diff --git a/.audit.metadata b/.audit.metadata
index 85ae7fa..1cbe0b8 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-58ea81cb6052fc3a1d1ec5e5accebc0aaf7c8d1a SOURCES/audit-2.3.3.tar.gz
+84ce70969f3be29e460d92d9cd026119bee9b1dc SOURCES/audit-2.4.1.tar.gz
diff --git a/.gitignore b/.gitignore
index 3879b87..ec48444 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-2.3.3.tar.gz
+SOURCES/audit-2.4.1.tar.gz
diff --git a/SOURCES/audit-2.3.3-login.patch b/SOURCES/audit-2.3.3-login.patch
deleted file mode 100644
index f8701dc..0000000
--- a/SOURCES/audit-2.3.3-login.patch
+++ /dev/null
@@ -1,86 +0,0 @@ -diff -urp audit-2.3.3.orig/src/ausearch-parse.c audit-2.3.3/src/ausearch-parse.c ---- audit-2.3.3.orig/src/ausearch-parse.c 2014-03-18 12:18:17.376764161 -0400 -+++ audit-2.3.3/src/ausearch-parse.c 2014-03-18 12:21:10.924749548 -0400 -@@ -1106,14 +1106,41 @@ static int parse_login(const lnode *n, s - s->uid = strtoul(ptr, NULL, 10); - if (errno) - return 6; -- // get loginuid - *term = ' '; -+ // optionally get subj -+ if (event_subject) { -+ str = strstr(term, "subj="); -+ if (str) { -+ ptr = str + 5; -+ term = strchr(ptr, ' '); -+ if (term == NULL) -+ return 12; -+ *term = 0; -+ if (audit_avc_init(s) == 0) { -+ anode an; -+ -+ anode_init(&an); -+ an.scontext = strdup(str); -+ alist_append(s->avc, &an); -+ *term = ' '; -+ } else -+ return 13; -+ *term = ' '; -+ } -+ } -+ // get loginuid - str = strstr(term, "new auid="); - if (str == NULL) { -- str = strstr(term, "new loginuid="); -- if (str == NULL) -- return 7; -- ptr = str + 13; -+ // 3.14 kernel changed it to the next line -+ str = strstr(term, " auid="); -+ if (str == NULL) { -+ str = strstr(term, "new loginuid="); -+ if (str == NULL) -+ return 7; -+ ptr = str + 13; -+ } -+ else -+ ptr = str + 6; - } else - ptr = str + 9; - term = strchr(ptr, ' '); -@@ -1148,18 +1175,24 @@ static int parse_login(const lnode *n, s - if (term == NULL) - term = n->message; - str = strstr(term, "new ses="); -- if (str) { -- ptr = str + 8; -- term = strchr(ptr, ' '); -- if (term) -- *term = 0; -- errno = 0; -- s->session_id = strtoul(ptr, NULL, 10); -- if (errno) -- return 11; -- if (term) -- *term = ' '; -+ if (str == NULL) { -+ // The 3.14 kernel changed it to the next line -+ str = strstr(term, " ses="); -+ if (str == NULL) -+ return 14; -+ ptr = str + 5; - } -+ else -+ ptr = str + 8; -+ term = strchr(ptr, ' '); -+ if (term) -+ *term = 0; -+ errno = 0; -+ s->session_id = strtoul(ptr, NULL, 10); -+ if (errno) -+ return 11; -+ if (term) -+ *term = ' '; - } - return 0; - } 
diff --git a/SOURCES/audit-2.3.3-remote.patch b/SOURCES/audit-2.3.3-remote.patch
deleted file mode 100644
index fda01a9..0000000
--- a/SOURCES/audit-2.3.3-remote.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -urp audit-2.3.3.orig/audisp/plugins/remote/audisp-remote.c audit-2.3.3/audisp/plugins/remote/audisp-remote.c
---- audit-2.3.3.orig/audisp/plugins/remote/audisp-remote.c 2014-01-16 06:24:42.000000000 -0500
-+++ audit-2.3.3/audisp/plugins/remote/audisp-remote.c 2014-03-18 12:36:32.574671943 -0400
-@@ -1063,6 +1063,9 @@ static int init_transport(void)
- {
- case T_TCP:
- rc = init_sock();
-+ // We set this so that it will retry the connection
-+ if (rc == ET_TEMPORARY)
-+ remote_ended = 1;
- break;
- default:
- rc = ET_PERMANENT;
diff --git a/SOURCES/audit-2.3.3-uid-1000.patch b/SOURCES/audit-2.3.3-uid-1000.patch
deleted file mode 100644
index ad5fc34..0000000
--- a/SOURCES/audit-2.3.3-uid-1000.patch
+++ /dev/null
@@ -1,101 +0,0 @@ -diff -urp audit-2.3.3.orig/contrib/stig.rules audit-2.3.3/contrib/stig.rules ---- audit-2.3.3.orig/contrib/stig.rules 2014-03-18 13:07:27.658515740 -0400 -+++ audit-2.3.3/contrib/stig.rules 2014-03-18 13:08:25.979510829 -0400 -@@ -16,7 +16,7 @@ - ## NOTE: - ## 1) if this is being used on a 32 bit machine, comment out the b64 lines - ## 2) These rules assume that login under the root account is not allowed. --## 3) It is also assumed that 500 represents the first usable user account. To -+## 3) It is also assumed that 1000 represents the first usable user account. To - ## be sure, look at UID_MIN in /etc/login.defs. - ## 4) If these rules generate too much spurious data for your tastes, limit the - ## the syscall file rules with a directory, like -F dir=/etc -@@ -102,22 +102,22 @@ - - ##- Discretionary access control permission modification (unsuccessful - ## and successful use of chown/chmod) ---a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod ---a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod ---a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod ---a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod ---a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod ---a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod -+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 
-k perm_mod -+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod - - ##- Unauthorized access attempts to files (unsuccessful) ---a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access ---a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access ---a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access ---a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access -+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access -+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access - - ##- Use of privileged commands (unsuccessful and successful) - ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this ---a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged -+-a always,exit -F path=/bin/ping -F perm=x -F 
auid>=1000 -F auid!=4294967295 -k privileged - - ##- Use of print command (unsuccessful and successful) - -@@ -125,14 +125,14 @@ - ## You have to mount media before using it. You must disable all automounting - ## so that its done manually in order to get the correct user requesting the - ## export ---a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export ---a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export -+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export -+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export - - ##- System startup and shutdown (unsuccessful and successful) - - ##- Files and programs deleted by the user (successful and unsuccessful) ---a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete ---a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete -+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete - - ##- All system administration actions - ##- All security personnel actions -@@ -160,10 +160,6 @@ - #-a always,exit -F arch=b32 -S ptrace -F a0=6 -k register-injection - #-a always,exit -F arch=b64 -S ptrace -F a0=6 -k register-injection - --## Optional - could be an attempt to bypass audit or simply legacy program --#-a always,exit -F arch=b32 -S personality -F a0!=4294967295 -k bypass --#-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k bypass -- - ## Optional - might want to watch module insertion - #-w /sbin/insmod -p x -k modules - #-w /sbin/rmmod -p x -k modules -@@ -174,7 +170,7 @@ - #-a always,exit -F arch=b64 -S delete_module -k module-unload - - ## Optional - admin may be abusing power by looking in user's home dir --#-a 
always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse -+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse - - ## Optional - log container creation - #-a always,exit -F arch=b32 -S clone -F a0&2080505856 -k container-create -diff -urp audit-2.3.3.orig/docs/audit.rules.7 audit-2.3.3/docs/audit.rules.7 ---- audit-2.3.3.orig/docs/audit.rules.7 2014-03-18 13:07:29.580515578 -0400 -+++ audit-2.3.3/docs/audit.rules.7 2014-03-18 13:07:58.584513136 -0400 -@@ -76,10 +76,10 @@ After the syscall is specified, you woul - .B \-F - options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things. - --The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule: -+The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. 
So you would address this with the following piece of a rule: - - .nf --\-F auid>=500 \-F auid!=4294967295 -+\-F auid>=1000 \-F auid!=4294967295 - .fi - - These individual checks are "anded" and both have to be true. diff --git a/SOURCES/audit-2.3.5-debug.patch b/SOURCES/audit-2.3.5-debug.patch deleted file mode 100644 index 4b42b34..0000000 --- a/SOURCES/audit-2.3.5-debug.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -diff -urp audit-2.3.5.orig/docs/ausearch.8 audit-2.3.5/docs/ausearch.8 ---- audit-2.3.5.orig/docs/ausearch.8 2014-03-10 13:31:14.000000000 -0400 -+++ audit-2.3.5/docs/ausearch.8 2014-03-11 10:51:13.385867279 -0400 -@@ -21,6 +21,9 @@ Search for an event based on the given \ - .BR \-c ,\ \-\-comm \ \fIcomm-name\fP - Search for an event based on the given \fIcomm name\fP. The comm name is the executable's name from the task structure. - .TP -+.BR \-\-debug -+Write malformed events that are skipped to stderr. -+.TP - .BR \-e,\ \-\-exit \ \fIexit-code-or-errno\fP - Search for an event based on the given syscall \fIexit code or errno\fP. - .TP -diff -urp audit-2.3.5.orig/src/aureport-options.c audit-2.3.5/src/aureport-options.c ---- audit-2.3.5.orig/src/aureport-options.c 2014-03-10 13:31:14.000000000 -0400 -+++ audit-2.3.5/src/aureport-options.c 2014-03-11 10:41:08.604806542 -0400 -@@ -56,6 +56,7 @@ const char *event_uuid = NULL; - const char *event_vmname = NULL; - int event_exit = 0, event_exit_is_set = 0; - int event_ppid = -1, event_session_id = -2; -+int event_debug = 0; - - /* These are used by aureport */ - const char *dummy = "dummy"; -diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c ---- audit-2.3.5.orig/src/ausearch-options.c 2014-03-10 13:31:14.000000000 -0400 -+++ audit-2.3.5/src/ausearch-options.c 2014-03-11 10:26:49.577720272 -0400 -@@ -55,6 +55,7 @@ int just_one = 0; - int event_session_id = -2; - int event_exit = 0, event_exit_is_set = 0; - int line_buffered = 0; -+int event_debug = 0; - const char *event_key = NULL; - const char *event_filename = NULL; - const char *event_exe = NULL; -@@ -81,13 +82,14 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG - S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, - S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT, - S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT, --S_LINEBUFFERED, S_UUID, 
S_VMNAME}; -+S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG }; - - static struct nv_pair optiontab[] = { - { S_EVENT, "-a" }, - { S_EVENT, "--event" }, - { S_COMM, "-c" }, - { S_COMM, "--comm" }, -+ { S_DEBUG, "--debug" }, - { S_EXIT, "-e" }, - { S_EXIT, "--exit" }, - { S_FILENAME, "-f" }, -@@ -176,6 +178,7 @@ static void usage(void) - printf("usage: ausearch [options]\n" - "\t-a,--event \tsearch based on audit event id\n" - "\t-c,--comm \t\tsearch based on command line name\n" -+ "\t --debug\t\t\tWrite malformed events that are skipped to stderr\n" - "\t-e,--exit \tsearch based on syscall exit code\n" - "\t-f,--file \t\tsearch based on file name\n" - "\t-ga,--gid-all \tsearch based on All group ids\n" -@@ -1099,6 +1102,9 @@ int check_params(int count, char *vars[] - case S_LINEBUFFERED: - line_buffered = 1; - break; -+ case S_DEBUG: -+ event_debug = 1; -+ break; - default: - fprintf(stderr, "%s is an unsupported option\n", - vars[c]); -diff -urp audit-2.3.5.orig/src/ausearch-options.h audit-2.3.5/src/ausearch-options.h ---- audit-2.3.5.orig/src/ausearch-options.h 2014-03-10 13:31:14.000000000 -0400 -+++ audit-2.3.5/src/ausearch-options.h 2014-03-11 10:07:12.631602075 -0400 -@@ -36,6 +36,7 @@ extern const char *event_object; - extern int event_se; - extern int just_one; - extern int line_buffered; -+extern int event_debug; - extern pid_t event_ppid; - extern int event_session_id; - extern ilist *event_type; -diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c ---- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-10 13:31:14.000000000 -0400 -+++ audit-2.3.5/src/ausearch-parse.c 2014-03-11 10:31:00.205745442 -0400 -@@ -168,11 +168,17 @@ int extract_search_items(llist *l) - ret = parse_tty(n, s); - break; - default: -- // printf("unparsed type:%d\n", n->type); -+ if (event_debug) -+ fprintf(stderr, -+ "Unparsed type:%d\n - skipped", -+ n->type); - break; - } -- // if (ret) printf("type:%d ret:%d\n", n->type, ret); -- } while ((n=list_next(l)) && 
ret==0);
-+ if (event_debug && ret)
-+ fprintf(stderr,
-+ "Malformed event skipped, rc=%d. %s\n",
-+ ret, n->message);
-+ } while ((n=list_next(l)) && ret == 0);
- }
- return ret;
- }
diff --git a/SOURCES/audit-2.3.5-fp.patch b/SOURCES/audit-2.3.5-fp.patch
deleted file mode 100644
index 25ab793..0000000
--- a/SOURCES/audit-2.3.5-fp.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urp audit-2.3.5.orig/auparse/interpret.c audit-2.3.5/auparse/interpret.c
---- audit-2.3.5.orig/auparse/interpret.c 2014-02-27 09:06:10.000000000 -0500
-+++ audit-2.3.5/auparse/interpret.c 2014-03-07 12:09:40.896400420 -0500
-@@ -2276,6 +2276,8 @@ int auparse_interp_adjust_type(int rtype
- type = AUPARSE_TYPE_FLAGS;
- else if (rtype == AUDIT_MQ_OPEN && strcmp(name, "mode") == 0)
- type = AUPARSE_TYPE_MODE_SHORT;
-+ else if (rtype == AUDIT_CRYPTO_KEY_USER && strcmp(name, "fp") == 0)
-+ type = AUPARSE_TYPE_UNCLASSIFIED;
- else
- type = lookup_type(name);
-
diff --git a/SOURCES/audit-2.3.5-rotate.patch b/SOURCES/audit-2.3.5-rotate.patch
deleted file mode 100644
index 90b0b73..0000000
--- a/SOURCES/audit-2.3.5-rotate.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -urp audit-2.3.5.orig/src/auditd-event.c audit-2.3.5/src/auditd-event.c
---- audit-2.3.5.orig/src/auditd-event.c 2014-03-11 13:45:06.000000000 -0400
-+++ audit-2.3.5/src/auditd-event.c 2014-03-11 15:23:10.971506011 -0400
-@@ -705,7 +705,8 @@ static void rotate_logs(struct auditd_co
- unsigned int len, i;
- char *oldname, *newname;
-
-- if (data->config->num_logs < 2)
-+ if (data->config->max_log_size_action == SZ_ROTATE &&
-+ data->config->num_logs < 2)
- return;
-
- /* Close audit file. fchmod and fchown errors are not fatal because we
diff --git a/SOURCES/audit-2.3.5-seccomp.patch b/SOURCES/audit-2.3.5-seccomp.patch
deleted file mode 100644
index 98974f5..0000000
--- a/SOURCES/audit-2.3.5-seccomp.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -diff -urp audit-2.3.5.orig/src/ausearch-common.h audit-2.3.5/src/ausearch-common.h ---- audit-2.3.5.orig/src/ausearch-common.h 2014-03-12 12:30:31.000000000 -0400 -+++ audit-2.3.5/src/ausearch-common.h 2014-03-17 17:08:27.200016460 -0400 -@@ -1,5 +1,5 @@ - /* ausearch-common.h -- -- * Copyright 2006-08,2010 Red Hat Inc., Durham, North Carolina. -+ * Copyright 2006-08,2010,2014 Red Hat Inc., Durham, North Carolina. - * Copyright (c) 2011 IBM Corp. - * All Rights Reserved. - * -@@ -41,6 +41,7 @@ extern const char *event_filename; - extern const char *event_hostname; - extern const char *event_terminal; - extern int event_syscall; -+extern int event_machine; - extern const char *event_exe; - extern int event_ua, event_ga; - extern int event_exit, event_exit_is_set; -diff -urp audit-2.3.5.orig/src/ausearch-match.c audit-2.3.5/src/ausearch-match.c ---- audit-2.3.5.orig/src/ausearch-match.c 2014-03-12 12:30:31.000000000 -0400 -+++ audit-2.3.5/src/ausearch-match.c 2014-03-17 17:08:27.200016460 -0400 -@@ -84,9 +84,14 @@ int match(llist *l) - if ((event_pid != -1) && - (event_pid != l->s.pid)) - return 0; -- if ((event_syscall != -1) && -- (event_syscall != l->s.syscall)) -- return 0; -+ if (event_syscall != -1) { -+ if (event_syscall != l->s.syscall) -+ return 0; -+ if (event_machine != -1 && -+ (event_machine != -+ audit_elf_to_machine(l->s.arch))) -+ return 0; -+ } - if ((event_session_id != -2) && - (event_session_id != l->s.session_id)) - return 0; -diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c ---- audit-2.3.5.orig/src/ausearch-options.c 2014-03-12 12:30:31.000000000 -0400 -+++ audit-2.3.5/src/ausearch-options.c 2014-03-17 17:08:27.200016460 -0400 -@@ -49,7 +49,7 @@ pid_t event_pid = -1, event_ppid = -1; - success_t event_success = S_UNSET; - int event_exact_match = 0; - uid_t event_uid = -1, event_euid = -1, event_loginuid = -2; --int event_syscall = -1; -+int event_syscall = -1, event_machine = -1; - int 
event_ua = 0, event_ga = 0, event_se = 0; - int just_one = 0; - int event_session_id = -2; -@@ -661,6 +661,7 @@ int check_params(int count, char *vars[] - optarg); - retval = -1; - } -+ event_machine = machine; - } - c++; - break; -diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c ---- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-12 12:30:31.000000000 -0400 -+++ audit-2.3.5/src/ausearch-parse.c 2014-03-17 17:09:33.344014612 -0400 -@@ -1883,6 +1883,37 @@ static int parse_kernel_anom(const lnode - } - } - -+ if (n->type == AUDIT_SECCOMP) { -+ // get arch -+ str = strstr(term, "arch="); -+ if (str == NULL) -+ return 0; // A few kernel versions don't have it -+ ptr = str + 5; -+ term = strchr(ptr, ' '); -+ if (term == NULL) -+ return 12; -+ *term = 0; -+ errno = 0; -+ s->arch = (int)strtoul(ptr, NULL, 16); -+ if (errno) -+ return 13; -+ *term = ' '; -+ // get syscall -+ str = strstr(term, "syscall="); -+ if (str == NULL) -+ return 14; -+ ptr = str + 8; -+ term = strchr(ptr, ' '); -+ if (term == NULL) -+ return 15; -+ *term = 0; -+ errno = 0; -+ s->syscall = (int)strtoul(ptr, NULL, 10); -+ if (errno) -+ return 16; -+ *term = ' '; -+ } -+ - return 0; - } - -diff -urp audit-2.3.5.orig/src/ausearch-report.c audit-2.3.5/src/ausearch-report.c ---- audit-2.3.5.orig/src/ausearch-report.c 2014-03-12 12:30:31.000000000 -0400 -+++ audit-2.3.5/src/ausearch-report.c 2014-03-17 17:08:27.201016460 -0400 -@@ -335,7 +335,7 @@ static void interpret(char *name, char * - } - type = auparse_interp_adjust_type(rtype, name, val); - -- if (rtype == AUDIT_SYSCALL) { -+ if (rtype == AUDIT_SYSCALL || rtype == AUDIT_SECCOMP) { - if (machine == (unsigned long)-1) - machine = audit_detect_machine(); - if (*name == 'a' && strcmp(name, "arch") == 0) { diff --git a/SOURCES/audit-2.4.1-uid-1000.patch b/SOURCES/audit-2.4.1-uid-1000.patch new file mode 100644 index 0000000..dd2af0f --- /dev/null +++ b/SOURCES/audit-2.4.1-uid-1000.patch 
@@ -0,0 +1,90 @@ +diff -ur audit-2.4.1.orig/contrib/stig.rules audit-2.4.1/contrib/stig.rules +--- audit-2.4.1.orig/contrib/stig.rules 2014-10-27 16:54:03.000000000 -0400 ++++ audit-2.4.1/contrib/stig.rules 2014-10-28 14:21:39.896827577 -0400 +@@ -19,7 +19,7 @@ + ## NOTE: + ## 1) if this is being used on a 32 bit machine, comment out the b64 lines + ## 2) These rules assume that login under the root account is not allowed. +-## 3) It is also assumed that 500 represents the first usable user account. To ++## 3) It is also assumed that 1000 represents the first usable user account. To + ## be sure, look at UID_MIN in /etc/login.defs. + ## 4) If these rules generate too much spurious data for your tastes, limit the + ## the syscall file rules with a directory, like -F dir=/etc +@@ -106,22 +106,22 @@ + + ##- Discretionary access control permission modification (unsuccessful + ## and successful use of chown/chmod) +--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod +--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod +--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod +--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod +--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod +--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod ++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod ++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod ++-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod ++-a always,exit -F arch=b64 -S 
chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod ++-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod ++-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod + + ##- Unauthorized access attempts to files (unsuccessful) +--a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access +--a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access +--a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access +--a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access ++-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access ++-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access ++-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access ++-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access + + ##- Use of privileged commands (unsuccessful and successful) + ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this +--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged ++-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged + + ##- Use of print command (unsuccessful and successful) + +@@ -129,14 +129,14 @@ + 
## You have to mount media before using it. You must disable all automounting + ## so that its done manually in order to get the correct user requesting the + ## export +--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export +--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export ++-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export ++-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export + + ##- System startup and shutdown (unsuccessful and successful) + + ##- Files and programs deleted by the user (successful and unsuccessful) +--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete +--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete ++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete ++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete + + ##- All system administration actions + ##- All security personnel actions +@@ -175,7 +175,7 @@ + #-a always,exit -F arch=b64 -S delete_module -F key=module-unload + + ## Optional - admin may be abusing power by looking in user's home dir +-#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse ++#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse + + ## Optional - log container creation + #-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create +diff -ur audit-2.4.1.orig/docs/audit.rules.7 audit-2.4.1/docs/audit.rules.7 +--- audit-2.4.1.orig/docs/audit.rules.7 2014-10-27 16:54:03.000000000 -0400 ++++ audit-2.4.1/docs/audit.rules.7 2014-10-28 14:23:00.014833616 -0400 +@@ -76,10 +76,10 @@ + .B \-F + options that fine tune what to match against. 
Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things. + +-The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule: ++The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule: + + .nf +-\-F auid>=500 \-F auid!=4294967295 ++\-F auid>=1000 \-F auid!=4294967295 + .fi + + These individual checks are "anded" and both have to be true. diff --git a/SOURCES/audit-2.4.2-ipsec.patch b/SOURCES/audit-2.4.2-ipsec.patch new file mode 100644 index 0000000..f77316b --- /dev/null +++ b/SOURCES/audit-2.4.2-ipsec.patch 
@@ -0,0 +1,26 @@
+diff -urp audit-2.4.1.orig/lib/libaudit.h audit-2.4.1/lib/libaudit.h
+--- audit-2.4.1.orig/lib/libaudit.h 2014-10-27 16:54:03.000000000 -0400
++++ audit-2.4.1/lib/libaudit.h 2014-12-16 13:37:12.798853979 -0500
+@@ -200,6 +200,10 @@ extern "C" {
+ #define AUDIT_CRYPTO_REPLAY_USER 2406 /* Crypto replay detected */
+ #define AUDIT_CRYPTO_SESSION 2407 /* Record parameters set during
+ TLS session establishment */
++#define AUDIT_CRYPTO_IKE_SA 2408 /* Record parameters related to
++ IKE SA */
++#define AUDIT_CRYPTO_IPSEC_SA 2409 /* Record parameters related to
++ IPSEC SA */
+
+ #define AUDIT_LAST_CRYPTO_MSG 2499
+
+diff -urp audit-2.4.1.orig/lib/msg_typetab.h audit-2.4.1/lib/msg_typetab.h
+--- audit-2.4.1.orig/lib/msg_typetab.h 2014-10-27 16:54:03.000000000 -0400
++++ audit-2.4.1/lib/msg_typetab.h 2014-12-16 13:37:12.798853979 -0500
+@@ -205,6 +205,8 @@ _S(AUDIT_CRYPTO_KEY_USER, "CR
+ _S(AUDIT_CRYPTO_FAILURE_USER, "CRYPTO_FAILURE_USER" )
+ _S(AUDIT_CRYPTO_REPLAY_USER, "CRYPTO_REPLAY_USER" )
+ _S(AUDIT_CRYPTO_SESSION, "CRYPTO_SESSION" )
++_S(AUDIT_CRYPTO_IKE_SA, "CRYPTO_IKE_SA" )
++_S(AUDIT_CRYPTO_IPSEC_SA, "CRYPTO_IPSEC_SA" )
+ _S(AUDIT_VIRT_CONTROL, "VIRT_CONTROL" )
+ _S(AUDIT_VIRT_RESOURCE, "VIRT_RESOURCE" )
+ _S(AUDIT_VIRT_MACHINE_ID, "VIRT_MACHINE_ID" )
diff --git a/SOURCES/audit-2.4.2-ppc-machine.patch b/SOURCES/audit-2.4.2-ppc-machine.patch
new file mode 100644
index 0000000..b431900
--- /dev/null
+++ b/SOURCES/audit-2.4.2-ppc-machine.patch
@@ -0,0 +1,21 @@
+Index: /trunk/lib/libaudit.c
+===================================================================
+--- /trunk/lib/libaudit.c (revision 1065)
++++ /trunk/lib/libaudit.c (revision 1066)
+@@ -1214,12 +1214,8 @@
+ break;
+ #endif
+- case MACH_PPC64LE:
+- if (bits != __AUDIT_ARCH_64BIT)
+- return -6;
+- break;
+-
+- case MACH_86_64: /* fallthrough */
+- case MACH_PPC64: /* fallthrough */
+- case MACH_S390X: /* fallthrough */
++ case MACH_86_64: /* fallthrough */
++ case MACH_PPC64: /* fallthrough */
++ case MACH_PPC64LE: /* fallthrough */
++ case MACH_S390X: /* fallthrough */
+ break;
+ default:
diff --git a/SPECS/audit.spec b/SPECS/audit.spec
index 54f16cc..229bee2 100644
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
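Review bot: The embedded libaudit.c hunk removes the only visible guard that a ppc64le rule carries 64-bit `bits` (`if (bits != __AUDIT_ARCH_64BIT) return -6;`) and folds MACH_PPC64LE into the fallthrough group with MACH_86_64, MACH_PPC64 and MACH_S390X, which simply `break`. That is consistent with how the other 64-bit machines are treated in this hunk, but it also retires the -6 return for this path, so a caller that mapped -6 to a specific message may now hold a dead branch, and if a mismatched bits value for ppc64le must still be rejected that has to happen elsewhere in the function, which starts and ends outside the hunk. A one-line comment above the group recording why ppc64le no longer needs its own check, e.g. `/* 64-bit-only machines; bits check for ppc64le dropped because <reason from bug id> */`, would keep the next reader from reintroducing it.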
@@ -5,28 +5,20 @@ Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 2.3.3 -Release: 4%{?dist} +Version: 2.4.1 +Release: 5%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://people.redhat.com/sgrubb/audit/ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz -# CRYPTO_KEY_USER fp field interpretation collision -Patch1: audit-2.3.5-fp.patch -# Add --debug option to ausearch -Patch2: audit-2.3.5-debug.patch -# Correct parsing of AUDIT_LOGIN events due to kernel changes -Patch3: audit-2.3.3-login.patch -# When shifting logs, ignore num_logs (#950158) -Patch4: audit-2.3.5-rotate.patch -# Interpret syscall in AUDIT_SECCOMP events -Patch5: audit-2.3.5-seccomp.patch -# Fix retry logic when temporary network failure during remote logging #1028635 -Patch6: audit-2.3.3-remote.patch # Default to using augenrules to create audit.rules -Patch7: audit-2.3.3-augenrules.patch +Patch1: audit-2.3.3-augenrules.patch # Adjust beginning user id's to 1000 -Patch8: audit-2.3.3-uid-1000.patch +Patch2: audit-2.4.1-uid-1000.patch +# Add 2 ipsec related events +Patch3: audit-2.4.2-ipsec.patch +# Fix detection of audit elf type when ppc64le is specified in a rule +Patch4: audit-2.4.2-ppc-machine.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: swig python-devel BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel @@ -59,7 +51,7 @@ applications to use the audit framework. Summary: Header files for libaudit License: LGPLv2+ Group: Development/Libraries -Requires: %{name}-libs = %{version} +Requires: %{name}-libs = %{version}-%{release} Requires: kernel-headers >= 2.6.29 %description libs-devel 
@@ -104,25 +96,18 @@ behavior.
 %prep
 %setup -q
-# CRYPTO_KEY_USER
+# augenrules
 %patch1 -p1
-# --debug
+# uid 1000
 %patch2 -p1
-# AUDIT_LOGIN
+# Add ipsec audit events
 %patch3 -p1
-# ignore num_logs
-%patch4 -p1
-# AUDIT_SECCOMP
-%patch5 -p1
-# Remote logging
-%patch6 -p1
-# augenrules
-%patch7 -p1
-# uid 1000
-%patch8 -p1
+# Fix ppc64le elf type translation
+%patch4 -p2
 %build
-%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-armeb --with-aarch64 \
+%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-arm --with-aarch64 \
+--without-golang \
 %if %{WITH_SYSTEMD}
 --enable-systemd
 %endif
@@ -165,11 +150,14 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_auparse.la
 rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.a
 rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.la
+# Move the pkgconfig file
+mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
+
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
 touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
 touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
-%ifnarch ppc ppc64
+%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
 %check
 make check
 %endif
@@ -209,8 +197,8 @@ fi
 %files libs
 %defattr(-,root,root,-)
-%attr(755,root,root) /%{_lib}/libaudit.so.1*
-%attr(755,root,root) /%{_lib}/libauparse.*
+/%{_lib}/libaudit.so.1*
+/%{_lib}/libauparse.*
 %config(noreplace) %attr(640,root,root) /etc/libaudit.conf
 %{_mandir}/man5/libaudit.conf.5.gz
@@ -222,6 +210,7 @@ fi
 %{_includedir}/libaudit.h
 %{_includedir}/auparse.h
 %{_includedir}/auparse-defs.h
+%{_libdir}/pkgconfig/audit.pc
 %{_mandir}/man3/*
 %files libs-static
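Review bot: The widened `%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}` guard around `%check` now skips `make check` on every listed architecture, and nothing in the hunk records why the test suite is untrusted there; a comment such as `# make check is skipped on these arches, see <bz placeholder>` next to the guard would keep that decision reviewable. The new `mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}` also assumes `%{_libdir}/pkgconfig` does not already exist in the buildroot; if it does, mv nests the directory and the `%{_libdir}/pkgconfig/audit.pc` entry added later in this file will not match. `mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig` followed by `mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig/*.pc $RPM_BUILD_ROOT%{_libdir}/pkgconfig/` is robust in either case.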
@@ -302,7 +291,32 @@ fi
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %changelog
-* Tue Mar 17 2014 Steve Grubb 2.3.3-4
+* Wed Jan 14 2015 Steve Grubb 2.4.1-5
+resolves: #1180675 - rules with "-F arch=ppc64le" fail to load
+
+* Tue Jan 13 2015 Steve Grubb 2.4.1-4
+- Remove golang bindings added under the following bz
+resolves: #1115196 - Add golang bindings for libaudit
+
+* Wed Dec 17 2014 Steve Grubb 2.4.1-2
+resolves: #1173160 - Audit package needs update for new VPN crypto events
+
+* Tue Oct 28 2014 Steve Grubb 2.4.1-1
+resolves: #963353 - aarch64 userspace auditing needs to be written
+resolves: #1150202 - perf trace sleep 1 does not list any syscall information
+resolves: #1142989 - Update audit package to 2.4.1
+resolves: #1155221 - adjust fstatat naming to match kernel uapi
+
+* Thu Sep 18 2014 Steve Grubb 2.4-1
+resolves: #1115196 - Add golang bindings for libaudit
+resolves: #1105150 - audispd config file parser fails on long input
+resolves: #1104973 - auparse truncating selinux context after first category
+resolves: #1088593 - auditctl man page examples use deprecated syscalls
+resolves: #1087849 - support for setting loginuid immutable
+resolves: #1073063 - AUDIT_SECCOMP events syscall field is not interpretted
+resolves: #975796 - confusing aulast records for bad logins
+
+* Tue Mar 18 2014 Steve Grubb 2.3.3-4
 resolves: #1077249 - Audit update, various issues
 * Fri Jan 24 2014 Daniel Mach - 2.3.3-3
