From 7bdd34a421355d053e7b336a81d69ea7616b4978 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 10 2018 05:24:33 +0000
Subject: import audit-2.8.1-3.el7
---
diff --git a/.audit.metadata b/.audit.metadata
index d278edf..fd91c28 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-d9dc30c4af8733724cad73ba136ec63b4e2b11f5 SOURCES/audit-2.7.6.tar.gz
+ed97614e377d0f9cf647d218d91b29398a21c4e2 SOURCES/audit-2.8.1.tar.gz
diff --git a/.gitignore b/.gitignore
index d7891dd..ed1bf79 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-2.7.6.tar.gz
+SOURCES/audit-2.8.1.tar.gz
diff --git a/SOURCES/audit-2.7.7-aureport.patch b/SOURCES/audit-2.7.7-aureport.patch
deleted file mode 100644
index 81ef3ea..0000000
--- a/SOURCES/audit-2.7.7-aureport.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-diff -urp audit-2.7.7.orig/src/aureport-scan.c audit-2.7.7/src/aureport-scan.c
---- audit-2.7.7.orig/src/aureport-scan.c 2017-03-27 18:21:19.000000000 -0400
-+++ audit-2.7.7/src/aureport-scan.c 2017-06-08 16:06:48.232990012 -0400
-@@ -452,7 +452,8 @@ static int per_event_summary(llist *l)
- } else {
- if (list_find_msg_range(l,
- AUDIT_FIRST_KERN_ANOM_MSG,
-- AUDIT_LAST_KERN_ANOM_MSG)) {
-+ AUDIT_LAST_KERN_ANOM_MSG) ||
-+ list_find_msg(l, AUDIT_SECCOMP) ) {
- ilist_add_if_uniq(&sd.anom_list,
- l->head->type, 0);
- }
-@@ -729,7 +730,8 @@ static int per_event_detailed(llist *l)
- } else {
- if (list_find_msg_range(l,
- AUDIT_FIRST_KERN_ANOM_MSG,
-- AUDIT_LAST_KERN_ANOM_MSG)) {
-+ AUDIT_LAST_KERN_ANOM_MSG) ||
-+ list_find_msg(l, AUDIT_SECCOMP) ) {
- print_per_event_item(l);
- rc = 1;
- }
-diff -urp audit-2.7.7.orig/src/ausearch-parse.c audit-2.7.7/src/ausearch-parse.c
---- audit-2.7.7.orig/src/ausearch-parse.c 2017-03-27 18:21:19.000000000 -0400
-+++ audit-2.7.7/src/ausearch-parse.c 2017-06-08 16:00:13.856999833 -0400
-@@ -2080,7 +2080,7 @@ static int parse_kernel_anom(const lnode
- str = strstr(term, "exe=");
- if (str) {
- str += 4;
-- if (*str == '"') {
-+ if (*str == '"') {
- str++;
- term = strchr(str, '"');
- if (term == NULL)
-@@ -2090,7 +2090,7 @@ static int parse_kernel_anom(const lnode
- *term = '"';
- } else
- s->exe = unescape(str);
-- } else
-+ } else if (n->type != AUDIT_ANOM_ABEND)
- return 14;
- }
- 
diff --git a/SOURCES/audit-2.7.7-queue_error_action.patch b/SOURCES/audit-2.7.7-queue_error_action.patch
deleted file mode 100644
index ad6cb76..0000000
--- a/SOURCES/audit-2.7.7-queue_error_action.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urp audit-2.7.7.orig/audisp/plugins/remote/audisp-remote.conf audit-2.7.7/audisp/plugins/remote/audisp-remote.conf
---- audit-2.7.7.orig/audisp/plugins/remote/audisp-remote.conf 2017-03-27 18:21:19.000000000 -0400
-+++ audit-2.7.7/audisp/plugins/remote/audisp-remote.conf 2017-05-26 13:40:38.950027312 -0400
-@@ -23,7 +23,7 @@ disk_error_action = warn_once
- remote_ending_action = reconnect
- generic_error_action = syslog
- generic_warning_action = syslog
--queue_error = stop
-+queue_error_action = stop
- overflow_action = syslog
- 
- ##enable_krb5 = no
diff --git a/SOURCES/audit-2.8.2-auparse-numeric_field.patch b/SOURCES/audit-2.8.2-auparse-numeric_field.patch
new file mode 100644
index 0000000..f2c0787
--- /dev/null
+++ b/SOURCES/audit-2.8.2-auparse-numeric_field.patch
@@ -0,0 +1,12 @@
+diff --git a/auparse/expression.c b/auparse/expression.c
+index 17213eb..1e8876e 100644
+--- a/auparse/expression.c
++++ b/auparse/expression.c
+@@ -854,6 +854,7 @@ expr_create_timestamp_comparison_ex(unsigned op, time_t sec, unsigned milli,
+ || op == EO_VALUE_LE || op == EO_VALUE_GT || op == EO_VALUE_GE);
+ res->op = op;
+ res->virtual_field = 1;
++ res->numeric_field = 1;
+ res->v.p.field.id = EF_TIMESTAMP_EX;
+ res->precomputed_value = 1;
+ res->v.p.value.timestamp_ex.sec = sec;
diff --git a/SOURCES/audit-2.8.2-fix-reset-lost-return.patch b/SOURCES/audit-2.8.2-fix-reset-lost-return.patch
new file mode 100644
index 0000000..3f438aa
--- /dev/null
+++ b/SOURCES/audit-2.8.2-fix-reset-lost-return.patch
@@ -0,0 +1,141 @@ +Subject: [PATCH 2/2] lost_reset: return value rather than sequence number when zero +Date: Wed, 22 Nov 2017 19:00:57 -0500 + +The kernel always returns negative values on error, so zero and anything +positive is valid success. Lost_reset returned a positive value at the +time of reset, including zero that got interpreted as success and +replaced with the packet sequence number "2". + +Rename audit_send() to __audit_send() and pass the sequence number back +via a parameter rather than return value. + +Have a new stub audit_send() call __audit_send() and mimic the previous +behaviour of audit_send(). + +There are legacy functions that actually use a sequence number: + audit_request_rules_list_data() + delete_all_rules() + audit_request_signal_info() + src/auditd.c:get_reply() +A number of others don't appear to need it, but expose it in libaudit: + audit_send_user_message() + audit_log_user_comm_message() + audit_log_acct_message() + audit_log_user_avc_message() + audit_log_semanage_message() + audit_log_user_command() + audit_request_status() + audit_set_enabled() + audit_set_failure() + audit_set_rate_limit() + audit_set_backlog_limit() + audit_set_backlog_wait_time() + audit_add_rule_data() + audit_delete_rule_data() + +Passes all audit-testsuite tests. 
+
+See: https://github.com/linux-audit/audit-userspace/issues/31
+
+Signed-off-by: Richard Guy Briggs
+---
+ lib/libaudit.c | 3 ++-
+ lib/netlink.c | 28 ++++++++++++++++++++--------
+ lib/private.h | 1 +
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/lib/libaudit.c b/lib/libaudit.c
+index a9ba575..aa8258c 100644
+--- a/lib/libaudit.c
++++ b/lib/libaudit.c
+@@ -519,6 +519,7 @@ int audit_set_backlog_wait_time(int fd, uint32_t bwt)
+ int audit_reset_lost(int fd)
+ {
+ int rc;
++ int seq;
+ struct audit_status s;
+ 
+ if ((audit_get_features() & AUDIT_FEATURE_BITMAP_LOST_RESET) == 0)
+@@ -527,7 +528,7 @@ int audit_reset_lost(int fd)
+ memset(&s, 0, sizeof(s));
+ s.mask = AUDIT_STATUS_LOST;
+ s.lost = 0;
+- rc = audit_send(fd, AUDIT_SET, &s, sizeof(s));
++ rc = __audit_send(fd, AUDIT_SET, &s, sizeof(s), &seq);
+ if (rc < 0)
+ audit_msg(audit_priority(errno),
+ "Error sending lost reset request (%s)",
+diff --git a/lib/netlink.c b/lib/netlink.c
+index 6e23883..5b2028f 100644
+--- a/lib/netlink.c
++++ b/lib/netlink.c
+@@ -203,7 +203,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
+ * error: -errno
+ * short: 0
+ */
+-int audit_send(int fd, int type, const void *data, unsigned int size)
++int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq)
+ {
+ static int sequence = 0;
+ struct audit_message req;
+@@ -224,6 +224,7 @@ int audit_send(int fd, int type, const void *data, unsigned int size)
+ 
+ if (++sequence < 0)
+ sequence = 1;
++ *seq = sequence;
+ 
+ memset(&req, 0, sizeof(req));
+ req.nlh.nlmsg_len = NLMSG_SPACE(size);
+@@ -241,18 +242,29 @@ int audit_send(int fd, int type, const void *data, unsigned int size)
+ retval = sendto(fd, &req, req.nlh.nlmsg_len, 0,
+ (struct sockaddr*)&addr, sizeof(addr));
+ } while (retval < 0 && errno == EINTR);
+- if (retval == (int)req.nlh.nlmsg_len) {
+- if ((retval = check_ack(fd)) == 0)
+- return sequence;
+- else
+- return retval;
+- }
+- if (retval < 0)
++ if (retval == (int)req.nlh.nlmsg_len)
++ return check_ack(fd);
++ if (retval < 0) {
+ return -errno;
++ } else if (retval > 0) {
++ errno = EINVAL;
++ return -errno;
++ }
+ 
+ return 0;
+ }
+ 
++int audit_send(int fd, int type, const void *data, unsigned int size)
++{
++ int rc;
++ int seq;
++
++ rc = __audit_send(fd, type, data, size, &seq);
++ if (rc == 0)
++ rc = seq;
++ return rc;
++}
++
+ /*
+ * This function will take a peek into the next packet and see if there's
+ * an error. If so, the error is returned and its non-zero. Otherwise a
+diff --git a/lib/private.h b/lib/private.h
+index dbe0f74..560740f 100644
+--- a/lib/private.h
++++ b/lib/private.h
+@@ -121,6 +121,7 @@ void audit_msg(int priority, const char *fmt, ...)
+ #endif
+ 
+ extern int audit_send(int fd, int type, const void *data, unsigned int size);
++extern int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq);
+ 
+ AUDIT_HIDDEN_START
+ 
+--
+1.8.3.1
+
+
diff --git a/SOURCES/audit-2.8.2-ipv6-bind.patch b/SOURCES/audit-2.8.2-ipv6-bind.patch
new file mode 100644
index 0000000..7d63f42
--- /dev/null
+++ b/SOURCES/audit-2.8.2-ipv6-bind.patch
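Review bot: The header comment kept as context above the renamed function in the lib/netlink.c hunk still says `* short: 0`, but the rewritten tail now turns a short sendto() (`retval > 0` but not equal to `req.nlh.nlmsg_len`) into `errno = EINVAL; return -errno;` and returns 0 only when nothing was written, so the comment should say `* short: -EINVAL (errno set)`. The new `*seq = sequence;` store is unconditional, so the out-parameter contract belongs in that same comment, e.g. `* seq: out, must not be NULL; receives the sequence number that was sent`. As a point of style, `__audit_send` is an identifier reserved for the implementation in C (any name starting with two underscores), and since it is now exported through lib/private.h a project-prefixed name such as `audit_send_seq` would be the conventional choice. The start of the renamed function's body and the rest of audit_reset_lost lie outside these hunks.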
@@ -0,0 +1,76 @@
+From 659bfd369dc6810ac5349c433455c0d317482354 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Tue, 17 Oct 2017 14:31:46 -0400
+Subject: [PATCH] Fixup ipv6 server side binding
+
+---
+ src/auditd-listen.c | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/src/auditd-listen.c b/src/auditd-listen.c
+index 7a5c2c6..0d1717f 100644
+--- a/src/auditd-listen.c
++++ b/src/auditd-listen.c
+@@ -914,6 +914,7 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ struct addrinfo hints;
+ char local[16];
+ int one = 1, rc;
++ int prefer_ipv6 = 0;
+ 
+ ev_periodic_init(&periodic_watcher, periodic_handler,
+ 0, config->tcp_client_max_idle, NULL);
+@@ -929,6 +930,7 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ memset(&hints, '\0', sizeof(hints));
+ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+ hints.ai_socktype = SOCK_STREAM;
++ hints.ai_family = AF_UNSPEC;
+ snprintf(local, sizeof(local), "%ld", config->tcp_listen_port);
+ 
+ rc = getaddrinfo(NULL, local, &hints, &ai);
+@@ -937,9 +939,32 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ return 1;
+ }
+ 
++ {
++ int ipv4 = 0, ipv6 = 0;
+ nlsocks = 0;
+ runp = ai;
+ while (runp && nlsocks < N_SOCKS) {
++ // Let's take a pass through and see what we got.
++ if (runp->ai_family == AF_INET)
++ ipv4++;
++ else if (runp->ai_family == AF_INET6)
++ ipv6++;
++ runp = runp->ai_next;
++ nlsocks++;
++ }
++
++ if (nlsocks == 2 && ipv4 && ipv6)
++ prefer_ipv6 = 1;
++ }
++
++ nlsocks = 0;
++ runp = ai;
++ while (runp && nlsocks < N_SOCKS) {
++ // On linux, ipv6 sockets by default include ipv4 so
++ // we only need one.
++ if (runp->ai_family == AF_INET && prefer_ipv6)
++ goto next_try;
++
+ listen_socket[nlsocks] = socket(runp->ai_family,
+ runp->ai_socktype, runp->ai_protocol);
+ if (listen_socket[nlsocks] < 0) {
+@@ -950,6 +975,13 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ /* This avoids problems if auditd needs to be restarted. */
+ setsockopt(listen_socket[nlsocks], SOL_SOCKET, SO_REUSEADDR,
+ (char *)&one, sizeof (int));
++
++ // If we had more than 2 addresses suggested we'll
++ // separate the sockets.
++ if (!prefer_ipv6 && runp->ai_family == AF_INET6)
++ setsockopt(listen_socket[nlsocks], IPPROTO_IPV6,
++ IPV6_V6ONLY, &one, sizeof(int));
++
+ set_close_on_exec(listen_socket[nlsocks]);
+ 
+ if (bind(listen_socket[nlsocks], runp->ai_addr,
diff --git a/SOURCES/audit-2.8.2-style-fix.patch b/SOURCES/audit-2.8.2-style-fix.patch
new file mode 100644
index 0000000..c5541f2
--- /dev/null
+++ b/SOURCES/audit-2.8.2-style-fix.patch
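Review bot: When `prefer_ipv6` is set the only listener is an AF_INET6 socket left dual-stack (the IPV6_V6ONLY branch is skipped), so IPv4 clients arrive as IPv4-mapped IPv6 peers, yet the accept path in the same file still reads the peer as `struct sockaddr_in` (`aaddr.sin_port`, `sockaddr_to_addr4(&aaddr)`, `check_num_connections(struct sockaddr_in *aaddr)` in the style-fix hunks below); with `aaddrlen = sizeof(aaddr)` accept() truncates the `sockaddr_in6`, and the address written into the AUDIT_DAEMON_ACCEPT records and used for the per-address connection limit would come from the wrong bytes unless a change not shown here widens it — worth confirming before shipping. The diffstat claims `2 files changed, 33 insertions(+)` while only src/auditd-listen.c with 32 insertions is present, so one hunk of the upstream commit appears to be missing from this copy of the patch; `goto next_try` also targets a label that is not visible in these hunks. The new IPV6_V6ONLY setsockopt() result is ignored, so a failure silently leaves the socket dual-stack; it should at least be reported, `if (setsockopt(listen_socket[nlsocks], IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(int)) < 0) audit_msg(LOG_WARNING, "Cannot set IPV6_V6ONLY on listener socket");`. auditd_tcp_listen_init continues past the end of the hunk.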
@@ -0,0 +1,578 @@ +From 63151c4f0e9d1d037f80f10cb7809573a49da6c7 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 17 Oct 2017 13:33:28 -0400 +Subject: [PATCH] make style match rest of audit system + +--- + src/auditd-listen.c | 176 ++++++++++++++++++++++++++-------------------------- + 1 file changed, 88 insertions(+), 88 deletions(-) + +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index b4dc097..7a5c2c6 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -114,11 +114,11 @@ static char *sockaddr_to_addr4(struct sockaddr_in *addr) + + static void set_close_on_exec(int fd) + { +- int flags = fcntl (fd, F_GETFD); ++ int flags = fcntl(fd, F_GETFD); + if (flags == -1) + flags = 0; + flags |= FD_CLOEXEC; +- fcntl (fd, F_SETFD, flags); ++ fcntl(fd, F_SETFD, flags); + } + + static void release_client(struct ev_tcp *client) +@@ -144,11 +144,11 @@ static void release_client(struct ev_tcp *client) + + static void close_client(struct ev_tcp *client) + { +- release_client (client); +- free (client); ++ release_client(client); ++ free(client); + } + +-static int ar_write (int sock, const void *buf, int len) ++static int ar_write(int sock, const void *buf, int len) + { + int rc = 0, w; + while (len > 0) { +@@ -167,7 +167,7 @@ static int ar_write (int sock, const void *buf, int len) + } + + #ifdef USE_GSSAPI +-static int ar_read (int sock, void *buf, int len) ++static int ar_read(int sock, void *buf, int len) + { + int rc = 0, r; + while (len > 0) { +@@ -192,13 +192,13 @@ static int ar_read (int sock, void *buf, int len) + the tokens. The protocol we use for transferring tokens is to send + the length first, four bytes MSB first, then the token data. We + return nonzero on error. 
*/ +-static int recv_token (int s, gss_buffer_t tok) ++static int recv_token(int s, gss_buffer_t tok) + { + int ret; + unsigned char lenbuf[4]; + unsigned int len; + +- ret = ar_read(s, (char *) lenbuf, 4); ++ ret = ar_read(s, (char *)lenbuf, 4); + if (ret < 0) { + audit_msg(LOG_ERR, "GSS-API error reading token length"); + return -1; +@@ -220,13 +220,13 @@ static int recv_token (int s, gss_buffer_t tok) + } + tok->length = len; + +- tok->value = (char *) malloc(tok->length ? tok->length : 1); ++ tok->value = (char *)malloc(tok->length ? tok->length : 1); + if (tok->length && tok->value == NULL) { + audit_msg(LOG_ERR, "Out of memory allocating token data"); + return -1; + } + +- ret = ar_read(s, (char *) tok->value, tok->length); ++ ret = ar_read(s, (char *)tok->value, tok->length); + if (ret < 0) { + audit_msg(LOG_ERR, "GSS-API error reading token data"); + free(tok->value); +@@ -243,7 +243,7 @@ static int recv_token (int s, gss_buffer_t tok) + /* Same here. */ + int send_token(int s, gss_buffer_t tok) + { +- int ret; ++ int ret; + unsigned char lenbuf[4]; + unsigned int len; + +@@ -268,7 +268,7 @@ int send_token(int s, gss_buffer_t tok) + if (ret < 0) { + audit_msg(LOG_ERR, "GSS-API error sending token data"); + return -1; +- } else if (ret != (int) tok->length) { ++ } else if (ret != (int)tok->length) { + audit_msg(LOG_ERR, "GSS-API error sending token data"); + return -1; + } +@@ -277,14 +277,14 @@ int send_token(int s, gss_buffer_t tok) + } + + +-static void gss_failure_2 (const char *msg, int status, int type) ++static void gss_failure_2(const char *msg, int status, int type) + { + OM_uint32 message_context = 0; + OM_uint32 min_status = 0; + gss_buffer_desc status_string; + + do { +- gss_display_status (&min_status, ++ gss_display_status(&min_status, + status, + type, + GSS_C_NO_OID, +@@ -298,11 +298,11 @@ static void gss_failure_2 (const char *msg, int status, int type) + } while (message_context != 0); + } + +-static void gss_failure (const char *msg, int 
major_status, int minor_status) ++static void gss_failure(const char *msg, int major_status, int minor_status) + { +- gss_failure_2 (msg, major_status, GSS_C_GSS_CODE); ++ gss_failure_2(msg, major_status, GSS_C_GSS_CODE); + if (minor_status) +- gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); ++ gss_failure_2(msg, minor_status, GSS_C_MECH_CODE); + } + + #define KCHECK(x,f) if (x) { \ +@@ -323,7 +323,7 @@ static int server_acquire_creds(const char *service_name, + krb5_context kcontext = NULL; + int krberr; + +- my_service_name = strdup (service_name); ++ my_service_name = strdup(service_name); + name_buf.value = (char *)service_name; + name_buf.length = strlen(name_buf.value) + 1; + major_status = gss_import_name(&minor_status, &name_buf, +@@ -346,9 +346,9 @@ static int server_acquire_creds(const char *service_name, + + (void) gss_release_name(&minor_status, &server_name); + +- krberr = krb5_init_context (&kcontext); ++ krberr = krb5_init_context(&kcontext); + KCHECK (krberr, "krb5_init_context"); +- krberr = krb5_get_default_realm (kcontext, &my_gss_realm); ++ krberr = krb5_get_default_realm(kcontext, &my_gss_realm); + KCHECK (krberr, "krb5_get_default_realm"); + + audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name); +@@ -360,7 +360,7 @@ static int server_acquire_creds(const char *service_name, + the case of Kerberos, this is where the key exchange happens. + FIXME: While everything else is strictly nonblocking, this + negotiation blocks. 
*/ +-static int negotiate_credentials (ev_tcp *io) ++static int negotiate_credentials(ev_tcp *io) + { + gss_buffer_desc send_tok, recv_tok; + gss_name_t client; +@@ -440,12 +440,12 @@ static int negotiate_credentials (ev_tcp *io) + + audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", + (char *)recv_tok.value); +- io->remote_name = strdup (recv_tok.value); +- io->remote_name_len = strlen (recv_tok.value); ++ io->remote_name = strdup(recv_tok.value); ++ io->remote_name_len = strlen(recv_tok.value); + gss_release_buffer(&min_stat, &recv_tok); + +- slashptr = strchr (io->remote_name, '/'); +- atptr = strchr (io->remote_name, '@'); ++ slashptr = strchr(io->remote_name, '/'); ++ atptr = strchr(io->remote_name, '@'); + + if (!slashptr || !atptr) { + audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s", +@@ -454,14 +454,14 @@ static int negotiate_credentials (ev_tcp *io) + } + + *slashptr = 0; +- if (strcmp (io->remote_name, my_service_name)) { ++ if (strcmp(io->remote_name, my_service_name)) { + audit_msg(LOG_ERR, "Unauthorized GSS client name: %s (not %s)", + io->remote_name, my_service_name); + return -1; + } + *slashptr = '/'; + +- if (strcmp (atptr+1, my_gss_realm)) { ++ if (strcmp(atptr+1, my_gss_realm)) { + audit_msg(LOG_ERR, "Unauthorized GSS client realm: %s (not %s)", + atptr+1, my_gss_realm); + return -1; +@@ -473,7 +473,7 @@ static int negotiate_credentials (ev_tcp *io) + + /* This is called from auditd-event after the message has been logged. + The header is already filled in. 
*/ +-static void client_ack (void *ack_data, const unsigned char *header, ++static void client_ack(void *ack_data, const unsigned char *header, + const char *msg) + { + ev_tcp *io = (ev_tcp *)ack_data; +@@ -483,18 +483,18 @@ static void client_ack (void *ack_data, const unsigned char *header, + gss_buffer_desc utok, etok; + int rc, mlen; + +- mlen = strlen (msg); ++ mlen = strlen(msg); + utok.length = AUDIT_RMW_HEADER_SIZE + mlen; +- utok.value = malloc (utok.length + 1); ++ utok.value = malloc(utok.length + 1); + +- memcpy (utok.value, header, AUDIT_RMW_HEADER_SIZE); +- memcpy (utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen); ++ memcpy(utok.value, header, AUDIT_RMW_HEADER_SIZE); ++ memcpy(utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen); + + /* Wrapping the message creates a token for the + client. Then we just have to worry about sending + the token. */ + +- major_status = gss_wrap (&minor_status, ++ major_status = gss_wrap(&minor_status, + io->gss_context, + 1, + GSS_C_QOP_DEFAULT, +@@ -504,21 +504,21 @@ static void client_ack (void *ack_data, const unsigned char *header, + if (major_status != GSS_S_COMPLETE) { + gss_failure("encrypting message", major_status, + minor_status); +- free (utok.value); ++ free(utok.value); + return; + } + // FIXME: What were we going to do with rc? 
+- rc = send_token (io->io.fd, &etok); +- free (utok.value); ++ rc = send_token(io->io.fd, &etok); ++ free(utok.value); + (void) gss_release_buffer(&minor_status, &etok); + + return; + } + #endif + // Send the header and a text error message if it exists +- ar_write (io->io.fd, header, AUDIT_RMW_HEADER_SIZE); ++ ar_write(io->io.fd, header, AUDIT_RMW_HEADER_SIZE); + if (msg[0]) +- ar_write (io->io.fd, msg, strlen(msg)); ++ ar_write(io->io.fd, msg, strlen(msg)); + } + + extern void distribute_event(struct auditd_event *e); +@@ -540,7 +540,7 @@ static void client_message (struct ev_tcp *io, unsigned int length, + unsigned char ack[AUDIT_RMW_HEADER_SIZE]; + AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ACK, + 0, seq); +- client_ack (io, ack, ""); ++ client_ack(io, ack, ""); + } else { + struct auditd_event *e = create_event( + header+AUDIT_RMW_HEADER_SIZE, +@@ -552,10 +552,10 @@ static void client_message (struct ev_tcp *io, unsigned int length, + } + } + +-static void auditd_tcp_client_handler( struct ev_loop *loop, +- struct ev_io *_io, int revents ) ++static void auditd_tcp_client_handler(struct ev_loop *loop, ++ struct ev_io *_io, int revents) + { +- struct ev_tcp *io = (struct ev_tcp *) _io; ++ struct ev_tcp *io = (struct ev_tcp *)_io; + int i, r; + int total_this_call = 0; + +@@ -586,18 +586,18 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, + otherwise fails, the read will return -1. */ + if (r <= 0) { + if (r < 0) +- audit_msg (LOG_WARNING, ++ audit_msg(LOG_WARNING, + "client %s socket closed unexpectedly", + sockaddr_to_addr4(&io->addr)); + + /* There may have been a final message without a LF. 
*/ + if (io->bufptr) { +- client_message (io, io->bufptr, io->buffer); ++ client_message(io, io->bufptr, io->buffer); + + } + +- ev_io_stop (loop, _io); +- close_client (io); ++ ev_io_stop(loop, _io); ++ close_client(io); + return; + } + +@@ -635,7 +635,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, + + /* Unwrapping the token gives us the original message, + which we know is already a single record. */ +- major_status = gss_unwrap (&minor_status, io->gss_context, ++ major_status = gss_unwrap(&minor_status, io->gss_context, + &etok, &utok, NULL, NULL); + + if (major_status != GSS_S_COMPLETE) { +@@ -645,10 +645,10 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, + /* client_message() wants to NUL terminate it, + so copy it to a bigger buffer. Plus, we + want to add our own tag. */ +- memcpy (msgbuf, utok.value, utok.length); ++ memcpy(msgbuf, utok.value, utok.length); + while (utok.length > 0 && msgbuf[utok.length-1] == '\n') + utok.length --; +- snprintf (msgbuf + utok.length, ++ snprintf(msgbuf + utok.length, + MAX_AUDIT_MESSAGE_LENGTH - utok.length, + " krb5=%s", io->remote_name); + utok.length += 6 + io->remote_name_len; +@@ -681,7 +681,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, + return; + + /* We have an I-byte message in buffer. Send ACK */ +- client_message (io, i, io->buffer); ++ client_message(io, i, io->buffer); + + } else { + /* At this point, the buffer has IO->BUFPTR+R bytes in it. +@@ -701,7 +701,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, + i++; + + /* We have an I-byte message in buffer. Send ACK */ +- client_message (io, i, io->buffer); ++ client_message(io, i, io->buffer); + } + + /* Now copy any remaining bytes to the beginning of the +@@ -730,7 +730,7 @@ static int auditd_tcpd_check(int sock) + + request_init(&request, RQ_DAEMON, "auditd", RQ_FILE, sock, 0); + fromhost(&request); +- if (! 
hosts_access(&request)) ++ if (!hosts_access(&request)) + return 1; + return 0; + } +@@ -759,7 +759,7 @@ static int check_num_connections(struct sockaddr_in *aaddr) + } + + static void auditd_tcp_listen_handler( struct ev_loop *loop, +- struct ev_io *_io, int revents ) ++ struct ev_io *_io, int revents) + { + int one=1; + int afd; +@@ -770,7 +770,7 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, + + /* Accept the connection and see where it's coming from. */ + aaddrlen = sizeof(aaddr); +- afd = accept (_io->fd, (struct sockaddr *)&aaddr, &aaddrlen); ++ afd = accept(_io->fd, (struct sockaddr *)&aaddr, &aaddrlen); + if (afd == -1) { + audit_msg(LOG_ERR, "Unable to accept TCP connection"); + return; +@@ -793,8 +793,8 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, + + /* Verify it's coming from an authorized port. We assume the firewall + * will block attempts from unauthorized machines. */ +- if (min_port > ntohs (aaddr.sin_port) || +- ntohs (aaddr.sin_port) > max_port) { ++ if (min_port > ntohs(aaddr.sin_port) || ++ ntohs(aaddr.sin_port) > max_port) { + audit_msg(LOG_ERR, "TCP connection from %s rejected", + sockaddr_to_addr4(&aaddr)); + snprintf(emsg, sizeof(emsg), +@@ -825,29 +825,29 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, + setsockopt(afd, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int)); + setsockopt(afd, SOL_SOCKET, SO_KEEPALIVE, (char *)&one, sizeof (int)); + setsockopt(afd, IPPROTO_TCP, TCP_NODELAY, (char *)&one, sizeof (int)); +- set_close_on_exec (afd); ++ set_close_on_exec(afd); + + /* Make the client data structure */ +- client = (struct ev_tcp *) malloc (sizeof (struct ev_tcp)); ++ client = (struct ev_tcp *)malloc (sizeof (struct ev_tcp)); + if (client == NULL) { + audit_msg(LOG_CRIT, "Unable to allocate TCP client data"); + snprintf(emsg, sizeof(emsg), + "op=alloc addr=%s port=%d res=no", + sockaddr_to_ipv4(&aaddr), +- ntohs (aaddr.sin_port)); ++ ntohs(aaddr.sin_port)); + 
send_audit_event(AUDIT_DAEMON_ACCEPT, emsg); + shutdown(afd, SHUT_RDWR); + close(afd); + return; + } + +- memset (client, 0, sizeof (struct ev_tcp)); ++ memset(client, 0, sizeof (struct ev_tcp)); + client->client_active = 1; + + // Was watching for EV_ERROR, but libev 3.48 took it away +- ev_io_init (&(client->io), auditd_tcp_client_handler, afd, EV_READ); ++ ev_io_init(&(client->io), auditd_tcp_client_handler, afd, EV_READ); + +- memcpy (&client->addr, &aaddr, sizeof (struct sockaddr_in)); ++ memcpy(&client->addr, &aaddr, sizeof (struct sockaddr_in)); + + #ifdef USE_GSSAPI + if (use_gss && negotiate_credentials (client)) { +@@ -860,7 +860,7 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, + #endif + + fcntl(afd, F_SETFL, O_NONBLOCK | O_NDELAY); +- ev_io_start (loop, &(client->io)); ++ ev_io_start(loop, &(client->io)); + + /* Add the new connection to a linked list of active clients. */ + client->next = client_chain; +@@ -883,7 +883,7 @@ static void auditd_set_ports(int minp, int maxp, int max_p_addr) + } + + static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, +- int revents ) ++ int revents) + { + struct daemon_conf *config = (struct daemon_conf *) per->data; + struct ev_tcp *ev, *next = NULL; +@@ -902,24 +902,24 @@ static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, + audit_msg(LOG_NOTICE, + "client %s idle too long - closing connection\n", + sockaddr_to_addr4(&(ev->addr))); +- ev_io_stop (loop, &ev->io); ++ ev_io_stop(loop, &ev->io); + release_client(ev); + free(ev); + } + } + +-int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) ++int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config) + { + struct addrinfo *ai, *runp; + struct addrinfo hints; + char local[16]; + int one = 1, rc; + +- ev_periodic_init (&periodic_watcher, periodic_handler, ++ ev_periodic_init(&periodic_watcher, periodic_handler, + 0, config->tcp_client_max_idle, NULL); + 
periodic_watcher.data = config; + if (config->tcp_client_max_idle) +- ev_periodic_start (loop, &periodic_watcher); ++ ev_periodic_start(loop, &periodic_watcher); + + /* If the port is not set, that means we aren't going to + listen for connections. */ +@@ -940,7 +940,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) + nlsocks = 0; + runp = ai; + while (runp && nlsocks < N_SOCKS) { +- listen_socket[nlsocks] = socket (runp->ai_family, ++ listen_socket[nlsocks] = socket(runp->ai_family, + runp->ai_socktype, runp->ai_protocol); + if (listen_socket[nlsocks] < 0) { + audit_msg(LOG_ERR, "Cannot create tcp listener socket"); +@@ -950,7 +950,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) + /* This avoids problems if auditd needs to be restarted. */ + setsockopt(listen_socket[nlsocks], SOL_SOCKET, SO_REUSEADDR, + (char *)&one, sizeof (int)); +- set_close_on_exec (listen_socket[nlsocks]); ++ set_close_on_exec(listen_socket[nlsocks]); + + if (bind(listen_socket[nlsocks], runp->ai_addr, + runp->ai_addrlen)) { +@@ -977,9 +977,9 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) + p ? 
p->p_name: "?"); + endprotoent(); + +- ev_io_init (&tcp_listen_watcher, auditd_tcp_listen_handler, ++ ev_io_init(&tcp_listen_watcher, auditd_tcp_listen_handler, + listen_socket[nlsocks], EV_READ); +- ev_io_start (loop, &tcp_listen_watcher); ++ ev_io_start(loop, &tcp_listen_watcher); + non_fatal: + nlsocks++; + if (nlsocks == N_SOCKS) +@@ -1014,7 +1014,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) + key_file = "/etc/audit/audit.key"; + setenv ("KRB5_KTNAME", key_file, 1); + +- if (stat (key_file, &st) == 0) { ++ if (stat(key_file, &st) == 0) { + if ((st.st_mode & 07777) != 0400) { + audit_msg (LOG_ERR, + "%s is not mode 0400 (it's %#o) - compromised key?", +@@ -1022,7 +1022,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) + return -1; + } + if (st.st_uid != 0) { +- audit_msg (LOG_ERR, ++ audit_msg(LOG_ERR, + "%s is not owned by root (it's %d) - compromised key?", + key_file, st.st_uid); + return -1; +@@ -1036,17 +1036,16 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) + return 0; + } + +-void auditd_tcp_listen_uninit ( struct ev_loop *loop, +- struct daemon_conf *config ) ++void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config) + { + #ifdef USE_GSSAPI + OM_uint32 status; + #endif + +- ev_io_stop ( loop, &tcp_listen_watcher ); ++ ev_io_stop(loop, &tcp_listen_watcher); + while (nlsocks >= 0) { + nlsocks--; +- close ( listen_socket[nlsocks] ); ++ close (listen_socket[nlsocks]); + } + + #ifdef USE_GSSAPI +@@ -1060,29 +1059,29 @@ void auditd_tcp_listen_uninit ( struct ev_loop *loop, + unsigned char ack[AUDIT_RMW_HEADER_SIZE]; + + AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ENDING, 0, 0); +- client_ack (client_chain, ack, ""); +- ev_io_stop (loop, &client_chain->io); +- close_client (client_chain); ++ client_ack(client_chain, ack, ""); ++ ev_io_stop(loop, &client_chain->io); ++ close_client(client_chain); + } + + if 
(config->tcp_client_max_idle) +- ev_periodic_stop (loop, &periodic_watcher); ++ ev_periodic_stop(loop, &periodic_watcher); + } + + static void periodic_reconfigure(struct daemon_conf *config) + { +- struct ev_loop *loop = ev_default_loop (EVFLAG_AUTO); ++ struct ev_loop *loop = ev_default_loop(EVFLAG_AUTO); + if (config->tcp_client_max_idle) { +- ev_periodic_set (&periodic_watcher, ev_now (loop), ++ ev_periodic_set(&periodic_watcher, ev_now(loop), + config->tcp_client_max_idle, NULL); +- ev_periodic_start (loop, &periodic_watcher); ++ ev_periodic_start(loop, &periodic_watcher); + } else { +- ev_periodic_stop (loop, &periodic_watcher); ++ ev_periodic_stop(loop, &periodic_watcher); + } + } + +-void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, +- struct daemon_conf *oconf ) ++void auditd_tcp_listen_reconfigure(struct daemon_conf *nconf, ++ struct daemon_conf *oconf) + { + use_libwrap = nconf->use_libwrap; + +@@ -1112,3 +1111,4 @@ void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, + // and recredential if needed. + oconf->krb5_principal = nconf->krb5_principal; + } ++ diff --git a/SPECS/audit.spec b/SPECS/audit.spec index 1e4b8ef..ad10844 100644 --- a/SPECS/audit.spec +++ b/SPECS/audit.spec @@ -2,7 +2,7 @@ Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 2.7.6 +Version: 2.8.1 Release: 3%{?dist} License: GPLv2+ Group: System Environment/Daemons 
@@ -12,10 +12,14 @@ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Patch1: audit-2.7.1-rhel7-fixup.patch # DO NOT REMOVE - backlog_wait_time is not in RHEL 7 kernel Patch2: audit-2.7.5-no-backlog-wait-time.patch -# BZ 1455594 - Bad configuration keyword for audispd-remote.conf -Patch3: audit-2.7.7-queue_error_action.patch -# BZ 1460110 - aureport does not report all anomalies -Patch4: audit-2.7.7-aureport.patch +# This patch is purely fomatting. Needed for Patch4 to apply +Patch3: audit-2.8.2-style-fix.patch +# This patch fixes issue reported in bz 1101605#c15 +Patch4: audit-2.8.2-ipv6-bind.patch +# This patch corrects the return value for auditctl --reset-lost +Patch5: audit-2.8.2-fix-reset-lost-return.patch +# This patch makes date a numeric field so auparse_search works +Patch6: audit-2.8.2-auparse-numeric_field.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openldap-devel BuildRequires: swig @@ -31,7 +35,7 @@ Requires(postun): systemd-units coreutils %description The audit package contains the user space utilities for storing and searching the audit records generated by -the audit subsystem in the Linux 2.6 kernel. +the audit subsystem in the Linux 2.6 and later kernels. %package libs Summary: Dynamic library for libaudit @@ -85,8 +89,7 @@ Requires: openldap %description -n audispd-plugins The audispd-plugins package provides plugins for the real-time interface to the audit system, audispd. These plugins can do things -like relay events to remote machines or analyze events for suspicious -behavior. +like relay events to remote machines. %prep %setup -q 
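Review bot: The new comment on Patch3 has a typo, `# This patch is purely fomatting. Needed for Patch4 to apply` should read `formatting`, and it would help the next packager to say what it formats, e.g. `# Whitespace-only restyle of src/auditd-listen.c; needed for Patch4 to apply`. The Patch4 comment points at `bz 1101605#c15` while the changelog entry for 2.8.1-1 lists the same bug as `Ipv6 seems no working`, so naming the symptom in the comment too would keep the spec self-explanatory.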
@@ -94,10 +97,14 @@ behavior.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 %build
-%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-arm --with-aarch64 \
---without-golang --enable-zos-remote --enable-systemd
+%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes \
+ --with-libwrap --enable-gssapi-krb5=yes \
+ --with-libcap-ng=yes --with-arm --with-aarch64 \
+ --enable-zos-remote --without-golang --enable-systemd
 
 make CFLAGS="%{optflags}" %{?_smp_mflags}
 
@@ -226,8 +233,8 @@ fi
 %attr(755,root,root) /sbin/ausearch
 %attr(755,root,root) /sbin/aureport
 %attr(750,root,root) /sbin/autrace
-%attr(750,root,root) /sbin/audispd
-%attr(750,root,root) /sbin/augenrules
+%attr(755,root,root) /sbin/audispd
+%attr(755,root,root) /sbin/augenrules
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
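Review bot: The `%attr` hunk loosens /sbin/audispd and /sbin/augenrules from mode 750 to 755 while the neighbouring /sbin/autrace stays at 750, and none of the changelog entries added by this import mention it, so the reason is lost to the next packager; a file-mode change on root-owned audit helpers deserves a one-line comment above the two entries, e.g. `# audispd/augenrules are 755 rather than 750: <reason / bz reference>`. If the intent was only to let unprivileged users read the augenrules script, recording that keeps a later audit of package permissions from flagging it as an accidental regression.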
@@ -267,6 +274,25 @@ fi
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %changelog
+* Tue Dec 12 2017 Steve Grubb 2.8.1-3
+resolves: #1399314 - Allow non-equality comparisons for uid and gid fields
+
+* Mon Nov 06 2017 Steve Grubb 2.8.1-2
+resolves: #1508965 - Need to rebuild rpm to remove static relocations
+
+* Thu Oct 12 2017 Steve Grubb 2.8.1-1
+resolves: #982154 - Can't find the "avc" event with the auvirt command
+resolves: #1101605 - Ipv6 seems no working
+resolves: #1399314 - Allow non-equality comparisons for uid and gid fields
+resolves: #1455598 - Default port is wrong in audisp-remote.conf
+resolves: #1476406 - Audit package rebase
+
+* Mon Sep 18 2017 Steve Grubb 2.7.8-1
+resolves: #1406887 - auditd validate_email uses obsolete gethostbyname
+resolves: #1448526 - aureport shows the wrong auid "-1"
+resolves: #1475998 - python audit crash if when using AUSOURCE_FILE_POINTER
+resolves: #1482121 - python audit crash dereferencing auparse_state_t le field
+
 * Mon Jun 12 2017 Steve Grubb 2.7.6-3
 resolves: #1460110 - aureport does not report all anomalies