Compare commits
No commits in common. "c8" and "c9s" have entirely different histories.
@ -1 +0,0 @@
|
||||
45cffb1ded9a57a79b33547f58228131d3eb14a6 SOURCES/audit-3.1.2.tar.gz
|
1
.fmf/version
Normal file
1
.fmf/version
Normal file
@ -0,0 +1 @@
|
||||
1
|
175
.gitignore
vendored
175
.gitignore
vendored
@ -1 +1,174 @@
|
||||
SOURCES/audit-3.1.2.tar.gz
|
||||
audit-0.5.tar.gz
|
||||
audit-0.6.2.tar.gz
|
||||
audit-0.5.5.tar.gz
|
||||
audit-0.6.3.tar.gz
|
||||
audit-0.6.4.tar.gz
|
||||
audit-0.6.5.tar.gz
|
||||
audit-0.6.6.tar.gz
|
||||
audit-0.6.7.tar.gz
|
||||
audit-0.6.8.tar.gz
|
||||
audit-0.6.9.tar.gz
|
||||
audit-0.6.10.tar.gz
|
||||
audit-0.6.11.tar.gz
|
||||
audit-0.6.12.tar.gz
|
||||
audit-0.7.tar.gz
|
||||
audit-0.7.1.tar.gz
|
||||
audit-0.7.2.tar.gz
|
||||
audit-0.7.3.tar.gz
|
||||
audit-0.7.4.tar.gz
|
||||
audit-0.8.1.tar.gz
|
||||
audit-0.8.2.tar.gz
|
||||
audit-0.9.2.tar.gz
|
||||
audit-0.9.3.tar.gz
|
||||
audit-0.9.4.tar.gz
|
||||
audit-0.9.5.tar.gz
|
||||
audit-0.9.6.tar.gz
|
||||
audit-0.9.7.tar.gz
|
||||
audit-0.9.8.tar.gz
|
||||
audit-0.9.9.tar.gz
|
||||
audit-0.9.10.tar.gz
|
||||
audit-0.9.11.tar.gz
|
||||
audit-0.9.12.tar.gz
|
||||
audit-0.9.13.tar.gz
|
||||
audit-0.9.14.tar.gz
|
||||
audit-0.9.15.tar.gz
|
||||
audit-0.9.16.tar.gz
|
||||
audit-0.9.17.tar.gz
|
||||
audit-0.9.18.tar.gz
|
||||
audit-0.9.19.tar.gz
|
||||
audit-0.9.20.tar.gz
|
||||
audit-1.0.tar.gz
|
||||
audit-1.0.1.tar.gz
|
||||
audit-1.0.2.tar.gz
|
||||
audit-1.0.3.tar.gz
|
||||
audit-1.0.4.tar.gz
|
||||
audit-1.0.5.tar.gz
|
||||
audit-1.0.6.tar.gz
|
||||
audit-1.0.7.tar.gz
|
||||
audit-1.0.8.tar.gz
|
||||
audit-1.0.9.tar.gz
|
||||
audit-1.0.10.tar.gz
|
||||
audit-1.0.12.tar.gz
|
||||
audit-1.1.tar.gz
|
||||
audit-1.1.1.tar.gz
|
||||
audit-1.1.2.tar.gz
|
||||
audit-1.1.3.tar.gz
|
||||
audit-1.1.4.tar.gz
|
||||
audit-1.1.5.tar.gz
|
||||
audit-1.1.6.tar.gz
|
||||
audit-1.2.tar.gz
|
||||
audit-1.2.1.tar.gz
|
||||
audit-1.2.2.tar.gz
|
||||
audit-1.2.3.tar.gz
|
||||
audit-1.2.4.tar.gz
|
||||
audit-1.2.5.tar.gz
|
||||
audit-1.2.6.tar.gz
|
||||
audit-1.2.7.tar.gz
|
||||
audit-1.2.8.tar.gz
|
||||
audit-1.2.9.tar.gz
|
||||
audit-1.3.tar.gz
|
||||
audit-1.3.1.tar.gz
|
||||
audit-1.4.tar.gz
|
||||
audit-1.4.1.tar.gz
|
||||
audit-1.4.2.tar.gz
|
||||
audit-1.5.tar.gz
|
||||
audit-1.5.1.tar.gz
|
||||
audit-1.5.2.tar.gz
|
||||
audit-1.5.3.tar.gz
|
||||
audit-1.5.5.tar.gz
|
||||
audit-1.5.6.tar.gz
|
||||
audit-1.6.tar.gz
|
||||
audit-1.6.1.tar.gz
|
||||
audit-1.6.2.tar.gz
|
||||
audit-1.6.4.tar.gz
|
||||
audit-1.6.5.tar.gz
|
||||
audit-1.6.6.tar.gz
|
||||
audit-1.6.7.tar.gz
|
||||
audit-1.6.8.tar.gz
|
||||
audit-1.6.9.tar.gz
|
||||
audit-1.7.tar.gz
|
||||
audit-1.7.1.tar.gz
|
||||
audit-1.7.3.tar.gz
|
||||
audit-1.7.4.tar.gz
|
||||
audit-1.7.5.tar.gz
|
||||
audit-1.7.6.tar.gz
|
||||
audit-1.7.7.tar.gz
|
||||
audit-1.7.8.tar.gz
|
||||
audit-1.7.9.tar.gz
|
||||
audit-1.7.10.tar.gz
|
||||
audit-1.7.11.tar.gz
|
||||
audit-1.7.12.tar.gz
|
||||
