Restore audit logs in bash-4.3 or newer versions

This patch now uses audit function provided by upstream.

Resolves: RHEL-22619
This commit is contained in:
Siteshwar Vashisht 2024-01-24 14:49:20 +01:00
parent 7c25b00c2a
commit c683466ca9
3 changed files with 21 additions and 99 deletions

View File

@ -1,96 +0,0 @@
diff -up bash-4.2/config.h.in.audit bash-4.2/config.h.in
--- bash-4.2/config.h.in.audit 2013-01-31 16:26:16.857698992 +0100
+++ bash-4.2/config.h.in 2013-01-31 16:26:16.876699255 +0100
@@ -1131,6 +1131,14 @@
/* End additions for lib/intl */
+
+/* Additions for lib/readline */
+
+/* Define if you have <linux/audit.h> and it defines AUDIT_USER_TTY */
+#undef HAVE_DECL_AUDIT_USER_TTY
+
+/* End additions for lib/readline */
+
#include "config-bot.h"
#endif /* _CONFIG_H_ */
diff -up bash-4.2/configure.in.audit bash-4.2/configure.in
--- bash-4.2/configure.in.audit 2013-01-31 16:26:16.858699005 +0100
+++ bash-4.2/configure.ac 2013-01-31 16:26:16.877699269 +0100
@@ -888,6 +888,8 @@ BASH_FUNC_DUP2_CLOEXEC_CHECK
BASH_SYS_PGRP_SYNC
BASH_SYS_SIGNAL_VINTAGE
+AC_CHECK_DECLS([AUDIT_USER_TTY],,, [[#include <linux/audit.h>]])
+
dnl checking for the presence of certain library symbols
BASH_SYS_ERRLIST
BASH_SYS_SIGLIST
diff -up bash-4.2/lib/readline/readline.c.audit bash-4.2/lib/readline/readline.c
--- bash-4.2/lib/readline/readline.c.audit 2013-01-31 16:26:16.871699185 +0100
+++ bash-4.2/lib/readline/readline.c 2013-01-31 17:24:23.902744860 +0100
@@ -55,6 +55,12 @@
extern int errno;
#endif /* !errno */
+#if defined (HAVE_DECL_AUDIT_USER_TTY)
+# include <sys/socket.h>
+# include <linux/audit.h>
+# include <linux/netlink.h>
+#endif
+
/* System-specific feature definitions and include files. */
#include "rldefs.h"
#include "rlmbutil.h"
@@ -301,7 +307,48 @@ rl_set_prompt (prompt)
rl_visible_prompt_length = rl_expand_prompt (rl_prompt);
return 0;
}
-
+
+#if defined (HAVE_DECL_AUDIT_USER_TTY)
+/* Report STRING to the audit system. */
+static void
+audit_tty (char *string)
+{
+ struct sockaddr_nl addr;
+ struct msghdr msg;
+ struct nlmsghdr nlm;
+ struct iovec iov[2];
+ size_t size;
+ int fd;
+
+ size = strlen (string) + 1;
+ fd = socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+ if (fd < 0)
+ return;
+ nlm.nlmsg_len = NLMSG_LENGTH (size);
+ nlm.nlmsg_type = AUDIT_USER_TTY;
+ nlm.nlmsg_flags = NLM_F_REQUEST;
+ nlm.nlmsg_seq = 0;
+ nlm.nlmsg_pid = 0;
+ iov[0].iov_base = &nlm;
+ iov[0].iov_len = sizeof (nlm);
+ iov[1].iov_base = string;
+ iov[1].iov_len = size;
+ addr.nl_family = AF_NETLINK;
+ addr.nl_pad = 0;
+ addr.nl_pid = 0;
+ addr.nl_groups = 0;
+ msg.msg_name = &addr;
+ msg.msg_namelen = sizeof (addr);
+ msg.msg_iov = iov;
+ msg.msg_iovlen = 2;
+ msg.msg_control = NULL;
+ msg.msg_controllen = 0;
+ msg.msg_flags = 0;
+ (void)sendmsg (fd, &msg, 0);
+ close (fd);
+}
+#endif
+
/* Read a line of input. Prompt with PROMPT. An empty PROMPT means
none. A return value of NULL means that EOF was encountered. */
char *

