diff --git a/audit-1.7.2-avc.patch b/audit-1.7.2-avc.patch
deleted file mode 100644
index 1687052..0000000
--- a/audit-1.7.2-avc.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -urp audit-1.7.2.orig/src/ausearch-parse.c audit-1.7.2/src/ausearch-parse.c
---- audit-1.7.2.orig/src/ausearch-parse.c 2008-04-09 14:26:27.000000000 -0400
-+++ audit-1.7.2/src/ausearch-parse.c 2008-04-17 10:44:10.000000000 -0400
-@@ -1208,6 +1212,17 @@ static int parse_avc(const lnode *n, sea
- term = str + 6;
- }
- }
-+ if (event_filename) {
-+ // do we have a path?
-+ str = strstr(term, " path=");
-+ if (str) {
-+ str += 6;
-+ rc = common_path_parser(s, str);
-+ if (rc)
-+ goto err;
-+ term += 7;
-+ }
-+ }
- if (event_subject) {
- // scontext
- str = strstr(term, "scontext=");
diff --git a/audit-1.7.3-cmd.patch b/audit-1.7.3-cmd.patch
deleted file mode 100644
index 3e5ef50..0000000
--- a/audit-1.7.3-cmd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -urp audit-1.7.2/lib/audit_logging.c audit-1.7.3/lib/audit_logging.c
---- audit-1.7.2/lib/audit_logging.c 2008-04-01 12:25:33.000000000 -0400
-+++ audit-1.7.3/lib/audit_logging.c 2008-04-11 17:07:24.000000000 -0400
-@@ -633,7 +633,6 @@ int audit_log_user_command(int audit_fd,
- // We borrow the commname buffer
- if (getcwd(commname, PATH_MAX) == NULL)
- strcpy(commname, "?");
-- strcpy(cwdname, commname);
- p = commname;
- len = strlen(commname);
- while (*p) {
-@@ -644,6 +643,8 @@ int audit_log_user_command(int audit_fd,
- }
- p++;
- }
-+ if (cwdenc == 0)
-+ strcpy(cwdname, commname);
- 
- len = strlen(cmd);
- // Trim the trailing carriage return and spaces
-@@ -665,6 +666,8 @@ int audit_log_user_command(int audit_fd,
- }
- p++;
- }
-+ if (cmdenc == 0)
-+ strcpy(commname, cmd);
- free(cmd);
- 
- // Make the format string
diff --git a/audit-1.7.3-prelude.patch b/audit-1.7.3-prelude.patch
deleted file mode 100644
index fcb8166..0000000
--- a/audit-1.7.3-prelude.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-diff -urp audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c
---- audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c 2008-04-07 16:57:12.000000000 -0400
-+++ audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c 2008-04-18 14:23:06.000000000 -0400
-@@ -228,7 +228,8 @@ int main(int argc, char *argv[])
- return -1;
- }
- 
-- syslog(LOG_INFO, "audisp-prelude is ready for events");
-+ if (mode != M_TEST)
-+ syslog(LOG_INFO, "audisp-prelude is ready for events");
- do {
- /* Load configuration */
- if (hup) {
-@@ -248,9 +249,10 @@ int main(int argc, char *argv[])
- /* Flush any accumulated events from queue */
- auparse_flush_feed(au);
- 
-- syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
- if (mode == M_TEST)
- puts("audisp-prelude is exiting on stop request");
-+ else
-+ syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
- 
- /* Cleanup subsystems */
- if (client)
-@@ -609,7 +611,7 @@ static int get_login_exe_info(auparse_st
- base = basename(exe);
- ret = prelude_string_new(&name_str);
- PRELUDE_FAIL_CHECK;
-- ret = prelude_string_set_ref(name_str, base);
-+ ret = prelude_string_set_dup(name_str, base);
- PRELUDE_FAIL_CHECK;
- idmef_process_set_name(process, name_str);
- }
-@@ -708,7 +710,7 @@ static int get_comm_info(auparse_state_t
- char *base = basename(exe);
- ret = prelude_string_new(&name_str);
- PRELUDE_FAIL_CHECK;
-- ret = prelude_string_set_ref(name_str, base);
-+ ret = prelude_string_set_dup(name_str, base);
- idmef_process_set_name(process, name_str);
- }
- }
-@@ -760,7 +762,7 @@ static int get_file_info(auparse_state_t
- ret = prelude_string_new(&str);
- PRELUDE_FAIL_CHECK;
- 
-- ret = prelude_string_set_ref(str, path);
-+ ret = prelude_string_set_dup(str, path);
- PRELUDE_FAIL_CHECK;
- if (path[0] == '/') {
- char *base;
-@@ -772,7 +774,7 @@ static int get_file_info(auparse_state_t
- base = "/";
- ret = prelude_string_new(&name_str);
- PRELUDE_FAIL_CHECK;
-- ret = prelude_string_set_ref(name_str, base);
-+ ret = prelude_string_set_dup(name_str, base);
- PRELUDE_FAIL_CHECK;
- idmef_file_set_name(file, name_str);
- } else
-@@ -1811,7 +1813,7 @@ static void handle_event(auparse_state_t
- rc = 0;
- switch (type) {
- case AUDIT_AVC:
-- case AUDIT_USER_AVC:
-+// case AUDIT_USER_AVC:
- if (config.avcs == E_NO)
- break;
- if (config.avcs_act != A_IDMEF)
-diff -urp audit-1.7.2.orig/auparse/auparse.c audit-1.7.2/auparse/auparse.c
---- audit-1.7.2.orig/auparse/auparse.c 2008-04-08 12:37:09.000000000 -0400
-+++ audit-1.7.2/auparse/auparse.c 2008-04-18 14:10:36.000000000 -0400
-@@ -1130,6 +1130,7 @@ int auparse_first_record(auparse_state_t
- return rc;
- }
- aup_list_first(&au->le);
-+ aup_list_first_field(&au->le);
- 
- return 1;
- }
-@@ -1236,7 +1237,22 @@ const char *auparse_find_field(auparse_s
- {
- free(au->find_field);
- au->find_field = strdup(name);
-- return auparse_find_field_next(au);
-+
-+ if (au->le.e.sec) {
-+ const char *cur_name;
-+ rnode *r;
-+
-+ // look at current record before moving
-+ r = aup_list_get_cur(&au->le);
-+ if (r == NULL)
-+ return NULL;
-+ cur_name = nvlist_get_cur_name(&r->nv);
-+ if (cur_name && strcmp(cur_name, name) == 0)
-+ return nvlist_get_cur_val(&r->nv);
-+
-+ return auparse_find_field_next(au);
-+ }
-+ return NULL;
- }
- 
- /* Increment 1 location and then scan for next field */
-@@ -1258,6 +1274,8 @@ const char *auparse_find_field_next(aupa
- if (nvlist_find_name(&r->nv, au->find_field))
- return nvlist_get_cur_val(&r->nv);
- r = aup_list_next(&au->le);
-+ if (r)
-+ aup_list_first_field(&au->le);
- }
- }
- return NULL;
diff --git a/audit.spec b/audit.spec
index db4c1a7..6ab9e82 100644
--- a/audit.spec
+++ b/audit.spec
@@ -1,20 +1,17 @@
 %define sca_version 0.4.6
-%define sca_release 6
+%define sca_release 7
 %define selinux_variants mls strict targeted
 %define selinux_policyver 3.2.5
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
-Version: 1.7.2
-Release: 6%{?dist}
+Version: 1.7.3
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
-Patch1: audit-1.7.3-cmd.patch
-Patch2: audit-1.7.2-avc.patch
-Patch3: audit-1.7.3-prelude.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: gettext-devel intltool libtool swig python-devel
 BuildRequires: kernel-headers >= 2.6.18
@@ -98,9 +95,6 @@ A graphical utility for editing audit configuration.
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
 mkdir zos-remote-policy
 cp -p audisp/plugins/zos-remote/policy/audispd-zos-remote.* zos-remote-policy
@@ -328,6 +322,13 @@ fi
 %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server
 %changelog
+* Fri May 09 2008 Steve Grubb 1.7.3-1
+- Fix output of keys in ausearch interpretted mode
+- Fix ausearch/report --start now to not be reset to midnight
+- audispd now has a priority boost config option
+- Look for laddr in avcs reported via prelude
+- Detect page 0 mmaps and alert via prelude
+
 * Fri Apr 18 2008 Steve Grubb 1.7.2-6
 - Fix overflow in audit_log_user_command, better (#438840)
 - ausearch was not matching path in avc records
diff --git a/sources b/sources
index 7faf5b4..498abf7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-1415749e73fbee34ff5f5f78ab92386a audit-1.7.2.tar.gz
+6980bf61ff301f37259ea788cfdd5d37 audit-1.7.3.tar.gz
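Review bot: The three Patch lines removed in the first hunk drop fixes that the spec's own history records as correctness and overflow fixes (the 1.7.2-6 changelog entry cites the audit_log_user_command overflow fix, #438840, and the ausearch avc path fix), but the new 1.7.3-1 changelog entry in the third hunk does not say they are now carried upstream. The cmd patch was already named audit-1.7.3-cmd.patch, which suggests it came from the 1.7.3 tree, while the avc and prelude patches were written against 1.7.2, so whether the 1.7.3 tarball contains the prelude_string_set_ref to prelude_string_set_dup change is not visible from this diff and is worth confirming before the patch files are deleted. A single changelog bullet would make the intent explicit, e.g. `- Drop audit-1.7.3-cmd.patch, audit-1.7.2-avc.patch and audit-1.7.3-prelude.patch, merged upstream`.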