diff --git a/.audit.metadata b/.audit.metadata
index fd91c28..63590d6 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-ed97614e377d0f9cf647d218d91b29398a21c4e2 SOURCES/audit-2.8.1.tar.gz
+026235ab9e8b19f6c2b1112ce13d180f35cf0ff4 SOURCES/audit-2.8.4.tar.gz
diff --git a/.gitignore b/.gitignore
index ed1bf79..957e97b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-2.8.1.tar.gz
+SOURCES/audit-2.8.4.tar.gz
diff --git a/SOURCES/audit-2.8.2-auparse-numeric_field.patch b/SOURCES/audit-2.8.2-auparse-numeric_field.patch
deleted file mode 100644
index f2c0787..0000000
--- a/SOURCES/audit-2.8.2-auparse-numeric_field.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/auparse/expression.c b/auparse/expression.c
-index 17213eb..1e8876e 100644
---- a/auparse/expression.c
-+++ b/auparse/expression.c
-@@ -854,6 +854,7 @@ expr_create_timestamp_comparison_ex(unsigned op, time_t sec, unsigned milli,
- || op == EO_VALUE_LE || op == EO_VALUE_GT || op == EO_VALUE_GE);
- res->op = op;
- res->virtual_field = 1;
-+ res->numeric_field = 1;
- res->v.p.field.id = EF_TIMESTAMP_EX;
- res->precomputed_value = 1;
- res->v.p.value.timestamp_ex.sec = sec;
diff --git a/SOURCES/audit-2.8.2-fix-reset-lost-return.patch b/SOURCES/audit-2.8.2-fix-reset-lost-return.patch
deleted file mode 100644
index 3f438aa..0000000
--- a/SOURCES/audit-2.8.2-fix-reset-lost-return.patch
+++ /dev/null
@@ -1,141 +0,0 @@ -Subject: [PATCH 2/2] lost_reset: return value rather than sequence number when zero -Date: Wed, 22 Nov 2017 19:00:57 -0500 - -The kernel always returns negative values on error, so zero and anything -positive is valid success. Lost_reset returned a positive value at the -time of reset, including zero that got interpreted as success and -replaced with the packet sequence number "2". - -Rename audit_send() to __audit_send() and pass the sequence number back -via a parameter rather than return value. - -Have a new stub audit_send() call __audit_send() and mimic the previous -behaviour of audit_send(). - -There are legacy functions that actually use a sequence number: - audit_request_rules_list_data() - delete_all_rules() - audit_request_signal_info() - src/auditd.c:get_reply() -A number of others don't appear to need it, but expose it in libaudit: - audit_send_user_message() - audit_log_user_comm_message() - audit_log_acct_message() - audit_log_user_avc_message() - audit_log_semanage_message() - audit_log_user_command() - audit_request_status() - audit_set_enabled() - audit_set_failure() - audit_set_rate_limit() - audit_set_backlog_limit() - audit_set_backlog_wait_time() - audit_add_rule_data() - audit_delete_rule_data() - -Passes all audit-testsuite tests. 
- -See: https://github.com/linux-audit/audit-userspace/issues/31 - -Signed-off-by: Richard Guy Briggs ---- - lib/libaudit.c | 3 ++- - lib/netlink.c | 28 ++++++++++++++++++++-------- - lib/private.h | 1 + - 3 files changed, 23 insertions(+), 9 deletions(-) - -diff --git a/lib/libaudit.c b/lib/libaudit.c -index a9ba575..aa8258c 100644 ---- a/lib/libaudit.c -+++ b/lib/libaudit.c -@@ -519,6 +519,7 @@ int audit_set_backlog_wait_time(int fd, uint32_t bwt) - int audit_reset_lost(int fd) - { - int rc; -+ int seq; - struct audit_status s; - - if ((audit_get_features() & AUDIT_FEATURE_BITMAP_LOST_RESET) == 0) -@@ -527,7 +528,7 @@ int audit_reset_lost(int fd) - memset(&s, 0, sizeof(s)); - s.mask = AUDIT_STATUS_LOST; - s.lost = 0; -- rc = audit_send(fd, AUDIT_SET, &s, sizeof(s)); -+ rc = __audit_send(fd, AUDIT_SET, &s, sizeof(s), &seq); - if (rc < 0) - audit_msg(audit_priority(errno), - "Error sending lost reset request (%s)", -diff --git a/lib/netlink.c b/lib/netlink.c -index 6e23883..5b2028f 100644 ---- a/lib/netlink.c -+++ b/lib/netlink.c -@@ -203,7 +203,7 @@ static int adjust_reply(struct audit_reply *rep, int len) - * error: -errno - * short: 0 - */ --int audit_send(int fd, int type, const void *data, unsigned int size) -+int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq) - { - static int sequence = 0; - struct audit_message req; -@@ -224,6 +224,7 @@ int audit_send(int fd, int type, const void *data, unsigned int size) - - if (++sequence < 0) - sequence = 1; -+ *seq = sequence; - - memset(&req, 0, sizeof(req)); - req.nlh.nlmsg_len = NLMSG_SPACE(size); -@@ -241,18 +242,29 @@ int audit_send(int fd, int type, const void *data, unsigned int size) - retval = sendto(fd, &req, req.nlh.nlmsg_len, 0, - (struct sockaddr*)&addr, sizeof(addr)); - } while (retval < 0 && errno == EINTR); -- if (retval == (int)req.nlh.nlmsg_len) { -- if ((retval = check_ack(fd)) == 0) -- return sequence; -- else -- return retval; -- } -- if (retval < 0) -+ if (retval == 
(int)req.nlh.nlmsg_len) -+ return check_ack(fd); -+ if (retval < 0) { - return -errno; -+ } else if (retval > 0) { -+ errno = EINVAL; -+ return -errno; -+ } - - return 0; - } - -+int audit_send(int fd, int type, const void *data, unsigned int size) -+{ -+ int rc; -+ int seq; -+ -+ rc = __audit_send(fd, type, data, size, &seq); -+ if (rc == 0) -+ rc = seq; -+ return rc; -+} -+ - /* - * This function will take a peek into the next packet and see if there's - * an error. If so, the error is returned and its non-zero. Otherwise a -diff --git a/lib/private.h b/lib/private.h -index dbe0f74..560740f 100644 ---- a/lib/private.h -+++ b/lib/private.h -@@ -121,6 +121,7 @@ void audit_msg(int priority, const char *fmt, ...) - #endif - - extern int audit_send(int fd, int type, const void *data, unsigned int size); -+extern int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq); - - AUDIT_HIDDEN_START - --- -1.8.3.1 - - diff --git a/SOURCES/audit-2.8.2-ipv6-bind.patch b/SOURCES/audit-2.8.2-ipv6-bind.patch deleted file mode 100644 index 7d63f42..0000000 --- a/SOURCES/audit-2.8.2-ipv6-bind.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 659bfd369dc6810ac5349c433455c0d317482354 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Tue, 17 Oct 2017 14:31:46 -0400 -Subject: [PATCH] Fixup ipv6 server side binding - ---- - src/auditd-listen.c | 32 ++++++++++++++++++++++++++++++++ - 2 files changed, 33 insertions(+) - -diff --git a/src/auditd-listen.c b/src/auditd-listen.c -index 7a5c2c6..0d1717f 100644 ---- a/src/auditd-listen.c -+++ b/src/auditd-listen.c -@@ -914,6 +914,7 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config) - struct addrinfo hints; - char local[16]; - int one = 1, rc; -+ int prefer_ipv6 = 0; - - ev_periodic_init(&periodic_watcher, periodic_handler, - 0, config->tcp_client_max_idle, NULL); -@@ -929,6 +930,7 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config) - memset(&hints, '\0', sizeof(hints)); - hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; - hints.ai_socktype = SOCK_STREAM; -+ hints.ai_family = AF_UNSPEC; - snprintf(local, sizeof(local), "%ld", config->tcp_listen_port); - - rc = getaddrinfo(NULL, local, &hints, &ai); -@@ -937,9 +939,32 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config) - return 1; - } - -+ { -+ int ipv4 = 0, ipv6 = 0; - nlsocks = 0; - runp = ai; - while (runp && nlsocks < N_SOCKS) { -+ // Let's take a pass through and see what we got. -+ if (runp->ai_family == AF_INET) -+ ipv4++; -+ else if (runp->ai_family == AF_INET6) -+ ipv6++; -+ runp = runp->ai_next; -+ nlsocks++; -+ } -+ -+ if (nlsocks == 2 && ipv4 && ipv6) -+ prefer_ipv6 = 1; -+ } -+ -+ nlsocks = 0; -+ runp = ai; -+ while (runp && nlsocks < N_SOCKS) { -+ // On linux, ipv6 sockets by default include ipv4 so -+ // we only need one. 
-+ if (runp->ai_family == AF_INET && prefer_ipv6) -+ goto next_try; -+ - listen_socket[nlsocks] = socket(runp->ai_family, - runp->ai_socktype, runp->ai_protocol); - if (listen_socket[nlsocks] < 0) { -@@ -950,6 +975,13 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config) - /* This avoids problems if auditd needs to be restarted. */ - setsockopt(listen_socket[nlsocks], SOL_SOCKET, SO_REUSEADDR, - (char *)&one, sizeof (int)); -+ -+ // If we had more than 2 addresses suggested we'll -+ // separate the sockets. -+ if (!prefer_ipv6 && runp->ai_family == AF_INET6) -+ setsockopt(listen_socket[nlsocks], IPPROTO_IPV6, -+ IPV6_V6ONLY, &one, sizeof(int)); -+ - set_close_on_exec(listen_socket[nlsocks]); - - if (bind(listen_socket[nlsocks], runp->ai_addr, diff --git a/SOURCES/audit-2.8.2-style-fix.patch b/SOURCES/audit-2.8.2-style-fix.patch deleted file mode 100644 index c5541f2..0000000 --- a/SOURCES/audit-2.8.2-style-fix.patch +++ /dev/null 
@@ -1,578 +0,0 @@ -From 63151c4f0e9d1d037f80f10cb7809573a49da6c7 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Tue, 17 Oct 2017 13:33:28 -0400 -Subject: [PATCH] make style match rest of audit system - ---- - src/auditd-listen.c | 176 ++++++++++++++++++++++++++-------------------------- - 1 file changed, 88 insertions(+), 88 deletions(-) - -diff --git a/src/auditd-listen.c b/src/auditd-listen.c -index b4dc097..7a5c2c6 100644 ---- a/src/auditd-listen.c -+++ b/src/auditd-listen.c -@@ -114,11 +114,11 @@ static char *sockaddr_to_addr4(struct sockaddr_in *addr) - - static void set_close_on_exec(int fd) - { -- int flags = fcntl (fd, F_GETFD); -+ int flags = fcntl(fd, F_GETFD); - if (flags == -1) - flags = 0; - flags |= FD_CLOEXEC; -- fcntl (fd, F_SETFD, flags); -+ fcntl(fd, F_SETFD, flags); - } - - static void release_client(struct ev_tcp *client) -@@ -144,11 +144,11 @@ static void release_client(struct ev_tcp *client) - - static void close_client(struct ev_tcp *client) - { -- release_client (client); -- free (client); -+ release_client(client); -+ free(client); - } - --static int ar_write (int sock, const void *buf, int len) -+static int ar_write(int sock, const void *buf, int len) - { - int rc = 0, w; - while (len > 0) { -@@ -167,7 +167,7 @@ static int ar_write (int sock, const void *buf, int len) - } - - #ifdef USE_GSSAPI --static int ar_read (int sock, void *buf, int len) -+static int ar_read(int sock, void *buf, int len) - { - int rc = 0, r; - while (len > 0) { -@@ -192,13 +192,13 @@ static int ar_read (int sock, void *buf, int len) - the tokens. The protocol we use for transferring tokens is to send - the length first, four bytes MSB first, then the token data. We - return nonzero on error. 
*/ --static int recv_token (int s, gss_buffer_t tok) -+static int recv_token(int s, gss_buffer_t tok) - { - int ret; - unsigned char lenbuf[4]; - unsigned int len; - -- ret = ar_read(s, (char *) lenbuf, 4); -+ ret = ar_read(s, (char *)lenbuf, 4); - if (ret < 0) { - audit_msg(LOG_ERR, "GSS-API error reading token length"); - return -1; -@@ -220,13 +220,13 @@ static int recv_token (int s, gss_buffer_t tok) - } - tok->length = len; - -- tok->value = (char *) malloc(tok->length ? tok->length : 1); -+ tok->value = (char *)malloc(tok->length ? tok->length : 1); - if (tok->length && tok->value == NULL) { - audit_msg(LOG_ERR, "Out of memory allocating token data"); - return -1; - } - -- ret = ar_read(s, (char *) tok->value, tok->length); -+ ret = ar_read(s, (char *)tok->value, tok->length); - if (ret < 0) { - audit_msg(LOG_ERR, "GSS-API error reading token data"); - free(tok->value); -@@ -243,7 +243,7 @@ static int recv_token (int s, gss_buffer_t tok) - /* Same here. */ - int send_token(int s, gss_buffer_t tok) - { -- int ret; -+ int ret; - unsigned char lenbuf[4]; - unsigned int len; - -@@ -268,7 +268,7 @@ int send_token(int s, gss_buffer_t tok) - if (ret < 0) { - audit_msg(LOG_ERR, "GSS-API error sending token data"); - return -1; -- } else if (ret != (int) tok->length) { -+ } else if (ret != (int)tok->length) { - audit_msg(LOG_ERR, "GSS-API error sending token data"); - return -1; - } -@@ -277,14 +277,14 @@ int send_token(int s, gss_buffer_t tok) - } - - --static void gss_failure_2 (const char *msg, int status, int type) -+static void gss_failure_2(const char *msg, int status, int type) - { - OM_uint32 message_context = 0; - OM_uint32 min_status = 0; - gss_buffer_desc status_string; - - do { -- gss_display_status (&min_status, -+ gss_display_status(&min_status, - status, - type, - GSS_C_NO_OID, -@@ -298,11 +298,11 @@ static void gss_failure_2 (const char *msg, int status, int type) - } while (message_context != 0); - } - --static void gss_failure (const char *msg, int 
major_status, int minor_status) -+static void gss_failure(const char *msg, int major_status, int minor_status) - { -- gss_failure_2 (msg, major_status, GSS_C_GSS_CODE); -+ gss_failure_2(msg, major_status, GSS_C_GSS_CODE); - if (minor_status) -- gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); -+ gss_failure_2(msg, minor_status, GSS_C_MECH_CODE); - } - - #define KCHECK(x,f) if (x) { \ -@@ -323,7 +323,7 @@ static int server_acquire_creds(const char *service_name, - krb5_context kcontext = NULL; - int krberr; - -- my_service_name = strdup (service_name); -+ my_service_name = strdup(service_name); - name_buf.value = (char *)service_name; - name_buf.length = strlen(name_buf.value) + 1; - major_status = gss_import_name(&minor_status, &name_buf, -@@ -346,9 +346,9 @@ static int server_acquire_creds(const char *service_name, - - (void) gss_release_name(&minor_status, &server_name); - -- krberr = krb5_init_context (&kcontext); -+ krberr = krb5_init_context(&kcontext); - KCHECK (krberr, "krb5_init_context"); -- krberr = krb5_get_default_realm (kcontext, &my_gss_realm); -+ krberr = krb5_get_default_realm(kcontext, &my_gss_realm); - KCHECK (krberr, "krb5_get_default_realm"); - - audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name); -@@ -360,7 +360,7 @@ static int server_acquire_creds(const char *service_name, - the case of Kerberos, this is where the key exchange happens. - FIXME: While everything else is strictly nonblocking, this - negotiation blocks. 
*/ --static int negotiate_credentials (ev_tcp *io) -+static int negotiate_credentials(ev_tcp *io) - { - gss_buffer_desc send_tok, recv_tok; - gss_name_t client; -@@ -440,12 +440,12 @@ static int negotiate_credentials (ev_tcp *io) - - audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", - (char *)recv_tok.value); -- io->remote_name = strdup (recv_tok.value); -- io->remote_name_len = strlen (recv_tok.value); -+ io->remote_name = strdup(recv_tok.value); -+ io->remote_name_len = strlen(recv_tok.value); - gss_release_buffer(&min_stat, &recv_tok); - -- slashptr = strchr (io->remote_name, '/'); -- atptr = strchr (io->remote_name, '@'); -+ slashptr = strchr(io->remote_name, '/'); -+ atptr = strchr(io->remote_name, '@'); - - if (!slashptr || !atptr) { - audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s", -@@ -454,14 +454,14 @@ static int negotiate_credentials (ev_tcp *io) - } - - *slashptr = 0; -- if (strcmp (io->remote_name, my_service_name)) { -+ if (strcmp(io->remote_name, my_service_name)) { - audit_msg(LOG_ERR, "Unauthorized GSS client name: %s (not %s)", - io->remote_name, my_service_name); - return -1; - } - *slashptr = '/'; - -- if (strcmp (atptr+1, my_gss_realm)) { -+ if (strcmp(atptr+1, my_gss_realm)) { - audit_msg(LOG_ERR, "Unauthorized GSS client realm: %s (not %s)", - atptr+1, my_gss_realm); - return -1; -@@ -473,7 +473,7 @@ static int negotiate_credentials (ev_tcp *io) - - /* This is called from auditd-event after the message has been logged. - The header is already filled in. 
*/ --static void client_ack (void *ack_data, const unsigned char *header, -+static void client_ack(void *ack_data, const unsigned char *header, - const char *msg) - { - ev_tcp *io = (ev_tcp *)ack_data; -@@ -483,18 +483,18 @@ static void client_ack (void *ack_data, const unsigned char *header, - gss_buffer_desc utok, etok; - int rc, mlen; - -- mlen = strlen (msg); -+ mlen = strlen(msg); - utok.length = AUDIT_RMW_HEADER_SIZE + mlen; -- utok.value = malloc (utok.length + 1); -+ utok.value = malloc(utok.length + 1); - -- memcpy (utok.value, header, AUDIT_RMW_HEADER_SIZE); -- memcpy (utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen); -+ memcpy(utok.value, header, AUDIT_RMW_HEADER_SIZE); -+ memcpy(utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen); - - /* Wrapping the message creates a token for the - client. Then we just have to worry about sending - the token. */ - -- major_status = gss_wrap (&minor_status, -+ major_status = gss_wrap(&minor_status, - io->gss_context, - 1, - GSS_C_QOP_DEFAULT, -@@ -504,21 +504,21 @@ static void client_ack (void *ack_data, const unsigned char *header, - if (major_status != GSS_S_COMPLETE) { - gss_failure("encrypting message", major_status, - minor_status); -- free (utok.value); -+ free(utok.value); - return; - } - // FIXME: What were we going to do with rc? 
-- rc = send_token (io->io.fd, &etok); -- free (utok.value); -+ rc = send_token(io->io.fd, &etok); -+ free(utok.value); - (void) gss_release_buffer(&minor_status, &etok); - - return; - } - #endif - // Send the header and a text error message if it exists -- ar_write (io->io.fd, header, AUDIT_RMW_HEADER_SIZE); -+ ar_write(io->io.fd, header, AUDIT_RMW_HEADER_SIZE); - if (msg[0]) -- ar_write (io->io.fd, msg, strlen(msg)); -+ ar_write(io->io.fd, msg, strlen(msg)); - } - - extern void distribute_event(struct auditd_event *e); -@@ -540,7 +540,7 @@ static void client_message (struct ev_tcp *io, unsigned int length, - unsigned char ack[AUDIT_RMW_HEADER_SIZE]; - AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ACK, - 0, seq); -- client_ack (io, ack, ""); -+ client_ack(io, ack, ""); - } else { - struct auditd_event *e = create_event( - header+AUDIT_RMW_HEADER_SIZE, -@@ -552,10 +552,10 @@ static void client_message (struct ev_tcp *io, unsigned int length, - } - } - --static void auditd_tcp_client_handler( struct ev_loop *loop, -- struct ev_io *_io, int revents ) -+static void auditd_tcp_client_handler(struct ev_loop *loop, -+ struct ev_io *_io, int revents) - { -- struct ev_tcp *io = (struct ev_tcp *) _io; -+ struct ev_tcp *io = (struct ev_tcp *)_io; - int i, r; - int total_this_call = 0; - -@@ -586,18 +586,18 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, - otherwise fails, the read will return -1. */ - if (r <= 0) { - if (r < 0) -- audit_msg (LOG_WARNING, -+ audit_msg(LOG_WARNING, - "client %s socket closed unexpectedly", - sockaddr_to_addr4(&io->addr)); - - /* There may have been a final message without a LF. 
*/ - if (io->bufptr) { -- client_message (io, io->bufptr, io->buffer); -+ client_message(io, io->bufptr, io->buffer); - - } - -- ev_io_stop (loop, _io); -- close_client (io); -+ ev_io_stop(loop, _io); -+ close_client(io); - return; - } - -@@ -635,7 +635,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, - - /* Unwrapping the token gives us the original message, - which we know is already a single record. */ -- major_status = gss_unwrap (&minor_status, io->gss_context, -+ major_status = gss_unwrap(&minor_status, io->gss_context, - &etok, &utok, NULL, NULL); - - if (major_status != GSS_S_COMPLETE) { -@@ -645,10 +645,10 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, - /* client_message() wants to NUL terminate it, - so copy it to a bigger buffer. Plus, we - want to add our own tag. */ -- memcpy (msgbuf, utok.value, utok.length); -+ memcpy(msgbuf, utok.value, utok.length); - while (utok.length > 0 && msgbuf[utok.length-1] == '\n') - utok.length --; -- snprintf (msgbuf + utok.length, -+ snprintf(msgbuf + utok.length, - MAX_AUDIT_MESSAGE_LENGTH - utok.length, - " krb5=%s", io->remote_name); - utok.length += 6 + io->remote_name_len; -@@ -681,7 +681,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, - return; - - /* We have an I-byte message in buffer. Send ACK */ -- client_message (io, i, io->buffer); -+ client_message(io, i, io->buffer); - - } else { - /* At this point, the buffer has IO->BUFPTR+R bytes in it. -@@ -701,7 +701,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop, - i++; - - /* We have an I-byte message in buffer. Send ACK */ -- client_message (io, i, io->buffer); -+ client_message(io, i, io->buffer); - } - - /* Now copy any remaining bytes to the beginning of the -@@ -730,7 +730,7 @@ static int auditd_tcpd_check(int sock) - - request_init(&request, RQ_DAEMON, "auditd", RQ_FILE, sock, 0); - fromhost(&request); -- if (! 
hosts_access(&request)) -+ if (!hosts_access(&request)) - return 1; - return 0; - } -@@ -759,7 +759,7 @@ static int check_num_connections(struct sockaddr_in *aaddr) - } - - static void auditd_tcp_listen_handler( struct ev_loop *loop, -- struct ev_io *_io, int revents ) -+ struct ev_io *_io, int revents) - { - int one=1; - int afd; -@@ -770,7 +770,7 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, - - /* Accept the connection and see where it's coming from. */ - aaddrlen = sizeof(aaddr); -- afd = accept (_io->fd, (struct sockaddr *)&aaddr, &aaddrlen); -+ afd = accept(_io->fd, (struct sockaddr *)&aaddr, &aaddrlen); - if (afd == -1) { - audit_msg(LOG_ERR, "Unable to accept TCP connection"); - return; -@@ -793,8 +793,8 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, - - /* Verify it's coming from an authorized port. We assume the firewall - * will block attempts from unauthorized machines. */ -- if (min_port > ntohs (aaddr.sin_port) || -- ntohs (aaddr.sin_port) > max_port) { -+ if (min_port > ntohs(aaddr.sin_port) || -+ ntohs(aaddr.sin_port) > max_port) { - audit_msg(LOG_ERR, "TCP connection from %s rejected", - sockaddr_to_addr4(&aaddr)); - snprintf(emsg, sizeof(emsg), -@@ -825,29 +825,29 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, - setsockopt(afd, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int)); - setsockopt(afd, SOL_SOCKET, SO_KEEPALIVE, (char *)&one, sizeof (int)); - setsockopt(afd, IPPROTO_TCP, TCP_NODELAY, (char *)&one, sizeof (int)); -- set_close_on_exec (afd); -+ set_close_on_exec(afd); - - /* Make the client data structure */ -- client = (struct ev_tcp *) malloc (sizeof (struct ev_tcp)); -+ client = (struct ev_tcp *)malloc (sizeof (struct ev_tcp)); - if (client == NULL) { - audit_msg(LOG_CRIT, "Unable to allocate TCP client data"); - snprintf(emsg, sizeof(emsg), - "op=alloc addr=%s port=%d res=no", - sockaddr_to_ipv4(&aaddr), -- ntohs (aaddr.sin_port)); -+ ntohs(aaddr.sin_port)); - 
send_audit_event(AUDIT_DAEMON_ACCEPT, emsg); - shutdown(afd, SHUT_RDWR); - close(afd); - return; - } - -- memset (client, 0, sizeof (struct ev_tcp)); -+ memset(client, 0, sizeof (struct ev_tcp)); - client->client_active = 1; - - // Was watching for EV_ERROR, but libev 3.48 took it away -- ev_io_init (&(client->io), auditd_tcp_client_handler, afd, EV_READ); -+ ev_io_init(&(client->io), auditd_tcp_client_handler, afd, EV_READ); - -- memcpy (&client->addr, &aaddr, sizeof (struct sockaddr_in)); -+ memcpy(&client->addr, &aaddr, sizeof (struct sockaddr_in)); - - #ifdef USE_GSSAPI - if (use_gss && negotiate_credentials (client)) { -@@ -860,7 +860,7 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop, - #endif - - fcntl(afd, F_SETFL, O_NONBLOCK | O_NDELAY); -- ev_io_start (loop, &(client->io)); -+ ev_io_start(loop, &(client->io)); - - /* Add the new connection to a linked list of active clients. */ - client->next = client_chain; -@@ -883,7 +883,7 @@ static void auditd_set_ports(int minp, int maxp, int max_p_addr) - } - - static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, -- int revents ) -+ int revents) - { - struct daemon_conf *config = (struct daemon_conf *) per->data; - struct ev_tcp *ev, *next = NULL; -@@ -902,24 +902,24 @@ static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, - audit_msg(LOG_NOTICE, - "client %s idle too long - closing connection\n", - sockaddr_to_addr4(&(ev->addr))); -- ev_io_stop (loop, &ev->io); -+ ev_io_stop(loop, &ev->io); - release_client(ev); - free(ev); - } - } - --int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) -+int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config) - { - struct addrinfo *ai, *runp; - struct addrinfo hints; - char local[16]; - int one = 1, rc; - -- ev_periodic_init (&periodic_watcher, periodic_handler, -+ ev_periodic_init(&periodic_watcher, periodic_handler, - 0, config->tcp_client_max_idle, NULL); - 
periodic_watcher.data = config; - if (config->tcp_client_max_idle) -- ev_periodic_start (loop, &periodic_watcher); -+ ev_periodic_start(loop, &periodic_watcher); - - /* If the port is not set, that means we aren't going to - listen for connections. */ -@@ -940,7 +940,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) - nlsocks = 0; - runp = ai; - while (runp && nlsocks < N_SOCKS) { -- listen_socket[nlsocks] = socket (runp->ai_family, -+ listen_socket[nlsocks] = socket(runp->ai_family, - runp->ai_socktype, runp->ai_protocol); - if (listen_socket[nlsocks] < 0) { - audit_msg(LOG_ERR, "Cannot create tcp listener socket"); -@@ -950,7 +950,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) - /* This avoids problems if auditd needs to be restarted. */ - setsockopt(listen_socket[nlsocks], SOL_SOCKET, SO_REUSEADDR, - (char *)&one, sizeof (int)); -- set_close_on_exec (listen_socket[nlsocks]); -+ set_close_on_exec(listen_socket[nlsocks]); - - if (bind(listen_socket[nlsocks], runp->ai_addr, - runp->ai_addrlen)) { -@@ -977,9 +977,9 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) - p ? 
p->p_name: "?"); - endprotoent(); - -- ev_io_init (&tcp_listen_watcher, auditd_tcp_listen_handler, -+ ev_io_init(&tcp_listen_watcher, auditd_tcp_listen_handler, - listen_socket[nlsocks], EV_READ); -- ev_io_start (loop, &tcp_listen_watcher); -+ ev_io_start(loop, &tcp_listen_watcher); - non_fatal: - nlsocks++; - if (nlsocks == N_SOCKS) -@@ -1014,7 +1014,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) - key_file = "/etc/audit/audit.key"; - setenv ("KRB5_KTNAME", key_file, 1); - -- if (stat (key_file, &st) == 0) { -+ if (stat(key_file, &st) == 0) { - if ((st.st_mode & 07777) != 0400) { - audit_msg (LOG_ERR, - "%s is not mode 0400 (it's %#o) - compromised key?", -@@ -1022,7 +1022,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) - return -1; - } - if (st.st_uid != 0) { -- audit_msg (LOG_ERR, -+ audit_msg(LOG_ERR, - "%s is not owned by root (it's %d) - compromised key?", - key_file, st.st_uid); - return -1; -@@ -1036,17 +1036,16 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) - return 0; - } - --void auditd_tcp_listen_uninit ( struct ev_loop *loop, -- struct daemon_conf *config ) -+void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config) - { - #ifdef USE_GSSAPI - OM_uint32 status; - #endif - -- ev_io_stop ( loop, &tcp_listen_watcher ); -+ ev_io_stop(loop, &tcp_listen_watcher); - while (nlsocks >= 0) { - nlsocks--; -- close ( listen_socket[nlsocks] ); -+ close (listen_socket[nlsocks]); - } - - #ifdef USE_GSSAPI -@@ -1060,29 +1059,29 @@ void auditd_tcp_listen_uninit ( struct ev_loop *loop, - unsigned char ack[AUDIT_RMW_HEADER_SIZE]; - - AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ENDING, 0, 0); -- client_ack (client_chain, ack, ""); -- ev_io_stop (loop, &client_chain->io); -- close_client (client_chain); -+ client_ack(client_chain, ack, ""); -+ ev_io_stop(loop, &client_chain->io); -+ close_client(client_chain); - } - - if 
(config->tcp_client_max_idle) -- ev_periodic_stop (loop, &periodic_watcher); -+ ev_periodic_stop(loop, &periodic_watcher); - } - - static void periodic_reconfigure(struct daemon_conf *config) - { -- struct ev_loop *loop = ev_default_loop (EVFLAG_AUTO); -+ struct ev_loop *loop = ev_default_loop(EVFLAG_AUTO); - if (config->tcp_client_max_idle) { -- ev_periodic_set (&periodic_watcher, ev_now (loop), -+ ev_periodic_set(&periodic_watcher, ev_now(loop), - config->tcp_client_max_idle, NULL); -- ev_periodic_start (loop, &periodic_watcher); -+ ev_periodic_start(loop, &periodic_watcher); - } else { -- ev_periodic_stop (loop, &periodic_watcher); -+ ev_periodic_stop(loop, &periodic_watcher); - } - } - --void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, -- struct daemon_conf *oconf ) -+void auditd_tcp_listen_reconfigure(struct daemon_conf *nconf, -+ struct daemon_conf *oconf) - { - use_libwrap = nconf->use_libwrap; - -@@ -1112,3 +1111,4 @@ void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, - // and recredential if needed. - oconf->krb5_principal = nconf->krb5_principal; - } -+ diff --git a/SOURCES/audit-2.8.4-close.patch b/SOURCES/audit-2.8.4-close.patch new file mode 100644 index 0000000..71271ea --- /dev/null +++ b/SOURCES/audit-2.8.4-close.patch 
@@ -0,0 +1,37 @@
+diff -urp audit-2.8.4.orig/src/auditd-event.c audit-2.8.4/src/auditd-event.c
+--- audit-2.8.4.orig/src/auditd-event.c 2018-05-21 13:38:08.000000000 -0400
++++ audit-2.8.4/src/auditd-event.c 2018-06-26 09:13:40.898668045 -0400
+@@ -119,7 +119,8 @@ void shutdown_events(void)
+ pthread_join(flush_thread, NULL);
+ 
+ free((void *)format_buf);
+- fclose(log_file);
++ if (log_file)
++ fclose(log_file);
+ auparse_destroy_ext(NULL, AUPARSE_DESTROY_ALL);
+ }
+ 
+@@ -156,6 +157,7 @@ int init_event(struct daemon_conf *conf)
+ if (format_buf == NULL) {
+ audit_msg(LOG_ERR, "No memory for formatting, exiting");
+ fclose(log_file);
++ log_file = NULL;
+ return 1;
+ }
+ init_flush_thread();
+@@ -1003,6 +1005,7 @@ static void rotate_logs(unsigned int num
+ "rotating log file (%s)", strerror(errno));
+ }
+ fclose(log_file);
++ log_file = NULL;
+ 
+ /* Rotate */
+ len = strlen(config->log_file) + 16;
+@@ -1455,6 +1458,7 @@ static void reconfigure(struct auditd_ev
+ 
+ if (need_reopen) {
+ fclose(log_file);
++ log_file = NULL;
+ fix_disk_permissions();
+ if (open_audit_log()) {
+ int saved_errno = errno;
diff --git a/SOURCES/audit-3.0-state-sleep.patch b/SOURCES/audit-3.0-state-sleep.patch
new file mode 100644
index 0000000..b920b62
--- /dev/null
+++ b/SOURCES/audit-3.0-state-sleep.patch
@@ -0,0 +1,12 @@
+diff --git a/init.d/auditd.state b/init.d/auditd.state
+index ce777da..9a6b622 100644
+--- a/init.d/auditd.state
++++ b/init.d/auditd.state
+@@ -14,6 +14,7 @@ printf "Getting auditd internal state: "
+ killproc $prog -CONT
+ RETVAL=$?
+ echo -e "\n"
++sleep 1
+ if [ $? -eq 0 ] ; then
+ if [ -e $state_file ] ; then
+ cat $state_file
diff --git a/SOURCES/audit-3.0-sw-update.patch b/SOURCES/audit-3.0-sw-update.patch
new file mode 100644
index 0000000..6ee64a5
--- /dev/null
+++ b/SOURCES/audit-3.0-sw-update.patch
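Review bot: The return value of fclose() is still discarded at the rotate_logs and reconfigure sites this patch edits (`fclose(log_file); log_file = NULL;`), so a failed final flush of the audit log — the one case where records are actually lost — goes unreported. Since each close site is already being touched, it costs one line to surface it: `if (fclose(log_file) != 0) audit_msg(LOG_ERR, "Error closing log file (%s)", strerror(errno));` ahead of the `log_file = NULL;`. The new `if (log_file)` guard in shutdown_events is only sound if every fclose(log_file) in auditd-event.c nulls the pointer afterwards; three sites are covered here, and any other close site in the file, which I cannot see from this hunk, would still double-close. The enclosing functions all start and end outside the hunk.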
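Review bot: With `sleep 1` inserted directly before `if [ $? -eq 0 ] ; then`, `$?` now reports the exit status of sleep rather than anything about auditd, so the branch is taken unconditionally (it previously tested `echo`, which was equally meaningless). The status the script actually wants is the one it saved from killproc two lines earlier, `if [ $RETVAL -eq 0 ] ; then`, which also makes the new sleep harmless to the check. The one-second wait presumably gives auditd time to write $state_file after the -CONT signal; that intent is worth a comment on the line, e.g. `# give auditd a moment to write the state file after -CONT`. The script continues outside the hunk.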
@@ -0,0 +1,126 @@ +diff -urNp audit-3.0.orig/auparse/normalize.c audit-3.0/auparse/normalize.c +--- audit-3.0.orig/auparse/normalize.c 2018-05-21 13:38:08.000000000 -0400 ++++ audit-3.0/auparse/normalize.c 2018-07-01 10:22:28.772089011 -0400 +@@ -910,6 +910,7 @@ static const char *normalize_determine_e + case AUDIT_NETFILTER_CFG: + case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE: + case AUDIT_USER_DEVICE: ++ case AUDIT_SOFTWARE_UPDATE: + kind = NORM_EVTYPE_CONFIG; + break; + case AUDIT_SECCOMP: +@@ -1187,6 +1188,11 @@ static value_t find_simple_object(aupars + f = auparse_find_field(au, "device"); + D.thing.what = NORM_WHAT_KEYSTROKES; + break; ++ case AUDIT_SOFTWARE_UPDATE: ++ auparse_first_record(au); ++ f = auparse_find_field(au, "sw"); ++ D.thing.what = NORM_WHAT_SOFTWARE; ++ break; + case AUDIT_VIRT_MACHINE_ID: + f = auparse_find_field(au, "vm"); + D.thing.what = NORM_WHAT_VM; +@@ -1286,6 +1292,9 @@ static value_t find_simple_obj_secondary + case AUDIT_CRYPTO_SESSION: + f = auparse_find_field(au, "rport"); + break; ++ case AUDIT_SOFTWARE_UPDATE: ++ f = auparse_find_field(au, "sw_type"); ++ break; + default: + break; + } +@@ -1311,6 +1320,9 @@ static value_t find_simple_obj_primary2( + case AUDIT_VIRT_RESOURCE: + f = auparse_find_field(au, "vm"); + break; ++ case AUDIT_SOFTWARE_UPDATE: ++ f = auparse_find_field(au, "root_dir"); ++ break; + default: + break; + } +@@ -1628,6 +1640,10 @@ map: + if (D.opt == NORM_OPT_ALL) { + if (type == AUDIT_USER_DEVICE) { + add_obj_attr(au, "uuid", 0); ++ } else if (type == AUDIT_SOFTWARE_UPDATE) { ++ auparse_first_record(au); ++ add_obj_attr(au, "key_enforce", 0); ++ add_obj_attr(au, "gpg_res", 0); + } + } + +diff -urNp audit-3.0.orig/auparse/normalize-internal.h audit-3.0/auparse/normalize-internal.h +--- audit-3.0.orig/auparse/normalize-internal.h 2018-05-21 13:38:08.000000000 -0400 ++++ audit-3.0/auparse/normalize-internal.h 2018-07-01 10:24:07.029078467 -0400 +@@ -1,6 +1,6 @@ + /* + * normalize-internal.h +- * Copyright (c) 
2016-17 Red Hat Inc., Durham, North Carolina. ++ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or +@@ -96,6 +96,7 @@ + #define NORM_WHAT_MEMORY 20 + #define NORM_WHAT_KEYSTROKES 21 + #define NORM_WHAT_DEVICE 22 ++#define NORM_WHAT_SOFTWARE 23 + + // This enum is used to map events to what kind they are + #define NORM_EVTYPE_UNKNOWN 0 +diff -urNp audit-3.0.orig/auparse/normalize_obj_kind_map.h audit-3.0/auparse/normalize_obj_kind_map.h +--- audit-3.0.orig/auparse/normalize_obj_kind_map.h 2018-05-21 13:38:08.000000000 -0400 ++++ audit-3.0/auparse/normalize_obj_kind_map.h 2018-07-01 10:22:28.806089007 -0400 +@@ -1,6 +1,6 @@ + /* + * normalize_obj_kind_map.h +- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina. ++ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or +@@ -45,4 +45,5 @@ _S(NORM_WHAT_MAC_CONFIG, "mac-config") + _S(NORM_WHAT_MEMORY, "memory") + _S(NORM_WHAT_KEYSTROKES, "keystrokes") + _S(NORM_WHAT_DEVICE, "device") ++_S(NORM_WHAT_SOFTWARE, "software") + //_S(, "") +diff -urNp audit-3.0.orig/auparse/normalize_record_map.h audit-3.0/auparse/normalize_record_map.h +--- audit-3.0.orig/auparse/normalize_record_map.h 2018-05-21 13:38:08.000000000 -0400 ++++ audit-3.0/auparse/normalize_record_map.h 2018-07-01 10:22:28.806089007 -0400 +@@ -1,6 +1,6 @@ + /* + * normalize_record_map.h +- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina. ++ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. 
+ * + * This library is free software; you can redistribute it and/or +@@ -63,6 +63,7 @@ _S(AUDIT_MAC_CHECK, "mac-permission") + _S(AUDIT_ACCT_LOCK, "locked-account") + _S(AUDIT_ACCT_UNLOCK, "unlocked-account") + _S(AUDIT_USER_DEVICE, "configured-device") ++_S(AUDIT_SOFTWARE_UPDATE, "installed-software") + _S(AUDIT_DAEMON_START, "started-audit") + _S(AUDIT_DAEMON_END, "shutdown-audit") + _S(AUDIT_DAEMON_ABORT, "aborted-auditd-startup") +diff -urNp audit-3.0.orig/auparse/typetab.h audit-3.0/auparse/typetab.h +--- audit-3.0.orig/auparse/typetab.h 2018-05-21 13:38:08.000000000 -0400 ++++ audit-3.0/auparse/typetab.h 2018-07-01 10:22:28.807089007 -0400 +@@ -1,5 +1,5 @@ + /* typetab.h -- +- * Copyright 2007-09,2011-12,2014-17 Red Hat Inc., Durham, North Carolina. ++ * Copyright 2007-09,2011-12,2014-18 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or +@@ -140,4 +140,5 @@ _S(AUPARSE_TYPE_MACPROTO, "macproto" ) + _S(AUPARSE_TYPE_ESCAPED, "invalid_context") + _S(AUPARSE_TYPE_IOCTL_REQ, "ioctlcmd" ) + _S(AUPARSE_TYPE_FANOTIFY, "resp" ) +- ++_S(AUPARSE_TYPE_ESCAPED, "sw" ) ++_S(AUPARSE_TYPE_ESCAPED, "root_dir" ) diff --git a/SPECS/audit.spec b/SPECS/audit.spec index deca77f..9e766b0 100644 --- a/SPECS/audit.spec +++ b/SPECS/audit.spec @@ -2,8 +2,8 @@ Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 2.8.1 -Release: 3%{?dist}.1 +Version: 2.8.4 +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://people.redhat.com/sgrubb/audit/ 
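Review bot: The new `case AUDIT_SOFTWARE_UPDATE:` in find_simple_object calls `auparse_first_record(au)` before `auparse_find_field(au, "sw")`, while the neighbouring case (AUDIT_VIRT_MACHINE_ID) searches from the current cursor, and the same rewind is repeated in the `add_obj_attr` block near the end of normalize.c; a one-line comment such as `/* rewind: earlier lookups may have moved the cursor past the record that carries "sw" */` would document why this event type needs it, and it should be stated whether the `sw_type` and `root_dir` lookups in find_simple_obj_secondary and find_simple_obj_primary2, which do not rewind, rely on the cursor position left by the primary lookup. The typetab.h hunk registers `sw` and `root_dir` as AUPARSE_TYPE_ESCAPED but not `sw_type`, `key_enforce` or `gpg_res`; if those are plain tokens that is correct, but a short comment grouping the SOFTWARE_UPDATE fields would make the omission visibly deliberate. The new cases presumably require `AUDIT_SOFTWARE_UPDATE` to be defined in the libaudit headers this package builds against, which is not visible here — confirm, otherwise the build fails on older headers. All of the enclosing functions begin and end outside their hunks.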
@@ -12,16 +12,14 @@ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Patch1: audit-2.7.1-rhel7-fixup.patch # DO NOT REMOVE - backlog_wait_time is not in RHEL 7 kernel Patch2: audit-2.7.5-no-backlog-wait-time.patch -# This patch is purely fomatting. Needed for Patch4 to apply -Patch3: audit-2.8.2-style-fix.patch -# This patch fixes issue reported in bz 1101605#c15 -Patch4: audit-2.8.2-ipv6-bind.patch -# This patch corrects the return value for auditctl --reset-lost -Patch5: audit-2.8.2-fix-reset-lost-return.patch -# This patch makes date a numeric field so auparse_search works -Patch6: audit-2.8.2-auparse-numeric_field.patch -# This patch fixes a hang during daemon start up (#1607298) -Patch7: audit-2.8.4-fix-hang.patch +# Fix a segfault on shutdown +Patch3: audit-2.8.4-close.patch +# Fix a hang on boot (#1587995) +Patch4: audit-2.8.4-fix-hang.patch +# Add a sleep so that the report can run before displying it +Patch5: audit-3.0-state-sleep.patch +# Add support for ausearch --format text for SOFTWARE_UPDATE events +Patch6: audit-3.0-sw-update.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: openldap-devel BuildRequires: swig @@ -101,7 +99,6 @@ like relay events to remote machines. %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 %build %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes \ 
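Review bot: The comment on the new `Patch5` line has a typo, `displying` should be `displaying`, and the new `Patch3` comment is the only one of the four without a bug reference although the changelog in this same commit attributes the fix to #1559032; `# Fix a segfault on shutdown (#1559032)` would keep the patch comments uniform. The removal of `%patch7 -p1` in the second hunk is consistent with the shortened patch list, so nothing further is needed there.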
@@ -244,18 +241,21 @@ fi
 %attr(755,root,root) %{_bindir}/auvirt
 %attr(644,root,root) %{_unitdir}/auditd.service
 %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/reload
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
-%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
-%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
+%ghost %{_localstatedir}/run/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit
 %attr(750,root,root) %dir /etc/audit/rules.d
 %attr(750,root,root) %dir /etc/audisp
 %attr(750,root,root) %dir /etc/audisp/plugins.d
 %config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
-%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
+%ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
 %ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
 %config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
 %config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
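Review bot: The mode of `/etc/audit/rules.d/audit.rules` is tightened from 640 to 600 while the neighbouring `/etc/audit/audit.rules` stays at 640; the naming suggests the latter is the merged form of the rules.d fragments, so if the fragments are sensitive enough to hide from group root the merged rules presumably are too — either tighten both or record in the spec why they differ. The new `%ghost %{_localstatedir}/run/auditd.state` entry is the only file in this list without an explicit `%attr`, so the owner and mode rpm records for it (and what `rpm -V` later checks against) fall to the defaults rather than a deliberate choice; `%ghost %attr(640,root,root) %{_localstatedir}/run/auditd.state` would match the surrounding entries and keep the daemon's state dump unreadable to other users.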
@@ -277,8 +277,22 @@ fi %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %changelog -* Mon Jul 23 2018 Steve Grubb 2.8.1-3.el7_5.1 -resolves: #1607298 - auditd sometimes in failed state after boot +* Tue Jul 17 2018 Steve Grubb 2.8.4-4 +resolves: #1559032 - Rebase audit package to 2.8.4 to pick up bug fixes + +* Wed Jun 27 2018 Steve Grubb 2.8.4-3 +resolves: #1587995 - auditd sometimes in failed state after boot + +* Tue Jun 26 2018 Steve Grubb 2.8.4-2 +resolves: #1559032 - Fix a segfault on shutdown + +* Wed Jun 20 2018 Steve Grubb 2.8.4-1 +resolves: #1559032 - Rebase audit package to 2.8.4 to pick up bug fixes +resolves: #1573889 - auditd busy loop in rotate_logs() with num_logs < 2 +resolves: #1534748 - incorrect addr field when using IPv6 for remote logging +resolves: #1515903 - ausearch-expression man page missing \timestamp_ex +resolves: #1511606 - aureport AVC report header is incomplete +resolves: #1504251 - make auditd dump internal state for log writing status * Tue Dec 12 2017 Steve Grubb 2.8.1-3 resolves: #1399314 - Allow non-equality comparisons for uid and gid fields