From 00064ebb641fe874d9a4375b9ece76ca6d43d8af Mon Sep 17 00:00:00 2001
From: Steve Grubb
Date: Apr 17 2008 20:54:12 +0000
Subject: - New upstream version - Update system-config-audit to version 0.4.6 (Miloslav Trmac) - audisp-prelude alerts now controlled by config file - Updated syscall table for 2.6.25 kernel - Add basic remote logging plugin - only sends & no flow control - Add support in auditctl for virtual keys - Add example STIG rules file - ausyscall program added for cross referencing syscall name and number info - Add string table lookup performance improvement patch (Miloslav Trmac)
---
diff --git a/.cvsignore b/.cvsignore
index a7b9f00..0dde84e 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -81,3 +81,4 @@ audit-1.6.tar.gz
 audit-1.6.1.tar.gz
 audit-1.6.2.tar.gz
 audit-1.6.5.tar.gz
+audit-1.7.2.tar.gz
diff --git a/audit-1.6.8-audispd-memleak.patch b/audit-1.6.8-audispd-memleak.patch
deleted file mode 100644
index 7a565f5..0000000
--- a/audit-1.6.8-audispd-memleak.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-diff -urp audit-1.6.9/audisp/audispd.c audit-1.6.10/audisp/audispd.c
---- audit-1.6.9/audisp/audispd.c 2008-03-06 12:50:06.000000000 -0500
-+++ audit-1.6.10/audisp/audispd.c 2008-03-13 22:11:53.000000000 -0400
-@@ -708,6 +711,13 @@ static void process_inbound_event(int fd
- rc = readv(fd, &vec, 1);
- } while (rc < 0 && errno == EINTR);
- 
-+ if (rc <= 0) {
-+ if (rc == 0)
-+ stop = 1; // End of File
-+ free(e);
-+ return;
-+ }
-+ 
- if (rc > 0) {
- /* Sanity check */
- if (e->hdr.ver != AUDISP_PROTOCOL_VER ||
-@@ -728,6 +738,11 @@ static void process_inbound_event(int fd
- 
- if (rc > 0)
- enqueue(e, &daemon_config);
-+ else {
-+ if (rc == 0)
-+ stop = 1; // End of File
-+ free(e);
-+ }
- }
- }
- 
-diff -urp audit-1.6.8/audisp/audispd-builtins.c audit-1.6.9/audisp/audispd-builtins.c
---- audit-1.6.8/audisp/audispd-builtins.c 2008-02-07 13:37:16.000000000 -0500
-+++ audit-1.6.9/audisp/audispd-builtins.c 2008-02-24 11:48:46.000000000 -0500
-@@ -226,6 +226,11 @@ void send_af_unix_binary(event_t *e)
- do {
- rc = writev(conn, vec, 2);
- } while (rc < 0 && errno == EINTR);
-+ if (rc < 0 && errno == EPIPE) {
-+ close(conn);
-+ conn = -1;
-+ add_event(sock, af_unix_accept);
-+ }
- }
- }
- 
-diff -urp audit-1.6.8/audisp/queue.c audit-1.6.9/audisp/queue.c
---- audit-1.6.8/audisp/queue.c 2007-12-28 16:32:45.000000000 -0500
-+++ audit-1.6.9/audisp/queue.c 2008-03-02 08:51:05.000000000 -0500
-@@ -117,13 +117,16 @@ void enqueue(event_t *e, struct daemon_c
- {
- unsigned int n, retry_cnt = 0;
- 
-- if (processing_suspended)
-+ if (processing_suspended) {
-+ free(e);
- return;
-+ }
- 
- retry:
- // We allow 3 retries and then its over
- if (retry_cnt > 3) {
- do_overflow_action(config);
-+ free(e);
- return;
- }
- pthread_mutex_lock(&queue_lock);
diff --git a/audit-1.7-ausearch.patch b/audit-1.7-ausearch.patch
deleted file mode 100644
index 1aff38e..0000000
--- a/audit-1.7-ausearch.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-diff -up audit-1.6.5/src/ausearch-report.c.ausearch audit-1.6.5/src/ausearch-report.c
---- audit-1.6.5/src/ausearch-report.c.ausearch 2007-12-20 21:02:15.000000000 +0100
-+++ audit-1.6.5/src/ausearch-report.c 2008-04-02 18:33:16.000000000 +0200
-@@ -36,6 +36,7 @@
- #include
- #include
- #include
-+#include
- #include "libaudit.h"
- #include "ausearch-options.h"
- #include "ausearch-parse.h"
-@@ -59,7 +60,7 @@ static void output_raw(llist *l);
- static void output_default(llist *l);
- static void output_interpreted(llist *l);
- static void output_interpreted_node(const lnode *n);
--static void interpret(char *name, char *val, int comma);
-+static void interpret(char *name, char *val, int comma, int rtype);
- 
- /* The machine based on elf type */
- static int machine = 0;
-@@ -287,7 +288,7 @@ no_print:
- val = ptr;
- 
- // print interpreted string
-- interpret(name, val, comma);
-+ interpret(name, val, comma, n->type);
- }
- printf("\n");
- }
-@@ -838,13 +839,37 @@ static void print_signals(char *val)
- printf("%s", strsignal(i));
- }
- 
--static void interpret(char *name, char *val, int comma)
-+static int is_hex_string(const char *str)
-+{
-+ while (*str) {
-+ if (!isxdigit(*str))
-+ return 0;
-+ str++;
-+ }
-+ return 1;
-+}
-+ 
-+static void interpret(char *name, char *val, int comma, int rtype)
- {
- int type;
- 
- while (*name == ' ')
- name++;
-- type = audit_lookup_type(name);
-+ 
-+ /* Do some fixups */
-+ if (rtype == AUDIT_EXECVE && name[0] == 'a')
-+ type = T_ESCAPED;
-+ else if (rtype == AUDIT_AVC && strcmp(name, "saddr") == 0)
-+ type = -1;
-+ else if (strcmp(name, "acct") == 0) {
-+ if (val[0] == '"')
-+ type = T_ESCAPED;
-+ else if (is_hex_string(val))
-+ type = T_ESCAPED;
-+ else
-+ type = -1;
-+ } else
-+ type = audit_lookup_type(name);
- 
- switch(type) {
- case T_UID:
diff --git a/audit-1.7.1-log-cmd-overflow.patch b/audit-1.7.1-log-cmd-overflow.patch
deleted file mode 100644
index 8fea32d..0000000
--- a/audit-1.7.1-log-cmd-overflow.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -urp audit-1.6.5.orig/lib/audit_logging.c audit-1.6.5/lib/audit_logging.c
---- audit-1.6.5.orig/lib/audit_logging.c 2008-04-01 16:33:34.000000000 -0400
-+++ audit-1.6.5/lib/audit_logging.c 2008-04-01 16:34:12.000000000 -0400
-@@ -652,7 +652,10 @@ int audit_log_user_command(int audit_fd,
- }
- 
- p = cmd;
-- strcpy(commname, cmd);
-+ if (len >= PATH_MAX) {
-+ cmd[PATH_MAX] = 0;
-+ len = PATH_MAX-1;
-+ }
- while (*p) {
- if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
- _audit_c2x(commname, cmd, len);
diff --git a/audit-1.7.1-lsb-headers.patch b/audit-1.7.1-lsb-headers.patch
deleted file mode 100644
index 0ee012a..0000000
--- a/audit-1.7.1-lsb-headers.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -ur audit-1.6.10.orig/init.d/auditd.init audit-1.6.10/init.d/auditd.init
---- audit-1.6.10.orig/init.d/auditd.init 2008-03-27 10:53:28.000000000 -0400
-+++ audit-1.6.10/init.d/auditd.init 2008-03-27 14:17:10.000000000 -0400
-@@ -23,16 +23,6 @@
- # 6 - program is not configured
- # 7 - program is not running
- #
--### BEGIN INIT INFO
--# Provides: audit
--# Required-Start: $syslog $local_fs
--# Required-Stop: $syslog $local_fs
--# Should-Start: $network
--# Default-Start: 2 3 4 5
--# Default-Stop: 0 1 6
--# Short-Description: audit daemon
--# Description: The audit daemon collects system security events
--### END INIT INFO
- 
- 
- PATH=/sbin:/bin:/usr/bin:/usr/sbin
diff --git a/audit-1.7.2-avc.patch b/audit-1.7.2-avc.patch
new file mode 100644
index 0000000..1687052
--- /dev/null
+++ b/audit-1.7.2-avc.patch
@@ -0,0 +1,21 @@
+diff -urp audit-1.7.2.orig/src/ausearch-parse.c audit-1.7.2/src/ausearch-parse.c
+--- audit-1.7.2.orig/src/ausearch-parse.c 2008-04-09 14:26:27.000000000 -0400
++++ audit-1.7.2/src/ausearch-parse.c 2008-04-17 10:44:10.000000000 -0400
+@@ -1208,6 +1212,17 @@ static int parse_avc(const lnode *n, sea
+ term = str + 6;
+ }
+ }
++ if (event_filename) {
++ // do we have a path?
++ str = strstr(term, " path=");
++ if (str) {
++ str += 6;
++ rc = common_path_parser(s, str);
++ if (rc)
++ goto err;
++ term += 7;
++ }
++ }
+ if (event_subject) {
+ // scontext
+ str = strstr(term, "scontext=");
diff --git a/audit-1.7.3-cmd.patch b/audit-1.7.3-cmd.patch
new file mode 100644
index 0000000..3e5ef50
--- /dev/null
+++ b/audit-1.7.3-cmd.patch
@@ -0,0 +1,29 @@
+diff -urp audit-1.7.2/lib/audit_logging.c audit-1.7.3/lib/audit_logging.c
+--- audit-1.7.2/lib/audit_logging.c 2008-04-01 12:25:33.000000000 -0400
++++ audit-1.7.3/lib/audit_logging.c 2008-04-11 17:07:24.000000000 -0400
+@@ -633,7 +633,6 @@ int audit_log_user_command(int audit_fd,
+ // We borrow the commname buffer
+ if (getcwd(commname, PATH_MAX) == NULL)
+ strcpy(commname, "?");
+- strcpy(cwdname, commname);
+ p = commname;
+ len = strlen(commname);
+ while (*p) {
+@@ -644,6 +643,8 @@ int audit_log_user_command(int audit_fd,
+ }
+ p++;
+ }
++ if (cwdenc == 0)
++ strcpy(cwdname, commname);
+ 
+ len = strlen(cmd);
+ // Trim the trailing carriage return and spaces
+@@ -665,6 +666,8 @@ int audit_log_user_command(int audit_fd,
+ }
+ p++;
+ }
++ if (cmdenc == 0)
++ strcpy(commname, cmd);
+ free(cmd);
+ 
+ // Make the format string
diff --git a/audit-1.7.3-prelude.patch b/audit-1.7.3-prelude.patch
new file mode 100644
index 0000000..1922001
--- /dev/null
+++ b/audit-1.7.3-prelude.patch
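Review bot: `term += 7` in the new `if (event_filename)` block of parse_avc advances the cursor by a constant from the old `term` rather than from the ` path=` match at `str`, so it does not mean "resume after the path"; the context line just above uses `term = str + 6;` for the same job, and in the degenerate case of the match sitting at `term` with an empty value the constant step can run past the terminating NUL before the following `strstr(term, "scontext=")`. Since `str` already points at the value `common_path_parser` consumed, `term = str;` is the direct and bounds-safe form. parse_avc starts before and continues after this hunk, so further uses of `term` are not visible here.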
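Review bot: The added `strcpy(commname, cmd);` under `cmdenc == 0` is an unbounded copy of the caller-supplied command into `commname`, which this hunk shows being used as a `PATH_MAX`-sized buffer (`getcwd(commname, PATH_MAX)`); whether `cmd` and `len` have been clamped to that size before this point lies outside the hunk. The same commit drops audit-1.7.1-log-cmd-overflow.patch, whose entire content was that clamp, so please confirm the 1.7.2 tarball carries an equivalent check or make the copy bounded, e.g. `snprintf(commname, PATH_MAX, "%s", cmd);`. `cwdenc` and `cmdenc` are presumably set by the encoding loops the hunk only partly shows; audit_log_user_command begins before and ends after the hunk.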
@@ -0,0 +1,33 @@
+diff -urp audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c
+--- audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c 2008-04-07 16:57:12.000000000 -0400
++++ audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c 2008-04-17 16:27:51.000000000 -0400
+@@ -228,7 +228,8 @@ int main(int argc, char *argv[])
+ return -1;
+ }
+ 
+- syslog(LOG_INFO, "audisp-prelude is ready for events");
++ if (mode != M_TEST)
++ syslog(LOG_INFO, "audisp-prelude is ready for events");
+ do {
+ /* Load configuration */
+ if (hup) {
+@@ -248,9 +249,10 @@ int main(int argc, char *argv[])
+ /* Flush any accumulated events from queue */
+ auparse_flush_feed(au);
+ 
+- syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
+ if (mode == M_TEST)
+ puts("audisp-prelude is exiting on stop request");
++ else
++ syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
+ 
+ /* Cleanup subsystems */
+ if (client)
+@@ -1938,6 +1940,7 @@ static void handle_event(auparse_state_t
+ break;
+ case AUDIT_SYSCALL:
+ handle_watched_syscalls(au, &idmef, &alert);
++ goto_record_type(au, AUDIT_SYSCALL);
+ break;
+ default:
+ break;
diff --git a/audit.spec b/audit.spec
index 58bd65c..820d552 100644
--- a/audit.spec
+++ b/audit.spec
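Review bot: The added `goto_record_type(au, AUDIT_SYSCALL);` in handle_event discards its result; if that helper can fail to locate the record (its signature is not in the hunk), the parser cursor stays wherever `handle_watched_syscalls` left it and whatever follows the `switch` silently works on the wrong record. If it reports failure, check it and `break` out of the case on that path, and add a one-line comment stating the intent — presumably `/* handle_watched_syscalls moves the cursor; return to the SYSCALL record */` — so the next reader does not take the call for a stray. handle_event begins before and ends after this hunk.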
@@ -1,21 +1,21 @@
-%define sca_version 0.4.5
-%define sca_release 7
+%define sca_version 0.4.6
+%define sca_release 1
 %define selinux_variants mls strict targeted
 %define selinux_policyver 3.0.8
+%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
-Version: 1.6.8
-Release: 4%{?dist}
+Version: 1.7.2
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Patch0: audit-1.6.8-zos.patch
-Patch1: audit-1.6.8-audispd-memleak.patch
-Patch2: audit-1.7.1-lsb-headers.patch
-Patch3: audit-1.7.1-log-cmd-overflow.patch
-Patch4: audit-1.7-ausearch.patch
+Patch1: audit-1.7.3-cmd.patch
+Patch2: audit-1.7.2-avc.patch
+Patch3: audit-1.7.3-prelude.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: gettext-devel intltool libtool swig python-devel
 BuildRequires: kernel-headers >= 2.6.18
@@ -102,8 +102,6 @@ A graphical utility for editing audit configuration.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
-%patch4 -p1
 mkdir zos-remote-policy
 cp -p audisp/plugins/zos-remote/policy/audispd-zos-remote.* zos-remote-policy
@@ -115,9 +113,14 @@ make %{?_smp_mflags}
 cd zos-remote-policy
 for selinuxvariant in %{selinux_variants}
 do
- make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+ if [ "${selinuxvariant}" = "mls" ]; then
+ TYPE=mls-mls
+ else
+ TYPE=${selinuxvariant}-mcs
+ fi
+ make -f /usr/share/selinux/devel/Makefile
 mv audispd-zos-remote.pp audispd-zos-remote.pp.${selinuxvariant}
- make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+ make -f /usr/share/selinux/devel/Makefile clean
 done
 cd -
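Review bot: In the zos-remote-policy loop (hunk `@@ -115,9 +113,14 @@`) `TYPE` is assigned per variant but never used: it is neither exported nor passed on the `make` line, so `make -f /usr/share/selinux/devel/Makefile` is effectively the same invocation for all three variants and the `.pp.${selinuxvariant}` copies will not differ. Either pass it through on both make lines — `make TYPE=${TYPE} -f /usr/share/selinux/devel/Makefile` and the same on the `clean` call — provided the devel Makefile honours a `TYPE` variable (its contents are not on the page), or drop the `if` block. With `NAME=${selinuxvariant}` removed from both calls, nothing left in the loop tells the Makefile which policy variant to build, which is presumably what `TYPE` was meant to take over.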
@@ -247,16 +250,17 @@ fi
 %{_includedir}/auparse.h
 %{_includedir}/auparse-defs.h
 %{_mandir}/man3/*
+%{_mandir}/man5/ausearch-expression.5.gz
 %files libs-python
 %defattr(-,root,root)
-%{_libdir}/python?.?/site-packages/_audit.so
-%{_libdir}/python?.?/site-packages/auparse.so
-/usr/lib/python?.?/site-packages/audit.py*
+%attr(755,root,root) %{_libdir}/python?.?/site-packages/_audit.so
+%attr(755,root,root) %{_libdir}/python?.?/site-packages/auparse.so
+%{python_sitelib}/audit.py*
 %files
 %defattr(-,root,root,-)
-%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron
+%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/stig.rules init.d/auditd.cron
 %attr(644,root,root) %{_mandir}/man8/audispd.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
@@ -264,6 +268,7 @@ fi
 %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
 %attr(644,root,root) %{_mandir}/man8/autrace.8.gz
 %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
 %attr(750,root,root) /sbin/auditctl
@@ -272,7 +277,8 @@ fi
 %attr(755,root,root) /sbin/aureport
 %attr(750,root,root) /sbin/autrace
 %attr(750,root,root) /sbin/audispd
-%attr(750,root,root) /sbin/aulastlog
+%attr(750,root,root) %{_bindir}/aulastlog
+%attr(755,root,root) %{_bindir}/ausyscall
 %attr(755,root,root) /etc/rc.d/init.d/auditd
 %attr(750,root,root) %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit
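Review bot: In the `%files libs-python` list (hunk `@@ -247,16 +250,17 @@`) the two `.so` entries keep the `python?.?` glob under `%{_libdir}` while `audit.py*` now uses the new `%{python_sitelib}` macro, so the same site-packages tree is described two ways. Defining the arch-specific counterpart next to `python_sitelib` at the top of the spec — `%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}` — and listing `%{python_sitearch}/_audit.so` and `%{python_sitearch}/auparse.so` removes the glob and keeps the three entries consistent. This is a point of style; the glob resolves as written.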
@@ -295,8 +301,15 @@ fi
 %attr(750,root,root) /sbin/audispd-zos-remote
 %attr(644,root,root) %{_datadir}/selinux/*/audispd-zos-remote.pp
 %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-prelude.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/audisp-prelude.conf
 %attr(750,root,root) /sbin/audisp-prelude
+%attr(644,root,root) %{_mandir}/man5/audisp-prelude.conf.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-prelude.8.gz
+%config(noreplace) %attr(640,root,root) /etc/audisp/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-remote.conf
+%attr(750,root,root) /sbin/audisp-remote
+%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %files -n system-config-audit -f system-config-audit.lang
 %defattr(-,root,root,-)
@@ -314,6 +327,17 @@ fi
 %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server
 %changelog
+* Thu Apr 17 2008 Steve Grubb 1.7.2-1
+- New upstream version
+- Update system-config-audit to version 0.4.6 (Miloslav Trmac)
+- audisp-prelude alerts now controlled by config file
+- Updated syscall table for 2.6.25 kernel
+- Add basic remote logging plugin - only sends & no flow control
+- Add support in auditctl for virtual keys
+- Add example STIG rules file
+- ausyscall program added for cross referencing syscall name and number info
+- Add string table lookup performance improvement patch (Miloslav Trmac)
+ 
 * Wed Apr 02 2008 Steve Grubb 1.6.8-4
 - Fix overflow in audit_log_user_command bz 438840
 - Remove LSB headers from init scripts
diff --git a/sources b/sources
index a0c7f6e..7faf5b4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-67cd6d2995bbb0a8b3c37ce484d758f5 audit-1.6.8.tar.gz
+1415749e73fbee34ff5f5f78ab92386a audit-1.7.2.tar.gz