audit-1.7.13.tar.gz
|
||||
audit-2.0.tar.gz
|
||||
audit-1.8.tar.gz
|
||||
audit-2.0.1.tar.gz
|
||||
audit-2.0.3.tar.gz
|
||||
audit-2.0.4.tar.gz
|
||||
/audit-2.0.5.tar.gz
|
||||
/audit-2.0.6.tar.gz
|
||||
/audit-2.1.tar.gz
|
||||
/audit-2.1.1.tar.gz
|
||||
/audit-2.1.2.tar.gz
|
||||
/audit-2.1.3.tar.gz
|
||||
/audit-2.2.tar.gz
|
||||
/audit-2.2.1.tar.gz
|
||||
/audit-2.2.2.tar.gz
|
||||
/audit-2.3.tar.gz
|
||||
/audit-2.3.1.tar.gz
|
||||
/audit-2.3.2.tar.gz
|
||||
/audit-2.3.3.tar.gz
|
||||
/audit-2.3.4.tar.gz
|
||||
/audit-2.3.5.tar.gz
|
||||
/audit-2.3.6.tar.gz
|
||||
/audit-2.3.7.tar.gz
|
||||
/audit-2.3.8svn20140801.tar.gz
|
||||
/audit-2.3.8.svn20140801.tar.gz
|
||||
/audit-2.3.8.svn20140802.tar.gz
|
||||
/audit-2.3.8.svn20140803.tar.gz
|
||||
/audit-2.4.tar.gz
|
||||
/audit-2.4.1.tar.gz
|
||||
/audit-2.4.2.tar.gz
|
||||
/audit-2.4.3.tar.gz
|
||||
/audit-2.4.4.tar.gz
|
||||
/audit-2.4.5.tar.gz
|
||||
/audit-2.5.tar.gz
|
||||
/audit-2.5.1.tar.gz
|
||||
/audit-2.5.2.tar.gz
|
||||
/audit-2.6.tar.gz
|
||||
/audit-2.6.1.tar.gz
|
||||
/audit-2.6.2.tar.gz
|
||||
/audit-2.6.3.tar.gz
|
||||
/audit-2.6.4.tar.gz
|
||||
/audit-2.6.5.tar.gz
|
||||
/audit-2.6.6.tar.gz
|
||||
/audit-2.6.7.tar.gz
|
||||
/audit-2.7.tar.gz
|
||||
/audit-2.7.1.tar.gz
|
||||
/audit-2.7.2.tar.gz
|
||||
/audit-2.7.3.tar.gz
|
||||
/audit-2.7.4.tar.gz
|
||||
/audit-2.7.5.tar.gz
|
||||
/audit-2.7.6.tar.gz
|
||||
/audit-2.7.7.tar.gz
|
||||
/audit-2.7.8.tar.gz
|
||||
/audit-2.8.tar.gz
|
||||
/audit-2.8.1.tar.gz
|
||||
/audit-2.8.2.tar.gz
|
||||
/audit-2.8.3.tar.gz
|
||||
/audit-2.8.4.tar.gz
|
||||
/audit-3.0-alpha.tar.gz
|
||||
/audit-3.0-alpha2.tar.gz
|
||||
/audit-3.0-alpha3.tar.gz
|
||||
/audit-3.0-alpha5.tar.gz
|
||||
/audit-3.0-alpha6.tar.gz
|
||||
/audit-3.0-alpha7.tar.gz
|
||||
/audit-3.0-alpha8.tar.gz
|
||||
/audit-3.0-alpha9.tar.gz
|
||||
/audit-3.0.tar.gz
|
||||
/audit-3.0.1.tar.gz
|
||||
/audit-3.0.2.tar.gz
|
||||
/audit-3.0.5.tar.gz
|
||||
/audit-3.0.7.tar.gz
|
||||
/audit-3.1.2.tar.gz
|
||||
/audit-3.1.4.tar.gz
|
||||
/audit-3.1.5.tar.gz
|
||||
|
217
0001-Add-ausysrulevalidate.patch
Normal file
217
0001-Add-ausysrulevalidate.patch
Normal file
@ -0,0 +1,217 @@
|
||||
From 4011007b445e8f8da9b0cc45eccd793b94f6b5ce Mon Sep 17 00:00:00 2001
|
||||
From: Sergio Correia <scorreia@redhat.com>
|
||||
Date: Thu, 29 Jul 2021 19:25:43 -0300
|
||||
Subject: [PATCH] Add ausysrulevalidate
|
||||
|
||||
---
|
||||
contrib/ausysrulevalidate | 198 ++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 198 insertions(+)
|
||||
create mode 100755 contrib/ausysrulevalidate
|
||||
|
||||
diff --git a/contrib/ausysrulevalidate b/contrib/ausysrulevalidate
|
||||
new file mode 100755
|
||||
index 0000000..a251b2c
|
||||
--- /dev/null
|
||||
+++ b/contrib/ausysrulevalidate
|
||||
@@ -0,0 +1,198 @@
|
||||
+#!/usr/bin/env python3
|
||||
+# -*- coding: utf-8 -*-
|
||||
+
|
||||
+# ausysrulevalidate - A program that lets you validate the syscalls
|
||||
+# in audit rules.
