From a1e6a3f084bebd498eb31cd26a7d1414f9ce6e53 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 01 2017 03:37:53 +0000
Subject: import audit-2.7.6-3.el7
---
diff --git a/.audit.metadata b/.audit.metadata
index fac8703..d278edf 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-5b14b50733d6d9d11467d88933f2d2ef10f7b19e SOURCES/audit-2.6.5.tar.gz
+d9dc30c4af8733724cad73ba136ec63b4e2b11f5 SOURCES/audit-2.7.6.tar.gz
diff --git a/.gitignore b/.gitignore
index dc190bc..d7891dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-2.6.5.tar.gz
+SOURCES/audit-2.7.6.tar.gz
diff --git a/SOURCES/audit-2.6.5-autrace.patch b/SOURCES/audit-2.6.5-autrace.patch
deleted file mode 100644
index 8b513ed..0000000
--- a/SOURCES/audit-2.6.5-autrace.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff -urp audit-2.6.5.orig/src/autrace.c audit-2.6.5/src/autrace.c
---- audit-2.6.5.orig/src/autrace.c 2016-07-13 12:14:36.000000000 -0400
-+++ audit-2.6.5/src/autrace.c 2016-07-22 10:41:41.221461110 -0400
-@@ -298,18 +298,19 @@ static int count_em(int fd)
- FD_SET(fd, &read_mask);
-
- for (i = 0; i < timeout; i++) {
-+ struct timeval t;
-+
-+ t.tv_sec = 0;
-+ t.tv_usec = 100000; /* .1 second */
- retval = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
- if (retval > 0) {
-- struct timeval t;
--
- if (rep.type == NLMSG_ERROR &&
- rep.error->error == 0)
- continue;
-- t.tv_sec = 0;
-- t.tv_usec = 100000; /* .1 second */
- do {
- retval=select(fd+1, &read_mask, NULL, NULL, &t);
- } while (retval < 0 && errno == EINTR);
-+
- switch (rep.type)
- {
- case NLMSG_DONE:
-@@ -323,7 +324,8 @@ static int count_em(int fd)
- default:
- break;
- }
-- }
-+ } else if (errno == EAGAIN) // Take short delay
-+ retval = select(fd+1, &read_mask, NULL, NULL, &t);
- }
- if (i >= timeout && count == 0)
- count = -1;
diff --git a/SOURCES/audit-2.6.5-directory-permissions.patch b/SOURCES/audit-2.6.5-directory-permissions.patch
deleted file mode 100644
index c439c27..0000000
--- a/SOURCES/audit-2.6.5-directory-permissions.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urp audit-2.6.5.orig/src/auditd-event.c audit-2.6.5/src/auditd-event.c
---- audit-2.6.5.orig/src/auditd-event.c 2016-07-13 12:14:36.000000000 -0400
-+++ audit-2.6.5/src/auditd-event.c 2016-07-22 10:37:45.468455518 -0400
-@@ -900,7 +900,7 @@ static void fix_disk_permissions(void)
- // Start with the directory
- strcpy(path, config->log_file);
- dir = dirname(path);
-- chmod(dir, config->log_group ? S_IRWXU|S_IRWXG : S_IRWXU);
-+ chmod(dir, config->log_group ? S_IRWXU|S_IRGRP|S_IXGRP : S_IRWXU);
- chown(dir, 0, config->log_group ? config->log_group : 0);
-
- // Now, for each file...
diff --git a/SOURCES/audit-2.6.7-augenrules.patch b/SOURCES/audit-2.6.7-augenrules.patch
deleted file mode 100644
index 41b0cdb..0000000
--- a/SOURCES/audit-2.6.7-augenrules.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -urp audit-2.6.5.orig/init.d/augenrules audit-2.6.5/init.d/augenrules
---- audit-2.6.5.orig/init.d/augenrules 2016-07-14 10:25:39.000000000 -0400
-+++ audit-2.6.5/init.d/augenrules 2016-08-10 09:21:51.018391054 -0400
-@@ -125,6 +125,11 @@ if [ -f ${DestinationFile} ]; then
- fi
- # We copy the file so that it gets the right selinux lable
- cp ${TmpRules} ${DestinationFile}
-+chmod 0640 ${DestinationFile}
-+# Restore context on MLS system. /tmp is SystemLow & audit.rules is SystemHigh
-+if [ -x /usr/sbin/restorecon ] ; then
-+ /usr/sbin/restorecon -F ${DestinationFile}
-+fi
- rm -f ${TmpRules}
-
- try_load
diff --git a/SOURCES/audit-2.6.7-log-perms.patch b/SOURCES/audit-2.6.7-log-perms.patch
deleted file mode 100644
index b3852b2..0000000
--- a/SOURCES/audit-2.6.7-log-perms.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -urp audit-2.6.5.orig/src/auditd-event.c audit-2.6.5/src/auditd-event.c
---- audit-2.6.5.orig/src/auditd-event.c 2016-07-14 10:25:39.000000000 -0400
-+++ audit-2.6.5/src/auditd-event.c 2016-08-10 09:24:41.450386810 -0400
-@@ -907,8 +907,7 @@ static void fix_disk_permissions(void)
- for (i = 1; i < config->num_logs; i++) {
- int rc;
- snprintf(path, len, "%s.%d", config->log_file, i);
-- rc = chmod(path, config->log_group ? S_IWUSR|S_IRUSR|S_IRGRP :
-- S_IWUSR|S_IRUSR);
-+ rc = chmod(path, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR);
- if (rc && errno == ENOENT)
- break;
- }
diff --git a/SOURCES/audit-2.6.7-segfault-fix.patch b/SOURCES/audit-2.6.7-segfault-fix.patch
deleted file mode 100644
index 7c71fa2..0000000
--- a/SOURCES/audit-2.6.7-segfault-fix.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Index: /trunk/src/auditd-event.c
-===================================================================
---- /trunk/src/auditd-event.c (revision 1420)
-+++ /trunk/src/auditd-event.c (revision 1421)
-@@ -444,5 +444,8 @@
- void cleanup_event(struct auditd_event *e)
- {
-- free((void *)e->reply.message);
-+ // Over in send_audit_event we sometimes have message pointing
-+ // into the middle of the reply allocation. Check for it.
-+ if (e->reply.message != e->reply.msg.data)
-+ free((void *)e->reply.message);
- free(e);
- }
diff --git a/SOURCES/audit-2.6.7-syslog.patch b/SOURCES/audit-2.6.7-syslog.patch
deleted file mode 100644
index cc664ea..0000000
--- a/SOURCES/audit-2.6.7-syslog.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -urp audit-2.6.7/audisp/audispd-builtins.c audit-2.6.7.orig/audisp/audispd-builtins.c
---- audit-2.6.7/audisp/audispd-builtins.c 2016-08-02 11:55:31.000000000 -0400
-+++ audit-2.6.7.orig/audisp/audispd-builtins.c 2016-08-09 12:32:54.524964714 -0400
-@@ -327,10 +327,24 @@ static void init_syslog(const plugin_con
- syslog_started = 1;
- }
-
--void send_syslog(const char *s)
-+void send_syslog(const char *s, uint32_t ver)
- {
-- if (syslog_started)
-+ if (syslog_started) {
-+ if (ver == AUDISP_PROTOCOL_VER2) {
-+ char *ptr = strdup(s);
-+ if (ptr) {
-+ char *c = strchr(ptr, AUDIT_INTERP_SEPARATOR);
-+ if (c)
-+ *c = ' ';
-+ syslog(priority, "%s", ptr);
-+ free(ptr);
-+ return;
-+ }
-+ }
-+ // Everything should fall through except success because
-+ // something is better than nothing.
- syslog(priority, "%s", s);
-+ }
- }
-
- void destroy_syslog(void)
-diff -urp audit-2.6.7/audisp/audispd-builtins.h audit-2.6.7.orig/audisp/audispd-builtins.h
---- audit-2.6.7/audisp/audispd-builtins.h 2016-08-02 11:55:31.000000000 -0400
-+++ audit-2.6.7.orig/audisp/audispd-builtins.h 2016-08-09 12:25:38.274976900 -0400
-@@ -31,7 +31,7 @@ void stop_builtin(plugin_conf_t *conf);
- void send_af_unix_string(const char *s, unsigned int len);
- void send_af_unix_binary(event_t *e);
- void destroy_af_unix(void);
--void send_syslog(const char *s);
-+void send_syslog(const char *s, uint32_t ver);
- void destroy_syslog(void);
-
- typedef void (*poll_callback_ptr)(int fd);
-diff -urp audit-2.6.7/audisp/audispd.c audit-2.6.7.orig/audisp/audispd.c
---- audit-2.6.7/audisp/audispd.c 2016-08-02 11:55:31.000000000 -0400
-+++ audit-2.6.7.orig/audisp/audispd.c 2016-08-09 12:25:06.357977791 -0400
-@@ -684,7 +684,7 @@ static int event_loop(void)
-
- /* Now send the event to the right child */
- if (conf->p->type == S_SYSLOG)
-- send_syslog(v);
-+ send_syslog(v, e->hdr.ver);
- else if (conf->p->type == S_AF_UNIX) {
- if (conf->p->format == F_STRING)
- send_af_unix_string(v, len);
diff --git a/SOURCES/audit-2.7-write-log.patch b/SOURCES/audit-2.7-write-log.patch
deleted file mode 100644
index 9d8c0cc..0000000
--- a/SOURCES/audit-2.7-write-log.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-diff -urp audit-2.6.5.orig/src/auditd-config.c audit-2.6.5/src/auditd-config.c
---- audit-2.6.5.orig/src/auditd-config.c 2016-07-14 15:53:39.000000000 +0000
-+++ audit-2.6.5/src/auditd-config.c 2017-01-20 15:59:31.719704789 +0000
-@@ -841,8 +841,7 @@ static int log_format_parser(struct nv_p
- if (config->log_format == LF_NOLOG) {
- audit_msg(LOG_WARNING,
- "The NOLOG option to log_format is deprecated. Please use the write_logs option.");
-- if (config->log_format == LF_NOLOG &&
-- config->write_logs != 0)
-+ if (config->write_logs != 0)
- audit_msg(LOG_WARNING,
- "The NOLOG option is overriding the write_logs current setting.");
- config->write_logs = 0;
-diff -urp audit-2.6.5.orig/src/auditd-event.c audit-2.6.5/src/auditd-event.c
---- audit-2.6.5.orig/src/auditd-event.c 2017-01-20 15:54:57.969419865 +0000
-+++ audit-2.6.5/src/auditd-event.c 2017-01-20 16:04:17.562133973 +0000
-@@ -48,6 +48,8 @@
- extern volatile int stop;
-
- /* Local function prototypes */
-+static void send_ack(const struct auditd_event *e, int ack_type,
-+ const char *msg);
- static void write_to_log(const struct auditd_event *e);
- static void check_log_file_size(void);
- static void check_space_left(void);
-@@ -496,7 +498,7 @@ void handle_event(struct auditd_event *e
- if (config->write_logs == 0)
- return;
- }
-- if (!logging_suspended) {
-+ if (!logging_suspended && config->write_logs) {
- write_to_log(e);
-
- /* See if we need to flush to disk manually */
-@@ -537,7 +539,10 @@ void handle_event(struct auditd_event *e
- }
- }
- }
-- }
-+ } else if (!config->write_logs)
-+ send_ack(e, AUDIT_RMW_TYPE_ACK, "");
-+ // FIXME: When logging is suspended, what should remote do?
-+ // Should probably be new response type
- }
-
- static void send_ack(const struct auditd_event *e, int ack_type,
diff --git a/SOURCES/audit-2.7.1-rhel7-fixup.patch b/SOURCES/audit-2.7.1-rhel7-fixup.patch
new file mode 100644
index 0000000..d34cfb1
--- /dev/null
+++ b/SOURCES/audit-2.7.1-rhel7-fixup.patch
@@ -0,0 +1,21 @@
+diff -urp audit-2.7.1.orig/auparse/classify.c audit-2.7.1/auparse/classify.c
+--- audit-2.7.1.orig/auparse/normalize.c 2016-12-21 19:00:51.000000000 -0500
++++ audit-2.7.1/auparse/normalize.c 2016-12-22 12:22:21.259800153 -0500
+@@ -241,7 +241,7 @@ static void simple_file_attr(auparse_sta
+ switch (type)
+ {
+ case AUDIT_PATH:
+- f = auparse_find_field(au, "nametype");
++ f = auparse_find_field(au, "objtype");
+ if (f && strcmp(f, "PARENT") == 0) {
+ if (parent == 0)
+ parent = auparse_get_record_num(au);
+@@ -280,7 +280,7 @@ static void set_file_object(auparse_stat
+
+ // Now double check that we picked the right one.
+ do {
+- f = auparse_find_field(au, "nametype");
++ f = auparse_find_field(au, "objtype");
+ if (f) {
+ if (strcmp(f, "PARENT"))
+ break;
diff --git a/SOURCES/audit-2.7.5-no-backlog-wait-time.patch b/SOURCES/audit-2.7.5-no-backlog-wait-time.patch
new file mode 100644
index 0000000..8ffca7e
--- /dev/null
+++ b/SOURCES/audit-2.7.5-no-backlog-wait-time.patch
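Review bot: The embedded patch header names two different files: the `diff -urp` line says `auparse/classify.c` while the `---`/`+++` lines that `patch -p1` actually consults say `auparse/normalize.c`, so a reader cannot tell from the header which file the spec's Patch1 comment refers to. Regenerate the patch so all three header lines agree. The two replaced lookups switch from `nametype` to `objtype` with no fallback, so on a record carrying neither key `f` is NULL and the PARENT check is skipped silently; a comment on the first replaced line such as `// RHEL 7 kernel emits objtype= rather than nametype=; see spec Patch1` would record why this build diverges from the rest of the source. Both simple_file_attr and set_file_object continue outside the quoted hunks.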
@@ -0,0 +1,38 @@
+diff -ur audit-2.7.5.orig/docs/auditctl.8 audit-2.7.5/docs/auditctl.8
+--- audit-2.7.5.orig/docs/auditctl.8 2017-04-10 10:22:22.000000000 -0400
++++ audit-2.7.5/docs/auditctl.8 2017-04-10 10:46:51.704436241 -0400
+@@ -10,9 +10,6 @@
+ .BI \-b\ backlog
+ Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.
+ .TP
+-.BI \-\-backlog_wait_time \ \fIwait_time\fP
+-Set the time for the kernel to wait (Kernel Default 60*HZ) when the backlog_limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less that 10 times the default value.
+-.TP
+ .B \-c
+ Continue loading rules in spite of an error. This summarizes the results of loading the rules. The exit code will not be success if any rule fails to load.
+ .TP
+diff -ur audit-2.7.5.orig/docs/Makefile.in audit-2.7.5/docs/Makefile.in
+--- audit-2.7.5.orig/docs/Makefile.in 2017-04-10 10:31:52.000000000 -0400
++++ audit-2.7.5/docs/Makefile.in 2017-04-10 10:49:12.389447484 -0400
+@@ -373,7 +373,7 @@
+ ausearch_next_event.3 ausearch_set_stop.3 \
+ autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \
+ audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \
+-augenrules.8 audit_set_backlog_wait_time.3 \
++augenrules.8 \
+ zos-remote.conf.5
+
+ all: all-am
+diff -ur audit-2.7.5.orig/rules/10-base-config.rules audit-2.7.5/rules/10-base-config.rules
+--- audit-2.7.5.orig/rules/10-base-config.rules 2017-04-10 10:22:22.000000000 -0400
++++ audit-2.7.5/rules/10-base-config.rules 2017-04-10 10:47:56.555441424 -0400
+@@ -5,9 +5,6 @@
+ ## Make this bigger for busy systems
+ -b 8192
+
+-## This determine how long to wait in burst of events
+---backlog_wait_time 0
+-
+ ## Set failure mode to syslog
+ -f 1
+
diff --git a/SOURCES/audit-2.7.7-aureport.patch b/SOURCES/audit-2.7.7-aureport.patch
new file mode 100644
index 0000000..81ef3ea
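Review bot: The Makefile hunk edits only the generated `docs/Makefile.in` and not `docs/Makefile.am`; the spec's %build runs `%configure` without autoreconf, so it holds today, but any later regeneration quietly restores `audit_set_backlog_wait_time.3` to the installed man pages this patch means to hide. Patching `docs/Makefile.am` the same way would make the patch self-contained. No C file is touched, so the `--backlog_wait_time` option itself presumably still parses in auditctl and only the documentation and the default rule go away; a sentence saying so next to the `DO NOT REMOVE` comment in the spec would spare the next maintainer the investigation.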
--- /dev/null
+++ b/SOURCES/audit-2.7.7-aureport.patch
@@ -0,0 +1,44 @@
+diff -urp audit-2.7.7.orig/src/aureport-scan.c audit-2.7.7/src/aureport-scan.c
+--- audit-2.7.7.orig/src/aureport-scan.c 2017-03-27 18:21:19.000000000 -0400
++++ audit-2.7.7/src/aureport-scan.c 2017-06-08 16:06:48.232990012 -0400
+@@ -452,7 +452,8 @@ static int per_event_summary(llist *l)
+ } else {
+ if (list_find_msg_range(l,
+ AUDIT_FIRST_KERN_ANOM_MSG,
+- AUDIT_LAST_KERN_ANOM_MSG)) {
++ AUDIT_LAST_KERN_ANOM_MSG) ||
++ list_find_msg(l, AUDIT_SECCOMP) ) {
+ ilist_add_if_uniq(&sd.anom_list,
+ l->head->type, 0);
+ }
+@@ -729,7 +730,8 @@ static int per_event_detailed(llist *l)
+ } else {
+ if (list_find_msg_range(l,
+ AUDIT_FIRST_KERN_ANOM_MSG,
+- AUDIT_LAST_KERN_ANOM_MSG)) {
++ AUDIT_LAST_KERN_ANOM_MSG) ||
++ list_find_msg(l, AUDIT_SECCOMP) ) {
+ print_per_event_item(l);
+ rc = 1;
+ }
+diff -urp audit-2.7.7.orig/src/ausearch-parse.c audit-2.7.7/src/ausearch-parse.c
+--- audit-2.7.7.orig/src/ausearch-parse.c 2017-03-27 18:21:19.000000000 -0400
++++ audit-2.7.7/src/ausearch-parse.c 2017-06-08 16:00:13.856999833 -0400
+@@ -2080,7 +2080,7 @@ static int parse_kernel_anom(const lnode
+ str = strstr(term, "exe=");
+ if (str) {
+ str += 4;
+- if (*str == '"') {
++ if (*str == '"') {
+ str++;
+ term = strchr(str, '"');
+ if (term == NULL)
+@@ -2090,7 +2090,7 @@ static int parse_kernel_anom(const lnode
+ *term = '"';
+ } else
+ s->exe = unescape(str);
+- } else
++ } else if (n->type != AUDIT_ANOM_ABEND)
+ return 14;
+ }
+
diff --git a/SOURCES/audit-2.7.7-queue_error_action.patch b/SOURCES/audit-2.7.7-queue_error_action.patch
new file mode 100644
index 0000000..ad6cb76
--- /dev/null
+++ b/SOURCES/audit-2.7.7-queue_error_action.patch
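Review bot: The second ausearch-parse.c hunk lets parse_kernel_anom succeed for AUDIT_ANOM_ABEND records that carry no `exe=` field, which leaves `s->exe` untouched by this branch (presumably NULL if the search struct is zeroed), so every consumer of `s->exe` must now tolerate that; a comment on the changed line, `} else if (n->type != AUDIT_ANOM_ABEND) /* ABEND may lack exe=; s->exe stays unset */`, would record the new contract. The first ausearch-parse.c hunk replaces `if (*str == '"') {` with identical text, so it is a whitespace-only change that should be dropped to keep the patch minimal. In both aureport-scan.c hunks the added `list_find_msg(l, AUDIT_SECCOMP) )` carries a stray space before the closing parenthesis. per_event_summary, per_event_detailed and parse_kernel_anom all continue outside the quoted hunks.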
@@ -0,0 +1,12 @@
+diff -urp audit-2.7.7.orig/audisp/plugins/remote/audisp-remote.conf audit-2.7.7/audisp/plugins/remote/audisp-remote.conf
+--- audit-2.7.7.orig/audisp/plugins/remote/audisp-remote.conf 2017-03-27 18:21:19.000000000 -0400
++++ audit-2.7.7/audisp/plugins/remote/audisp-remote.conf 2017-05-26 13:40:38.950027312 -0400
+@@ -23,7 +23,7 @@ disk_error_action = warn_once
+ remote_ending_action = reconnect
+ generic_error_action = syslog
+ generic_warning_action = syslog
+-queue_error = stop
++queue_error_action = stop
+ overflow_action = syslog
+
+ ##enable_krb5 = no
diff --git a/SPECS/audit.spec b/SPECS/audit.spec
index 74b6e7a..1e4b8ef 100644
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
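Review bot: The corrected keyword only reaches new installations: an audisp-remote.conf already on disk still says `queue_error = stop`, and nothing on this page shows whether the plugin rejects the unknown key or silently falls back to a default, so the intended stop-on-queue-error action may never take effect on upgraded hosts. A comment above the corrected line, `# keyword was 'queue_error' before 2.7.6-2; check existing configs`, plus a mention in the changelog entry for #1455594, would make that upgrade step visible to administrators.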
@@ -2,24 +2,20 @@ Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 2.6.5 -Release: 3%{?dist}.1 +Version: 2.7.6 +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://people.redhat.com/sgrubb/audit/ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz -# bz 1358831 - group ownership and permissions of /var/log/audit -Patch1: audit-2.6.5-directory-permissions.patch -# bz 1358775 - autrace: Error - can't get rule count -Patch2: audit-2.6.5-autrace.patch -# bz 1362582 - regenerated audit.rules context and permissions changed -Patch3: audit-2.6.7-augenrules.patch -Patch4: audit-2.6.7-log-perms.patch -Patch5: audit-2.6.7-syslog.patch -# bz 1415726 - Setting log_format to NOLOG make auditd core dump -Patch6: audit-2.6.7-segfault-fix.patch -# bz 1415724 - write_logs option is not correctly handled -Patch7: audit-2.7-write-log.patch +# This patch switches collecting nametype for objtype because RHEL is different +Patch1: audit-2.7.1-rhel7-fixup.patch +# DO NOT REMOVE - backlog_wait_time is not in RHEL 7 kernel +Patch2: audit-2.7.5-no-backlog-wait-time.patch +# BZ 1455594 - Bad configuration keyword for audispd-remote.conf +Patch3: audit-2.7.7-queue_error_action.patch +# BZ 1460110 - aureport does not report all anomalies +Patch4: audit-2.7.7-aureport.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openldap-devel BuildRequires: swig @@ -34,7 +30,7 @@ Requires(postun): systemd-units coreutils %description The audit package contains the user space utilities for -storing and searching the audit records generate by +storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel. %package libs 
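Review bot: The rebase drops Patch1 (audit-2.6.5-directory-permissions.patch), Patch3 (audit-2.6.7-augenrules.patch) and Patch4 (audit-2.6.7-log-perms.patch), which removed group write from the /var/log/audit directory, made augenrules set audit.rules to 0640 and restore its SELinux context, and dropped the owner write bit on rotated logs, yet neither the new Patch comments nor the changelog say that 2.7.6 carries equivalent fixes. Please verify those permission changes are present upstream in this version (or re-add the patches) and record that in the changelog, since a silent regression here widens who can read or alter audit logs and rules. The dropped autrace, syslog, segfault and write_logs patches (Patch2, Patch5, Patch6, Patch7) deserve the same check, though they are functional rather than permission fixes.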
@@ -98,9 +94,6 @@ behavior. %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p2 -%patch7 -p1 %build %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-arm --with-aarch64 \ @@ -160,12 +153,12 @@ rm -rf $RPM_BUILD_ROOT # Copy default rules into place on new installation files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w` if [ "$files" -eq 0 ] ; then - if [ -e /usr/share/doc/audit/rules/10-base-config.rules ] ; then - cp /usr/share/doc/audit/rules/10-base-config.rules /etc/audit/rules.d/audit.rules - else - touch /etc/audit/rules.d/audit.rules - fi - chmod 0600 /etc/audit/rules.d/audit.rules + if [ -e /usr/share/doc/audit-%{version}/rules/10-base-config.rules ] ; then + cp /usr/share/doc/audit-%{version}/rules/10-base-config.rules /etc/audit/rules.d/audit.rules + else + touch /etc/audit/rules.d/audit.rules + fi + chmod 0600 /etc/audit/rules.d/audit.rules fi %systemd_post auditd.service 
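Review bot: The %post hunk spells the rules source as `/usr/share/doc/audit-%{version}/rules/10-base-config.rules`; `%{_pkgdocdir}/rules/10-base-config.rules` (the rpm macro for the package doc directory, versioned on RHEL 7) would track wherever %doc actually installs the file, which is exactly what broke in #1437187. The `cp` result is still unchecked and `chmod 0600` runs regardless, so a failed copy leaves rules.d without an audit.rules and only a chmod error in the install log; `cp ... && chmod 0600 /etc/audit/rules.d/audit.rules` or an `-e` test after the copy would surface that. The earlier hunk only removes the `%patch5`-`%patch7` lines to match the spec header.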
@@ -274,9 +267,33 @@ fi %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %changelog -* Fri Jan 20 2017 Steve Grubb 2.6.5-3.1 -resolves: #1415724 - write_logs option is not correctly handled -resolves: #1415726 - Setting log_format to NOLOG make auditd core dump +* Mon Jun 12 2017 Steve Grubb 2.7.6-3 +resolves: #1460110 - aureport does not report all anomalies + +* Fri May 26 2017 Steve Grubb 2.7.6-2 +resolves: #1455594 - Bad configuration keyword for audispd-remote.conf + +* Wed Apr 19 2017 Steve Grubb 2.7.6-1 +resolves: #1443107 - disk full action and infinite loop in audit-remote + +* Mon Apr 10 2017 Steve Grubb 2.7.5-1 +resolves: #1437187 - audit rpm postinstall script points to non-existing file +resolves: #1437426 - Remove "--backlog_wait_time" from auditctl man page & rules +resolves: #1437626 - PF_PACKET socket address will cause ausearch to segfault +resolves: #1438997 - SECCOMP records have wrong syscall + +* Tue Mar 28 2017 Steve Grubb 2.7.4-1 +resolves: #1367703 - auvirt wasn't supporting date keywords +resolves: #1396792 - augenrules includes files ending in regexp "rules" +resolves: #1406525 - ausearch with '--raw' parameter outputs garbage character + +* Tue Feb 28 2017 Steve Grubb 2.7.3-1 +resolves: #1381601 - audit package update +resolves: #1382381 - typo in package description + +* Fri Jan 20 2017 Steve Grubb 2.6.5-4 +resolves: #1382397 - write_logs option is not correctly handled +resolves: #1414812 - Setting log_format to NOLOG make auditd core dump * Wed Aug 10 2016 Steve Grubb 2.6.5-3 resolves: #1296204 - Rebase audit package