From 738da8d693c76fe19fecc5f1b71b44b6f666707a Mon Sep 17 00:00:00 2001 From: =?utf8?q?Jan=20R=C4=99korajski?= Date: Sun, 8 Dec 2013 12:41:50 +0100 Subject: [PATCH] - dropped pie bcond (gcc 3.3? really?) - use upstream systemd service file, but without RefuseManualStop - updated SySv init script and sysconfig with changes from upstream - make example cron job work with both SysV and systemd init script/service - cleanup build and install - added trigger and post for changes location of rules file - rel 1 --- audit-cronjob.patch | 12 +++++++++ audit-no-refusemanualstop.patch | 10 +++++++ audit.spec | 48 +++++++++++++++------------------ auditd.init | 24 ++++++++++++++++- auditd.service | 11 -------- auditd.sysconfig | 27 ++++++++++++++----- 6 files changed, 86 insertions(+), 46 deletions(-) create mode 100644 audit-cronjob.patch create mode 100644 audit-no-refusemanualstop.patch delete mode 100644 auditd.service diff --git a/audit-cronjob.patch b/audit-cronjob.patch new file mode 100644 index 0000000..9510fc6 --- /dev/null +++ b/audit-cronjob.patch @@ -0,0 +1,12 @@ +--- audit-2.3.2/init.d/auditd.cron.orig 2013-07-29 23:36:59.000000000 +0200 ++++ audit-2.3.2/init.d/auditd.cron 2013-12-08 12:29:45.000000000 +0100 +@@ -1,7 +1,8 @@ + # based on a cron job. + ########## + +-/sbin/service auditd rotate ++p=$(pidof auditd) ++[ -n "$p" ] && kill -USR1 $p + EXITVALUE=$? + if [ $EXITVALUE != 0 ]; then + /usr/bin/logger -t auditd "ALERT exited abnormally with [$EXITVALUE]" diff --git a/audit-no-refusemanualstop.patch b/audit-no-refusemanualstop.patch new file mode 100644 index 0000000..47b843a --- /dev/null +++ b/audit-no-refusemanualstop.patch @@ -0,0 +1,10 @@ +--- a/init.d/auditd.service ++++ b/init.d/auditd.service +@@ -4,7 +4,6 @@ DefaultDependencies=no + After=local-fs.target + Conflicts=shutdown.target + Before=sysinit.target shutdown.target +-RefuseManualStop=yes + + [Service] + ExecStart=/sbin/auditd -n diff --git a/audit.spec b/audit.spec index 0d45412..dc80580 100644 
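Review bot: When auditd is not running, `[ -n "$p" ]` fails and `EXITVALUE` becomes 1, so the existing logger line reports "exited abnormally with [1]" as if the signal had failed, and the person watching for rotation failures cannot tell the two cases apart. A separate branch before the `kill` would make the alert actionable: `if [ -z "$p" ]; then /usr/bin/logger -t auditd "ALERT auditd not running, logs not rotated"; exit 1; fi`. `pidof auditd` also selects by process name, so any other process called auditd that is visible to cron would receive SIGUSR1 too; a comment saying the name lookup is deliberate (it works under both SysV and systemd) would help. The cron script continues outside this hunk.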
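Review bot: Removing `RefuseManualStop=yes` allows `systemctl stop auditd.service`, and neither the patch nor the spec says why upstream set it or why it is safe to drop. As I understand upstream's rationale, a stop requested through systemd is delivered by PID 1, so the audit trail cannot attribute the daemon's shutdown to the administrator who asked for it. If the directive is dropped so that the package's restart paths work, the patch header should say so, for example `# PLD: allow stop/restart via systemctl; such stops are not attributed to the requesting login uid`.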
--- a/audit.spec +++ b/audit.spec @@ -1,10 +1,5 @@ -# TODO: - revise our auditd.service vs upstream version -# - add triggers for existing rules -# look at https://www.redhat.com/archives/linux-audit/2013-May/msg00000.html -# # Conditional build: %bcond_without kerberos5 # do not build with heimdal -%bcond_without pie # auditd as PIE binary %bcond_without prelude # prelude audisp plugin %bcond_without python # don't build python bindings %bcond_without zos_remote # do not build zos-remote audisp plugin (LDAP dep) @@ -13,24 +8,24 @@ Summary: User space tools for 2.6 kernel auditing Summary(pl.UTF-8): Narzędzia przestrzeni użytkownika do audytu jąder 2.6 Name: audit Version: 2.3.2 -Release: 0.1 +Release: 1 License: GPL v2+ Group: Daemons Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz # Source0-md5: 4e8d065b5cc16b77b9b61e93a9ed160e Source2: %{name}d.init Source3: %{name}d.sysconfig -Source4: %{name}d.service Patch0: %{name}-install.patch Patch1: %{name}-m4.patch Patch2: %{name}-nolibs.patch Patch3: %{name}-no_zos_remote.patch Patch4: %{name}-systemd-notonly.patch Patch5: %{name}-am.patch +Patch6: %{name}-no-refusemanualstop.patch +Patch7: %{name}-cronjob.patch URL: http://people.redhat.com/sgrubb/audit/ BuildRequires: autoconf >= 2.59 BuildRequires: automake >= 1:1.9 -%{?with_pie:BuildRequires: gcc >= 5:3.4} BuildRequires: glibc-headers >= 6:2.3.6 %{?with_kerberos5:BuildRequires: heimdal-devel} BuildRequires: libcap-ng-devel @@ -151,6 +146,8 @@ Pythonowy interfejs do biblioteki libaudit. %{!?with_zos_remote:%patch3 -p1} %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 %if %{without python} sed 's#swig/Makefile ##' -i configure.ac 
@@ -169,12 +166,8 @@ sed 's/swig//' -i Makefile.am --with-apparmor \ --with-libwrap \ %{?with_prelude:--with-prelude} -# override auditd_{C,LD}FLAGS to avoid -fPIE unsupported by gcc 3.3 -%{__make} \ - %{!?with_pie:auditd_CFLAGS="-D_REENTRANT -D_GNU_SOURCE" auditd_LDFLAGS="-Wl,-z,relro"} -# temporarily not included in all -%{__make} -C auparse +%{__make} %install rm -rf $RPM_BUILD_ROOT @@ -183,9 +176,8 @@ install -d $RPM_BUILD_ROOT%{_var}/log/audit %{__make} install \ DESTDIR=$RPM_BUILD_ROOT -# temporarily not included in all -%{__make} -C auparse install \ - DESTDIR=$RPM_BUILD_ROOT +install %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/auditd +install %{SOURCE3} $RPM_BUILD_ROOT/etc/sysconfig/auditd install -d $RPM_BUILD_ROOT/%{_lib} mv -f $RPM_BUILD_ROOT%{_libdir}/libaudit.so.* $RPM_BUILD_ROOT/%{_lib} @@ -195,21 +187,13 @@ mv -f $RPM_BUILD_ROOT%{_libdir}/libauparse.so.* $RPM_BUILD_ROOT/%{_lib} ln -sf /%{_lib}/$(basename $RPM_BUILD_ROOT/%{_lib}/libauparse.so.*.*.*) \ $RPM_BUILD_ROOT%{_libdir}/libauparse.so -# We manually install this since Makefile doesn't -install -d $RPM_BUILD_ROOT{%{_includedir},%{systemdunitdir}} -install lib/libaudit.h $RPM_BUILD_ROOT%{_includedir} - -install %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/auditd -install %{SOURCE3} $RPM_BUILD_ROOT/etc/sysconfig/auditd -install %{SOURCE4} $RPM_BUILD_ROOT%{systemdunitdir} - -# seems RH initscripts-specific -%{__rm} -r $RPM_BUILD_ROOT%{_libdir}/initscripts +# RH initscripts-specific +%{__rm} -r $RPM_BUILD_ROOT%{_libexecdir}/initscripts %if %{with python} %py_comp $RPM_BUILD_ROOT%{py_sitedir} %py_ocomp $RPM_BUILD_ROOT%{py_sitedir} -%{__rm} $RPM_BUILD_ROOT%{py_sitedir}/*.py +%py_postclean %{__rm} $RPM_BUILD_ROOT%{py_sitedir}/*.{la,a} %endif 
@@ -220,6 +204,10 @@ rm -rf $RPM_BUILD_ROOT %postun libs -p /sbin/ldconfig %post +# Copy default rules into place on new installation +if [ ! -e %{_sysconfdir}/audit/audit.rules ] ; then + cp -a %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules +fi /sbin/chkconfig --add auditd %service auditd restart "audit daemon" %systemd_post auditd.service @@ -237,9 +225,15 @@ fi %triggerpostun -- %{name} < 2.2-2 %systemd_trigger auditd.service +%triggerpostun -- %{name} < 2.3-1 +if [ -e %{_sysconfdir}/audit/audit.rules.rpmsave ] ; then + %{__mv} %{_sysconfdir}/audit/audit.rules{.rpmsave,} +fi + %files %defattr(644,root,root,755) %doc AUTHORS ChangeLog README THANKS TODO +%doc contrib/{capp,nispom,lspp,stig}.rules init.d/auditd.cron %attr(750,root,root) %{_bindir}/aulast %attr(750,root,root) %{_bindir}/aulastlog %attr(750,root,root) %{_bindir}/ausyscall diff --git a/auditd.init b/auditd.init index fdabdbc..d3c279e 100755 --- a/auditd.init +++ b/auditd.init @@ -15,7 +15,8 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin # Source function library . /etc/rc.d/init.d/functions -AUDITD_CLEAN_STOP=yes +AUDITD_CLEAN_STOP="yes" +AUDITD_STOP_DISABLE="yes" EXTRAOPTIONS= AUDIT_RULES=/etc/audit/audit.rules 
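Review bot: The `cp -a` added to `%post` is unchecked, so if `%{_sysconfdir}/audit/rules.d/audit.rules` is missing or the copy fails, the scriptlet still goes on to `%service auditd restart` with no `audit.rules`. The init script's `[ -f $AUDIT_RULES ]` test then skips rule loading without any message, leaving the daemon running with no rules. Reporting the failure would make that state visible, e.g. `cp -a %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules || echo "audit: default rules not installed" >&2`. A short comment that `cp -a` keeps the packaged file's owner and mode would also document where the live rules file gets its permissions.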
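Review bot: The new `%triggerpostun -- %{name} < 2.3-1` restores `audit.rules` only when an `.rpmsave` copy exists. If the old package shipped the file as an unmodified config file (not visible here), rpm would presumably remove it without leaving an `.rpmsave`; `%post` has already run while the old file was still present, so nothing recreates it and the next start loads no rules. A second branch would cover that case: `elif [ ! -e %{_sysconfdir}/audit/audit.rules ]; then cp -a %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules`. The `audit.rules{.rpmsave,}` brace expansion also depends on the scriptlet shell supporting it, so spelling out both paths is safer.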
@@ -30,11 +31,29 @@ start() { local rc msg_starting auditd + # Localization for auditd is controlled in /etc/synconfig/auditd + if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "C" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then + unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + else + LANG="$AUDITD_LANG" + LC_TIME="$AUDITD_LANG" + LC_ALL="$AUDITD_LANG" + LC_MESSAGES="$AUDITD_LANG" + LC_NUMERIC="$AUDITD_LANG" + LC_MONETARY="$AUDITD_LANG" + LC_COLLATE="$AUDITD_LANG" + export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + fi unset HOME MAIL USER USERNAME daemon /sbin/auditd "$EXTRAOPTIONS" RETVAL=$? # Load the default rules if daemon started if [ $RETVAL -eq 0 ] && [ -f $AUDIT_RULES ]; then + # Prepare the default rules + if is_yes "$USE_AUGENRULES"; then + /sbin/augenrules + fi + # Load the default rules /sbin/auditctl -R $AUDIT_RULES >/dev/null rc=$? # add error code, if it was an error @@ -56,6 +75,9 @@ stop() { if ! is_no "$AUDITD_CLEAN_STOP"; then /sbin/auditctl -D >/dev/null fi + if ! is_no "$AUDITD_STOP_DISABLE"; then + /sbin/auditctl -e 0 >/dev/null + fi } condrestart() { diff --git a/auditd.service b/auditd.service deleted file mode 100644 index 04b0b36..0000000 --- a/auditd.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Security Auditing Service -After=syslog.target - -[Service] -ExecStart=/sbin/auditd -n -ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules - -[Install] -WantedBy=multi-user.target - diff --git a/auditd.sysconfig b/auditd.sysconfig index 51154f4..e46687b 100644 --- a/auditd.sysconfig +++ b/auditd.sysconfig 
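Review bot: `/sbin/augenrules` is called only inside the `[ -f $AUDIT_RULES ]` branch, so with `USE_AUGENRULES=yes` and no `/etc/audit/audit.rules` yet, the file is never generated and no rules are loaded. Its exit status is ignored as well, so a failed compile silently leaves `auditctl -R` loading whatever file was there before. Running it before the file test and reporting a failure addresses both. The new comment's `/etc/synconfig/auditd` should read `/etc/sysconfig/auditd`. start() begins and ends outside the hunk.

```shell
	# Generate audit.rules from rules.d first, so a missing file can be created
	if [ $RETVAL -eq 0 ] && is_yes "$USE_AUGENRULES"; then
		/sbin/augenrules || echo "auditd: augenrules failed, loading existing $AUDIT_RULES" >&2
	fi
	# Load the default rules if daemon started
	if [ $RETVAL -eq 0 ] && [ -f $AUDIT_RULES ]; then
		# … unchanged: auditctl -R call and error-code handling …
```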
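Review bot: Because `AUDITD_STOP_DISABLE` defaults to "yes" and the test is `! is_no`, every stop ends with `/sbin/auditctl -e 0`, which turns kernel auditing off, and so does any unset or misspelt value. Whether a later start turns auditing back on is not visible in this hunk, and if the loaded rules locked the audit configuration the call would fail with only stdout discarded. A comment above the block should state the consequence, e.g. `# Disables kernel auditing: events between stop and the next start are not recorded`. Testing with `is_yes "$AUDITD_STOP_DISABLE"` would keep the shipped default while making the disabling step explicit opt-in. stop() begins outside the hunk.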
@@ -3,13 +3,26 @@ # Nice level for auditd #SERVICE_RUN_NICE_LEVEL=0 -# You can set audit locale here -#LC_ALL=C - +# Add extra options here +EXTRAOPTIONS="" +# +# This is the locale information that audit uses. +# To remove all locale information from audit's environment, set +# AUDITD_LANG to the empty string or the string "none". +#AUDITD_LANG="pl_PL" +# # This option is used to determine if rules & watches should be deleted on # shutdown. This is beneficial in most cases so that a watch doesn't linger # on a drive that is being unmounted. If set to no, it will NOT be cleaned up. -AUDITD_CLEAN_STOP=yes - -# Extra options for auditd -#EXTRAOPTIONS= +AUDITD_CLEAN_STOP="yes" +# +# This option determines whether the audit system should be disabled when +# the audit daemon is shutdown +AUDITD_STOP_DISABLE="yes" +# +# This option determines whether or not to call augenrules to compile the +# audit.rule file from /etc/audit/rules.d. The default is "no" so that nothing +# happens to existing rules. When setting this up, any existing rules need to +# be copied into /etc/audit/rules.d or it will be lost when audit.rule gets +# overwritten. +USE_AUGENRULES="no" -- 2.43.0
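Review bot: The "Add extra options here" comment on `EXTRAOPTIONS=""` invites several options, but the start() context line in auditd.init passes `"$EXTRAOPTIONS"` as one quoted word. Unless `daemon` re-splits its arguments, several options would arrive as a single argument, and the empty default as an empty one. The comment should say that only a single option is supported, or the init script should expand the variable unquoted. The `USE_AUGENRULES` comment says `audit.rule` twice where `audit.rules` is meant. The `AUDITD_LANG` comment does not mention that the init script also treats "C" the same as "none".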