|
||||
+# Copyright (c) 2021 Red Hat Inc., Durham, North Carolina.
|
||||
+# All Rights Reserved.
|
||||
+#
|
||||
+# This software may be freely redistributed and/or modified under the
|
||||
+# terms of the GNU General Public License as published by the Free
|
||||
+# Software Foundation; either version 2, or (at your option) any
|
||||
+# later version.
|
||||
+#
|
||||
+# This program is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with this program; see the file COPYING. If not, write to the
|
||||
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
|
||||
+# Boston, MA 02110-1335, USA.
|
||||
+#
|
||||
+# Authors:
|
||||
+# Sergio Correia <scorreia@redhat.com>
|
||||
+
|
||||
+""" This program lets you validate syscalls in audit rules. """
|
||||
+
|
||||
+import argparse
|
||||
+import os.path
|
||||
+import sys
|
||||
+
|
||||
+import audit
|
||||
+
|
||||
+
|
||||
+class AuSyscallRuleValidate:
|
||||
+ """AuSyscallRuleValidate validates syscalls in audit rules."""
|
||||
+
|
||||
+ def __init__(self):
|
||||
+ self.syscalls_table = {}
|
||||
+ self.invalid_syscalls = {}
|
||||
+ self.machines = {
|
||||
+ "b32": audit.audit_determine_machine("b32"),
|
||||
+ "b64": audit.audit_determine_machine("b64"),
|
||||
+ }
|
||||
+
|
||||
+ if self.machines["b32"] == -1 or self.machines["b64"] == -1:
|
||||
+ sys.stderr.write("ERROR: Unable to determine machine type\n")
|
||||
+ sys.exit(1)
|
||||
+
|
||||
+ def validate_syscall(self, arch, syscall):
|
||||
+ """Validates a single syscall."""
|
||||
+
|
||||
+ if syscall == "all":
|
||||
+ return True
|
||||
+
|
||||
+ lookup = "{0}:{1}".format(arch, syscall)
|
||||
+ if lookup in self.syscalls_table:
|
||||
+ return self.syscalls_table[lookup]
|
||||
+
|
||||
+ ret = audit.audit_name_to_syscall(syscall, self.machines[arch])
|
||||
+ self.syscalls_table[lookup] = ret != -1
|
||||
+ if not self.syscalls_table[lookup]:
|
||||
+ self.invalid_syscalls[lookup] = lookup
|
||||
+
|
||||
+ return self.syscalls_table[lookup]
|
||||
+
|
||||
+ def process_syscalls(self, arch, syscalls):
|
||||
+ """Processes a group of syscalls, validating them individually."""
|
||||
+
|
||||
+ scalls = syscalls.split(",")
|
||||
+ processed = []
|
||||
+ for syscall in scalls:
|
||||
+ if self.validate_syscall(arch, syscall):
|
||||
+ processed.append(syscall)
|
||||
+ return ",".join(processed)
|
||||
+
|
||||
+ def parse_line(self, line):
|
||||
+ """Processes a single line from the audit rules file, and returns the
|
||||
+ same line adjusted, if required, by removing invalid syscalls, or even
|
||||
+ removing the rule altogether, if no valid syscall remain after
|
||||
+ validation."""
|
||||
+
|
||||
+ if line.lstrip().startswith("#") or "-S" not in line:
|
||||
+ return line
|
||||
+
|
||||
+ # We do have a rule specifying syscalls, so let's validate them.
