From ade0363af5cb5de5d1d2598720d1f37d9ebcd2eb Mon Sep 17 00:00:00 2001 From: CentOS Buildsys Date: Mar 18 2014 21:37:10 +0000 Subject: import audit-2.3.3-4.el7.src.rpm --- diff --git a/.audit.metadata b/.audit.metadata index 935e45b..85ae7fa 100644 --- a/.audit.metadata +++ b/.audit.metadata @@ -1 +1 @@ -fb135dc049b3cc60843045fd67fa9704b4aba67a SOURCES/audit-2.3.2.tar.gz +58ea81cb6052fc3a1d1ec5e5accebc0aaf7c8d1a SOURCES/audit-2.3.3.tar.gz diff --git a/SOURCES/audit-2.3.3-augenrules.patch b/SOURCES/audit-2.3.3-augenrules.patch new file mode 100644 index 0000000..f408308 --- /dev/null +++ b/SOURCES/audit-2.3.3-augenrules.patch @@ -0,0 +1,21 @@ +diff -urp audit-2.3.3.orig/init.d/auditd.service audit-2.3.3/init.d/auditd.service +--- audit-2.3.3.orig/init.d/auditd.service 2014-01-16 06:24:42.000000000 -0500 ++++ audit-2.3.3/init.d/auditd.service 2014-03-18 12:47:13.682617960 -0400 +@@ -8,12 +8,11 @@ RefuseManualStop=yes + + [Service] + ExecStart=/sbin/auditd -n +-## To use augenrules, copy this file to /etc/systemd/system/auditd.service +-## and uncomment the next line and delete/comment out the auditctl line. +-## Then copy existing rules to /etc/audit/rules.d/ +-## Not doing this last step can cause loss of existing rules +-#ExecStartPost=-/sbin/augenrules --load +-ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules ++## To not use augenrules, copy this file to /etc/systemd/system/auditd.service ++## and comment/delete the next line and uncomment the auditctl line. ++## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ ++ExecStartPost=-/sbin/augenrules --load ++#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules + ExecReload=/bin/kill -HUP $MAINPID + + [Install] diff --git a/SOURCES/audit-2.3.3-login.patch b/SOURCES/audit-2.3.3-login.patch new file mode 100644 index 0000000..f8701dc --- /dev/null +++ b/SOURCES/audit-2.3.3-login.patch @@ -0,0 +1,86 @@ +diff -urp audit-2.3.3.orig/src/ausearch-parse.c audit-2.3.3/src/ausearch-parse.c +--- audit-2.3.3.orig/src/ausearch-parse.c 2014-03-18 12:18:17.376764161 -0400 ++++ audit-2.3.3/src/ausearch-parse.c 2014-03-18 12:21:10.924749548 -0400 +@@ -1106,14 +1106,41 @@ static int parse_login(const lnode *n, s + s->uid = strtoul(ptr, NULL, 10); + if (errno) + return 6; +- // get loginuid + *term = ' '; ++ // optionally get subj ++ if (event_subject) { ++ str = strstr(term, "subj="); ++ if (str) { ++ ptr = str + 5; ++ term = strchr(ptr, ' '); ++ if (term == NULL) ++ return 12; ++ *term = 0; ++ if (audit_avc_init(s) == 0) { ++ anode an; ++ ++ anode_init(&an); ++ an.scontext = strdup(str); ++ alist_append(s->avc, &an); ++ *term = ' '; ++ } else ++ return 13; ++ *term = ' '; ++ } ++ } ++ // get loginuid + str = strstr(term, "new auid="); + if (str == NULL) { +- str = strstr(term, "new loginuid="); +- if (str == NULL) +- return 7; +- ptr = str + 13; ++ // 3.14 kernel changed it to the next line ++ str = strstr(term, " auid="); ++ if (str == NULL) { ++ str = strstr(term, "new loginuid="); ++ if (str == NULL) ++ return 7; ++ ptr = str + 13; ++ } ++ else ++ ptr = str + 6; + } else + ptr = str + 9; + term = strchr(ptr, ' '); +@@ -1148,18 +1175,24 @@ static int parse_login(const lnode *n, s + if (term == NULL) + term = n->message; + str = strstr(term, "new ses="); +- if (str) { +- ptr = str + 8; +- term = strchr(ptr, ' '); +- if (term) +- *term = 0; +- errno = 0; +- s->session_id = strtoul(ptr, NULL, 