12
bash-4.3-audit.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git a/lib/readline/rlconf.h b/lib/readline/rlconf.h
--- a/lib/readline/rlconf.h
+++ b/lib/readline/rlconf.h
@@ -64,7 +64,7 @@
/* Define this if you want to enable code that talks to the Linux kernel
tty auditing system. */
-/* #define ENABLE_TTY_AUDIT_SUPPORT */
+#define ENABLE_TTY_AUDIT_SUPPORT
/* Defaults for the various editing mode indicators, inserted at the beginning
of the last (maybe only) line of the prompt if show-mode-in-prompt is on */

View File

@ -6,7 +6,7 @@
Version: %{baseversion}%{patchleveltag} Version: %{baseversion}%{patchleveltag}
Name: bash Name: bash
Summary: The GNU Bourne Again shell Summary: The GNU Bourne Again shell
Release: 6%{?dist} Release: 7%{?dist}
License: GPLv3+ License: GPLv3+
Url: https://www.gnu.org/software/bash Url: https://www.gnu.org/software/bash
Source0: https://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz Source0: https://ftp.gnu.org/gnu/bash/bash-%{baseversion}.tar.gz
@ -33,8 +33,6 @@ Patch103: bash-2.05a-interpreter.patch
Patch104: bash-2.05b-debuginfo.patch Patch104: bash-2.05b-debuginfo.patch
# Pid passed to setpgrp() can not be pid of a zombie process. # Pid passed to setpgrp() can not be pid of a zombie process.
Patch105: bash-2.05b-pgrp_sync.patch Patch105: bash-2.05b-pgrp_sync.patch
# Enable audit logs
Patch106: bash-3.2-audit.patch
# Source bashrc file when bash is run under ssh. # Source bashrc file when bash is run under ssh.
Patch107: bash-3.2-ssh_source_bash.patch Patch107: bash-3.2-ssh_source_bash.patch
# Use makeinfo to generate .texi file # Use makeinfo to generate .texi file
@ -93,6 +91,9 @@ Patch129: bash-5.1-mbrtowc.patch
# 2141576 - CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform # 2141576 - CVE-2022-3715 bash: a heap-buffer-overflow in valid_parameter_transform
Patch130: bash-5.2-check-xform.patch Patch130: bash-5.2-check-xform.patch
# Enable audit logs
Patch131: bash-4.3-audit.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: texinfo bison BuildRequires: texinfo bison
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
@ -100,6 +101,7 @@ BuildRequires: autoconf, gettext
# Required for bash tests # Required for bash tests
BuildRequires: glibc-all-langpacks BuildRequires: glibc-all-langpacks
BuildRequires: make BuildRequires: make
BuildRequires: audit-libs-devel
Requires: filesystem >= 3 Requires: filesystem >= 3
Provides: /bin/sh Provides: /bin/sh
Provides: /bin/bash Provides: /bin/bash
@ -324,6 +326,10 @@ end
%{_libdir}/pkgconfig/%{name}.pc %{_libdir}/pkgconfig/%{name}.pc
%changelog %changelog
* Wed Jan 24 2024 Siteshwar Vashisht <svashisht@redhat.com> - 5.1.8-7
- Restore audit logs in bash-4.3 or newer versions
Resolves: RHEL-22619
* Tue Nov 22 2022 Siteshwar Vashisht <svashisht@redhat.com> - 5.1.8-6 * Tue Nov 22 2022 Siteshwar Vashisht <svashisht@redhat.com> - 5.1.8-6
- Add a null check in parameter_brace_transform() function - Add a null check in parameter_brace_transform() function
Resolves: CVE-2022-3715 Resolves: CVE-2022-3715