|
||||
+ tokens = line.split()
|
||||
+ processed = []
|
||||
+ is_syscall = False
|
||||
+ arch = None
|
||||
+
|
||||
+ for val in tokens:
|
||||
+ if not is_syscall:
|
||||
+ processed.append(val)
|
||||
+
|
||||
+ if val.startswith("arch="):
|
||||
+ archs = val.split("=")
|
||||
+ if len(archs) == 2:
|
||||
+ arch = val.split("=")[1]
|
||||
+ if arch not in self.machines:
|
||||
+ sys.stderr.write("ERROR: unexpected arch '{0}'\n".format(arch))
|
||||
+ continue
|
||||
+
|
||||
+ if val == "-S":
|
||||
+ is_syscall = True
|
||||
+ continue
|
||||
+
|
||||
+ if is_syscall:
|
||||
+ is_syscall = False
|
||||
+ scalls = self.process_syscalls(arch, val)
|
||||
+
|
||||
+ if len(scalls) == 0:
|
||||
+ processed = processed[:-1]
|
||||
+ continue
|
||||
+ processed.append(scalls)
|
||||
+
|
||||
+ if "-S" not in processed:
|
||||
+ # Removing rule altogether, as we have no valid syscalls remaining.
|
||||
+ return None
|
||||
+ return " ".join(processed)
|
||||
+
|
||||
+ def process_rules(self, rules_file):
|
||||
+ """Reads a file with audit rules and returns the rules after
|
||||
+ validation of syscalls/architecture. Invalid syscalls will be removed
|
||||
+ and, if there are no valid remaining syscalls, the rule itself is
|
||||
+ removed."""
|
||||
+
|
||||
+ if not os.path.isfile(rules_file):
|
||||
+ sys.stderr.write("ERROR: rules file '{0}' not found\n".format(rules_file))
|
||||
+ sys.exit(1)
|
||||
+
|
||||
+ with open(rules_file) as rules:
|
||||
+ content = rules.readlines()
|
||||
+
|
||||
+ processed = []
|
||||
+ changed = False
|
||||
+ for line in content:
|
||||
+ validated = self.parse_line(line)
|
||||
+ if validated is None:
|
||||
+ changed = True
|
||||
+ continue
|
||||
+
|
||||
+ if validated.rstrip("\r\n") != line.rstrip("\r\n"):
|
||||
+ changed = True
|
||||
+ processed.append(validated.rstrip("\r\n"))
|
||||
+
|
||||
+ invalid_syscalls = []
|
||||
+ for invalid in self.invalid_syscalls:
|
||||
+ invalid_syscalls.append(invalid)
|
||||
+
|
||||
+ return (processed, changed, invalid_syscalls)
|
||||
+
|
||||
+ def update_rules(self, rules_file):
|
||||
+ """Reads a file with audit rules and updates it after validation of
|
||||
+ syscalls/architecture. Invalid syscalls will be removed and, if
|
||||
+ there are no valid remaining syscalls, the rule itself is removed."""
|
||||
+
|
||||
+ new_rules, changed, invalid_syscalls = self.process_rules(rules_file)
|
||||
+ if changed:
|
||||
+ with open(rules_file, "w") as rules:
|
||||
+ for line in new_rules:
|
||||
+ rules.write("{0}\n".format(line))
|
||||
+
|
||||
+ return (new_rules, changed, invalid_syscalls)
|
||||
+
|
||||
+
|
||||
+if __name__ == "__main__":
|
||||
+ parser = argparse.ArgumentParser(description="ausysrulevalidate")
|
||||
+ parser.add_argument(
|
||||
+ "-u", "--update", help="Update rules file if required", action="store_true"
|
||||
+ )
|
||||
+ parser.add_argument(
|
||||
+ "-v", "--verbose", help="Show the resulting rules file", action="store_true"
|
||||
+ )
|
||||
+ required_named = parser.add_argument_group("required named arguments")
|
||||
+ required_named.add_argument(
|
||||
+ "-r", "--rules-file", help="Rules file name", required=True
|
||||
+ )
|
||||
+ args = parser.parse_args()
|
||||
+
|
||||
+ validator = AuSyscallRuleValidate()
|
||||
+
|
||||
+ action = validator.process_rules
|
||||
+ if args.update:
|
||||
+ action = validator.update_rules
|
||||
+
|
||||
+ data, changed, invalid = action(args.rules_file)
|
||||
+ if changed:
|
||||
+ verb = "require"
|
||||
+ if args.update:
|
||||
+ verb += "d"
|
||||
+ sys.stderr.write("Rules in '{0}' {1} changes\n".format(args.rules_file, verb))
|
||||
+ if len(invalid) > 0:
|
||||
+ sys.stderr.write("Invalid syscalls: {0}\n".format(", ".join(invalid)))
|
||||
+
|
||||
+ if args.verbose:
|
||||
+ print(*data, sep="\n")
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,25 +1,31 @@
|
||||
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
|
||||
|
||||
Summary: User space tools for kernel auditing
|
||||
Name: audit
|
||||
Version: 3.1.2
|
||||
Version: 3.1.5
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2+
|
||||
URL: http://people.redhat.com/sgrubb/audit/
|
||||
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
|
||||
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
|
||||
|
||||
BuildRequires: gcc swig make
|
||||
Patch1: 0001-Add-ausysrulevalidate.patch
|
||||
|
||||
BuildRequires: make gcc swig
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: krb5-devel libcap-ng-devel
|
||||
BuildRequires: kernel-headers >= 2.6.29
|
||||
BuildRequires: systemd
|
||||
#BuildRequires: autoconf automake libtool
|
||||
BuildRequires: autoconf automake libtool
|
||||
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Requires(post): systemd coreutils
|
||||
Requires(preun): systemd initscripts
|
||||
Requires(postun): systemd coreutils initscripts
|
||||
Requires(preun): systemd
|
||||
Requires(postun): systemd coreutils
|
||||
Recommends: initscripts-service
|
||||
|
||||
# Placing this here under the assumption that anything using the
|
||||
# python libraries expects the system to have an audit daemon
|
||||
Obsoletes: python2-audit < %{version}-%{release}
|
||||
|
||||
%description
|
||||
The audit package contains the user space utilities for
|
||||
@ -31,7 +37,7 @@ Summary: Dynamic library for libaudit
|
||||
License: LGPLv2+
|
||||
|
||||
%description libs
|
||||
The audit-libs package contains the dynamic libraries needed for
|
||||
The audit-libs package contains the dynamic libraries needed for
|
||||
applications to use the audit framework.
