diff --git a/.audit.metadata b/.audit.metadata
index a46f962..ab146fb 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-6968c30d9bb05d3f44413d1cd944ca8cbf3cf8c4 SOURCES/audit-3.0-alpha5.tar.gz
+5205dd634a26512d69d75ca27171c70b70f102f0 SOURCES/audit-3.0-alpha8.tar.gz
diff --git a/.gitignore b/.gitignore
index 93992bf..fa16155 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-3.0-alpha5.tar.gz
+SOURCES/audit-3.0-alpha8.tar.gz
diff --git a/SOURCES/30-ospp-v42.rules b/SOURCES/30-ospp-v42.rules
new file mode 100644
index 0000000..29fd3ce
--- /dev/null
+++ b/SOURCES/30-ospp-v42.rules
@@ -0,0 +1,140 @@
+## The purpose of these rules is to meet the requirements for Operating
+## System Protection Profile (OSPP)v4.2. These rules depends on having
+## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
+
+## Successful/Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+
+## Successful/Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+
+## Successful/Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+# These next two are likely to result in a whole lot of events
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+
+## Successful/Unsuccessful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+
+## Successful/Unsuccessful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+
+## Successful/Unsuccessful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+
+## User add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch passwd and
+## shadow for writes
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
+## User enable and disable. This is entirely handled by pam.
+
+## Group add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch group and
+## gshadow for writes
+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+
+
+## Use of special rights for config changes. This would be use of setuid
+## programs that relate to user accts. This is not all setuid apps because
+## requirements are only for ones that affect system configuration.
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+
+## Privilege escalation via su or sudo. This is entirely handled by pam.
+
+## Audit log access
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+## Attempts to Alter Process and Session Initiation Information
+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+
+## Attempts to modify MAC controls
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+
+## Software updates. This is entirely handled by rpm.
+
+## System start and shutdown. This is entirely handled by systemd
+
+## Kernel Module loading. This is handled in 43-module-load.rules
+
+## Application invocation. The requirements list an optional requirement
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+## state results from that policy. This would be handled entirely by
+## that daemon.
+
diff --git a/SOURCES/audit-3.0-af_unix-plugin.patch b/SOURCES/audit-3.0-af_unix-plugin.patch
deleted file mode 100644
index d0e0ce1..0000000
--- a/SOURCES/audit-3.0-af_unix-plugin.patch
+++ /dev/null
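Review bot: In SOURCES/30-ospp-v42.rules the six file-delete rules list `-S unlink,unlinkat,rename,renameat` but not `renameat2`, so a rename issued through that syscall is not recorded under `unsuccessful-delete` or `successful-delete`; I would extend the list to `-S unlink,unlinkat,rename,renameat,renameat2` on all six lines. The four `perm=wa` watches under the "Group add delete modify" comment also cover /etc/passwd and /etc/shadow with `key=user-modify`, which overlaps the user section's syscall rules for those paths, and that comment still says "create or modify a user"; either move the two user watches up to the user section or reword the comment to say `create or modify a group`. The ownership-change rules reuse `key=unsuccessful-perm-change` and `key=successful-perm-change`, so `ausearch -k` cannot separate chown events from chmod/xattr events; a distinct key such as `unsuccessful-owner-change` / `successful-owner-change` would keep the two categories apart in reports.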
@@ -1,244 +0,0 @@ -diff -urp audit-3.0.orig/audisp/audispd-builtins.c audit-3.0/audisp/audispd-builtins.c ---- audit-3.0.orig/audisp/audispd-builtins.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/audisp/audispd-builtins.c 2018-12-06 20:01:06.922443361 -0500 -@@ -35,12 +35,17 @@ - #include // writev - #include - #include -+#include "ev.h" - #include "audispd-pconfig.h" - #include "audispd-builtins.h" - -+// Global data -+extern struct ev_loop *loop; -+ - // Local data - static volatile int sock = -1, conn = -1; - static char *path = NULL; -+static struct ev_io af_unix_watcher; - - // Local prototypes - static void init_af_unix(const plugin_conf_t *conf); -@@ -63,21 +68,37 @@ void stop_builtin(plugin_conf_t *conf) - syslog(LOG_ERR, "Unknown builtin %s", conf->path); - } - --static void af_unix_accept(int fd) -+static int watching = 0; -+static void stop_watching(void) -+{ -+ if (watching) { -+ ev_io_stop(loop, &af_unix_watcher); -+ watching = 0; -+ } -+} -+ -+static void af_unix_accept(struct ev_loop *l, struct ev_io *_io, int revents) - { - int cmd; - - do { -- conn = accept(fd, NULL, NULL); -+ conn = accept(_io->fd, NULL, NULL); - } while (conn < 0 && errno == EINTR); - - // De-register since this is intended to be one listener - if (conn >= 0) -- remove_event(fd); -+ stop_watching(); - cmd = fcntl(conn, F_GETFD); - fcntl(conn, F_SETFD, cmd|FD_CLOEXEC); - } - -+static void start_watching(void) -+{ -+ ev_io_init(&af_unix_watcher, af_unix_accept, sock, EV_READ); -+ ev_io_start(loop, &af_unix_watcher); -+ watching = 1; -+} -+ - static int create_af_unix_socket(const char *path, int mode) - { - struct sockaddr_un addr; -@@ -122,8 +143,8 @@ static int create_af_unix_socket(const c - // Make socket listening...won't block - (void)listen(sock, 5); - -- // Register socket with poll -- add_event(sock, af_unix_accept); -+ // Register socket with libev -+ start_watching(); - return 0; - } - -@@ -213,7 +234,8 @@ void send_af_unix_string(const char *s, - if (rc < 0 && 
errno == EPIPE) { - close(conn); - conn = -1; -- add_event(sock, af_unix_accept); -+ stop_watching(); -+ start_watching(); - } - } - } -@@ -237,7 +259,8 @@ void send_af_unix_binary(event_t *e) - if (rc < 0 && errno == EPIPE) { - close(conn); - conn = -1; -- add_event(sock, af_unix_accept); -+ stop_watching(); -+ start_watching(); - } - } - } -@@ -250,10 +273,13 @@ void destroy_af_unix(void) - conn = -1; - did_something = 1; - } -+ stop_watching(); - if (sock >= 0) { -+ - close(sock); - sock = -1; - did_something = 1; -+ - } - if (path) { - unlink(path); -diff -urp audit-3.0.orig/audisp/audispd-builtins.h audit-3.0/audisp/audispd-builtins.h ---- audit-3.0.orig/audisp/audispd-builtins.h 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/audisp/audispd-builtins.h 2018-12-06 20:01:06.922443361 -0500 -@@ -33,10 +33,5 @@ void send_af_unix_string(const char *s, - void send_af_unix_binary(event_t *e); - void destroy_af_unix(void); - --typedef void (*poll_callback_ptr)(int fd); --int add_event(int fd, poll_callback_ptr cb); --int remove_event(int fd); -- -- - #endif - -diff -urp audit-3.0.orig/audisp/audispd.c audit-3.0/audisp/audispd.c ---- audit-3.0.orig/audisp/audispd.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/audisp/audispd.c 2018-12-06 20:01:06.922443361 -0500 -@@ -31,7 +31,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -578,43 +577,6 @@ static int event_loop(void) - return 1; - } - --static struct pollfd pfd[4]; --static poll_callback_ptr pfd_cb[4]; --static volatile int pfd_cnt=0; --int add_event(int fd, poll_callback_ptr cb) --{ -- if (pfd_cnt > 3) -- return -1; -- -- pfd[pfd_cnt].fd = fd; -- pfd[pfd_cnt].events = POLLIN; -- pfd[pfd_cnt].revents = 0; -- pfd_cb[pfd_cnt] = cb; -- pfd_cnt++; -- return 0; --} -- --int remove_event(int fd) --{ -- int start, i; -- if (pfd_cnt == 0) -- return -1; -- -- for (start=0; start < pfd_cnt; start++) { -- if (pfd[start].fd == fd) -- break; -- } -- for (i=start; i<(pfd_cnt-1); i++) { 
-- pfd[i].events = pfd[i+1].events; -- pfd[i].revents = pfd[i+1].revents; -- pfd[i].fd = pfd[i+1].fd; -- pfd_cb[i] = pfd_cb[i+1]; -- } -- -- pfd_cnt--; -- return 0; --} -- - /* returns > 0 if plugins and 0 if none */ - int libdisp_active(void) - { -diff -urp audit-3.0.orig/audisp/Makefile.am audit-3.0/audisp/Makefile.am ---- audit-3.0.orig/audisp/Makefile.am 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/audisp/Makefile.am 2018-12-06 20:01:06.922443361 -0500 -@@ -22,7 +22,7 @@ - - SUBDIRS = plugins - CONFIG_CLEAN_FILES = *.rej *.orig --AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src -+AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src -I${top_srcdir}/src/libev - LIBS = -L${top_builddir}/lib -laudit - LDADD = -lpthread - -@@ -30,5 +30,6 @@ noinst_HEADERS = audispd-pconfig.h audis - queue.h audispd-builtins.h libdisp.h - libdisp_a_SOURCES = audispd.c audispd-pconfig.c queue.c \ - audispd-llist.c audispd-builtins.c -+libdisp_a_CFLAGS = -fno-strict-aliasing - noinst_LIBRARIES = libdisp.a - -diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c ---- audit-3.0.orig/src/auditd.c 2018-12-06 19:41:21.076570614 -0500 -+++ audit-3.0/src/auditd.c 2018-12-06 20:01:06.923443360 -0500 -@@ -580,6 +580,7 @@ static void close_pipes(void) - close(pipefds[1]); - } - -+struct ev_loop *loop; - int main(int argc, char *argv[]) - { - struct sigaction sa; -@@ -597,7 +598,6 @@ int main(int argc, char *argv[]) - enum startup_state opt_startup = startup_enable; - extern char *optarg; - extern int optind; -- struct ev_loop *loop; - struct ev_io netlink_watcher; - struct ev_io pipe_watcher; - struct ev_signal sigterm_watcher; -@@ -748,14 +748,6 @@ int main(int argc, char *argv[]) - return 1; - } - -- if (init_dispatcher(&config)) { -- if (pidfile) -- unlink(pidfile); -- tell_parent(FAILURE); -- free_config(&config); -- return 1; -- } -- - /* Get machine name ready for use */ - if 
(resolve_node(&config)) { - if (pidfile) -@@ -891,6 +883,14 @@ int main(int argc, char *argv[]) - /* Depending on value of opt_startup (-s) set initial audit state */ - loop = ev_default_loop (EVFLAG_NOENV); - -+ if (init_dispatcher(&config)) { -+ if (pidfile) -+ unlink(pidfile); -+ tell_parent(FAILURE); -+ free_config(&config); -+ return 1; -+ } -+ - if (!opt_aggregate_only) { - ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ); - ev_io_start (loop, &netlink_watcher); diff --git a/SOURCES/audit-3.0-auditd-stop.patch b/SOURCES/audit-3.0-auditd-stop.patch deleted file mode 100644 index bf28e7b..0000000 --- a/SOURCES/audit-3.0-auditd-stop.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur audit-3.0.orig/init.d/auditd.stop audit-3.0/init.d/auditd.stop ---- audit-3.0.orig/init.d/auditd.stop 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/init.d/auditd.stop 2018-12-08 17:15:59.916950477 -0500 -@@ -10,7 +10,7 @@ - . /etc/init.d/functions - - printf "Stopping logging: " --killproc $prog -TERM -+killproc -d 1 $prog -TERM - RETVAL=$? - echo - exit $RETVAL diff --git a/SOURCES/audit-3.0-ausearch-buffer-fix.patch b/SOURCES/audit-3.0-ausearch-buffer-fix.patch deleted file mode 100644 index b3cd57a..0000000 --- a/SOURCES/audit-3.0-ausearch-buffer-fix.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -diff -urp audit-3.0.orig/src/ausearch-lol.c audit-3.0/src/ausearch-lol.c ---- audit-3.0.orig/src/ausearch-lol.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/src/ausearch-lol.c 2018-12-06 19:38:21.208589916 -0500 -@@ -277,7 +277,7 @@ int lol_add_record(lol *lo, char *buff) - if (n.tlen > MAX_AUDIT_MESSAGE_LENGTH) - n.tlen = MAX_AUDIT_MESSAGE_LENGTH; - } else -- n.tlen = MAX_AUDIT_MESSAGE_LENGTH; -+ n.tlen = n.mlen; - fmt = LF_ENRICHED; - } else { - ptr = strrchr(n.message, 0x0a); -@@ -287,7 +287,7 @@ int lol_add_record(lol *lo, char *buff) - if (n.mlen > MAX_AUDIT_MESSAGE_LENGTH) - n.mlen = MAX_AUDIT_MESSAGE_LENGTH; - } else -- n.mlen = MAX_AUDIT_MESSAGE_LENGTH; -+ n.mlen = strlen(n.message); - n.interp = NULL; - n.tlen = n.mlen; - fmt = LF_RAW; diff --git a/SOURCES/audit-3.0-cap_audit_read.patch b/SOURCES/audit-3.0-cap_audit_read.patch deleted file mode 100644 index 50565f8..0000000 --- a/SOURCES/audit-3.0-cap_audit_read.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c ---- audit-3.0.orig/src/auditd.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/src/auditd.c 2018-12-06 19:41:21.076570614 -0500 -@@ -665,7 +665,7 @@ int main(int argc, char *argv[]) - #ifndef DEBUG - /* Make sure we can do our job. Containers may not give you - * capabilities, so we revert to a uid check for that case. */ -- if (!audit_can_control() || !audit_can_read()) { -+ if (!audit_can_control()) { - if (!config.local_events && geteuid() == 0) - ; - else { diff --git a/SOURCES/audit-3.0-chkconfig.patch b/SOURCES/audit-3.0-chkconfig.patch new file mode 100644 index 0000000..edfd58a --- /dev/null +++ b/SOURCES/audit-3.0-chkconfig.patch 
@@ -0,0 +1,71 @@
+commit d1c80e0217a049441cdad42428254270904f8694
+Author: Steve Grubb
+Date: Fri Jul 5 12:58:03 2019 -0400
+
+ Remove dependency on chkconfig
+
+diff --git a/init.d/auditd.reload b/init.d/auditd.reload
+index b9c9c6c..9c30295 100644
+--- a/init.d/auditd.reload
++++ b/init.d/auditd.reload
+@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+
+ printf "Reconfiguring: "
+ /sbin/augenrules --load
+diff --git a/init.d/auditd.resume b/init.d/auditd.resume
+index 8185cd1..f1d2157 100644
+--- a/init.d/auditd.resume
++++ b/init.d/auditd.resume
+@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+
+ printf "Resuming logging: "
+ killproc $prog -USR2
+diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
+index a627a43..2b13cf7 100644
+--- a/init.d/auditd.rotate
++++ b/init.d/auditd.rotate
+@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+
+ printf "Rotating logs: "
+ killproc $prog -USR1
+diff --git a/init.d/auditd.state b/init.d/auditd.state
+index 6e9e69e..c7e291e 100644
+--- a/init.d/auditd.state
++++ b/init.d/auditd.state
+@@ -8,7 +8,7 @@ test $(id -u) = 0 || exit 4
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+ state_file="/var/run/auditd.state"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+
+ printf "Getting auditd internal state: "
+ killproc $prog -CONT
+diff --git a/init.d/auditd.stop b/init.d/auditd.stop
+index 6550fae..70aaeef 100644
+--- a/init.d/auditd.stop
++++ b/init.d/auditd.stop
+@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+ pid="$(__pids_pidof "$prog")"
+
+ printf "Stopping logging: "
diff --git a/SOURCES/audit-3.0-docs.patch b/SOURCES/audit-3.0-docs.patch
deleted file mode 100644
index ce0e40c..0000000
--- a/SOURCES/audit-3.0-docs.patch
+++ /dev/null
@@ -1,104 +0,0 @@ -diff -ur audit-3.0.orig/docs/auparse_normalize.3 audit-3.0/docs/auparse_normalize.3 ---- audit-3.0.orig/docs/auparse_normalize.3 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/docs/auparse_normalize.3 2018-12-06 19:27:33.636659407 -0500 -@@ -25,7 +25,8 @@ - - .SH "SEE ALSO" - --.BR -+.BR auparse_normalize_subject_primary (3) , -+.BR auparse_normalize_object_primary (3). - - .SH AUTHOR - Steve Grubb -diff -ur audit-3.0.orig/rules/30-ospp-v42.rules audit-3.0/rules/30-ospp-v42.rules ---- audit-3.0.orig/rules/30-ospp-v42.rules 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/rules/30-ospp-v42.rules 2018-12-06 19:27:33.656659405 -0500 -@@ -3,20 +3,28 @@ - ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed. - - ## Unsuccessful file creation (open with O_CREAT) ---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create ---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F 
auid>=1000 -F auid!=unset -F key=unsuccesful-create -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create -+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create - - ## Unsuccessful file modifications (open for write or truncate) ---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification ---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F 
exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification - -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification -@@ -47,16 +55,30 @@ - -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change - - ## User add delete modify. This is covered by pam. 
However, someone could --## open a file and directly create a user, so we'll watch passwd for writes ---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify ---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+## open a file and directly create or modify a user, so we'll watch passwd and -+## shadow for writes -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify - - ## User enable and disable. This is entirely handled by pam. - - ## Group add delete modify. This is covered by pam. 
However, someone could --## open a file and directly create a user, so we'll watch group for writes ---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify ---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify -+## open a file and directly create or modify a user, so we'll watch group and -+## gshadow for writes -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify -+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify - - ## Use of special rights for config changes. This would be use of setuid - ## programs that relate to user accts. 
This is not all setuid apps because -diff -ur audit-3.0.orig/rules/30-pci-dss-v31.rules audit-3.0/rules/30-pci-dss-v31.rules ---- audit-3.0.orig/rules/30-pci-dss-v31.rules 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/rules/30-pci-dss-v31.rules 2018-12-06 19:27:33.656659405 -0500 -@@ -41,8 +41,8 @@ - ## ausearch --start today -m user_auth,user_chauthtok -i - - ## 10.2.5.b All elevation of privileges is logged ---a always,exit -F arch=b64 -S setuid -Fa0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session ---a always,exit -F arch=b32 -S setuid -Fa0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session -+-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session -+-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session - -a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session - -a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session - -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=10.2.5.b-elevated-privs-setuid diff --git a/SOURCES/audit-3.0-krb-remote-fixup.patch b/SOURCES/audit-3.0-krb-remote-fixup.patch new file mode 100644 index 0000000..1c52779 --- /dev/null +++ b/SOURCES/audit-3.0-krb-remote-fixup.patch 
@@ -0,0 +1,63 @@ +diff -urp audit-3.0.orig/audisp/plugins/remote/audisp-remote.c audit-3.0/audisp/plugins/remote/audisp-remote.c +--- audit-3.0.orig/audisp/plugins/remote/audisp-remote.c 2019-06-07 17:08:36.000000000 -0400 ++++ audit-3.0/audisp/plugins/remote/audisp-remote.c 2019-07-13 11:37:45.000000000 -0400 +@@ -1,5 +1,5 @@ + /* audisp-remote.c -- +- * Copyright 2008-2012,2016,2018 Red Hat Inc., Durham, North Carolina. ++ * Copyright 2008-2012,2016,2018,2019 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This program is free software; you can redistribute it and/or modify +@@ -98,7 +98,7 @@ static int ar_write (int, const void *, + credentials. These are the ones we talk to the server with. */ + gss_ctx_id_t my_context; + +-#define KEYTAB_NAME "/etc/audisp/audisp-remote.key" ++#define KEYTAB_NAME "/etc/audit/audisp-remote.key" + #define CCACHE_NAME "MEMORY:audisp-remote" + + #define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG +@@ -978,7 +989,14 @@ static int negotiate_credentials (void) + + static int stop_sock(void) + { ++ + if (sock >= 0) { ++ if (USE_GSS) { ++ OM_uint32 minor_status; ++ gss_delete_sec_context(&minor_status, &my_context, ++ GSS_C_NO_BUFFER); ++ my_context = GSS_C_NO_CONTEXT; ++ } + shutdown(sock, SHUT_RDWR); + close(sock); + } +@@ -995,11 +1013,8 @@ static int stop_transport(void) + switch (config.transport) + { + case T_TCP: +- rc = stop_sock(); +- break; + case T_KRB5: +- // FIXME: shutdown kerberos +- rc = -1; ++ rc = stop_sock(); + break; + default: + rc = -1; +@@ -1142,6 +1157,7 @@ static int init_transport(void) + switch (config.transport) + { + case T_TCP: ++ case T_KRB5: + rc = init_sock(); + // We set this so that it will retry the connection + if (rc == ET_TEMPORARY) +@@ -1589,6 +1605,7 @@ static int relay_event(const char *s, si + switch (config.transport) + { + case T_TCP: ++ case T_KRB5: + rc = relay_sock(s, len); + break; + default: 
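Review bot: The new `case T_KRB5:` labels in init_transport() and relay_event() send the krb5 transport down the same init_sock()/relay_sock() path as plain TCP, while stop_sock() keys its GSS teardown on `USE_GSS` rather than on `config.transport`. Nothing in these hunks shows that the two conditions are kept in agreement. If `config.transport` can be T_KRB5 while `USE_GSS` is false, audit records would presumably go out over an unprotected socket, so init_transport() should refuse that combination instead of connecting, for example `if (config.transport == T_KRB5 && !USE_GSS) return ET_PERMANENT;` ahead of the switch. The shared case label also deserves a comment such as `/* krb5 shares the socket path; GSS wrapping is chosen by USE_GSS inside init_sock()/relay_sock() */`. All three functions start and end outside the hunks, so this needs checking against the full file.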
diff --git a/SOURCES/audit-3.0-libev-remove-cold.patch b/SOURCES/audit-3.0-libev-remove-cold.patch deleted file mode 100644 index 95241e5..0000000 --- a/SOURCES/audit-3.0-libev-remove-cold.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -urp audit-3.0.orig/src/libev/ev.c audit-3.0/src/libev/ev.c ---- audit-3.0.orig/src/libev/ev.c 2019-01-03 12:25:16.000000000 -0500 -+++ audit-3.0/src/libev/ev.c 2019-01-09 10:58:20.437560972 -0500 -@@ -901,7 +901,7 @@ typedef int ecb_bool; - #if ECB_GCC_VERSION(4,3) - #define ecb_artificial ecb_attribute ((__artificial__)) - #define ecb_hot ecb_attribute ((__hot__)) -- #define ecb_cold ecb_attribute ((__cold__)) -+ #define ecb_cold - #else - #define ecb_artificial - #define ecb_hot diff --git a/SOURCES/audit-3.0-network-orig-events.patch b/SOURCES/audit-3.0-network-orig-events.patch deleted file mode 100644 index b1f6a82..0000000 --- a/SOURCES/audit-3.0-network-orig-events.patch +++ /dev/null 
@@ -1,232 +0,0 @@ -diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c ---- audit-3.0.orig/src/auditd.c 2018-12-06 20:01:06.923443360 -0500 -+++ audit-3.0/src/auditd.c 2018-12-06 20:17:19.030339043 -0500 -@@ -214,24 +214,35 @@ static void cont_handler(struct ev_loop - - static int extract_type(const char *str) - { -- const char *tptr, *ptr2, *ptr = str; -+ char tmp, *ptr2, *ptr = str; -+ int type; - if (*str == 'n') { - ptr = strchr(str+1, ' '); - if (ptr == NULL) - return -1; // Malformed - bomb out - ptr++; - } -+ - // ptr should be at 't' - ptr2 = strchr(ptr, ' '); -- // get type=xxx in a buffer -- tptr = strndupa(ptr, ptr2 - ptr); -+ - // find = -- str = strchr(tptr, '='); -- if (str == NULL) -+ str = strchr(ptr, '='); -+ if (str == NULL || str >= ptr2) - return -1; // Malformed - bomb out -+ - // name is 1 past - str++; -- return audit_name_to_msg_type(str); -+ -+ // Save character & terminate string -+ tmp = *ptr2; -+ *ptr2 = 0; -+ -+ type = audit_name_to_msg_type(str); -+ -+ *ptr2 = tmp; // Restore character -+ -+ return type; - } - - void distribute_event(struct auditd_event *e) -@@ -250,18 +261,22 @@ void distribute_event(struct auditd_even - route = 0; - else { // We only need the original type if its being routed - e->reply.type = extract_type(e->reply.message); -- char *p = strchr(e->reply.message, -- AUDIT_INTERP_SEPARATOR); -- if (p) -- proto = AUDISP_PROTOCOL_VER2; -- else -- proto = AUDISP_PROTOCOL_VER; - -+ // Treat everything from the network as VER2 -+ // because they are already formatted. This is -+ // important when it gets to the dispatcher which -+ // can strip node= when its VER1. 
-+ proto = AUDISP_PROTOCOL_VER2; - } -- } else if (e->reply.type != AUDIT_DAEMON_RECONFIG) -- // All other events need formatting -+ } else if (e->reply.type != AUDIT_DAEMON_RECONFIG) { -+ // All other local events need formatting - format_event(e); -- else -+ -+ // If the event has been formatted with node, upgrade -+ // to VER2 so that the dispatcher honors the formatting -+ if (config.node_name_format != N_NONE) -+ proto = AUDISP_PROTOCOL_VER2; -+ } else - route = 0; // Don't DAEMON_RECONFIG events until after enqueue - - /* End of Event is for realtime interface - skip local logging of it */ -@@ -748,6 +763,17 @@ int main(int argc, char *argv[]) - return 1; - } - -+ /* Startup libev and dispatcher */ -+ loop = ev_default_loop(EVFLAG_NOENV); -+ if (init_dispatcher(&config)) { -+ if (pidfile) -+ unlink(pidfile); -+ tell_parent(FAILURE); -+ free_config(&config); -+ ev_default_destroy(); -+ return 1; -+ } -+ - /* Get machine name ready for use */ - if (resolve_node(&config)) { - if (pidfile) -@@ -755,6 +781,7 @@ int main(int argc, char *argv[]) - shutdown_dispatcher(); - tell_parent(FAILURE); - free_config(&config); -+ ev_default_destroy(); - return 1; - } - -@@ -766,6 +793,7 @@ int main(int argc, char *argv[]) - shutdown_dispatcher(); - tell_parent(FAILURE); - free_config(&config); -+ ev_default_destroy(); - return 1; - } - fcntl(pipefds[0], F_SETFD, FD_CLOEXEC); -@@ -785,6 +813,7 @@ int main(int argc, char *argv[]) - tell_parent(FAILURE); - close_pipes(); - free_config(&config); -+ ev_default_destroy(); - return 1; - } - if (getsubj(subj)) -@@ -811,6 +840,7 @@ int main(int argc, char *argv[]) - tell_parent(FAILURE); - close_pipes(); - free_config(&config); -+ ev_default_destroy(); - return 1; - } - } -@@ -821,6 +851,7 @@ int main(int argc, char *argv[]) - /* let config manager init */ - init_config_manager(); - -+ /* Depending on value of opt_startup (-s) set initial audit state */ - if (opt_startup != startup_nochange && !opt_aggregate_only && - 
(audit_is_enabled(fd) < 2) && - audit_set_enabled(fd, (int)opt_startup) < 0) { -@@ -849,6 +880,7 @@ int main(int argc, char *argv[]) - tell_parent(FAILURE); - close_pipes(); - free_config(&config); -+ ev_default_destroy(); - return 1; - } - -@@ -877,20 +909,11 @@ int main(int argc, char *argv[]) - tell_parent(FAILURE); - close_pipes(); - free_config(&config); -+ ev_default_destroy(); - return 1; - } - -- /* Depending on value of opt_startup (-s) set initial audit state */ -- loop = ev_default_loop (EVFLAG_NOENV); -- -- if (init_dispatcher(&config)) { -- if (pidfile) -- unlink(pidfile); -- tell_parent(FAILURE); -- free_config(&config); -- return 1; -- } -- -+ /* Start up all the handlers */ - if (!opt_aggregate_only) { - ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ); - ev_io_start (loop, &netlink_watcher); -diff -urp audit-3.0.orig/src/auditd-dispatch.c audit-3.0/src/auditd-dispatch.c ---- audit-3.0.orig/src/auditd-dispatch.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/src/auditd-dispatch.c 2018-12-06 20:17:09.769340037 -0500 -@@ -70,6 +70,7 @@ int dispatch_event(const struct audit_re - if (!libdisp_active()) - return 0; - -+ // Translate event into dispatcher format - e = malloc(sizeof(event_t)); - if (e == NULL) - return -1; -@@ -78,6 +79,7 @@ int dispatch_event(const struct audit_re - e->hdr.hlen = sizeof(struct audit_dispatcher_header); - e->hdr.type = rep->type; - -+ // Network originating events have data at rep->message - if (protocol_ver == AUDISP_PROTOCOL_VER) { - e->hdr.size = rep->msg.nlh.nlmsg_len; - memcpy(e->data, (void*)rep->msg.data, e->hdr.size); -diff -urp audit-3.0.orig/src/auditd-event.c audit-3.0/src/auditd-event.c ---- audit-3.0.orig/src/auditd-event.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/src/auditd-event.c 2018-12-06 20:17:09.769340037 -0500 -@@ -225,8 +225,10 @@ static void replace_event_msg(struct aud - e->reply.message = strndup(buf, MAX_AUDIT_MESSAGE_LENGTH-1); - len = MAX_AUDIT_MESSAGE_LENGTH; - } -- 
e->reply.msg.nlh.nlmsg_len = e->reply.len; -- e->reply.len = len; -+ // For network originating events, len should be used -+ if (!from_network(e)) // V1 protocol msg size -+ e->reply.msg.nlh.nlmsg_len = e->reply.len; -+ e->reply.len = len; // V2 protocol msg size - } - } - -@@ -500,7 +502,7 @@ struct auditd_event *create_event(char * - e->sequence_id = sequence_id; - - /* Network originating events need things adjusted to mimic netlink. */ -- if (e->ack_func) -+ if (from_network(e)) - replace_event_msg(e, msg); - - return e; -@@ -570,7 +572,7 @@ void handle_event(struct auditd_event *e - static void send_ack(const struct auditd_event *e, int ack_type, - const char *msg) - { -- if (e->ack_func) { -+ if (from_network(e)) { - unsigned char header[AUDIT_RMW_HEADER_SIZE]; - - AUDIT_RMW_PACK_HEADER(header, 0, ack_type, strlen(msg), -diff -urp audit-3.0.orig/src/auditd-event.h audit-3.0/src/auditd-event.h ---- audit-3.0.orig/src/auditd-event.h 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/src/auditd-event.h 2018-12-06 20:17:09.769340037 -0500 -@@ -36,6 +36,9 @@ struct auditd_event { - unsigned long sequence_id; - }; - -+static inline int from_network(const struct auditd_event *e) -+{ if (e && e->ack_func) return 1; return 0; }; -+ - #include "auditd-config.h" - - int dispatch_network_events(void); diff --git a/SOURCES/audit-3.0-queue-report.patch b/SOURCES/audit-3.0-queue-report.patch deleted file mode 100644 index 31f62c9..0000000 --- a/SOURCES/audit-3.0-queue-report.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -diff -urp audit-3.0.orig/audisp/queue.c audit-3.0/audisp/queue.c ---- audit-3.0.orig/audisp/queue.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/audisp/queue.c 2018-12-06 20:21:22.184312950 -0500 -@@ -231,11 +231,12 @@ void increase_queue_depth(unsigned int s - - void write_queue_state(FILE *f) - { -- fprintf(f, "current queue depth = %u\n", currently_used); -- fprintf(f, "max queue depth used = %u\n", max_used); -- fprintf(f, "queue size = %u\n", q_depth); -- fprintf(f, "queue overflow detected = %s\n",overflowed ? "yes" : "no"); -- fprintf(f, "queueing suspended = %s\n", -+ fprintf(f, "current plugin queue depth = %u\n", currently_used); -+ fprintf(f, "max plugin queue depth used = %u\n", max_used); -+ fprintf(f, "plugin queue size = %u\n", q_depth); -+ fprintf(f, "plugin queue overflow detected = %s\n", -+ overflowed ? "yes" : "no"); -+ fprintf(f, "plugin queueing suspended = %s\n", - processing_suspended ? "yes" : "no"); - } - diff --git a/SOURCES/audit-3.0-saddr_fam-doc.patch b/SOURCES/audit-3.0-saddr_fam-doc.patch new file mode 100644 index 0000000..6549b92 --- /dev/null +++ b/SOURCES/audit-3.0-saddr_fam-doc.patch @@ -0,0 +1,14 @@ +diff --git a/docs/auditctl.8 b/docs/auditctl.8 +index 2c970cf..043a9d6 100644 +--- a/docs/auditctl.8 ++++ b/docs/auditctl.8 +@@ -210,6 +210,9 @@ Process ID + .B ppid + Parent's Process ID + .TP ++.B saddr_fam ++Address family number as found in /usr/include/bits/socket.h. For example, IPv4 would be 2 and IPv6 would be 10. ++.TP + .B sessionid + User's login session ID + .TP diff --git a/SOURCES/audit-3.0-user_avc.patch b/SOURCES/audit-3.0-user_avc.patch deleted file mode 100644 index f364111..0000000 --- a/SOURCES/audit-3.0-user_avc.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -diff -ur audit-3.0.orig/src/aureport-options.c audit-3.0/src/aureport-options.c ---- audit-3.0.orig/src/aureport-options.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/src/aureport-options.c 2018-12-06 19:31:26.945634371 -0500 -@@ -85,7 +85,8 @@ - R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS, - R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO, - R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS, -- R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE }; -+ R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE, -+ R_DEBUG }; - - static struct nv_pair optiontab[] = { - { R_AUTH, "-au" }, -@@ -98,6 +99,7 @@ - { R_CONFIGS, "--config" }, - { R_CRYPTO, "-cr" }, - { R_CRYPTO, "--crypto" }, -+ { R_DEBUG, "--debug" }, - { R_DEL, "--delete" }, - { R_EVENTS, "-e" }, - { R_EVENTS, "--event" }, -@@ -731,6 +733,9 @@ - case R_DEL: - event_conf_act = C_DEL; - break; -+ case R_DEBUG: -+ event_debug = 1; -+ break; - case R_IN_LOGS: - force_logs = 1; - break; -diff -ur audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c ---- audit-3.0.orig/src/ausearch-parse.c 2018-08-31 17:05:48.000000000 -0400 -+++ audit-3.0/src/ausearch-parse.c 2018-12-06 19:31:26.945634371 -0500 -@@ -102,7 +102,8 @@ - ret = parse_path(n, s); - break; - case AUDIT_USER: -- case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: -+ case AUDIT_FIRST_USER_MSG...AUDIT_USER_END: -+ case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG: - case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2: - ret = parse_user(n, s); - break; -@@ -136,6 +137,7 @@ - avc_parse_path(n, s); - break; - case AUDIT_AVC: -+ case AUDIT_USER_AVC: - ret = parse_avc(n, s); - break; - case AUDIT_NETFILTER_PKT: -@@ -1867,6 +1869,20 @@ - *term = ' '; - } - -+ // User AVC's are not formatted like a kernel AVC -+ if (n->type == AUDIT_USER_AVC) { -+ rc = parse_user(n, s); -+ if (rc > 20) -+ rc = 0; -+ if (audit_avc_init(s) == 0) { -+ alist_append(s->avc, &an); -+ } else { 
-+ rc = 10; -+ goto err; -+ } -+ return rc; -+ } -+ - // get pid - if (event_pid != -1) { - str = strstr(term, "pid="); -diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c ---- audit-3.0.orig/src/ausearch-parse.c 2018-10-03 19:46:52.000000000 -0400 -+++ audit-3.0/src/ausearch-parse.c 2018-12-08 15:48:54.350009208 -0500 -@@ -1839,8 +1839,10 @@ static int parse_avc(const lnode *n, sea - if (str) { - str += 5; - term = strchr(str, '{'); -- if (term == NULL) -- return 1; -+ if (term == NULL) { -+ term = n->message; -+ goto other_avc; -+ } - if (event_success != S_UNSET) { - *term = 0; - // FIXME. Do not override syscall success if already -@@ -1869,6 +1871,7 @@ static int parse_avc(const lnode *n, sea - *term = ' '; - } - -+other_avc: - // User AVC's are not formatted like a kernel AVC - if (n->type == AUDIT_USER_AVC) { - rc = parse_user(n, s); diff --git a/SPECS/audit.spec b/SPECS/audit.spec index 174a79e..595718a 100644 --- a/SPECS/audit.spec +++ b/SPECS/audit.spec 
@@ -3,31 +3,15 @@ Summary: User space tools for 2.6 kernel auditing Name: audit Version: 3.0 -Release: 0.10.20180831git0047a6c%{?dist} +Release: 0.13.20190507gitf58ec40%{?dist} License: GPLv2+ URL: http://people.redhat.com/sgrubb/audit/ -Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha5.tar.gz +Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha8.tar.gz Source1: https://www.gnu.org/licenses/lgpl-2.1.txt -# Update documentation and rules -Patch1: audit-3.0-docs.patch -# 1628626 - lightly parse USER_AVC events -Patch2: audit-3.0-user_avc.patch -# Fix a buffer length calculation in ausearch -Patch3: audit-3.0-ausearch-buffer-fix.patch -# Remove CAP_AUDIT_READ from daemon permission checks -Patch4: audit-3.0-cap_audit_read.patch -# Port af_unix plugin to libev -Patch5: audit-3.0-af_unix-plugin.patch -# Make all network originating events VER2 dispatcher protocol -Patch6: audit-3.0-network-orig-events.patch -# Adjust state report for plugin queue -Patch7: audit-3.0-queue-report.patch -# 1643567 - auditd wasn't quite stopped when it was supposed to be -Patch8: audit-3.0-auditd-stop.patch -# In libev, cold functions cause annocheck failures. Remove them. -Patch9: audit-3.0-libev-remove-cold.patch -# Next BuildRequires is only needed for the patching - remove in the future -BuildRequires: autoconf automake +Source2: 30-ospp-v42.rules +Patch1: audit-3.0-saddr_fam-doc.patch +Patch2: audit-3.0-chkconfig.patch +Patch3: audit-3.0-krb-remote-fixup.patch BuildRequires: gcc swig BuildRequires: openldap-devel @@ -36,8 +20,8 @@ BuildRequires: kernel-headers >= 2.6.29 Requires: %{name}-libs%{?_isa} = %{version}-%{release} BuildRequires: systemd Requires(post): systemd coreutils -Requires(preun): systemd -Requires(postun): systemd coreutils +Requires(preun): systemd initscripts +Requires(postun): systemd coreutils initscripts %description The audit package contains the user space utilities for 
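Review bot: The new `Release: 0.13.20190507gitf58ec40%{?dist}` carries snapshot date 20190507, but all three changelog entries added at the bottom of this spec read `20190607gitf58ec40`, so one of the two is a typo and the built NVR will not match the changelog. Align the Release tag with whichever date matches the f58ec40 snapshot. The hunk also drops the explanatory comments that each old Patch line had, and the three new ones have none. A one-line comment per patch would restore that, for example `# Document the saddr_fam field in auditctl(8)` above Patch1 and `# Shut down the GSS context and route the krb5 transport through the socket code` above Patch3.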
@@ -99,21 +83,14 @@ incoming audit events, as they happen, to a configured z/OS SMF (Service Management Facility) database, through an IBM Tivoli Directory Server (ITDS) set for Remote Audit service. -%enable_gotoolset7 - %prep %setup -q %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 cp %{SOURCE1} . -autoreconf +## overwrite 30-ospp-v42.rules +cp -f %{SOURCE2} rules/ %build %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \ @@ -177,6 +154,9 @@ fi %preun %systemd_preun auditd.service +if [ $1 -eq 0 ]; then + /sbin/service auditd stop > /dev/null 2>&1 +fi %postun if [ $1 -ge 1 ]; then @@ -244,7 +224,7 @@ fi %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop %ghost %{_localstatedir}/run/auditd.state -%attr(750,root,root) %dir %{_var}/log/audit +%attr(-,root,-) %dir %{_var}/log/audit %attr(750,root,root) %dir /etc/audit %attr(750,root,root) %dir /etc/audit/rules.d %attr(750,root,root) %dir /etc/audit/plugins.d 
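Review bot: In the %files hunk, `%attr(-,root,-) %dir %{_var}/log/audit` stops the package from pinning the mode and group of the audit log directory, so both now come from whatever %install leaves in the buildroot, which is not visible here. Presumably this avoids verification noise when the group is changed by configuration, but it also means a permissive mode from the build would ship unnoticed. Confirm that %install creates the directory with no access for "other", and record the intent next to the entry, e.g. `# mode and group are not pinned here; %install must create this directory without world access`.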
@@ -273,6 +253,21 @@ fi %attr(750,root,root) /sbin/audispd-zos-remote %changelog +* Thu Jul 25 2019 Steve Grubb 3.0-0.13.20190607gitf58ec40 +resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes + +* Sat Jul 13 2019 Steve Grubb 3.0-0.12.20190607gitf58ec40 +resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes + +* Mon Jun 10 2019 Steve Grubb 3.0-0.11.20190607gitf58ec40 +resolves: rhbz#1643567 - service auditd stop exits prematurely +resolves: rhbz#1693470 - libauparse memory leak +resolves: rhbz#1694071 - ausearch doesn't record device/inode details checkpointing a single file +resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes +resolves: rhbz#1705894 - aureport aborts when using a specific input +resolves: rhbz#1706045 - RFE: Backport support for new audit record types +resolves: rhbz#1715852 - RFE: provide a way to filter on network address family + * Wed Jan 09 2019 Steve Grubb 3.0-0.10.20180831git0047a6c resolves: rhbz#1655270] Message "audit: backlog limit exceeded" reported - Fix annobin failure