = strtok(syscalls_copy, delimiter);
+ while (token != NULL) {
+ if (audit_name_to_syscall(token, machine) != -1) {
+ strcat(filtered_syscalls, token);
+ strcat(filtered_syscalls, delimiter);
+ }
+ token = strtok(NULL, delimiter);
+ }
+ free(syscalls_copy);
+
+ // Remove the trailing delimiter, if present
+ size_t len = strlen(filtered_syscalls);
+ if (len > 0 && filtered_syscalls[len - 1] == ',') {
+ filtered_syscalls[len - 1] = '\0';
+ }
+
+ return filtered_syscalls;
+}
+
static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
{
// We only get here if syscall notation is being used in the rule.
@@ -1536,20 +1581,36 @@ static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
return 0;
}
+ const int machine = audit_elf_to_machine(_audit_elf);
const char *syscalls = audit_perm_to_name(perm);
- int rc = _audit_parse_syscall(syscalls, rule);
+ const char *syscalls_to_use;
+
+ // The permtab table is hardcoded, but some syscalls, like rename
+ // on arm64, are unavailable on certain architectures. To ensure compatibility,
+ // we must avoid creating rules with unsupported syscalls.
+ char* filtered_syscalls = filter_supported_syscalls(syscalls, machine);
+ if (filtered_syscalls == NULL) {
+ // use original syscalls in case we failed to parse - should not happen
+ syscalls_to_use = syscalls;
+ audit_msg(LOG_WARNING, "Filtering syscalls failed; using original syscalls.");
+ } else {
+ syscalls_to_use = filtered_syscalls;
+ }
+
+ int rc = _audit_parse_syscall(syscalls_to_use, rule);
switch (rc)
{
case 0:
_audit_syscalladded = 1;
break;
case -1: // Should never happen
- audit_msg(LOG_ERR, "Syscall name unknown: %s", syscalls);
+ audit_msg(LOG_ERR, "Syscall name unknown: %s", syscalls_to_use);
break;
default: // Error reported - do nothing here
break;
}
+ free(filtered_syscalls);
return rc;
}


@ -1,58 +0,0 @@
diff --git a/lib/libaudit.c b/lib/libaudit.c
index de34812f0..61f9bd9da 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1536,37 +1536,35 @@ static char* filter_supported_syscalls(const char* syscalls, int machine)
return NULL;
}
- // Allocate memory for the filtered syscalls string
- char* filtered_syscalls = malloc(strlen(syscalls) + 1);
- if (filtered_syscalls == NULL) {
- return NULL;
- }
- filtered_syscalls[0] = '\0'; // Initialize as empty string
-
- // Tokenize the syscalls string and filter unsupported syscalls
+ char buf[512] = "";
+ char* ptr = buf;
const char* delimiter = ",";
+
char* syscalls_copy = strdup(syscalls);
- if (syscalls_copy == NULL) {
- free(filtered_syscalls);
+ if (syscalls_copy == NULL)
return NULL;
- }
+
char* token = strtok(syscalls_copy, delimiter);
+ int first = 1; // Track if this is the first syscall being added
+
while (token != NULL) {
if (audit_name_to_syscall(token, machine) != -1) {
- strcat(filtered_syscalls, token);
- strcat(filtered_syscalls, delimiter);
+ if (!first)
+ *ptr++ = ',';
+ ptr = stpcpy(ptr, token);
+ first = 0;
}
token = strtok(NULL, delimiter);
}
+
free(syscalls_copy);
- // Remove the trailing delimiter, if present
- size_t len = strlen(filtered_syscalls);
- if (len > 0 && filtered_syscalls[len - 1] == ',') {
- filtered_syscalls[len - 1] = '\0';
+ // If no valid syscalls were found, return NULL
+ if (ptr == buf) {
+ return NULL;
}
- return filtered_syscalls;
+ return strdup(buf);
}
static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
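Review bot: The copy into `char buf[512]` has no bounds check: `*ptr++ = ','` and `ptr = stpcpy(ptr, token)` never compare the space left with the token length, so the function is memory-safe only while every list it receives fits in 511 bytes. The input appears to come from the hardcoded permtab through `audit_perm_to_name()` (going by the caller shown in the earlier libaudit.c patch on this page), which keeps that true today, but nothing in this function enforces it. A guard before the copy, `if ((size_t)(ptr - buf) + strlen(token) + 2 > sizeof(buf)) { free(syscalls_copy); return NULL; }`, would make the limit explicit; alternatively allocate `strlen(syscalls) + 1` bytes, which the comma-joined output cannot exceed now that no trailing delimiter is written. Separately, the new `return NULL` for "no valid syscalls" looks indistinguishable from an allocation failure to that caller, which then seems to fall back to the unfiltered list and log "Filtering syscalls failed"; a comment or a distinct return path would help. The function's opening lines are outside this hunk.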


@ -1,14 +0,0 @@
diff --git a/init.d/auditd.service.in b/init.d/auditd.service.in
index 173795164..853912f61 100644
--- a/init.d/auditd.service.in
+++ b/init.d/auditd.service.in
@@ -16,6 +16,9 @@ Wants=audit-rules.service
## a minimal file that overrides only the necessary lines but inherits the
## original settings in case they get updated by a distribution. Please check
## systemd documentation if it's unclear how to override settings.
+## If using remote logging, ensure that the systemd-update-utmp.service file
+## is updated to remove the After=auditd.service directive to prevent a
+## boot-time ordering cycle.
After=local-fs.target systemd-tmpfiles-setup.service
#After=network-online.target local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target audit-rules.service


@ -1,164 +0,0 @@
diff --git a/docs/auditd.conf.5 b/docs/auditd.conf.5
index 0b785e7a3..fae6efda9 100644
--- a/docs/auditd.conf.5
+++ b/docs/auditd.conf.5
@@ -156,7 +156,7 @@ while the audit daemon is running, you should send the audit daemon SIGHUP to re
This parameter tells the system what action to take when the system has
detected that it is starting to get low on disk space.
Valid values are
-.IR ignore ", " syslog ", " rotate ", " email ", " exec ", " suspend ", " single ", and " halt .
+.IR ignore ", " syslog ", " rotate ", " email ", " exec ", " suspend ", and " single .
If set to
.IR ignore ,
the audit daemon does nothing.
@@ -173,9 +173,20 @@ as well as sending the message to syslog.
.I suspend
will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
.I single
-option will cause the audit daemon to put the computer system in single user mode. The
+option will cause the audit daemon to put the computer system in single user mode. Except for rotate, it will perform this action just one time. The previously available
.I halt
-option will cause the audit daemon to shutdown the computer system. Except for rotate, it will perform this action just one time.
+option, which would cause the audit daemon to shut down the computer system, has been deprecated and should no longer be used. It was determined that halting the system at this stage could lead to unintended consequences and is considered a bad action if selected.
+
+Disk space notifications follow a three-stage progression. The
+.I space_left_action
+is the low water mark and serves as the first warning that disk space is running low. Halting at this stage is not recommended, as it prevents administrators from taking corrective action. The next stage,
+.I admin_space_left_action,
+indicates an emergency level where immediate action is required to free up disk space. Administrators should configure critical responses for this level. Finally, the
+.I disk_full_action
+occurs when the disk is completely full. At this stage, the system may have already halted, and preemptive measures configured in earlier stages will determine the systems behavior.
+
+
+
.TP
.I admin_space_left
This is a numeric value in megabytes that tells the audit daemon when
diff --git a/src/auditd-config.c b/src/auditd-config.c
index b2992e647..5065e6aa6 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -1034,6 +1034,11 @@ static int space_action_parser(const struct nv_pair *nv, int line,
if (check_exe_name(nv->option, line))
return 1;
config->space_left_exe = strdup(nv->option);
+ } else if (failure_actions[i].option == FA_HALT) {
+ audit_msg(LOG_ERR,
+ "The HALT option in space_left_action has been deprecated"
+ " to prevent system instability from premature shutdowns.");
+ return 1;
}
config->space_left_action = failure_actions[i].option;
return 0;
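Review bot: The new `FA_HALT` branch in `space_action_parser` returns 1 like the `check_exe_name` failure just above it, so `halt` is rejected outright, while the log text calls it "deprecated" and does not name the offending line even though `line` is a parameter. If the caller treats 1 as a fatal parse error (the caller is not visible in this hunk), a host upgraded with an existing `space_left_action = halt` would be left without a loaded audit configuration until someone finds this message. I would make the text say what happened and where, e.g. `"halt is no longer accepted for space_left_action - line %d"` with `line` as the argument. The function starts and ends outside the hunk.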
@@ -1043,6 +1048,13 @@ static int space_action_parser(const struct nv_pair *nv, int line,
return 1;
}
+const char *failure_action_to_str(unsigned int action)
+{
+ if (action > FA_HALT)
+ return "unknown";
+ return failure_actions[action].name;
+}
+
// returns 0 if OK, 1 on temp error, 2 on permanent error
static int validate_email(const char *acct)
{
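Review bot: `failure_action_to_str` indexes `failure_actions[action]` directly, which is only right while the table is laid out in exactly the enum's order and `FA_HALT` stays the highest value; the parser in the previous hunk matches entries through `.option` instead. Neither assumption is checked here and the table definition is outside this hunk, so a reordered or extended table would silently return the wrong name, or a NULL that the callers pass to `%s`. I would at least record the assumption next to the bound, `/* failure_actions[] must be indexed by action value; FA_HALT is the last entry */`, or look the name up by comparing `.option` as the parser does.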
diff --git a/src/auditd-config.h b/src/auditd-config.h
index dae6a5086..3d7170476 100644
--- a/src/auditd-config.h
+++ b/src/auditd-config.h
@@ -114,4 +114,6 @@ int start_config_manager(struct auditd_event *e);
#endif
void free_config(struct daemon_conf *config);
+const char *failure_action_to_str(unsigned int action);
+
#endif
diff --git a/src/auditd-event.c b/src/auditd-event.c
index fb3b98be4..3a64d5aae 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -829,19 +829,36 @@ extern int sendmail(const char *subject, const char *content,
static void do_space_left_action(int admin)
{
int action;
+ char buffer[256];
+ const char *next_actions;
- if (admin)
+ // Select the appropriate action and generate a meaningful message
+ // explaining what happens if disk space reaches a threshold or
+ // becomes completely full.
+ if (admin) {
action = config->admin_space_left_action;
- else
+
+ snprintf(buffer, sizeof(buffer),
+ "If the disk becomes full, audit will %s.", failure_action_to_str(config->disk_full_action));
+ }
+ else {
action = config->space_left_action;
+ snprintf(buffer, sizeof(buffer),
+ "If the admin space left threshold is reached, audit will %s. "
+ "If the disk becomes full, audit will %s.",
+ failure_action_to_str(config->admin_space_left_action),
+ failure_action_to_str(config->disk_full_action));
+ }
+ next_actions = buffer;
+
switch (action)
{
case FA_IGNORE:
break;
case FA_SYSLOG:
audit_msg(LOG_ALERT,
- "Audit daemon is low on disk space for logging");
+ "Audit daemon is low on disk space for logging. %s", next_actions);
break;
case FA_ROTATE:
if (config->num_logs > 1) {
@@ -851,19 +868,24 @@ static void do_space_left_action(int admin)
}
break;
case FA_EMAIL:
+ char content[512];
+ const char *subject;
+
if (admin == 0) {
- sendmail("Audit Disk Space Alert",
- "The audit daemon is low on disk space for logging! Please take action\nto ensure no loss of service.",
- config->action_mail_acct);
- audit_msg(LOG_ALERT,
- "Audit daemon is low on disk space for logging");
+ subject = "Audit Disk Space Alert";
+ snprintf(content, sizeof(content),
+ "The audit daemon is low on disk space for logging! Please take action\n"
+ "to ensure no loss of service.\n"
+ "%s", next_actions);
} else {
- sendmail("Audit Admin Space Alert",
- "The audit daemon is very low on disk space for logging! Immediate action\nis required to ensure no loss of service.",
- config->action_mail_acct);
- audit_msg(LOG_ALERT,
- "Audit daemon is very low on disk space for logging");
+ subject = "Audit Admin Space Alert";
+ snprintf(content, sizeof(content),
+ "The audit daemon is very low on disk space for logging! Immediate action\n"
+ "is required to ensure no loss of service.\n"
+ "%s", next_actions);
}
+ sendmail(subject, content, config->action_mail_acct);
+ audit_msg(LOG_ALERT, "%s", content);
break;
case FA_EXEC:
// Close the logging file in case the script zips or
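Review bot: `char content[512];` directly after `case FA_EMAIL:` puts a declaration right behind a label, which C11 and earlier do not allow and older GCC releases reject ("a label can only be part of a statement"); the later `case` labels also end up inside the scope of `content` and `subject`. Wrapping the case body in a block fixes both: `case FA_EMAIL: {` at the top and `break; }` at the end. Separately, `audit_msg(LOG_ALERT, "%s", content);` now logs the whole mail body, embedded `\n` included, where the old calls logged one line. Multi-line syslog entries are often split or escaped by collectors, so a one-line summary followed by `next_actions` would keep the alert easy to match in detection rules. The switch continues outside this hunk.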
@@ -897,6 +919,7 @@ static void do_space_left_action(int admin)
stop = 1;
break;
case FA_HALT:
+ // Only available for admin
audit_msg(LOG_ALERT,
"The audit daemon is now halting the system and exiting due to low disk space");
change_runlevel(HALT);


@ -1 +0,0 @@
SHA512 (v4.0.3.tar.gz) = a20d2f832632fa844764086aac98c80f7fcb120ceeaae7472248e04eec0493981e31fd59f22c3f0dbff81ccbcd132b8297812f2b4cdb87b866c59aedf3611342


@ -1,134 +0,0 @@
diff --git a/audit.spec b/audit.spec
index ee839006a..5ca742888 100644
--- a/audit.spec
+++ b/audit.spec
@@ -210,6 +210,7 @@ fi
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/auditd.cron.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
%attr(755,root,root) %{_sbindir}/auditd
%attr(755,root,root) %{_sbindir}/ausearch
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 9db23cb3d..410ecda62 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -68,5 +68,6 @@ ausearch_next_event.3 ausearch_cur_event.3 ausearch_set_stop.3 \
get_auditfail_action.3 set_aumessage_mode.3 \
audispd-zos-remote.8 libaudit.conf.5 \
augenrules.8 audit_set_backlog_wait_time.3 \
-zos-remote.conf.5
+zos-remote.conf.5 \
+auditd.cron.5
diff --git a/docs/auditd.conf.5 b/docs/auditd.conf.5
index fae6efda9..d5765dd43 100644
--- a/docs/auditd.conf.5
+++ b/docs/auditd.conf.5
@@ -432,6 +432,10 @@ record type >= AUDIT_MAC_UNLBL_ALLOW && record type <= AUDIT_MAC_CALIPSO_DEL (th
for the stream being processed, the time of the event is over end_of_event_timeout seconds old.
.RE
+.SH LOG ROTATION POLICY
+
+By default, auditd uses size-based log rotation. If you prefer time-based rotation (e.g., hourly, daily, weekly, or custom schedule), refer to auditd.cron(5) for configuration details.
+
.SH FILES
.TP
.I /etc/audit/auditd.conf
@@ -440,7 +444,8 @@ Audit daemon configuration file
.SH "SEE ALSO"
.BR auditd (8),
.BR audisp\-remote.conf (5),
-.BR auditd\-plugins (5).
+.BR auditd\-plugins (5),
+.BR auditd.cron (5).
.SH AUTHOR
Steve Grubb
diff --git a/docs/auditd.cron.5 b/docs/auditd.cron.5
new file mode 100644
index 000000000..af1409823
--- /dev/null
+++ b/docs/auditd.cron.5
@@ -0,0 +1,66 @@
+.TH AUDITD.CRON "5" "Feb 2025" "Red Hat" "System Administration Utilities"
+.SH NAME
+auditd.conf \- time-based rotation of audit logs
+.SH DESCRIPTION
+By default, the audit daemon (auditd) supports size-based log rotation, where logs are rotated once they reach a specified size, as configured in
+.I /etc/audit/auditd.conf.
+This manual describes an alternative method: time-based log rotation using
+.B cron.
+Using this approach, audit logs can be rotated at specified intervals (hourly, daily, weekly or on a custom date), regardless of their size.
+
+.SH CONFIGURATION
+
+.B 1.Disable Size-Based Rotation:
+
+To enable time-based log rotation, first disable \fBauditd's\fP built-in size-based rotation by setting the following parameter in
+.I /etc/audit/auditd.conf:
+
+.RS
+max_log_file_action = ignore
+.RE
+
+.B 2. Configure Log Retention:
+
+The
+.B num_logs
+parameter determines the number of rotated log files to keep. For daily rotation, setting
+
+.RS
+num_logs = 7
+.RE
+
+ensures that logs from the last seven days are retained. However, on busy systems, audit logs may grow rapidly, potentially leading to a lack of disk space. To prevent this, ensure that the
+.B space_left_action
+parameter is configured to handle low-disk-space situations appropriately.
+
+.B 3. Apply Configuration Changes:
+
+After modifying the main auditd configuration file, reload auditd to apply the changes:
+
+.RS
+auditctl --signal reload
+.RE
+
+.B 4. Deploy the Rotation Script:
+
+Copy the provided
+.B auditd.cron
+script to the appropriate cron directory (
+.IR cron.daily
+or
+.IR cron.hourly
+or
+.IR cron.weekly
+, depending on your rotation preference). Then, ensure the file has the correct SELinux labels:
+
+.RS
+cp /usr/share/doc/audit/auditd.cron /etc/cron.daily
+.RE
+
+.SH "SEE ALSO"
+.BR auditd.conf (5),
+.BR auditd (8),
+.BR cron(8).
+
+.SH AUTHOR
+Attila Lakatos
diff --git a/init.d/auditd.cron b/init.d/auditd.cron
index 825cb227d..e692231df 100644
--- a/init.d/auditd.cron
+++ b/init.d/auditd.cron
@@ -5,7 +5,7 @@
# based on time instead of log size.
##########
-/sbin/auditctl --signal usr1
+/sbin/auditctl --signal rotate
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t auditd "ALERT auditctl exited abnormally with [$EXITVALUE] while rotating the logs"


@ -1,87 +0,0 @@
diff --git a/common/common.c b/common/common.c
index cd15b1691..13065a0c7 100644
--- a/common/common.c
+++ b/common/common.c
@@ -25,6 +25,8 @@
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
+#include <utmpx.h>
+#include <fcntl.h>
/*
* This function returns 1 if it is the last record in an event.
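Review bot: The added `#include <fcntl.h>` repeats the include that is already present three lines above in this hunk's context, so only `#include <utmpx.h>` is needed here. The `wall_message` function added further down uses `va_list`; if `<stdarg.h>` is not already included in the part of the file outside this hunk, that is the header the second line should bring in instead.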
@@ -75,4 +77,36 @@ int write_to_console(const char *fmt, ...)
close(fd);
return res;
+}
+
+void wall_message(const char* format, ...)
+{
+ struct utmpx* entry;
+ char message[512];
+ va_list args;
+ int fd;
+
+ // Format the message
+ va_start(args, format);
+ vsnprintf(message, sizeof(message), format, args);
+ va_end(args);
+
+ setutxent();
+
+ // Send the message to all active users
+ while ((entry = getutxent())) {
+ // Only active users have a valid terminal
+ if (entry->ut_type == USER_PROCESS) {
+ char tty_path[128];
+ snprintf(tty_path, sizeof(tty_path), "/dev/%s", entry->ut_line);
+
+ fd = open(tty_path, O_WRONLY | O_NOCTTY);
+ if (fd != -1) {
+ dprintf(fd, "\nBroadcast message from audit daemon:\n%s\n", message);
+ close(fd);
+ }
+ }
+ }
+
+ endutxent();
}
\ No newline at end of file
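Review bot: `entry->ut_line` goes straight from the utmp database into a path that the daemon opens for writing, with no bound on the read and no check on what was actually opened. `ut_line` is a fixed-size field that need not be NUL-terminated, so `"/dev/%s"` can read past it, and a record containing `..` would make the open resolve outside `/dev`. `open()` without `O_NONBLOCK` can also stall the daemon on a terminal that is not accepting output, at the moment disk space is critical. I would copy the field into a terminated buffer, refuse names that leave `/dev`, open non-blocking and write only when `fstat()` reports a character device, as sketched below; this needs `<string.h>` and `<sys/stat.h>`.

```c
	// … unchanged: message formatting, setutxent() and the getutxent() loop header …
		if (entry->ut_type == USER_PROCESS) {
			char line[sizeof(entry->ut_line) + 1];
			char tty_path[128];
			struct stat st;

			// ut_line may fill its field without a terminating NUL
			memcpy(line, entry->ut_line, sizeof(entry->ut_line));
			line[sizeof(entry->ut_line)] = '\0';

			// Stay below /dev: no empty, absolute or parent-relative names
			if (line[0] == '\0' || line[0] == '/' || strstr(line, ".."))
				continue;
			snprintf(tty_path, sizeof(tty_path), "/dev/%s", line);

			// Never block the daemon on a stalled terminal
			fd = open(tty_path, O_WRONLY | O_NOCTTY | O_NONBLOCK);
			if (fd == -1)
				continue;
			// Write only to real terminal devices
			if (fstat(fd, &st) == 0 && S_ISCHR(st.st_mode))
				dprintf(fd, "\nBroadcast message from audit daemon:\n%s\n", message);
			close(fd);
		}
	// … unchanged: endutxent() …
```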
diff --git a/common/common.h b/common/common.h
index 5d4b66945..61dbe7d23 100644
--- a/common/common.h
+++ b/common/common.h
@@ -57,6 +57,13 @@ int write_to_console(const char *fmt, ...)
;
#endif
+void wall_message(const char *fmt, ...)
+#ifdef __GNUC__
+ __attribute__((format(printf, 1, 2)));
+#else
+ ;
+#endif
+
AUDIT_HIDDEN_END
#endif
diff --git a/src/auditd-event.c b/src/auditd-event.c
index 3a64d5aae..a6eeb2c18 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -852,6 +852,13 @@ static void do_space_left_action(int admin)
}
next_actions = buffer;
+ // If space_left is reached and FA_HALT is set in any of these fields
+ // we need to inform logged in users.
+ if (config->admin_space_left_action == FA_HALT ||
+ config->disk_full_action == FA_HALT) {
+ wall_message("The audit system is low on disk space and is now halting the system for admin corrective action.");
+ }
+
switch (action)
{
case FA_IGNORE:
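Review bot: The added `wall_message` call tells every logged-in user that the system "is now halting", but the condition only checks that `admin_space_left_action` or `disk_full_action` is configured as `FA_HALT`. When this runs for the first `space_left` threshold nothing is halting yet, and the broadcast goes out even when `action` is `FA_IGNORE`. It also appears to fire on the admin call, although the comment speaks only of `space_left`. A warning that overstates what is happening teaches operators to disregard it, so I would word it as a forecast, e.g. `wall_message("The audit system is low on disk space and will halt the system if space is not freed.");`, and guard it with `!admin &&` if it is meant for the first threshold only. The function continues beyond this hunk.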