|
||||
|
||||
%package libs-devel
|
||||
@ -48,6 +54,7 @@ developing applications that need to use the audit framework libraries.
|
||||
Summary: Python3 bindings for libaudit
|
||||
License: LGPLv2+
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: make
|
||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||
Provides: audit-libs-python3 = %{version}-%{release}
|
||||
Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
|
||||
@ -84,14 +91,19 @@ Management Facility) database, through an IBM Tivoli Directory Server
|
||||
%prep
|
||||
%setup -q
|
||||
cp %{SOURCE1} .
|
||||
#autoreconf -fv --install
|
||||
%patch -P 1 -p1
|
||||
|
||||
autoreconf -fv --install
|
||||
|
||||
# Remove the ids code, its not ready
|
||||
sed -i 's/ ids / /' audisp/plugins/Makefile.in
|
||||
|
||||
%build
|
||||
%configure --with-python=no \
|
||||
--with-python3=yes \
|
||||
--enable-gssapi-krb5=yes --with-arm --with-aarch64 \
|
||||
--with-libcap-ng=yes --without-golang --enable-zos-remote \
|
||||
--enable-systemd
|
||||
--with-libcap-ng=yes --enable-zos-remote --without-golang \
|
||||
--enable-systemd --enable-experimental --with-io_uring
|
||||
|
||||
make CFLAGS="%{optflags}" %{?_smp_mflags}
|
||||
|
||||
@ -102,14 +114,23 @@ mkdir -p $RPM_BUILD_ROOT/%{_lib}
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
|
||||
mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_datadir}
|
||||
make DESTDIR=$RPM_BUILD_ROOT install
|
||||
|
||||
# Validate sample rules shipped.
|
||||
for r in $RPM_BUILD_ROOT/%{_datadir}/%{name}/sample-rules/*.rules; do
|
||||
PYTHONPATH=$RPM_BUILD_ROOT/%{python3_sitearch} \
|
||||
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} \
|
||||
%{_builddir}/%{name}-%{version}/contrib/ausysrulevalidate \
|
||||
--update --rules-file "${r}"
