From c672a96f53f7397fd2f440989d6481848d1201d8 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 03 2016 06:02:06 +0000
Subject: import audit-2.6.5-3.el7
---
diff --git a/.audit.metadata b/.audit.metadata
index 1cbe0b8..fac8703 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-84ce70969f3be29e460d92d9cd026119bee9b1dc SOURCES/audit-2.4.1.tar.gz
+5b14b50733d6d9d11467d88933f2d2ef10f7b19e SOURCES/audit-2.6.5.tar.gz
diff --git a/.gitignore b/.gitignore
index ec48444..dc190bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-2.4.1.tar.gz
+SOURCES/audit-2.6.5.tar.gz
diff --git a/SOURCES/audit-2.3.3-augenrules.patch b/SOURCES/audit-2.3.3-augenrules.patch
deleted file mode 100644
index f408308..0000000
--- a/SOURCES/audit-2.3.3-augenrules.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -urp audit-2.3.3.orig/init.d/auditd.service audit-2.3.3/init.d/auditd.service
---- audit-2.3.3.orig/init.d/auditd.service 2014-01-16 06:24:42.000000000 -0500
-+++ audit-2.3.3/init.d/auditd.service 2014-03-18 12:47:13.682617960 -0400
-@@ -8,12 +8,11 @@ RefuseManualStop=yes
-
- [Service]
- ExecStart=/sbin/auditd -n
--## To use augenrules, copy this file to /etc/systemd/system/auditd.service
--## and uncomment the next line and delete/comment out the auditctl line.
--## Then copy existing rules to /etc/audit/rules.d/
--## Not doing this last step can cause loss of existing rules
--#ExecStartPost=-/sbin/augenrules --load
--ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-+## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
-+## and comment/delete the next line and uncomment the auditctl line.
-+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-+ExecStartPost=-/sbin/augenrules --load
-+#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
- ExecReload=/bin/kill -HUP $MAINPID
-
- [Install]
diff --git a/SOURCES/audit-2.4.1-uid-1000.patch b/SOURCES/audit-2.4.1-uid-1000.patch
deleted file mode 100644
index dd2af0f..0000000
--- a/SOURCES/audit-2.4.1-uid-1000.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -diff -ur audit-2.4.1.orig/contrib/stig.rules audit-2.4.1/contrib/stig.rules ---- audit-2.4.1.orig/contrib/stig.rules 2014-10-27 16:54:03.000000000 -0400 -+++ audit-2.4.1/contrib/stig.rules 2014-10-28 14:21:39.896827577 -0400 -@@ -19,7 +19,7 @@ - ## NOTE: - ## 1) if this is being used on a 32 bit machine, comment out the b64 lines - ## 2) These rules assume that login under the root account is not allowed. --## 3) It is also assumed that 500 represents the first usable user account. To -+## 3) It is also assumed that 1000 represents the first usable user account. To - ## be sure, look at UID_MIN in /etc/login.defs. - ## 4) If these rules generate too much spurious data for your tastes, limit the - ## the syscall file rules with a directory, like -F dir=/etc -@@ -106,22 +106,22 @@ - - ##- Discretionary access control permission modification (unsuccessful - ## and successful use of chown/chmod) ---a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod ---a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod ---a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod ---a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod ---a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod ---a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod -+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -+-a always,exit -F arch=b64 -S 
chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod -+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod - - ##- Unauthorized access attempts to files (unsuccessful) ---a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access ---a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access ---a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access ---a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access -+-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -+-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access -+-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access -+-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access - - ##- Use of privileged commands (unsuccessful and successful) - ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this ---a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged -+-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged - - ##- Use of print command (unsuccessful and successful) - -@@ -129,14 +129,14 @@ - 
## You have to mount media before using it. You must disable all automounting - ## so that its done manually in order to get the correct user requesting the - ## export ---a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export ---a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export -+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export -+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export - - ##- System startup and shutdown (unsuccessful and successful) - - ##- Files and programs deleted by the user (successful and unsuccessful) ---a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete ---a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete -+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete -+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete - - ##- All system administration actions - ##- All security personnel actions -@@ -175,7 +175,7 @@ - #-a always,exit -F arch=b64 -S delete_module -F key=module-unload - - ## Optional - admin may be abusing power by looking in user's home dir --#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse -+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse - - ## Optional - log container creation - #-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create -diff -ur audit-2.4.1.orig/docs/audit.rules.7 audit-2.4.1/docs/audit.rules.7 ---- audit-2.4.1.orig/docs/audit.rules.7 2014-10-27 16:54:03.000000000 -0400 -+++ audit-2.4.1/docs/audit.rules.7 2014-10-28 14:23:00.014833616 -0400 -@@ -76,10 +76,10 @@ - .B \-F - options that fine tune what to match against. 
Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things. - --The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule: -+The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule: - - .nf --\-F auid>=500 \-F auid!=4294967295 -+\-F auid>=1000 \-F auid!=4294967295 - .fi - - These individual checks are "anded" and both have to be true. diff --git a/SOURCES/audit-2.4.2-ipsec.patch b/SOURCES/audit-2.4.2-ipsec.patch deleted file mode 100644 index f77316b..0000000 --- a/SOURCES/audit-2.4.2-ipsec.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-diff -urp audit-2.4.1.orig/lib/libaudit.h audit-2.4.1/lib/libaudit.h
---- audit-2.4.1.orig/lib/libaudit.h 2014-10-27 16:54:03.000000000 -0400
-+++ audit-2.4.1/lib/libaudit.h 2014-12-16 13:37:12.798853979 -0500
-@@ -200,6 +200,10 @@ extern "C" {
- #define AUDIT_CRYPTO_REPLAY_USER 2406 /* Crypto replay detected */
- #define AUDIT_CRYPTO_SESSION 2407 /* Record parameters set during
- TLS session establishment */
-+#define AUDIT_CRYPTO_IKE_SA 2408 /* Record parameters related to
-+ IKE SA */
-+#define AUDIT_CRYPTO_IPSEC_SA 2409 /* Record parameters related to
-+ IPSEC SA */
-
- #define AUDIT_LAST_CRYPTO_MSG 2499
-
-diff -urp audit-2.4.1.orig/lib/msg_typetab.h audit-2.4.1/lib/msg_typetab.h
---- audit-2.4.1.orig/lib/msg_typetab.h 2014-10-27 16:54:03.000000000 -0400
-+++ audit-2.4.1/lib/msg_typetab.h 2014-12-16 13:37:12.798853979 -0500
-@@ -205,6 +205,8 @@ _S(AUDIT_CRYPTO_KEY_USER, "CR
- _S(AUDIT_CRYPTO_FAILURE_USER, "CRYPTO_FAILURE_USER" )
- _S(AUDIT_CRYPTO_REPLAY_USER, "CRYPTO_REPLAY_USER" )
- _S(AUDIT_CRYPTO_SESSION, "CRYPTO_SESSION" )
-+_S(AUDIT_CRYPTO_IKE_SA, "CRYPTO_IKE_SA" )
-+_S(AUDIT_CRYPTO_IPSEC_SA, "CRYPTO_IPSEC_SA" )
- _S(AUDIT_VIRT_CONTROL, "VIRT_CONTROL" )
- _S(AUDIT_VIRT_RESOURCE, "VIRT_RESOURCE" )
- _S(AUDIT_VIRT_MACHINE_ID, "VIRT_MACHINE_ID" )
diff --git a/SOURCES/audit-2.4.2-ppc-machine.patch b/SOURCES/audit-2.4.2-ppc-machine.patch
deleted file mode 100644
index b431900..0000000
--- a/SOURCES/audit-2.4.2-ppc-machine.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: /trunk/lib/libaudit.c
-===================================================================
---- /trunk/lib/libaudit.c (revision 1065)
-+++ /trunk/lib/libaudit.c (revision 1066)
-@@ -1214,12 +1214,8 @@
- break;
- #endif
-- case MACH_PPC64LE:
-- if (bits != __AUDIT_ARCH_64BIT)
-- return -6;
-- break;
--
-- case MACH_86_64: /* fallthrough */
-- case MACH_PPC64: /* fallthrough */
-- case MACH_S390X: /* fallthrough */
-+ case MACH_86_64: /* fallthrough */
-+ case MACH_PPC64: /* fallthrough */
-+ case MACH_PPC64LE: /* fallthrough */
-+ case MACH_S390X: /* fallthrough */
- break;
- default:
diff --git a/SOURCES/audit-2.6.5-autrace.patch b/SOURCES/audit-2.6.5-autrace.patch
new file mode 100644
index 0000000..8b513ed
--- /dev/null
+++ b/SOURCES/audit-2.6.5-autrace.patch
@@ -0,0 +1,37 @@
+diff -urp audit-2.6.5.orig/src/autrace.c audit-2.6.5/src/autrace.c
+--- audit-2.6.5.orig/src/autrace.c 2016-07-13 12:14:36.000000000 -0400
++++ audit-2.6.5/src/autrace.c 2016-07-22 10:41:41.221461110 -0400
+@@ -298,18 +298,19 @@ static int count_em(int fd)
+ FD_SET(fd, &read_mask);
+
+ for (i = 0; i < timeout; i++) {
++ struct timeval t;
++
++ t.tv_sec = 0;
++ t.tv_usec = 100000; /* .1 second */
+ retval = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
+ if (retval > 0) {
+- struct timeval t;
+-
+ if (rep.type == NLMSG_ERROR &&
+ rep.error->error == 0)
+ continue;
+- t.tv_sec = 0;
+- t.tv_usec = 100000; /* .1 second */
+ do {
+ retval=select(fd+1, &read_mask, NULL, NULL, &t);
+ } while (retval < 0 && errno == EINTR);
++
+ switch (rep.type)
+ {
+ case NLMSG_DONE:
+@@ -323,7 +324,8 @@ static int count_em(int fd)
+ default:
+ break;
+ }
+- }
++ } else if (errno == EAGAIN) // Take short delay
++ retval = select(fd+1, &read_mask, NULL, NULL, &t);
+ }
+ if (i >= timeout && count == 0)
+ count = -1;
diff --git a/SOURCES/audit-2.6.5-directory-permissions.patch b/SOURCES/audit-2.6.5-directory-permissions.patch
new file mode 100644
index 0000000..c439c27
--- /dev/null
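Review bot: The new `else if (errno == EAGAIN)` branch in count_em() calls select() on `read_mask`, but the set is only populated by the `FD_SET(fd, &read_mask)` before the loop and select() overwrites the set it is handed, so once any call times out the later ones wait on an empty set and act as a fixed 100 ms sleep that cannot wake when a reply arrives. Re-arm it at the top of the loop body beside the `t` initialisation: `FD_ZERO(&read_mask); FD_SET(fd, &read_mask);`. The branch also consults `errno` whenever `retval` is not positive, including a return of 0 where errno may be left over from an earlier call; `else if (retval < 0 && errno == EAGAIN)` is tighter, assuming audit_get_reply() reports the would-block case as a negative return. count_em() begins and ends outside the hunk.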
+++ b/SOURCES/audit-2.6.5-directory-permissions.patch
@@ -0,0 +1,12 @@
+diff -urp audit-2.6.5.orig/src/auditd-event.c audit-2.6.5/src/auditd-event.c
+--- audit-2.6.5.orig/src/auditd-event.c 2016-07-13 12:14:36.000000000 -0400
++++ audit-2.6.5/src/auditd-event.c 2016-07-22 10:37:45.468455518 -0400
+@@ -900,7 +900,7 @@ static void fix_disk_permissions(void)
+ // Start with the directory
+ strcpy(path, config->log_file);
+ dir = dirname(path);
+- chmod(dir, config->log_group ? S_IRWXU|S_IRWXG : S_IRWXU);
++ chmod(dir, config->log_group ? S_IRWXU|S_IRGRP|S_IXGRP : S_IRWXU);
+ chown(dir, 0, config->log_group ? config->log_group : 0);
+
+ // Now, for each file...
diff --git a/SOURCES/audit-2.6.7-augenrules.patch b/SOURCES/audit-2.6.7-augenrules.patch
new file mode 100644
index 0000000..41b0cdb
--- /dev/null
+++ b/SOURCES/audit-2.6.7-augenrules.patch
@@ -0,0 +1,15 @@
+diff -urp audit-2.6.5.orig/init.d/augenrules audit-2.6.5/init.d/augenrules
+--- audit-2.6.5.orig/init.d/augenrules 2016-07-14 10:25:39.000000000 -0400
++++ audit-2.6.5/init.d/augenrules 2016-08-10 09:21:51.018391054 -0400
+@@ -125,6 +125,11 @@ if [ -f ${DestinationFile} ]; then
+ fi
+ # We copy the file so that it gets the right selinux lable
+ cp ${TmpRules} ${DestinationFile}
++chmod 0640 ${DestinationFile}
++# Restore context on MLS system. /tmp is SystemLow & audit.rules is SystemHigh
++if [ -x /usr/sbin/restorecon ] ; then
++ /usr/sbin/restorecon -F ${DestinationFile}
++fi
+ rm -f ${TmpRules}
+
+ try_load
diff --git a/SOURCES/audit-2.6.7-log-perms.patch b/SOURCES/audit-2.6.7-log-perms.patch
new file mode 100644
index 0000000..b3852b2
--- /dev/null
+++ b/SOURCES/audit-2.6.7-log-perms.patch
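Review bot: The rewritten `chmod(dir, config->log_group ? S_IRWXU|S_IRGRP|S_IXGRP : S_IRWXU);` in fix_disk_permissions() still discards its return value, as does the `chown()` that follows, so a failure to tighten the audit log directory leaves the previous, group-writable mode in place with nothing recorded. Test the result and report it through the daemon's usual logging call, e.g. `if (chmod(dir, ...) < 0) audit_msg(LOG_WARNING, "Unable to set mode on %s (%s)", dir, strerror(errno));` with the mode expression unchanged. The per-file loop touched by audit-2.6.7-log-perms.patch has the same gap: `rc` is examined only for ENOENT and every other chmod failure on a rotated log passes silently. The `strcpy(path, config->log_file)` context line relies on a buffer sized outside this hunk, which is worth confirming while the function is open; fix_disk_permissions() starts and ends outside the hunk.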
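Review bot: The added `chmod 0640 ${DestinationFile}` runs only after `cp` has created or rewritten the file, so between the two commands a newly created rules file carries whatever mode cp derived from ${TmpRules} and the current umask. If the temporary file is not already owner-only (its creation is outside the hunk), putting `umask 027` ahead of the `cp` closes that window. The expansions are unquoted as well; `chmod 0640 "${DestinationFile}"` and `/usr/sbin/restorecon -F "${DestinationFile}"` stay correct if the path ever contains whitespace. Neither the chmod nor the restorecon result is checked before `try_load`, so on an MLS system a failed relabel goes unreported.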
@@ -0,0 +1,13 @@
+diff -urp audit-2.6.5.orig/src/auditd-event.c audit-2.6.5/src/auditd-event.c
+--- audit-2.6.5.orig/src/auditd-event.c 2016-07-14 10:25:39.000000000 -0400
++++ audit-2.6.5/src/auditd-event.c 2016-08-10 09:24:41.450386810 -0400
+@@ -907,8 +907,7 @@ static void fix_disk_permissions(void)
+ for (i = 1; i < config->num_logs; i++) {
+ int rc;
+ snprintf(path, len, "%s.%d", config->log_file, i);
+- rc = chmod(path, config->log_group ? S_IWUSR|S_IRUSR|S_IRGRP :
+- S_IWUSR|S_IRUSR);
++ rc = chmod(path, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR);
+ if (rc && errno == ENOENT)
+ break;
+ }
diff --git a/SOURCES/audit-2.6.7-syslog.patch b/SOURCES/audit-2.6.7-syslog.patch
new file mode 100644
index 0000000..cc664ea
--- /dev/null
+++ b/SOURCES/audit-2.6.7-syslog.patch
@@ -0,0 +1,54 @@
+diff -urp audit-2.6.7/audisp/audispd-builtins.c audit-2.6.7.orig/audisp/audispd-builtins.c
+--- audit-2.6.7/audisp/audispd-builtins.c 2016-08-02 11:55:31.000000000 -0400
++++ audit-2.6.7.orig/audisp/audispd-builtins.c 2016-08-09 12:32:54.524964714 -0400
+@@ -327,10 +327,24 @@ static void init_syslog(const plugin_con
+ syslog_started = 1;
+ }
+
+-void send_syslog(const char *s)
++void send_syslog(const char *s, uint32_t ver)
+ {
+- if (syslog_started)
++ if (syslog_started) {
++ if (ver == AUDISP_PROTOCOL_VER2) {
++ char *ptr = strdup(s);
++ if (ptr) {
++ char *c = strchr(ptr, AUDIT_INTERP_SEPARATOR);
++ if (c)
++ *c = ' ';
++ syslog(priority, "%s", ptr);
++ free(ptr);
++ return;
++ }
++ }
++ // Everything should fall through except success because
++ // something is better than nothing.
+ syslog(priority, "%s", s);
++ }
+ }
+
+ void destroy_syslog(void)
+diff -urp audit-2.6.7/audisp/audispd-builtins.h audit-2.6.7.orig/audisp/audispd-builtins.h
+--- audit-2.6.7/audisp/audispd-builtins.h 2016-08-02 11:55:31.000000000 -0400
++++ audit-2.6.7.orig/audisp/audispd-builtins.h 2016-08-09 12:25:38.274976900 -0400
+@@ -31,7 +31,7 @@ void stop_builtin(plugin_conf_t *conf);
+ void send_af_unix_string(const char *s, unsigned int len);
+ void send_af_unix_binary(event_t *e);
+ void destroy_af_unix(void);
+-void send_syslog(const char *s);
++void send_syslog(const char *s, uint32_t ver);
+ void destroy_syslog(void);
+
+ typedef void (*poll_callback_ptr)(int fd);
+diff -urp audit-2.6.7/audisp/audispd.c audit-2.6.7.orig/audisp/audispd.c
+--- audit-2.6.7/audisp/audispd.c 2016-08-02 11:55:31.000000000 -0400
++++ audit-2.6.7.orig/audisp/audispd.c 2016-08-09 12:25:06.357977791 -0400
+@@ -684,7 +684,7 @@ static int event_loop(void)
+
+ /* Now send the event to the right child */
+ if (conf->p->type == S_SYSLOG)
+- send_syslog(v);
++ send_syslog(v, e->hdr.ver);
+ else if (conf->p->type == S_AF_UNIX) {
+ if (conf->p->format == F_STRING)
+ send_af_unix_string(v, len);
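Review bot: In send_syslog() the `AUDISP_PROTOCOL_VER2` path falls back to `syslog(priority, "%s", s)` when `strdup()` fails, so under memory pressure the record reaches syslog with the `AUDIT_INTERP_SEPARATOR` byte still in it, and `strchr()` rewrites only the first occurrence. Both look deliberate but neither is stated where a log consumer would look; a comment above the `if (ver == AUDISP_PROTOCOL_VER2)` line such as `/* VER2 events carry an AUDIT_INTERP_SEPARATOR (presumably one, between the raw and interpreted text); replace it so syslog gets one printable line. On allocation failure the string is sent unmodified. */` would cover it. audispd-builtins.h now uses `uint32_t` in a prototype, and whether that header includes `<stdint.h>` itself is not visible in the hunk. The inner diff labels are reversed (`audit-2.6.7` as old, `audit-2.6.7.orig` as new), which still applies with -p1 but will mislead anyone regenerating the patch.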
diff --git a/SPECS/audit.spec b/SPECS/audit.spec
index 229bee2..cfb38d3 100644
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
@@ -1,37 +1,32 @@ %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} -# Do we want systemd? -%define WITH_SYSTEMD 1 - Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 2.4.1 -Release: 5%{?dist} +Version: 2.6.5 +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://people.redhat.com/sgrubb/audit/ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz -# Default to using augenrules to create audit.rules -Patch1: audit-2.3.3-augenrules.patch -# Adjust beginning user id's to 1000 -Patch2: audit-2.4.1-uid-1000.patch -# Add 2 ipsec related events -Patch3: audit-2.4.2-ipsec.patch -# Fix detection of audit elf type when ppc64le is specified in a rule -Patch4: audit-2.4.2-ppc-machine.patch +# bz 1358831 - group ownership and permissions of /var/log/audit +Patch1: audit-2.6.5-directory-permissions.patch +# bz 1358775 - autrace: Error - can't get rule count +Patch2: audit-2.6.5-autrace.patch +# bz 1362582 - regenerated audit.rules context and permissions changed +Patch3: audit-2.6.7-augenrules.patch +Patch4: audit-2.6.7-log-perms.patch +Patch5: audit-2.6.7-syslog.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: swig python-devel +BuildRequires: openldap-devel +BuildRequires: swig +BuildRequires: python-devel BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel BuildRequires: kernel-headers >= 2.6.29 -Requires: %{name}-libs = %{version}-%{release} -%if %{WITH_SYSTEMD} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} BuildRequires: systemd-units Requires(post): systemd-units systemd-sysv chkconfig coreutils Requires(preun): systemd-units Requires(postun): systemd-units coreutils -%else -Requires: chkconfig -%endif %description The audit package contains the user space utilities for 
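Review bot: `Patch4: audit-2.6.7-log-perms.patch` and `Patch5: audit-2.6.7-syslog.patch` are added without the bug-reference comment that Patch1 to Patch3 carry, although both change security-relevant behaviour (the mode of rotated audit logs and what text is forwarded to syslog). Add a line above each in the existing style, for example `# bz <BUG-ID> - rotated audit logs should not be writable` and `# bz <BUG-ID> - strip interpretation separator before syslog`, filling in the real tracker ids. The %changelog entry added further down only says "Rebase audit package", so these comments would be the only record of why the two patches exist.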
@@ -51,7 +46,7 @@ applications to use the audit framework. Summary: Header files for libaudit License: LGPLv2+ Group: Development/Libraries -Requires: %{name}-libs = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: kernel-headers >= 2.6.29 %description libs-devel @@ -73,7 +68,7 @@ framework libraries Summary: Python bindings for libaudit License: LGPLv2+ Group: Development/Libraries -Requires: %{name}-libs = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description libs-python The audit-libs-python package contains the bindings so that libaudit @@ -83,9 +78,8 @@ and libauparse can be used by python. Summary: Plugins for the audit event dispatcher License: GPLv2+ Group: System Environment/Daemons -BuildRequires: openldap-devel Requires: %{name} = %{version}-%{release} -Requires: %{name}-libs = %{version}-%{release} +Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: openldap %description -n audispd-plugins 
@@ -96,34 +90,25 @@ behavior. %prep %setup -q -# augenrules %patch1 -p1 -# uid 1000 %patch2 -p1 -# Add ipsec audit events %patch3 -p1 -# Fix ppc64le elf type translation -%patch4 -p2 +%patch4 -p1 +%patch5 -p1 %build %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-arm --with-aarch64 \ ---without-golang \ -%if %{WITH_SYSTEMD} - --enable-systemd -%endif +--without-golang --enable-zos-remote --enable-systemd -make %{?_smp_mflags} +make CFLAGS="%{optflags}" %{?_smp_mflags} %install rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audispd/plugins.d} -%if !%{WITH_SYSTEMD} -mkdir -p $RPM_BUILD_ROOT/{etc/{sysconfig,rc.d/init.d}} -%endif +mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audispd/plugins.d,etc/audit/rules.d} mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8} mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit -mkdir -p $RPM_BUILD_ROOT/%{_var}/log/audit +mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit make DESTDIR=$RPM_BUILD_ROOT install @@ -141,14 +126,9 @@ cd $curdir # Remove these items so they don't get picked up. rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.so rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.so -rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.la -rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.la -rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_audit.a -rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_audit.la -rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_auparse.a -rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_auparse.la -rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.a -rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.la + +find $RPM_BUILD_ROOT -name '*.la' -delete +find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete # Move the pkgconfig file mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir} 
@@ -157,10 +137,13 @@ mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir} touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz -%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86} %check +%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86} make check %endif +# Get rid of make files that they don't get packaged. +rm -f rules/Makefile* + %clean rm -rf $RPM_BUILD_ROOT @@ -169,24 +152,19 @@ rm -rf $RPM_BUILD_ROOT %post # Copy default rules into place on new installation -if [ ! -e /etc/audit/audit.rules ] ; then - cp /etc/audit/rules.d/audit.rules /etc/audit/audit.rules +files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w` +if [ "$files" -eq 0 ] ; then + if [ -e /usr/share/doc/audit/rules/10-base-config.rules ] ; then + cp /usr/share/doc/audit/rules/10-base-config.rules /etc/audit/rules.d/audit.rules + else + touch /etc/audit/rules.d/audit.rules + fi + chmod 0600 /etc/audit/rules.d/audit.rules fi -%if %{WITH_SYSTEMD} %systemd_post auditd.service -%else -/sbin/chkconfig --add auditd -%endif %preun -%if %{WITH_SYSTEMD} %systemd_preun auditd.service -%else -if [ $1 -eq 0 ]; then - /sbin/service auditd stop > /dev/null 2>&1 - /sbin/chkconfig --del auditd -fi -%endif %postun libs -p /sbin/ldconfig @@ -210,7 +188,9 @@ fi %{_includedir}/libaudit.h %{_includedir}/auparse.h %{_includedir}/auparse-defs.h +%{_datadir}/aclocal/audit.m4 %{_libdir}/pkgconfig/audit.pc +%{_libdir}/pkgconfig/auparse.pc %{_mandir}/man3/* %files libs-static @@ -226,7 +206,7 @@ fi %files %defattr(-,root,root,-) -%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/stig.rules init.d/auditd.cron +%doc README COPYING ChangeLog rules init.d/auditd.cron %attr(644,root,root) %{_mandir}/man8/audispd.8.gz %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz %attr(644,root,root) %{_mandir}/man8/auditd.8.gz 
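Review bot: The new %post scriptlet creates /etc/audit/rules.d/audit.rules with `cp` or `touch` and only then runs `chmod 0600`, while the %files hunk later in this commit lists the same path as `%ghost %config(noreplace) %attr(640,root,root)`, so the packaged and installed modes disagree and package verification would likely flag a fresh install. Choose one mode and create the file with it in a single step, e.g. `install -m 0640 /usr/share/doc/audit/rules/10-base-config.rules /etc/audit/rules.d/audit.rules`. The source path is hard-coded to /usr/share/doc/audit; if this distribution installs %doc under a versioned directory the `-e` test is false and the `touch` branch leaves an empty rule set without any message, so the path is better built from the doc-directory macro the package actually uses. `ls ... | wc -w` also counts any stray file in rules.d, not only `*.rules`.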
@@ -242,8 +222,8 @@ fi %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz -%attr(750,root,root) /sbin/auditctl -%attr(750,root,root) /sbin/auditd +%attr(755,root,root) /sbin/auditctl +%attr(755,root,root) /sbin/auditd %attr(755,root,root) /sbin/ausearch %attr(755,root,root) /sbin/aureport %attr(750,root,root) /sbin/autrace 
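Review bot: `/sbin/auditctl` and `/sbin/auditd` go from `%attr(750,root,root)` to `%attr(755,root,root)` with no comment and no changelog line giving the reason, while `/sbin/autrace` directly below stays at 750. Hardening baselines commonly compare the modes of the audit tools, so a reviewer of a later scan result needs to be able to tell that the relaxation was intended. Add a comment above the two lines in the form `# 755 since <BUG-ID>: <reason>`, and say in it whether autrace was left at 750 on purpose.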
@@ -253,25 +233,22 @@ fi %attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/ausyscall %attr(755,root,root) %{_bindir}/auvirt -%if %{WITH_SYSTEMD} -%attr(640,root,root) %{_unitdir}/auditd.service +%attr(644,root,root) %{_unitdir}/auditd.service %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart -%else -%attr(755,root,root) /etc/rc.d/init.d/auditd -%config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd -%endif -%attr(750,root,root) %dir %{_var}/log/audit +%attr(-,root,-) %dir %{_var}/log/audit %attr(750,root,root) %dir /etc/audit %attr(750,root,root) %dir /etc/audit/rules.d %attr(750,root,root) %dir /etc/audisp %attr(750,root,root) %dir /etc/audisp/plugins.d %config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf -%config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules +%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules +%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules +%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules %config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf @@ -291,6 +268,9 @@ fi %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %changelog +* Wed Aug 10 2016 Steve Grubb 2.6.5-3 +resolves: #1296204 - Rebase audit package + * Wed Jan 14 2015 Steve Grubb 2.4.1-5 resolves: #1180675 - rules with "-F arch=ppc64le" fail to load
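Review bot: `%attr(-,root,-) %dir %{_var}/log/audit` no longer pins the mode or group of the audit log directory in the package, so the packaged mode is whatever the build root had (the `mkdir -p --mode=0700` added to %install in this commit), and the effective mode then depends on fix_disk_permissions() in auditd, as changed by Patch1. That coupling cannot be seen from this line; a comment such as `# mode and group left unpinned: auditd sets them from log_group (bz 1358831)` would stop a later edit from restoring 750 and reintroducing the mismatch. The same hunk relaxes `%{_unitdir}/auditd.service` from 640 to 644, which is usual for a unit file but is also undocumented.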