10); +- if (errno) +- return 11; +- if (term) +- *term = ' '; ++ if (str == NULL) { ++ // The 3.14 kernel changed it to the next line ++ str = strstr(term, " ses="); ++ if (str == NULL) ++ return 14; ++ ptr = str + 5; + } ++ else ++ ptr = str + 8; ++ term = strchr(ptr, ' '); ++ if (term) ++ *term = 0; ++ errno = 0; ++ s->session_id = strtoul(ptr, NULL, 10); ++ if (errno) ++ return 11; ++ if (term) ++ *term = ' '; + } + return 0; + } diff --git a/SOURCES/audit-2.3.3-remote.patch b/SOURCES/audit-2.3.3-remote.patch new file mode 100644 index 0000000..fda01a9 --- /dev/null +++ b/SOURCES/audit-2.3.3-remote.patch @@ -0,0 +1,13 @@ +diff -urp audit-2.3.3.orig/audisp/plugins/remote/audisp-remote.c audit-2.3.3/audisp/plugins/remote/audisp-remote.c +--- audit-2.3.3.orig/audisp/plugins/remote/audisp-remote.c 2014-01-16 06:24:42.000000000 -0500 ++++ audit-2.3.3/audisp/plugins/remote/audisp-remote.c 2014-03-18 12:36:32.574671943 -0400 +@@ -1063,6 +1063,9 @@ static int init_transport(void) + { + case T_TCP: + rc = init_sock(); ++ // We set this so that it will retry the connection ++ if (rc == ET_TEMPORARY) ++ remote_ended = 1; + break; + default: + rc = ET_PERMANENT; diff --git a/SOURCES/audit-2.3.3-uid-1000.patch b/SOURCES/audit-2.3.3-uid-1000.patch new file mode 100644 index 0000000..ad5fc34 --- /dev/null +++ b/SOURCES/audit-2.3.3-uid-1000.patch @@ -0,0 +1,101 @@ +diff -urp audit-2.3.3.orig/contrib/stig.rules audit-2.3.3/contrib/stig.rules +--- audit-2.3.3.orig/contrib/stig.rules 2014-03-18 13:07:27.658515740 -0400 ++++ audit-2.3.3/contrib/stig.rules 2014-03-18 13:08:25.979510829 -0400 +@@ -16,7 +16,7 @@ + ## NOTE: + ## 1) if this is being used on a 32 bit machine, comment out the b64 lines + ## 2) These rules assume that login under the root account is not allowed. +-## 3) It is also assumed that 500 represents the first usable user account. To ++## 3) It is also assumed that 1000 represents the first usable user account. To + ## be sure, look at UID_MIN in /etc/login.defs. + ## 4) If these rules generate too much spurious data for your tastes, limit the + ## the syscall file rules with a directory, like -F dir=/etc +@@ -102,22 +102,22 @@ + + ##- Discretionary access control permission modification (unsuccessful + ## and successful use of chown/chmod) +--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod +--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod +--a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod +--a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod +--a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod +--a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod ++-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod ++-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod ++-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod ++-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod ++-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod ++-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod + + ##- Unauthorized access attempts to files (unsuccessful) +--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access +--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access +--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access +--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access ++-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access ++-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access ++-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access ++-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access + + ##- Use of privileged commands (unsuccessful and successful) + ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this +--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged ++-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged + + ##- Use of print command (unsuccessful and successful) + +@@ -125,14 +125,14 @@ + ## You have to mount media before using it. You must disable all automounting + ## so that its done manually in order to get the correct user requesting the + ## export +--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export +--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export ++-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export ++-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export + + ##- System startup and shutdown (unsuccessful and successful) + + ##- Files and programs deleted by the user (successful and unsuccessful) +--a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete +--a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete ++-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete ++-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete + + ##- All system administration actions + ##- All security personnel actions +@@ -160,10 +160,6 @@ + #-a always,exit -F arch=b32 -S ptrace -F a0=6 -k register-injection + #-a always,exit -F arch=b64 -S ptrace -F a0=6 -k register-injection + +-## Optional - could be an attempt to bypass audit or simply legacy program +-#-a always,exit -F arch=b32 -S personality -F a0!=4294967295 -k bypass +-#-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k bypass +- + ## Optional - might want to watch module insertion + #-w /sbin/insmod -p x -k modules + #-w /sbin/rmmod -p x -k modules +@@ -174,7 +170,7 @@ + #-a always,exit -F arch=b64 -S delete_module -k module-unload + + ## Optional - admin may be abusing power by looking in user's home dir +-#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse ++#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + + ## Optional - log container creation + #-a always,exit -F arch=b32 -S clone -F a0&2080505856 -k container-create +diff -urp audit-2.3.3.orig/docs/audit.rules.7 audit-2.3.3/docs/audit.rules.7 +--- audit-2.3.3.orig/docs/audit.rules.7 2014-03-18 13:07:29.580515578 -0400 ++++ audit-2.3.3/docs/audit.rules.7 2014-03-18 13:07:58.584513136 -0400 +@@ -76,10 +76,10 @@ After the syscall is specified, you woul + .B \-F + options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things. + +-The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule: ++The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule: + + .nf +-\-F auid>=500 \-F auid!=4294967295 ++\-F auid>=1000 \-F auid!=4294967295 + .fi + + These individual checks are "anded" and both have to be true. diff --git a/SOURCES/audit-2.3.5-debug.patch b/SOURCES/audit-2.3.5-debug.patch new file mode 100644 index 0000000..4b42b34 --- /dev/null +++ b/SOURCES/audit-2.3.5-debug.patch @@ -0,0 +1,104 @@ +diff -urp audit-2.3.5.orig/docs/ausearch.8 audit-2.3.5/docs/ausearch.8 +--- audit-2.3.5.orig/docs/ausearch.8 2014-03-10 13:31:14.000000000 -0400 ++++ audit-2.3.5/docs/ausearch.8 2014-03-11 10:51:13.385867279 -0400 +@@ -21,6 +21,9 @@ Search for an event based on the given \ + .BR \-c ,\ \-\-comm \ \fIcomm-name\fP + Search for an event based on the given \fIcomm name\fP. The comm name is the executable's name from the task structure. + .TP ++.BR \-\-debug ++Write malformed events that are skipped to stderr. ++.TP + .BR \-e,\ \-\-exit \ \fIexit-code-or-errno\fP + Search for an event based on the given syscall \fIexit code or errno\fP. + .TP +diff -urp audit-2.3.5.orig/src/aureport-options.c audit-2.3.5/src/aureport-options.c +--- audit-2.3.5.orig/src/aureport-options.c 2014-03-10 13:31:14.000000000 -0400 ++++ audit-2.3.5/src/aureport-options.c 2014-03-11 10:41:08.604806542 -0400 +@@ -56,6 +56,7 @@ const char *event_uuid = NULL; + const char *event_vmname = NULL; + int event_exit = 0, event_exit_is_set = 0; + int event_ppid = -1, event_session_id = -2; ++int event_debug = 0; + + /* These are used by aureport */ + const char *dummy = "dummy"; +diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c +--- audit-2.3.5.orig/src/ausearch-options.c 2014-03-10 13:31:14.000000000 -0400 ++++ audit-2.3.5/src/ausearch-options.c 2014-03-11 10:26:49.577720272 -0400 +@@ -55,6 +55,7 @@ int just_one = 0; + int event_session_id = -2; + int event_exit = 0, event_exit_is_set = 0; + int line_buffered = 0; ++int event_debug = 0; + const char *event_key = NULL; + const char *event_filename = NULL; + const char *event_exe = NULL; +@@ -81,13 +82,14 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG + S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, + S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT, + S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT, +-S_LINEBUFFERED, S_UUID, S_VMNAME}; ++S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG }; + + static struct nv_pair optiontab[] = { + { S_EVENT, "-a" }, + { S_EVENT, "--event" }, + { S_COMM, "-c" }, + { S_COMM, "--comm" }, ++ { S_DEBUG, "--debug" }, + { S_EXIT, "-e" }, + { S_EXIT, "--exit" }, + { S_FILENAME, "-f" }, +@@ -176,6 +178,7 @@ static void usage(void) + printf("usage: ausearch [options]\n" + "\t-a,--event \tsearch based on audit event id\n" + "\t-c,--comm \t\tsearch based on command line name\n" ++ "\t --debug\t\t\tWrite malformed events that are skipped to stderr\n" + "\t-e,--exit \tsearch based on syscall exit code\n" + "\t-f,--file \t\tsearch based on file name\n" + "\t-ga,--gid-all \tsearch based on All group ids\n" +@@ -1099,6 +1102,9 @@ int check_params(int count, char *vars[] + case S_LINEBUFFERED: + line_buffered = 1; + break; ++ case S_DEBUG: ++ event_debug = 1; ++ break; + default: + fprintf(stderr, "%s is an unsupported option\n", + vars[c]); +diff -urp audit-2.3.5.orig/src/ausearch-options.h audit-2.3.5/src/ausearch-options.h +--- audit-2.3.5.orig/src/ausearch-options.h 2014-03-10 13:31:14.000000000 -0400 ++++ audit-2.3.5/src/ausearch-options.h 2014-03-11 10:07:12.631602075 -0400 +@@ -36,6 +36,7 @@ extern const char *event_object; + extern int event_se; + extern int just_one; + extern int line_buffered; ++extern int event_debug; + extern pid_t event_ppid; + extern int event_session_id; + extern ilist *event_type; +diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c +--- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-10 13:31:14.000000000 -0400 ++++ audit-2.3.5/src/ausearch-parse.c 2014-03-11 10:31:00.205745442 -0400 +@@ -168,11 +168,17 @@ int extract_search_items(llist *l) + ret = parse_tty(n, s); + break; + default: +- // printf("unparsed type:%d\n", n->type); ++ if (event_debug) ++ fprintf(stderr, ++ "Unparsed type:%d\n - skipped", ++ n->type); + break; + } +- // if (ret) printf("type:%d ret:%d\n", n->type, ret); +- } while ((n=list_next(l)) && ret==0); ++ if (event_debug && ret) ++ fprintf(stderr, ++ "Malformed event skipped, rc=%d. %s\n", ++ ret, n->message); ++ } while ((n=list_next(l)) && ret == 0); + } + return ret; + } diff --git a/SOURCES/audit-2.3.5-fp.patch b/SOURCES/audit-2.3.5-fp.patch new file mode 100644 index 0000000..25ab793 --- /dev/null +++ b/SOURCES/audit-2.3.5-fp.patch @@ -0,0 +1,12 @@ +diff -urp audit-2.3.5.orig/auparse/interpret.c audit-2.3.5/auparse/interpret.c +--- audit-2.3.5.orig/auparse/interpret.c 2014-02-27 09:06:10.000000000 -0500 ++++ audit-2.3.5/auparse/interpret.c 2014-03-07 12:09:40.896400420 -0500 +@@ -2276,6 +2276,8 @@ int auparse_interp_adjust_type(int rtype + type = AUPARSE_TYPE_FLAGS; + else if (rtype == AUDIT_MQ_OPEN && strcmp(name, "mode") == 0) + type = AUPARSE_TYPE_MODE_SHORT; ++ else if (rtype == AUDIT_CRYPTO_KEY_USER && strcmp(name, "fp") == 0) ++ type = AUPARSE_TYPE_UNCLASSIFIED; + else + type = lookup_type(name); + diff --git a/SOURCES/audit-2.3.5-rotate.patch b/SOURCES/audit-2.3.5-rotate.patch new file mode 100644 index 0000000..90b0b73 --- /dev/null +++ b/SOURCES/audit-2.3.5-rotate.patch @@ -0,0 +1,13 @@ +diff -urp audit-2.3.5.orig/src/auditd-event.c audit-2.3.5/src/auditd-event.c +--- audit-2.3.5.orig/src/auditd-event.c 2014-03-11 13:45:06.000000000 -0400 ++++ audit-2.3.5/src/auditd-event.c 2014-03-11 15:23:10.971506011 -0400 +@@ -705,7 +705,8 @@ static void rotate_logs(struct auditd_co + unsigned int len, i; + char *oldname, *newname; + +- if (data->config->num_logs < 2) ++ if (data->config->max_log_size_action == SZ_ROTATE && ++ data->config->num_logs < 2) + return; + + /* Close audit file. fchmod and fchown errors are not fatal because we diff --git a/SOURCES/audit-2.3.5-seccomp.patch b/SOURCES/audit-2.3.5-seccomp.patch new file mode 100644 index 0000000..98974f5 --- /dev/null +++ b/SOURCES/audit-2.3.5-seccomp.patch @@ -0,0 +1,112 @@ +diff -urp audit-2.3.5.orig/src/ausearch-common.h audit-2.3.5/src/ausearch-common.h +--- audit-2.3.5.orig/src/ausearch-common.h 2014-03-12 12:30:31.000000000 -0400 ++++ audit-2.3.5/src/ausearch-common.h 2014-03-17 17:08:27.200016460 -0400 +@@ -1,5 +1,5 @@ + /* ausearch-common.h -- +- * Copyright 2006-08,2010 Red Hat Inc., Durham, North Carolina. ++ * Copyright 2006-08,2010,2014 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2011 IBM Corp. + * All Rights Reserved. + * +@@ -41,6 +41,7 @@ extern const char *event_filename; + extern const char *event_hostname; + extern const char *event_terminal; + extern int event_syscall; ++extern int event_machine; + extern const char *event_exe; + extern int event_ua, event_ga; + extern int event_exit, event_exit_is_set; +diff -urp audit-2.3.5.orig/src/ausearch-match.c audit-2.3.5/src/ausearch-match.c +--- audit-2.3.5.orig/src/ausearch-match.c 2014-03-12 12:30:31.000000000 -0400 ++++ audit-2.3.5/src/ausearch-match.c 2014-03-17 17:08:27.200016460 -0400 +@@ -84,9 +84,14 @@ int match(llist *l) + if ((event_pid != -1) && + (event_pid != l->s.pid)) + return 0; +- if ((event_syscall != -1) && +- (event_syscall != l->s.syscall)) +- return 0; ++ if (event_syscall != -1) { ++ if (event_syscall != l->s.syscall) ++ return 0; ++ if (event_machine != -1 && ++ (event_machine != ++ audit_elf_to_machine(l->s.arch))) ++ return 0; ++ } + if ((event_session_id != -2) && + (event_session_id != l->s.session_id)) + return 0; +diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c +--- audit-2.3.5.orig/src/ausearch-options.c 2014-03-12 12:30:31.000000000 -0400 ++++ audit-2.3.5/src/ausearch-options.c 2014-03-17 17:08:27.200016460 -0400 +@@ -49,7 +49,7 @@ pid_t event_pid = -1, event_ppid = -1; + success_t event_success = S_UNSET; + int event_exact_match = 0; + uid_t event_uid = -1, event_euid = -1, event_loginuid = -2; +-int event_syscall = -1; ++int event_syscall = -1, event_machine = -1; + int event_ua = 0, event_ga = 0, event_se = 0; + int just_one = 0; + int event_session_id = -2; +@@ -661,6 +661,7 @@ int check_params(int count, char *vars[] + optarg); + retval = -1; + } ++ event_machine = machine; + } + c++; + break; +diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c +--- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-12 12:30:31.000000000 -0400 ++++ audit-2.3.5/src/ausearch-parse.c 2014-03-17 17:09:33.344014612 -0400 +@@ -1883,6 +1883,37 @@ static int parse_kernel_anom(const lnode + } + } + ++ if (n->type == AUDIT_SECCOMP) { ++ // get arch ++ str = strstr(term, "arch="); ++ if (str == NULL) ++ return 0; // A few kernel versions don't have it ++ ptr = str + 5; ++ term = strchr(ptr, ' '); ++ if (term == NULL) ++ return 12; ++ *term = 0; ++ errno = 0; ++ s->arch = (int)strtoul(ptr, NULL, 16); ++ if (errno) ++ return 13; ++ *term = ' '; ++ // get syscall ++ str = strstr(term, "syscall="); ++ if (str == NULL) ++ return 14; ++ ptr = str + 8; ++ term = strchr(ptr, ' '); ++ if (term == NULL) ++ return 15; ++ *term = 0; ++ errno = 0; ++ s->syscall = (int)strtoul(ptr, NULL, 10); ++ if (errno) ++ return 16; ++ *term = ' '; ++ } ++ + return 0; + } + +diff -urp audit-2.3.5.orig/src/ausearch-report.c audit-2.3.5/src/ausearch-report.c +--- audit-2.3.5.orig/src/ausearch-report.c 2014-03-12 12:30:31.000000000 -0400 ++++ audit-2.3.5/src/ausearch-report.c 2014-03-17 17:08:27.201016460 -0400 +@@ -335,7 +335,7 @@ static void interpret(char *name, char * + } + type = auparse_interp_adjust_type(rtype, name, val); + +- if (rtype == AUDIT_SYSCALL) { ++ if (rtype == AUDIT_SYSCALL || rtype == AUDIT_SECCOMP) { + if (machine == (unsigned long)-1) + machine = audit_detect_machine(); + if (*name == 'a' && strcmp(name, "arch") == 0) { diff --git a/SOURCES/ausearch.patch b/SOURCES/ausearch.patch deleted file mode 100644 index 0dccd6a..0000000 --- a/SOURCES/ausearch.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -ur tags/audit-2.3.2/src/ausearch-parse.c trunk/src/ausearch-parse.c ---- tags/audit-2.3.2/src/ausearch-parse.c 2013-07-29 17:36:18.412837824 -0400 -+++ trunk/src/ausearch-parse.c 2013-08-01 09:37:48.661798043 -0400 -@@ -98,6 +98,7 @@ - case AUDIT_PATH: - ret = parse_path(n, s); - break; -+ case AUDIT_USER: - case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: - case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2: - ret = parse_user(n, s); diff --git a/SOURCES/mac_config_change.patch b/SOURCES/mac_config_change.patch deleted file mode 100644 index b3f1e50..0000000 --- a/SOURCES/mac_config_change.patch +++ /dev/null @@ -1,24 +0,0 @@ -Index: lib/libaudit.h -=================================================================== ---- lib/libaudit.h (revision 872) -+++ lib/libaudit.h (working copy) -@@ -186,6 +186,7 @@ - #define AUDIT_FS_RELABEL 2309 /* Filesystem relabeled */ - #define AUDIT_USER_MAC_POLICY_LOAD 2310 /* Userspc daemon loaded policy */ - #define AUDIT_ROLE_MODIFY 2311 /* Admin modified a role */ -+#define AUDIT_USER_MAC_CONFIG_CHANGE 2312 /* Change made to MAC policy */ - - #define AUDIT_FIRST_CRYPTO_MSG 2400 - #define AUDIT_CRYPTO_TEST_USER 2400 /* Crypto test results */ -Index: lib/msg_typetab.h -=================================================================== ---- lib/msg_typetab.h (revision 871) -+++ lib/msg_typetab.h (working copy) -@@ -190,6 +190,7 @@ - _S(AUDIT_FS_RELABEL, "FS_RELABEL" ) - _S(AUDIT_USER_MAC_POLICY_LOAD, "USER_MAC_POLICY_LOAD" ) - _S(AUDIT_ROLE_MODIFY, "ROLE_MODIFY" ) -+_S(AUDIT_USER_MAC_CONFIG_CHANGE, "USER_MAC_CONFIG_CHANGE" ) - _S(AUDIT_CRYPTO_TEST_USER, "CRYPTO_TEST_USER" ) - _S(AUDIT_CRYPTO_PARAM_CHANGE_USER, "CRYPTO_PARAM_CHANGE_USER" ) - _S(AUDIT_CRYPTO_LOGIN, "CRYPTO_LOGIN" ) diff --git a/SPECS/audit.spec b/SPECS/audit.spec index ecc5a3f..54f16cc 100644 --- a/SPECS/audit.spec +++ b/SPECS/audit.spec @@ -5,16 +5,28 @@ Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 2.3.2 -Release: 3%{?dist} +Version: 2.3.3 +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://people.redhat.com/sgrubb/audit/ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz -# Fixed upstream -Patch1: ausearch.patch -# Upstream commit 881 -Patch2: mac_config_change.patch +# CRYPTO_KEY_USER fp field interpretation collision +Patch1: audit-2.3.5-fp.patch +# Add --debug option to ausearch +Patch2: audit-2.3.5-debug.patch +# Correct parsing of AUDIT_LOGIN events due to kernel changes +Patch3: audit-2.3.3-login.patch +# When shifting logs, ignore num_logs (#950158) +Patch4: audit-2.3.5-rotate.patch +# Interpret syscall in AUDIT_SECCOMP events +Patch5: audit-2.3.5-seccomp.patch +# Fix retry logic when temporary network failure during remote logging #1028635 +Patch6: audit-2.3.3-remote.patch +# Default to using augenrules to create audit.rules +Patch7: audit-2.3.3-augenrules.patch +# Adjust beginning user id's to 1000 +Patch8: audit-2.3.3-uid-1000.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: swig python-devel BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel @@ -92,8 +104,22 @@ behavior. %prep %setup -q +# CRYPTO_KEY_USER %patch1 -p1 -%patch2 -p0 +# --debug +%patch2 -p1 +# AUDIT_LOGIN +%patch3 -p1 +# ignore num_logs +%patch4 -p1 +# AUDIT_SECCOMP +%patch5 -p1 +# Remote logging +%patch6 -p1 +# augenrules +%patch7 -p1 +# uid 1000 +%patch8 -p1 %build %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-armeb --with-aarch64 \ @@ -166,7 +192,6 @@ fi %preun %if %{WITH_SYSTEMD} -/sbin/service auditd stop > /dev/null 2>&1 %systemd_preun auditd.service %else if [ $1 -eq 0 ]; then @@ -277,6 +302,20 @@ fi %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %changelog +* Tue Mar 17 2014 Steve Grubb 2.3.3-4 +resolves: #1077249 - Audit update, various issues + +* Fri Jan 24 2014 Daniel Mach - 2.3.3-3 +- Mass rebuild 2014-01-24 + +* Mon Jan 20 2014 Steve Grubb 2.3.3-2 +- New upstream bugfix/enhancement release +resolves: #1053804 - ausearch issues found by ausearch-test +resolves: #1030409 - ausearch help typo for "-x" option + +* Fri Dec 27 2013 Daniel Mach - 2.3.2-4 +- Mass rebuild 2013-12-27 + * Thu Oct 03 2013 Steve Grubb 2.3.2-3 resolves: #828495 - semanage port should generate an audit event