|
||||
done
|
||||
|
||||
# Remove these items so they don't get picked up.
|
||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
|
||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
|
||||
|
||||
find $RPM_BUILD_ROOT -name '*.la' -delete
|
||||
find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete || true
|
||||
find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete
|
||||
|
||||
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
|
||||
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
|
||||
@ -121,27 +142,39 @@ make check
|
||||
rm -f rules/Makefile*
|
||||
|
||||
%post
|
||||
%systemd_post auditd.service
|
||||
|
||||
# Copy default rules into place on new installation
|
||||
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
|
||||
if [ "$files" -eq 0 ] ; then
|
||||
if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
|
||||
cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
|
||||
else
|
||||
touch /etc/audit/rules.d/audit.rules
|
||||
fi
|
||||
chmod 0600 /etc/audit/rules.d/audit.rules
|
||||
if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
|
||||
cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
|
||||
else
|
||||
touch /etc/audit/rules.d/audit.rules
|
||||
fi
|
||||
chmod 0600 /etc/audit/rules.d/audit.rules
|
||||
fi
|
||||
|
||||
# If upgrading, restart the daemon if it's running
|
||||
if [ $1 -eq 2 ]; then
|
||||
state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
|
||||
|
||||
if [ $state = "active" ] ; then
|
||||
auditctl --signal stop || true
|
||||
systemctl start auditd
|
||||
fi
|
||||
# if installing, start it since preset says we should be running
|
||||
elif [ $1 -eq 1 ]; then
|
||||
systemctl start auditd
|
||||
fi
|
||||
%systemd_post auditd.service
|
||||
|
||||
%preun
|
||||
%systemd_preun auditd.service
|
||||
# if uninstalling stop the daemon
|
||||
if [ $1 -eq 0 ]; then
|
||||
/sbin/service auditd stop > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
%postun
|
||||
if [ $1 -ge 1 ]; then
|
||||
/sbin/service auditd condrestart > /dev/null 2>&1 || :
|
||||
auditctl --signal stop || true
|
||||
# also delete loaded rules if uninstalling
|
||||
auditctl -D || true
|
||||
fi
|
||||
|
||||
%files libs
|
||||
@ -206,7 +239,6 @@ fi
|
||||
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
|
||||
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
|
||||
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
|
||||
%attr(750,root,root) %{_libexecdir}/audit-functions
|
||||
%ghost %{_localstatedir}/run/auditd.state
|
||||
%attr(-,root,-) %dir %{_var}/log/audit
|
||||
%attr(750,root,root) %dir /etc/audit
|
||||
@ -216,21 +248,24 @@ fi
|
||||
%ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
|
||||
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
|
||||
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
|
||||
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
|
||||
|
||||
%files -n audispd-plugins
|
||||
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
|
||||
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
|
||||
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
|
||||
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf
|
||||
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf
|
||||
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
|
||||
%attr(750,root,root) %{_sbindir}/audisp-remote
|
||||
%attr(750,root,root) %{_sbindir}/audisp-syslog
|
||||
%attr(750,root,root) %{_sbindir}/audisp-af_unix
|
||||
%attr(750,root,root) %{_sbindir}/audisp-statsd
|
||||
%attr(700,root,root) %dir %{_var}/spool/audit
|
||||
%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
|
||||
%attr(644,root,root) %{_mandir}/man8/audisp-statsd.8.gz
|
||||
|
||||
%files -n audispd-plugins-zos
|
||||
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
|
||||
@ -240,100 +275,205 @@ fi
|
||||
%attr(750,root,root) %{_sbindir}/audispd-zos-remote
|
||||
|
||||
%changelog
|
||||
* Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
|
||||
- Rebase audit to latest upstream release
|
||||
Resolves: RHEL-15001
|
||||
* Tue Jul 09 2024 Attila Lakatos <alakatos@redhat.com> - 3.1.5-1
|
||||
- New upstream maintenance release, 3.1.4
|
||||
- Prevent scriplets from failing
|
||||
- When upgrading, restart the daemon if it's running
|
||||
- If uninstalling, stop the daemon
|
||||
- auditctl: use pidfd_send_signal for signaling auditd
|
||||
Resolves: RHEL-45865
|
||||
- Minor doc update
|
||||
Resolves: RHEL-5186
|
||||
- augenrules: do not exit with failure if in immutable mode
|
||||
Resolves: RHEL-40110
|
||||
- auditd.service: Disable ProtectControlGroups
|
||||
Resolves: RHEL-5197
|
||||
- auditctl: correct output when displaying rules with exe/path/dir
|
||||
Resolves: RHEL-40243
|
||||
|
||||
* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-5
|
||||
* Wed Nov 08 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-2
|
||||
- Remove %systemd_preun from %preun scriptlet, as it was causing troubles when removing audit
|
||||
Related: RHEL-14896
|
||||
|
||||
* Fri Oct 27 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
|
||||
- New upstream release, 3.1.2
|
||||
Resolves: RHEL-14896
|
||||
|
||||
* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-104
|
||||
- Introduce new fanotify record fields
|
||||
Resolves: rhbz#2216668
|
||||
- invalid use of flexible array member
|
||||
Resolves: rhbz#2116867
