diff --git a/.audit.metadata b/.audit.metadata
index ab146fb..363ea1c 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-5205dd634a26512d69d75ca27171c70b70f102f0 SOURCES/audit-3.0-alpha8.tar.gz
+fe9807c29de893c8e8bc4df8624e00a98ab2b32a SOURCES/audit-3.0-alpha9.tar.gz
diff --git a/.gitignore b/.gitignore
index fa16155..de9fa84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-3.0-alpha8.tar.gz
+SOURCES/audit-3.0-alpha9.tar.gz
diff --git a/SOURCES/30-ospp-v42.rules b/SOURCES/30-ospp-v42.rules
deleted file mode 100644
index 29fd3ce..0000000
--- a/SOURCES/30-ospp-v42.rules
+++ /dev/null
@@ -1,140 +0,0 @@
-## The purpose of these rules is to meet the requirements for Operating
-## System Protection Profile (OSPP)v4.2. These rules depends on having
-## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
-
-## Successful/Unsuccessful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-
-## Successful/Unsuccessful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-
-## Successful/Unsuccessful file access (any other opens) This has to go last.
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-# These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-
-## Successful/Unsuccessful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-
-## Successful/Unsuccessful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-
-## Successful/Unsuccessful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-
-## User add delete modify. This is covered by pam. However, someone could
-## open a file and directly create or modify a user, so we'll watch passwd and
-## shadow for writes
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-
-## User enable and disable. This is entirely handled by pam.
-
-## Group add delete modify. This is covered by pam. However, someone could
-## open a file and directly create or modify a user, so we'll watch group and
-## gshadow for writes
--a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-
-
-## Use of special rights for config changes. This would be use of setuid
-## programs that relate to user accts. This is not all setuid apps because
-## requirements are only for ones that affect system configuration.
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-
-## Privilege escalation via su or sudo. This is entirely handled by pam.
-
-## Audit log access
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
-## Attempts to Alter Process and Session Initiation Information
--a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
--a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-
-## Attempts to modify MAC controls
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
-
-## Software updates. This is entirely handled by rpm.
-
-## System start and shutdown. This is entirely handled by systemd
-
-## Kernel Module loading. This is handled in 43-module-load.rules
-
-## Application invocation. The requirements list an optional requirement
-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
-## state results from that policy. This would be handled entirely by
-## that daemon.
-
diff --git a/SOURCES/audit-3.0-bpf-record.patch b/SOURCES/audit-3.0-bpf-record.patch
new file mode 100644
index 0000000..eabf31d
--- /dev/null
+++ b/SOURCES/audit-3.0-bpf-record.patch
@@ -0,0 +1,38 @@
+From 9e0cf4082ddbefab8558ce1349e22f6f1777040d Mon Sep 17 00:00:00 2001
+From: olsajiri <42811547+olsajiri@users.noreply.github.com>
+Date: Wed, 11 Dec 2019 17:57:39 +0100
+Subject: [PATCH] Add support for AUDIT_BPF event (#104)
+
+Signed-off-by: Jiri Olsa
+---
+ lib/libaudit.h | 4 ++++
+ lib/msg_typetab.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/lib/libaudit.h b/lib/libaudit.h
+index ac22e2c..0eea55f 100644
+--- a/lib/libaudit.h
++++ b/lib/libaudit.h
+@@ -290,6 +290,10 @@ extern "C" {
+ #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */
+ #endif
+ 
++#ifndef AUDIT_BPF
++#define AUDIT_BPF 1334 /* BPF load/unload */
++#endif
++
+ #ifndef AUDIT_MAC_CALIPSO_ADD
+ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
+ #endif
+diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
+index d668f34..81b1ea5 100644
+--- a/lib/msg_typetab.h
++++ b/lib/msg_typetab.h
+@@ -125,6 +125,7 @@ _S(AUDIT_KERN_MODULE, "KERN_MODULE" )
+ _S(AUDIT_FANOTIFY, "FANOTIFY" )
+ _S(AUDIT_TIME_INJOFFSET, "TIME_INJOFFSET" )
+ _S(AUDIT_TIME_ADJNTPVAL, "TIME_ADJNTPVAL" )
++_S(AUDIT_BPF, "BPF" )
+ _S(AUDIT_AVC, "AVC" )
+ _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" )
+ _S(AUDIT_AVC_PATH, "AVC_PATH" )
diff --git a/SOURCES/audit-3.0-chkconfig.patch b/SOURCES/audit-3.0-chkconfig.patch
deleted file mode 100644
index edfd58a..0000000
--- a/SOURCES/audit-3.0-chkconfig.patch
+++ /dev/null
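Review bot: The fallback `#define AUDIT_BPF 1334` in the libaudit.h hunk of this new patch file is wrapped in `#ifndef AUDIT_BPF`, so whenever the build host's kernel headers already define the macro (the spec only requires kernel-headers >= 2.6.29) their value wins and the literal is never used; the comment `/* BPF load/unload */` does not tell a maintainer that the number is a copy of the kernel uapi value and has to track it. Suggest `/* BPF load/unload; mirrors the linux/audit.h uapi value, keep in sync */` on the define line. The `_S(AUDIT_BPF, "BPF" )` entry in msg_typetab.h resolves through the same macro, so the type table and the header agree as long as that single definition is right.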
@@ -1,71 +0,0 @@
-commit d1c80e0217a049441cdad42428254270904f8694
-Author: Steve Grubb
-Date: Fri Jul 5 12:58:03 2019 -0400
-
- Remove dependency on chkconfig
-
-diff --git a/init.d/auditd.reload b/init.d/auditd.reload
-index b9c9c6c..9c30295 100644
---- a/init.d/auditd.reload
-+++ b/init.d/auditd.reload
-@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
- 
- PATH=/sbin:/bin:/usr/bin:/usr/sbin
- prog="auditd"
--. /etc/init.d/functions
-+. /etc/rc.d/init.d/functions
- 
- printf "Reconfiguring: "
- /sbin/augenrules --load
-diff --git a/init.d/auditd.resume b/init.d/auditd.resume
-index 8185cd1..f1d2157 100644
---- a/init.d/auditd.resume
-+++ b/init.d/auditd.resume
-@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
- 
- PATH=/sbin:/bin:/usr/bin:/usr/sbin
- prog="auditd"
--. /etc/init.d/functions
-+. /etc/rc.d/init.d/functions
- 
- printf "Resuming logging: "
- killproc $prog -USR2
-diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
-index a627a43..2b13cf7 100644
---- a/init.d/auditd.rotate
-+++ b/init.d/auditd.rotate
-@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
- 
- PATH=/sbin:/bin:/usr/bin:/usr/sbin
- prog="auditd"
--. /etc/init.d/functions
-+. /etc/rc.d/init.d/functions
- 
- printf "Rotating logs: "
- killproc $prog -USR1
-diff --git a/init.d/auditd.state b/init.d/auditd.state
-index 6e9e69e..c7e291e 100644
---- a/init.d/auditd.state
-+++ b/init.d/auditd.state
-@@ -8,7 +8,7 @@ test $(id -u) = 0 || exit 4
- PATH=/sbin:/bin:/usr/bin:/usr/sbin
- prog="auditd"
- state_file="/var/run/auditd.state"
--. /etc/init.d/functions
-+. /etc/rc.d/init.d/functions
- 
- printf "Getting auditd internal state: "
- killproc $prog -CONT
-diff --git a/init.d/auditd.stop b/init.d/auditd.stop
-index 6550fae..70aaeef 100644
---- a/init.d/auditd.stop
-+++ b/init.d/auditd.stop
-@@ -7,7 +7,7 @@ test $(id -u) = 0 || exit 4
- 
- PATH=/sbin:/bin:/usr/bin:/usr/sbin
- prog="auditd"
--. /etc/init.d/functions
-+. /etc/rc.d/init.d/functions
- pid="$(__pids_pidof "$prog")"
- 
- printf "Stopping logging: "
diff --git a/SOURCES/audit-3.0-clang-warnings.patch b/SOURCES/audit-3.0-clang-warnings.patch
new file mode 100644
index 0000000..a8bea31
--- /dev/null
+++ b/SOURCES/audit-3.0-clang-warnings.patch
@@ -0,0 +1,36 @@
+commit b4b63a18e044e507b9091f01aef91d4b3beff97d
+Author: Steve Grubb
+Date: Mon Nov 4 16:54:44 2019 -0500
+
+ Fix 2 clang reported warnings
+
+diff --git a/audisp/plugins/syslog/audisp-syslog.c b/audisp/plugins/syslog/audisp-syslog.c
+index 2515e0b..9daa021 100644
+--- a/audisp/plugins/syslog/audisp-syslog.c
++++ b/audisp/plugins/syslog/audisp-syslog.c
+@@ -181,7 +181,7 @@ static inline void write_syslog(char *s)
+ mptr = stpcpy(mptr, fval ? fval : "?");
+ mptr = stpcpy(mptr, " ");
+ rc = auparse_next_field(au);
+- if (!header && strcmp(fname, "type") == 0) {
++ if (!header && fname && strcmp(fname, "type") == 0) {
+ mptr = stpcpy(mptr, "msg=audit(");
+ 
+ time_t t = auparse_get_time(au);
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 54452e8..e709456 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -324,8 +324,11 @@ int lol_add_record(lol *lo, char *buff)
+ }
+ 
+ // Eat standalone EOE, main event was already marked complete
+- if (e.type == AUDIT_EOE)
++ if (e.type == AUDIT_EOE) {
++ free((char *)e.node);
++ free(n.message);
+ return 0;
++ }
+ 
+ // Create new event and fill it in
+ l = malloc(sizeof(llist));
diff --git a/SOURCES/audit-3.0-krb-remote-fixup.patch b/SOURCES/audit-3.0-krb-remote-fixup.patch
deleted file mode 100644
index 1c52779..0000000
--- a/SOURCES/audit-3.0-krb-remote-fixup.patch
+++ /dev/null
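Review bot: In the ausearch-lol.c hunk, the new early exit for a standalone EOE record frees `e.node` and `n.message` without saying why those two in particular, and the `(char *)` cast on `e.node` suggests the field is declared const while the string it points at is owned by this function; both facts have to be inferred from code outside the hunk (lol_add_record starts before it and continues after it). Suggest a comment above the block such as `// Record is dropped, not queued: release the node and message copies made earlier in this function`, and, if `e.node` really is heap-owned here, dropping the const from its declaration so the free needs no cast. The `fname &&` guard in the audisp-syslog.c hunk is consistent with the `fval ? fval : "?"` guard two lines above it.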
@@ -1,63 +0,0 @@
-diff -urp audit-3.0.orig/audisp/plugins/remote/audisp-remote.c audit-3.0/audisp/plugins/remote/audisp-remote.c
---- audit-3.0.orig/audisp/plugins/remote/audisp-remote.c 2019-06-07 17:08:36.000000000 -0400
-+++ audit-3.0/audisp/plugins/remote/audisp-remote.c 2019-07-13 11:37:45.000000000 -0400
-@@ -1,5 +1,5 @@
- /* audisp-remote.c --
-- * Copyright 2008-2012,2016,2018 Red Hat Inc., Durham, North Carolina.
-+ * Copyright 2008-2012,2016,2018,2019 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This program is free software; you can redistribute it and/or modify
-@@ -98,7 +98,7 @@ static int ar_write (int, const void *,
- credentials. These are the ones we talk to the server with. */
- gss_ctx_id_t my_context;
- 
--#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
-+#define KEYTAB_NAME "/etc/audit/audisp-remote.key"
- #define CCACHE_NAME "MEMORY:audisp-remote"
- 
- #define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
-@@ -978,7 +989,14 @@ static int negotiate_credentials (void)
- 
- static int stop_sock(void)
- {
-+
- if (sock >= 0) {
-+ if (USE_GSS) {
-+ OM_uint32 minor_status;
-+ gss_delete_sec_context(&minor_status, &my_context,
-+ GSS_C_NO_BUFFER);
-+ my_context = GSS_C_NO_CONTEXT;
-+ }
- shutdown(sock, SHUT_RDWR);
- close(sock);
- }
-@@ -995,11 +1013,8 @@ static int stop_transport(void)
- switch (config.transport)
- {
- case T_TCP:
-- rc = stop_sock();
-- break;
- case T_KRB5:
-- // FIXME: shutdown kerberos
-- rc = -1;
-+ rc = stop_sock();
- break;
- default:
- rc = -1;
-@@ -1142,6 +1157,7 @@ static int init_transport(void)
- switch (config.transport)
- {
- case T_TCP:
-+ case T_KRB5:
- rc = init_sock();
- // We set this so that it will retry the connection
- if (rc == ET_TEMPORARY)
-@@ -1589,6 +1605,7 @@ static int relay_event(const char *s, si
- switch (config.transport)
- {
- case T_TCP:
-+ case T_KRB5:
- rc = relay_sock(s, len);
- break;
- default:
diff --git a/SOURCES/audit-3.0-saddr_fam-doc.patch b/SOURCES/audit-3.0-saddr_fam-doc.patch
deleted file mode 100644
index 6549b92..0000000
--- a/SOURCES/audit-3.0-saddr_fam-doc.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/docs/auditctl.8 b/docs/auditctl.8
-index 2c970cf..043a9d6 100644
---- a/docs/auditctl.8
-+++ b/docs/auditctl.8
-@@ -210,6 +210,9 @@ Process ID
- .B ppid
- Parent's Process ID
- .TP
-+.B saddr_fam
-+Address family number as found in /usr/include/bits/socket.h. For example, IPv4 would be 2 and IPv6 would be 10.
-+.TP
- .B sessionid
- User's login session ID
- .TP
diff --git a/SOURCES/audit-3.0-user-event.patch b/SOURCES/audit-3.0-user-event.patch
new file mode 100644
index 0000000..99aaf0f
--- /dev/null
+++ b/SOURCES/audit-3.0-user-event.patch
@@ -0,0 +1,35 @@
+diff --git a/src/auditctl.c b/src/auditctl.c
+index ac08e47..1150911 100644
+--- a/src/auditctl.c
++++ b/src/auditctl.c
+@@ -809,6 +809,7 @@ static int setopt(int count, int lineno, char *vars[])
+ retval = -1;
+ } else {
+ const char*s = optarg;
++ char *umsg;
+ while (*s) {
+ if (*s < 32) {
+ audit_msg(LOG_ERR,
+@@ -817,11 +818,18 @@ static int setopt(int count, int lineno, char *vars[])
+ }
+ s++;
+ }
++ if (asprintf(&umsg, "text=%s", optarg) < 0) {
++ audit_msg(LOG_ERR, "Can't create user event");
++ return -1;
++ }
+ if (audit_log_user_message( fd, AUDIT_USER,
+- optarg, NULL, NULL, NULL, 1) <= 0)
+- retval = -1;
+- else
+- return -2; // success - no reply for this
++ umsg, NULL, NULL, NULL, 1) <= 0)
++ retval = -1;
++ else {
++ free(umsg);
++ return -2; // success - no reply for this
++ }
++ free(umsg);
+ }
+ break;
+ case 'R':
diff --git a/SPECS/audit.spec b/SPECS/audit.spec
index 595718a..0d837a0 100644
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
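Review bot: In the user-event patch (the setopt hunk), `free(umsg)` is written in both outcomes of the `audit_log_user_message` call and the success branch returns from inside an else block, which makes the ownership of `umsg` harder to follow than it needs to be; storing the result and freeing once reads simpler: `int rc = audit_log_user_message(fd, AUDIT_USER, umsg, NULL, NULL, NULL, 1);` `free(umsg);` `if (rc <= 0) retval = -1; else return -2; // success - no reply for this`. The asprintf-failure path does `return -1` directly, whereas the surrounding code records failures in `retval` and falls through to `break`; if that difference is intentional it deserves a one-line comment, since setopt's return convention is not visible in the hunk. Building `umsg` only after the `*s < 32` loop, which appears to reject control characters in optarg, keeps the `text=` field of the resulting USER record clean, so that ordering should be preserved. setopt starts and ends outside the hunk.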
@@ -1,24 +1,24 @@
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
-Summary: User space tools for 2.6 kernel auditing
+Summary: User space tools for kernel auditing
 Name: audit
 Version: 3.0
-Release: 0.13.20190507gitf58ec40%{?dist}
+Release: 0.17.20191104git1c2f876%{?dist}
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
-Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha8.tar.gz
+Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha9.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
-Source2: 30-ospp-v42.rules
-Patch1: audit-3.0-saddr_fam-doc.patch
-Patch2: audit-3.0-chkconfig.patch
-Patch3: audit-3.0-krb-remote-fixup.patch
+Patch1: audit-3.0-clang-warnings.patch
+Patch2: audit-3.0-user-event.patch
+Patch3: audit-3.0-bpf-record.patch
 BuildRequires: gcc swig
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel libcap-ng-devel
 BuildRequires: kernel-headers >= 2.6.29
-Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 BuildRequires: systemd
+
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires(post): systemd coreutils
 Requires(preun): systemd initscripts
 Requires(postun): systemd coreutils initscripts
@@ -89,15 +89,13 @@ Management Facility) database, through an IBM Tivoli Directory Server
 %patch2 -p1
 %patch3 -p1
 cp %{SOURCE1} .
-## overwrite 30-ospp-v42.rules
-cp -f %{SOURCE2} rules/
 %build
 %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \
 --with-python3=yes \
 --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
 --with-libcap-ng=yes --enable-zos-remote \
- --enable-systemd
+ --enable-systemd
 make CFLAGS="%{optflags}" %{?_smp_mflags}
@@ -143,8 +141,8 @@ rm -f rules/Makefile*
 # Copy default rules into place on new installation
 files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
 if [ "$files" -eq 0 ] ; then
- if [ -e /usr/share/doc/audit/rules/10-base-config.rules ] ; then
- cp /usr/share/doc/audit/rules/10-base-config.rules /etc/audit/rules.d/audit.rules
+ if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
+ cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
 else
 touch /etc/audit/rules.d/audit.rules
 fi
@@ -155,12 +153,12 @@ fi
 %preun
 %systemd_preun auditd.service
 if [ $1 -eq 0 ]; then
- /sbin/service auditd stop > /dev/null 2>&1
+ /sbin/service auditd stop > /dev/null 2>&1
 fi
 %postun
 if [ $1 -ge 1 ]; then
- /sbin/service auditd condrestart > /dev/null 2>&1 || :
+ /sbin/service auditd condrestart > /dev/null 2>&1 || :
 fi
 %files libs
@@ -187,9 +185,10 @@ fi
 %attr(755,root,root) %{python3_sitearch}/*
 %files
-%doc README ChangeLog rules init.d/auditd.cron
+%doc README ChangeLog init.d/auditd.cron
 %{!?_licensedir:%global license %%doc}
 %license COPYING
+%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
 %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
@@ -209,7 +208,7 @@ fi
 %attr(755,root,root) /sbin/ausearch
 %attr(755,root,root) /sbin/aureport
 %attr(750,root,root) /sbin/autrace
-%attr(750,root,root) /sbin/augenrules
+%attr(755,root,root) /sbin/augenrules
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
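Review bot: The last hunk on this line changes `/sbin/augenrules` from `%attr(750,root,root)` to `%attr(755,root,root)` while its neighbour `/sbin/autrace` stays at 750, and none of the changelog entries in the following hunk mentions the mode change, so a reader cannot tell whether it is deliberate (the script presumably still needs root for anything it does, so the widened bits mostly affect who can read it) or a slip. Suggest either restoring 750 or adding a changelog line such as `- make augenrules world-readable/executable like the other /sbin tools`. The `%post` copy from `%{_datadir}/%{name}/sample-rules/` in the first hunk lines up with the `%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*` entry added to `%files`, so the rules relocation itself is self-consistent.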
@@ -253,6 +252,19 @@ fi
 %attr(750,root,root) /sbin/audispd-zos-remote
 %changelog
+* Wed Jan 08 2020 Steve Grubb 3.0-0.17.20191104git1c2f876
+resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)
+
+* Thu Nov 28 2019 Steve Grubb 3.0-0.16.20191104git1c2f876
+resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
+
+* Mon Nov 04 2019 Steve Grubb 3.0-0.15.20191104git1c2f876
+resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates
+resolves: rhbz#1767054 - move audit rules to shared data directory
+resolves: rhbz#1746018 - Breakup 30-ospp-v42.rules into more granular files
+resolves: rhbz#1740798 - auditctl(8) needs clarification for backlog_limit
+resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
+
 * Thu Jul 25 2019 Steve Grubb 3.0-0.13.20190607gitf58ec40
 resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes