From 947d92d8c4bf67a8dde5131af935d785e2b73fb9 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 06 2019 11:11:53 +0000
Subject: import audit-2.8.5-4.el7
---
diff --git a/.audit.metadata b/.audit.metadata
index 63590d6..e27b1fc 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-026235ab9e8b19f6c2b1112ce13d180f35cf0ff4 SOURCES/audit-2.8.4.tar.gz
+62fcac8cbd20c796b909b91f8f615f8556b22a24 SOURCES/audit-2.8.5.tar.gz
diff --git a/.gitignore b/.gitignore
index 957e97b..3859a24 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-2.8.4.tar.gz
+SOURCES/audit-2.8.5.tar.gz
diff --git a/SOURCES/audit-2.8.4-close.patch b/SOURCES/audit-2.8.4-close.patch
deleted file mode 100644
index 71271ea..0000000
--- a/SOURCES/audit-2.8.4-close.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff -urp audit-2.8.4.orig/src/auditd-event.c audit-2.8.4/src/auditd-event.c
---- audit-2.8.4.orig/src/auditd-event.c 2018-05-21 13:38:08.000000000 -0400
-+++ audit-2.8.4/src/auditd-event.c 2018-06-26 09:13:40.898668045 -0400
-@@ -119,7 +119,8 @@ void shutdown_events(void)
- pthread_join(flush_thread, NULL);
-
- free((void *)format_buf);
-- fclose(log_file);
-+ if (log_file)
-+ fclose(log_file);
- auparse_destroy_ext(NULL, AUPARSE_DESTROY_ALL);
- }
-
-@@ -156,6 +157,7 @@ int init_event(struct daemon_conf *conf)
- if (format_buf == NULL) {
- audit_msg(LOG_ERR, "No memory for formatting, exiting");
- fclose(log_file);
-+ log_file = NULL;
- return 1;
- }
- init_flush_thread();
-@@ -1003,6 +1005,7 @@ static void rotate_logs(unsigned int num
- "rotating log file (%s)", strerror(errno));
- }
- fclose(log_file);
-+ log_file = NULL;
-
- /* Rotate */
- len = strlen(config->log_file) + 16;
-@@ -1455,6 +1458,7 @@ static void reconfigure(struct auditd_ev
-
- if (need_reopen) {
- fclose(log_file);
-+ log_file = NULL;
- fix_disk_permissions();
- if (open_audit_log()) {
- int saved_errno = errno;
diff --git a/SOURCES/audit-2.8.4-fix-hang.patch b/SOURCES/audit-2.8.4-fix-hang.patch
deleted file mode 100644
index c51dca1..0000000
--- a/SOURCES/audit-2.8.4-fix-hang.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-diff -urp audit-2.8.4.orig/src/auditd.c audit-2.8.4/src/auditd.c
---- audit-2.8.4.orig/src/auditd.c 2018-05-21 13:38:08.000000000 -0400
-+++ audit-2.8.4/src/auditd.c 2018-06-27 08:12:44.027716750 -0400
-@@ -388,7 +388,7 @@ static int become_daemon(void)
- if (do_fork) {
- if (pipe(init_pipe) ||
- fcntl(init_pipe[0], F_SETFD, FD_CLOEXEC) ||
-- fcntl(init_pipe[0], F_SETFD, FD_CLOEXEC))
-+ fcntl(init_pipe[1], F_SETFD, FD_CLOEXEC))
- return -1;
- pid = fork();
- } else
-@@ -432,7 +432,9 @@ static int become_daemon(void)
- break;
- default:
- /* Wait for the child to say its done */
-- rc = read(init_pipe[0], &status, sizeof(status));
-+ do {
-+ rc = read(init_pipe[0], &status,sizeof(status));
-+ } while (rc < 0 && errno == EINTR);
- if (rc < 0)
- return -1;
-
-diff -urp audit-2.8.4.orig/src/auditd-dispatch.c audit-2.8.4/src/auditd-dispatch.c
---- audit-2.8.4.orig/src/auditd-dispatch.c 2018-05-21 13:38:08.000000000 -0400
-+++ audit-2.8.4/src/auditd-dispatch.c 2018-06-27 08:13:27.590712076 -0400
-@@ -47,7 +47,6 @@ int dispatcher_pid(void)
-
- void dispatcher_reaped(void)
- {
-- audit_msg(LOG_INFO, "dispatcher %d reaped", pid);
- pid = 0;
- shutdown_dispatcher();
- }
diff --git a/SOURCES/audit-2.8.6-memleak.patch b/SOURCES/audit-2.8.6-memleak.patch
new file mode 100644
index 0000000..77a3b40
--- /dev/null
+++ b/SOURCES/audit-2.8.6-memleak.patch
@@ -0,0 +1,20 @@
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index 650db02..fe0feb1 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -259,15 +259,6 @@ static event_list_t *au_get_ready_event(auparse_state_t *au, int is_test)
+ if (lowest && lowest->status == EBS_COMPLETE) {
+ lowest->status = EBS_EMPTY;
+ au->au_ready--;
+- // Try to consolidate the array so that we iterate
+- // over a smaller portion next time
+- if (lowest == &lol->array[lol->maxi]) {
+- au_lolnode *ptr = lowest;
+- while (ptr->status == EBS_EMPTY && lol->maxi > 0) {
+- lol->maxi--;
+- ptr = &lol->array[lol->maxi];
+- }
+- }
+ return lowest->l;
+ }
+
diff --git a/SOURCES/audit-3.0-avc.patch b/SOURCES/audit-3.0-avc.patch
new file mode 100644
index 0000000..8af4ceb
--- /dev/null
+++ b/SOURCES/audit-3.0-avc.patch
@@ -0,0 +1,96 @@
+diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
+--- audit-3.0.orig/src/ausearch-parse.c 2019-03-15 15:30:39.000000000 -0400
++++ audit-3.0/src/ausearch-parse.c 2019-04-16 16:08:52.862402589 -0400
+@@ -49,7 +49,7 @@ static int parse_dir(const lnode *n, sea
+ static int common_path_parser(search_items *s, char *path);
+ static int avc_parse_path(const lnode *n, search_items *s);
+ static int parse_path(const lnode *n, search_items *s);
+-static int parse_user(const lnode *n, search_items *s);
++static int parse_user(const lnode *n, search_items *s, anode *avc);
+ static int parse_obj(const lnode *n, search_items *s);
+ static int parse_login(const lnode *n, search_items *s);
+ static int parse_daemon1(const lnode *n, search_items *s);
+@@ -105,7 +105,7 @@ int extract_search_items(llist *l)
+ case AUDIT_FIRST_USER_MSG...AUDIT_USER_END:
+ case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG:
+ case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
+- ret = parse_user(n, s);
++ ret = parse_user(n, s, NULL);
+ break;
+ case AUDIT_SOCKADDR:
+ ret = parse_sockaddr(n, s);
+@@ -830,7 +830,7 @@ static int parse_obj(const lnode *n, sea
+ return 0;
+ }
+
+-static int parse_user(const lnode *n, search_items *s)
++static int parse_user(const lnode *n, search_items *s, anode *avc)
+ {
+ char *ptr, *str, *term, saved, *mptr;
+
+@@ -915,7 +915,10 @@ static int parse_user(const lnode *n, se
+ if (term == NULL)
+ return 12;
+ *term = 0;
+- if (audit_avc_init(s) == 0) {
++ if (avc) {
++ avc->scontext = strdup(str);
++ *term = ' ';
++ } else if (audit_avc_init(s) == 0) {
+ anode an;
+
+ anode_init(&an);
+@@ -926,6 +929,31 @@ static int parse_user(const lnode *n, se
+ return 13;
+ }
+ }
++ // optionally get tcontext
++ if (avc && event_object) {
++ // USER_AVC tcontext
++ str = strstr(term, "tcontext=");
++ if (str != NULL) {
++ str += 9;
++ term = strchr(str, ' ');
++ if (term) {
++ *term = 0;
++ avc->tcontext = strdup(str);
++ *term = ' ';
++ }
++ }
++ // Grab tclass if it exists
++ str = strstr(term, "tclass=");
++ if (str) {
++ str += 7;
++ term = strchr(str, ' ');
++ if (term) {
++ *term = 0;
++ avc->avc_class = strdup(str);
++ *term = ' ';
++ }
++ }
++ }
+ // optionally get gid
+ if (event_gid != -1) {
+ if (n->type == AUDIT_ADD_GROUP || n->type == AUDIT_DEL_GROUP ||
+@@ -1880,7 +1908,7 @@ static int parse_avc(const lnode *n, sea
+ other_avc:
+ // User AVC's are not formatted like a kernel AVC
+ if (n->type == AUDIT_USER_AVC) {
+- rc = parse_user(n, s);
++ rc = parse_user(n, s, &an);
+ if (rc > 20)
+ rc = 0;
+ if (audit_avc_init(s) == 0) {
+diff -urp audit-3.0.orig/src/ausearch-string.c audit-3.0/src/ausearch-string.c
+--- audit-3.0.orig/src/ausearch-string.c 2019-03-15 15:30:39.000000000 -0400
++++ audit-3.0/src/ausearch-string.c 2019-04-16 15:55:39.186487759 -0400
+@@ -118,6 +118,9 @@ int slist_add_if_uniq(slist *l, const ch
+ snode sn;
+ register snode *cur;
+
++ if (str == NULL)
++ return -1;
++
+ cur = l->head;
+ while (cur) {
+ if (strcmp(str, cur->str) == 0) {
diff --git a/SOURCES/audit-3.0-cond-restart.patch b/SOURCES/audit-3.0-cond-restart.patch
new file mode 100644
index 0000000..3ea2087
--- /dev/null
+++ b/SOURCES/audit-3.0-cond-restart.patch
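Review bot: In audit-3.0-avc.patch, the block added to parse_user by the ausearch-parse.c hunk at `@@ -926,6 +929,31 @@` can pass a NULL `term` to strstr(). When `tcontext=` is found but no space follows its value, `term = strchr(str, ' ')` leaves `term` NULL, and the next statement, `str = strstr(term, "tclass=");`, dereferences it, so a USER_AVC record that ends with its tcontext field would crash the parser instead of being skipped. Guarding the lookup, `str = term ? strstr(term, "tclass=") : NULL;`, keeps the tclass step optional as its comment says. The three `strdup()` results (`scontext`, `tcontext`, `avc_class`) are stored unchecked as well; the NULL test this patch adds to slist_add_if_uniq() may be what covers that, but the consumers are not visible here. parse_user's body starts and ends outside the hunk.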
@@ -0,0 +1,27 @@
+From 6f699797f43329e16fc89db97e1b95b0cc851860 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Tue, 9 Apr 2019 19:45:27 +0200
+Subject: [PATCH] Make conditional restart conditional again
+
+---
+ init.d/auditd.condrestart | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/init.d/auditd.condrestart b/init.d/auditd.condrestart
+index efbaaa8..d86e5e4 100644
+--- a/init.d/auditd.condrestart
++++ b/init.d/auditd.condrestart
+@@ -2,6 +2,10 @@
+ # Helper script to provide legacy auditd service options not
+ # directly supported by systemd.
+
+-/usr/libexec/initscripts/legacy-actions/auditd/restart
+-RETVAL="$?"
+-exit $RETVAL
++state=`service auditd status | awk '/^ Active/ { print $2 }'`
++if [ $state = "active" ] ; then
++ /usr/libexec/initscripts/legacy-actions/auditd/restart
++ RETVAL="$?"
++ exit $RETVAL
++fi
++exit 0
diff --git a/SOURCES/audit-3.0-state-sleep.patch b/SOURCES/audit-3.0-state-sleep.patch
deleted file mode 100644
index b920b62..0000000
--- a/SOURCES/audit-3.0-state-sleep.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/init.d/auditd.state b/init.d/auditd.state
-index ce777da..9a6b622 100644
---- a/init.d/auditd.state
-+++ b/init.d/auditd.state
-@@ -14,6 +14,7 @@ printf "Getting auditd internal state: "
- killproc $prog -CONT
- RETVAL=$?
- echo -e "\n"
-+sleep 1
- if [ $? -eq 0 ] ; then
- if [ -e $state_file ] ; then
- cat $state_file
diff --git a/SOURCES/audit-3.0-sw-update.patch b/SOURCES/audit-3.0-sw-update.patch
deleted file mode 100644
index 6ee64a5..0000000
--- a/SOURCES/audit-3.0-sw-update.patch
+++ /dev/null
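Review bot: `$state` is unquoted in the new test of auditd.condrestart, `if [ $state = "active" ] ; then`, so whenever the awk filter prints nothing (status output laid out differently, or the service command failing) the test collapses to `[ = "active" ]` and emits a syntax error rather than comparing cleanly. Quoting it, `if [ "$state" = "active" ] ; then`, keeps the helper quiet and still falls through to `exit 0`. The decision also rests on the human-readable layout of `service auditd status`; if the legacy wrapper is not required at this point, `systemctl is-active --quiet auditd` answers the same question without parsing text.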
@@ -1,126 +0,0 @@
-diff -urNp audit-3.0.orig/auparse/normalize.c audit-3.0/auparse/normalize.c
---- audit-3.0.orig/auparse/normalize.c 2018-05-21 13:38:08.000000000 -0400
-+++ audit-3.0/auparse/normalize.c 2018-07-01 10:22:28.772089011 -0400
-@@ -910,6 +910,7 @@ static const char *normalize_determine_e
- case AUDIT_NETFILTER_CFG:
- case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE:
- case AUDIT_USER_DEVICE:
-+ case AUDIT_SOFTWARE_UPDATE:
- kind = NORM_EVTYPE_CONFIG;
- break;
- case AUDIT_SECCOMP:
-@@ -1187,6 +1188,11 @@ static value_t find_simple_object(aupars
- f = auparse_find_field(au, "device");
- D.thing.what = NORM_WHAT_KEYSTROKES;
- break;
-+ case AUDIT_SOFTWARE_UPDATE:
-+ auparse_first_record(au);
-+ f = auparse_find_field(au, "sw");
-+ D.thing.what = NORM_WHAT_SOFTWARE;
-+ break;
- case AUDIT_VIRT_MACHINE_ID:
- f = auparse_find_field(au, "vm");
- D.thing.what = NORM_WHAT_VM;
-@@ -1286,6 +1292,9 @@ static value_t find_simple_obj_secondary
- case AUDIT_CRYPTO_SESSION:
- f = auparse_find_field(au, "rport");
- break;
-+ case AUDIT_SOFTWARE_UPDATE:
-+ f = auparse_find_field(au, "sw_type");
-+ break;
- default:
- break;
- }
-@@ -1311,6 +1320,9 @@ static value_t find_simple_obj_primary2(
- case AUDIT_VIRT_RESOURCE:
- f = auparse_find_field(au, "vm");
- break;
-+ case AUDIT_SOFTWARE_UPDATE:
-+ f = auparse_find_field(au, "root_dir");
-+ break;
- default:
- break;
- }
-@@ -1628,6 +1640,10 @@ map:
- if (D.opt == NORM_OPT_ALL) {
- if (type == AUDIT_USER_DEVICE) {
- add_obj_attr(au, "uuid", 0);
-+ } else if (type == AUDIT_SOFTWARE_UPDATE) {
-+ auparse_first_record(au);
-+ add_obj_attr(au, "key_enforce", 0);
-+ add_obj_attr(au, "gpg_res", 0);
- }
- }
-
-diff -urNp audit-3.0.orig/auparse/normalize-internal.h audit-3.0/auparse/normalize-internal.h
---- audit-3.0.orig/auparse/normalize-internal.h 2018-05-21 13:38:08.000000000 -0400
-+++ audit-3.0/auparse/normalize-internal.h 2018-07-01 10:24:07.029078467 -0400
-@@ -1,6 +1,6 @@
- /*
- * normalize-internal.h
-- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
-+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
-@@ -96,6 +96,7 @@
- #define NORM_WHAT_MEMORY 20
- #define NORM_WHAT_KEYSTROKES 21
- #define NORM_WHAT_DEVICE 22
-+#define NORM_WHAT_SOFTWARE 23
-
- // This enum is used to map events to what kind they are
- #define NORM_EVTYPE_UNKNOWN 0
-diff -urNp audit-3.0.orig/auparse/normalize_obj_kind_map.h audit-3.0/auparse/normalize_obj_kind_map.h
---- audit-3.0.orig/auparse/normalize_obj_kind_map.h 2018-05-21 13:38:08.000000000 -0400
-+++ audit-3.0/auparse/normalize_obj_kind_map.h 2018-07-01 10:22:28.806089007 -0400
-@@ -1,6 +1,6 @@
- /*
- * normalize_obj_kind_map.h
-- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
-+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
-@@ -45,4 +45,5 @@ _S(NORM_WHAT_MAC_CONFIG, "mac-config")
- _S(NORM_WHAT_MEMORY, "memory")
- _S(NORM_WHAT_KEYSTROKES, "keystrokes")
- _S(NORM_WHAT_DEVICE, "device")
-+_S(NORM_WHAT_SOFTWARE, "software")
- //_S(, "")
-diff -urNp audit-3.0.orig/auparse/normalize_record_map.h audit-3.0/auparse/normalize_record_map.h
---- audit-3.0.orig/auparse/normalize_record_map.h 2018-05-21 13:38:08.000000000 -0400
-+++ audit-3.0/auparse/normalize_record_map.h 2018-07-01 10:22:28.806089007 -0400
-@@ -1,6 +1,6 @@
- /*
- * normalize_record_map.h
-- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
-+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- * - * This library is free software; you can redistribute it and/or -@@ -63,6 +63,7 @@ _S(AUDIT_MAC_CHECK, "mac-permission") - _S(AUDIT_ACCT_LOCK, "locked-account") - _S(AUDIT_ACCT_UNLOCK, "unlocked-account") - _S(AUDIT_USER_DEVICE, "configured-device") -+_S(AUDIT_SOFTWARE_UPDATE, "installed-software") - _S(AUDIT_DAEMON_START, "started-audit") - _S(AUDIT_DAEMON_END, "shutdown-audit") - _S(AUDIT_DAEMON_ABORT, "aborted-auditd-startup") -diff -urNp audit-3.0.orig/auparse/typetab.h audit-3.0/auparse/typetab.h ---- audit-3.0.orig/auparse/typetab.h 2018-05-21 13:38:08.000000000 -0400 -+++ audit-3.0/auparse/typetab.h 2018-07-01 10:22:28.807089007 -0400 -@@ -1,5 +1,5 @@ - /* typetab.h -- -- * Copyright 2007-09,2011-12,2014-17 Red Hat Inc., Durham, North Carolina. -+ * Copyright 2007-09,2011-12,2014-18 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This library is free software; you can redistribute it and/or -@@ -140,4 +140,5 @@ _S(AUPARSE_TYPE_MACPROTO, "macproto" ) - _S(AUPARSE_TYPE_ESCAPED, "invalid_context") - _S(AUPARSE_TYPE_IOCTL_REQ, "ioctlcmd" ) - _S(AUPARSE_TYPE_FANOTIFY, "resp" ) -- -+_S(AUPARSE_TYPE_ESCAPED, "sw" ) -+_S(AUPARSE_TYPE_ESCAPED, "root_dir" ) diff --git a/SPECS/audit.spec b/SPECS/audit.spec index 9e766b0..f14b8ec 100644 --- a/SPECS/audit.spec +++ b/SPECS/audit.spec @@ -2,7 +2,7 @@ Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 2.8.4 +Version: 2.8.5 Release: 4%{?dist} License: GPLv2+ Group: System Environment/Daemons 
@@ -12,14 +12,9 @@ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Patch1: audit-2.7.1-rhel7-fixup.patch # DO NOT REMOVE - backlog_wait_time is not in RHEL 7 kernel Patch2: audit-2.7.5-no-backlog-wait-time.patch -# Fix a segfault on shutdown -Patch3: audit-2.8.4-close.patch -# Fix a hang on boot (#1587995) -Patch4: audit-2.8.4-fix-hang.patch -# Add a sleep so that the report can run before displying it -Patch5: audit-3.0-state-sleep.patch -# Add support for ausearch --format text for SOFTWARE_UPDATE events -Patch6: audit-3.0-sw-update.patch +Patch3: audit-2.8.6-memleak.patch +Patch4: audit-3.0-avc.patch +Patch5: audit-3.0-cond-restart.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openldap-devel BuildRequires: swig @@ -98,7 +93,6 @@ like relay events to remote machines. %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch6 -p1 %build %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes \ @@ -171,6 +165,9 @@ fi %preun %systemd_preun auditd.service +if [ $1 -eq 0 ]; then + /sbin/service auditd stop > /dev/null 2>&1 +fi %postun libs -p /sbin/ldconfig 
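Review bot: `Patch3`, `Patch4` and `Patch5` are added without the one-line comment that each of the removed patch entries carried, so the spec no longer records why these downstream patches exist. Going by the changelog added in the same commit, `# Fix memory leak reported upstream (#1651761)` above Patch3 would fit; `# Only restart auditd on update when it is already running (#1696709)` above Patch5 and a reference to #1705376 above Patch4 look right too, but those two mappings are inferred from the changelog order and should be confirmed before they are written down.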
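Review bot: The stop added to `%preun` is the last command of the scriptlet, so its exit status becomes the scriptlet's status. If `/sbin/service auditd stop` fails (daemon already stopped, or the service helper unavailable in a chroot or image build), the `if` block returns non-zero and the erase can be reported as a failed scriptlet. The usual packaging guard is `/sbin/service auditd stop > /dev/null 2>&1 || :`. Because this ends audit collection on the host, a short comment stating that the stop is intended only on final removal (`$1 -eq 0`), not on upgrade, would help the next maintainer.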
@@ -277,6 +274,27 @@ fi %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %changelog +* Mon May 06 2019 Steve Grubb 2.8.5-4 +resolves: #1696709 - updating auditd is enabling disabled service + +* Sun May 05 2019 Steve Grubb 2.8.5-3 +resolves: #1705376 - aureport aborts when using a specific input + +* Wed Mar 27 2019 Steve Grubb 2.8.5-2 +resolves: #1651761 - Fix memory leak reported upstream + +* Tue Mar 05 2019 Steve Grubb 2.8.5-1 +resolves: #1651761 - Rebase audit package to 2.8.5 to pick up bug fixes +resolves: #1462178 - audit rule arch changed from b32 to b64 on ppc64le +resolves: #1614833 - audispd loops reloading config +resolves: #1622194 - audisp-remote memory leak when using krb5 +resolves: #1625156 - audisp-remote wont connect if remote ending action not reconnect +resolves: #1628626 - aureport -a --failed does not display user_avc events +resolves: #1648005 - tcp listener socket fails when ipv6.disable=1 boot command +resolves: #1650670 - space left in auditd.conf expressed as a percentage +resolves: #1663285 - ausearch device/inode missing when using a single file +resolves: #1672287 - max_log_file_action "keep_logs" doesn't behave as described + * Tue Jul 17 2018 Steve Grubb 2.8.4-4 resolves: #1559032 - Rebase audit package to 2.8.4 to pick up bug fixes