|
||||
Resolves: rhbz#2216666
|
||||
|
||||
* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-4
|
||||
* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-103
|
||||
- Drop ProtectHome from auditd.service as it interferes with rules
|
||||
Resolves: rhbz#2071727 - Default systemd service config blocks audit watch rules in some directories
|
||||
Resolves: rhbz#2071725 - Default systemd service config blocks audit watch rules in some directories [rhel-9.1.0]
|
||||
|
||||
* Mon Mar 14 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-3
|
||||
* Sun Mar 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-102
|
||||
- Fix path normalization in auparse
|
||||
Resolves: rhbz#2062612 - auparse missing information when used with --format-text
|
||||
Resolves: rhbz#2062824 - auparse missing information when used with --format-text
|
||||
|
||||
* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-2
|
||||
* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-101
|
||||
- Adjust sample-rules dir permissions
|
||||
Resolves: rhbz#2054727 - /usr/share/audit/sample-rules is no longer readable by non-root users
|
||||
Resolves: rhbz#2054432 - /usr/share/audit/sample-rules is no longer readable by non-root users
|
||||
|
||||
* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-1
|
||||
- New upstream release - 3.0.7
|
||||
Related: rhbz#1939406
|
||||
* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-100
|
||||
- New upstream release, 3.0.7
|
||||
Resolves: rhbz#2019929 - capability=unknown-capability(39) in audit messages
|
||||
|
||||
* Thu Jan 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
|
||||
- Rebase audit package on 8.6
|
||||
Resolves: rhbz#1939406
|
||||
Resolves: rhbz#1906065
|
||||
Resolves: rhbz#1921447
|
||||
Resolves: rhbz#1927884
|
||||
Resolves: rhbz#1921658
|
||||
* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-5
|
||||
- auparse: refact nvlist cleanup code
|
||||
Resolves: rhbz#2008965
|
||||
|
||||
* Wed Jan 08 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.17.20191104git1c2f876
|
||||
resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)
|
||||
* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-4
|
||||
- When interpreting, if val is NULL return an empty string
|
||||
Resolves: rhbz#2004420
|
||||
|
||||
* Thu Nov 28 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
|
||||
resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
|
||||
* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-3
|
||||
- Update dependency to initscripts-service instead of initscripts
|
||||
Resolves: rhbz#2000933
|
||||
|
||||
* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.15.20191104git1c2f876
|
||||
resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates
|
||||
resolves: rhbz#1767054 - move audit rules to shared data directory
|
||||
resolves: rhbz#1746018 - Breakup 30-ospp-v42.rules into more granular files
|
||||
resolves: rhbz#1740798 - auditctl(8) needs clarification for backlog_limit
|
||||
resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
|
||||
* Tue Aug 17 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-2
|
||||
- Fix timestamp parsing
|
||||
Related: rhbz#1938680
|
||||
|
||||
* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
|
||||
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
|
||||
* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
|
||||
- New upstream release, 3.0.5
|
||||
Related: rhbz#1938680
|
||||
|
||||
* Sat Jul 13 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190607gitf58ec40
|
||||
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
|
||||
* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-3
|
||||
- Validates the sample rules we ship
|
||||
Resolves: rhbz#1985630
|
||||
|
||||
* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.11.20190607gitf58ec40
|
||||
resolves: rhbz#1643567 - service auditd stop exits prematurely
|
||||
resolves: rhbz#1693470 - libauparse memory leak
|
||||
resolves: rhbz#1694071 - ausearch doesn't record device/inode details checkpointing a single file
|
||||
resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
|
||||
resolves: rhbz#1705894 - aureport aborts when using a specific input
|
||||
resolves: rhbz#1706045 - RFE: Backport support for new audit record types
|
||||
resolves: rhbz#1715852 - RFE: provide a way to filter on network address family
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.2-2
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Wed Jan 09 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20180831git0047a6c
|
||||
resolves: rhbz#1655270] Message "audit: backlog limit exceeded" reported
|
||||
- Fix annobin failure
|
||||
* Tue Jun 22 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-1
|
||||
- New upstream release, 3.0.2.
|
||||
Fix issues detected by static analyzers
|
||||
Resolves: rhbz#1938680
|
||||
|
||||
* Fri Dec 07 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.8.20180831git0047a6c
|
||||
resolves: rhbz#1639745 - build requires go-toolset-7 which is not available
|
||||
resolves: rhbz#1643567 - service auditd stop exits prematurely
|
||||
resolves: rhbz#1616428 - Update git snapshot of audit package
|
||||
- Remove static libs subpackage
|
||||
* Mon Jun 21 2021 Sergio Correia <scorreia@redhat.com> - 3.0.1-4
|
||||
- Enable default RHEL configuration
|
||||
This enables syscall auditing by default.
|
||||
Resolves: rhbz#1924561
|
||||
|
||||
* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20180831git0047a6c
|
||||
resolves: rhbz#1616428 - Update git snapshot of audit package
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.1-3
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Thu Feb 18 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-2
|
||||
- Add patch fixing segafult in the audisp-statsd plugin
|
||||
|
||||
* Fri Feb 12 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-1
|
||||
- New upstream feature and bugfix release
|
||||
- Enable building the audisp-statsd plugin
|
||||
|
||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Wed Dec 16 2020 Steve Grubb <sgrubb@redhat.com> 3.0-1
|
||||
- New upstream feature and bugfix release
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.21.20191104git1c2f876
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.20.20191104git1c2f876
|
||||
- Rebuilt for Python 3.9
|
||||
|
||||
* Thu Mar 12 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.19.20191104git1c2f876
|
||||
- Add Obsolete python2-audit (#1783061)
|
||||
|
||||
* Wed Jan 29 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.18.20191104git1c2f876
|
||||
- Fix multiple definition of `event_node_list' (#1794446)
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.17.20191104git1c2f876
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Fri Nov 22 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
|
||||
- Drop python2 subpackage (#1775076)
|
||||
|
||||
* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.14.20191104git1c2f876
|
||||
- New upstream git snapshot prerelease
|
||||
|
||||
* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.14.20190507gitf58ec40
|
||||
- Rebuilt for Python 3.8.0rc1 (#1748018)
|
||||
|
||||
* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.13.20190507gitf58ec40
|
||||
- Rebuilt for Python 3.8
|
||||
|
||||
* Wed Jul 31 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190507gitf58ec40
|
||||
- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31
|
||||
|
||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.11.20190507gitf58ec40
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Fri Jul 05 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20190507gitf58ec40
|
||||
- Add initscripts package to the requires (bz #1727058)
|
||||
|
||||
* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.9.20190507gitf58ec40
|
||||
- New upstream git snapshot prerelease which fixes several problems
|
||||
- Fixed 1698130 - removing audit.rpm doesn't stop auditd
|
||||
|
||||
* Tue Mar 26 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.7.20190326git03e7489
|
||||
- New upstream git snapshot prerelease which fixes a memory leak
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.6.20181218gitbdb72c0
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Tue Dec 18 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20181218gitbdb72c0
|
||||
- New upstream git snapshot prerelease
|
||||
- Remove historical ldconfig scriptlet (#1644056)
|
||||
|
||||
* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.4.20180831git0047a6c
|
||||
- New upstream feature prerelease
|
||||
|
||||
* Wed Aug 08 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.2.20180808git77fbcf3
|
||||
resolves: rhbz#1567357 New upstream feature prerelease
|
||||
- New upstream feature prerelease
|
||||
|
||||
* Tue Jul 17 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.1.20180717gitacd53d1
|
||||
- New upstream feature prerelease
|
||||
|
||||
* Tue Jun 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-2
|
||||
- Fix segfault on shutdown
|
||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.4-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Wed Jul 4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2.8.4-3
|
||||
- Remove unused sys V initscripts legacy bits
|
||||
|
||||
* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.4-2
|
||||
- Rebuilt for Python 3.7
|
||||
|
||||
* Tue Jun 19 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-1
|
||||
- New upstream bugfix release
|
||||
|
||||
* Wed May 30 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
|
||||
- New upstream bugfix release
|
||||
- Remove Python2 support
|
||||
* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.3-4
|
||||
- Rebuilt for Python 3.7
|
||||
|
||||
* Fri Apr 13 2018 Tom Stellard <tstellar@redhat.com> - 2.7.8-2
|
||||
- Use go-toolset-7 instead of golang
|
||||
- Package now must be built with: rhpkg --release rhel-8.0-go-toolset
|
||||
* Tue Apr 10 2018 Pete Walter <pwalter@fedoraproject.org> - 2.8.3-3
|
||||
- Rename Python 2 and 3 subpackages to python2-audit and python3-audit as per guidelines
|
||||
|
||||
* Mon Mar 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-2
|
||||
- Fix Obsoletion of audit-libs-python not handled properly (#1559674)
|
||||
|
||||
* Sat Mar 10 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
|
||||
- New upstream bugfix release
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.2-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Mon Feb 05 2018 Steve Grubb <sgrubb@redhat.com> 2.8.2-3
|
||||
- Add a Provides audit-libs-python (#1537864)
|
||||
- Remove tcp_wrappers support?
|
||||
|
||||
* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-2
|
||||
- Rename things from python to python2
|
||||
|
||||
* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-1
|
||||
- New upstream bugfix release
|
||||
|
||||
* Thu Oct 12 2017 Steve Grubb <sgrubb@redhat.com> 2.8.1-1
|
||||
- New upstream bugfix release
|
||||
|
||||
* Tue Oct 10 2017 Steve Grubb <sgrubb@redhat.com> 2.8-1
|
||||
- New upstream feature release
|
||||
|
||||
* Mon Sep 18 2017 Steve Grubb <sgrubb@redhat.com> 2.7.8-1
|
||||
- New upstream bugfix release
|
12
ci_tests.fmf
Normal file
12
ci_tests.fmf
Normal file
@ -0,0 +1,12 @@
|
||||
/e2e_internal:
|
||||
plan:
|
||||
import:
|
||||
url: https://github.com/RedHat-SP-Security/audit-plans.git
|
||||
name: /generic/e2e_ci_internal
|
||||
|
||||
/rpmverify:
|
||||
plan:
|
||||
import:
|
||||
url: https://github.com/RedHat-SP-Security/audit-plans.git
|
||||
name: /generic/rpmverify
|
||||
|
7
gating.yaml
Normal file
7
gating.yaml
Normal file
@ -0,0 +1,7 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-9
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
|
Loading…
Reference in New Issue
Block a user