commit 519742afc48cb60e9045c1c2f3e5701a1ba80c50 Author: zyppe <210hcl@gmail.com> Date: Sun Feb 4 20:42:58 2024 +0800 Initialize for audit
diff --git a/.audit.metadata b/.audit.metadata
new file mode 100644
index 0000000..be9d783
--- /dev/null
+++ b/.audit.metadata
@@ -0,0 +1 @@
+60ea3fa2be849b6b05a2c321e9ba1492ae1eec8317c2c7adfbc93b3acacf563a audit-3.0.6.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..725c7ba
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+audit-3.0.6.tar.gz
diff --git a/README-BEFORE-ADDING-PATCHES b/README-BEFORE-ADDING-PATCHES
new file mode 100644
index 0000000..2c8651e
--- /dev/null
+++ b/README-BEFORE-ADDING-PATCHES
@@ -0,0 +1,16 @@
+All patches need to have a kernel-style patch description header.
+
+PATCHES LACKING THIS OR NOT CORRECTLY FOLLOWING DESCRIPTION BELOW WILL BE
+REJECTED OR REVERTED
+
+From: Joe Smoe
+Subject: Summary of fix
+Date: Date of fix
+References: Bugzilla reference [bsc#xxxx]
+References: URL of relevant discussion thread, opensuse or upstream ML etc
+Git-commit: Full SHA of upstream commit [if applicable]
+Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
+Patch-mainline: revision of audit package or explanation if not [i.e v2.8.1 or "queued with maintainer" or "never; because ...." ]
+Signed-Off-by: Joe Smoe
+
+Short paragraph describing problem/fix.
diff --git a/audit.changes b/audit.changes
new file mode 100644
index 0000000..b9af56a
--- /dev/null
+++ b/audit.changes
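Review bot: The digest line in .audit.metadata is the only integrity reference for audit-3.0.6.tar.gz in this tree, since the .gitignore hunk in the same commit excludes the tarball itself; nothing on the page says what consumes that digest or when it is checked. If the packaging tooling does not already verify it, a one-line note in README-BEFORE-ADDING-PATCHES stating how the pinned digest is validated before the tarball is unpacked (for example `sha256sum -c` against .audit.metadata) would make the pin actionable for the next person who bumps the version. The digest format, a bare hex string followed by the file name, presumably follows sha256sum output, but the algorithm is not named in the file; confirm that is the intended convention.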
@@ -0,0 +1,1102 @@
+* Mon Mar 20 2023 ematsumiya@suse.de
+- Enable livepatching on main library on x86_64.
+* Mon Apr 11 2022 jengelh@inai.de
+- Modernize specfile constructs.
+* Sun Nov 7 2021 gmbr3@opensuse.org
+- Update to version 3.0.6:
+ * fixes a segfault on some SELINUX_ERR records
+ * makes IPX packet interpretation dependent on the ipx header
+ file existing
+ * adds b32/b64 support to ausyscall
+ * adds support for armv8l
+ * fixes auditctl list of syscalls on PPC
+ * auditd.service now restarts auditd under some conditions
+* Thu Sep 16 2021 ematsumiya@suse.com
+- Update to version 3.0.5:
+ * In auditd, flush uid/gid caches when user/group added/deleted/modified
+ * Fixed various issues when dealing with corrupted logs
+ * In auditd, check if log_file is valid before closing handle
+- Include fixed from 3.0.4:
+ * Apply performance speedups to auparse library
+ * Optimize rule loading in auditctl
+ * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
+ * Update syscall table to the 5.14 kernel
+ * Fixed various issues when dealing with corrupted logs
+* Fri Jul 30 2021 ematsumiya@suse.com
+- Update to version 3.0.3:
+ * Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
+ * Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
+ * Change auparse_feed_has_data in auparse to include incomplete events
+ * Auditd, stop linking against -lrt
+ * Add ProtectHome and RestrictRealtime to auditd.service
+ * In auditd, read up to 3 netlink packets in a row
+ * In auditd, do not validate path to plugin unless active
+ * In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
+- use https source urls
+* Mon Jun 14 2021 ematsumiya@suse.com
+- Adjust audit.spec and audit-secondary.spec to support new version
+- Include fix for libev
+ * add libev-werror.patch
+- Update to version 3.0.2
+- In audispd-statsd pluging, use struct sockaddr_storage (Ville Heikkinen)
+- Optionally interpret auid in auditctl -l
+- Update some syscall argument interpretations
+- In auditd, do not allow spaces in the hostname name format
+- Big documentation cleanup (MIZUTA Takeshi)
+- Update syscall table to the 5.12 kernel
+- Update the auparse normalizer for new event types
+- Fix compiler warnings in ids subsystem
+- Block a couple signals from flush & reconfigure threads
+- In auditd, don't wait on flush thread when exiting
+- Output error message if the path of input files are too long ausearch/report
+ Included fixes from 3.0.1
+- Update syscall table to the 5.11 kernel
+- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
+- Only enable periodic timers when listening on the network
+- Upgrade libev to 4.33
+- Add auparse_new_buffer function to auparse library
+- Use the select libev backend unless aggregating events
+- Add sudoers to some base audit rules
+- Update the auparse normalizer for some new syscalls and event types
+ Included fixes from 3.0
+- Generate checkpoint file even when no results are returned (Burn Alting)
+- Fix log file creation when file logging is disabled entirely (Vlad Glagolev)
+- Convert auparse_test to run with python3 (Tomáš Chvátal)
+- Drop support for prelude
+- Adjust backlog_wait_time in rules to the kernel default (#1482848)
+- Remove ids key syntax checking of rules in auditctl
+- Use SIGCONT to dump auditd internal state (#1504251)
+- Fix parsing of virtual timestamp fields in ausearch_expression (#1515903)
+- Fix parsing of uid & success for ausearch
+- Add support for not equal operator in audit by executable (Ondrej Mosnacek)
+- Hide lru symbols in auparse
+- Add systemd process protections
+- Fix aureport summary time range reporting
+- Allow unlimited retries on startup for remote logging
+- Add queue_depth to remote logging stats and increase default queue_depth size
+- Fix segfault on shutdown
+- Merge auditd and audispd code
+- Close on execute init_pipe fd (#1587995)
+- Breakout audisp syslog plugin to be standalone program
+- Create a common internal library to reduce code
+- Move all audispd config files under /etc/audit/
+- Move audispd.conf settings into auditd.conf
+- Add queue depth statistics to internal state dump report
+- Add network statistics to internal state dump report
+- SIGUSR now also restarts queue processing if its suspended
+- Update lookup tables for the 4.18 kernel
+- Add auparse_normalizer support for SOFTWARE_UPDATE event
+- Add 30-ospp-v42.rules to meet new Common Criteria requirements
+- Deprecate enable_krb and replace with transport config opt for remote logging
+- Mark netlabel events as simple events so that get processed quicker
+- When auditd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+- In aureport, fix segfault in file report
+- Add auparse_normalizer support for labeled networking events
+- Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
+- In ausearch/auparse, event aging is off by a second
+- In ausearch/auparse, correct event ordering to process oldest first
+- Migrate auparse python test to python3
+- auparse_reset was not clearing everything it should
+- Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+- In ausearch/report, lightly parse selinux portion of USER_AVC events
+- Add bpf syscall command argument interpretation to auparse
+- In ausearch/report, limit record size when malformed
+- Port af_unix plugin to libev
+- In auditd, fix extract_type function for network originating events
+- In auditd, calculate right size and location for network originating events
+- Make legacy script wait for auditd to terminate (#1643567)
+- Treat all network originating events as VER2 so dispatcher doesn't format it
+- If an event has a node name make it VER2 so dispatcher doesnt format it
+- In audisp-remote do an initial connection attempt (#1625156)
+- In auditd, allow expression of space left as a percentage (#1650670)
+- On PPC64LE systems, only allow 64 bit rules (#1462178)
+- Make some parts of auditd state report optional based on config
+- Update to libev-4.25
+- Fix ausearch when checkpointing a single file (Burn Alting)
+- Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+- In ausearch, do not checkpt if stdin is input source
+- In libev, remove __cold__ attribute for functions to allow proper hardening
+- Add tests to configure.ac for openldap support
+- Make systemd support files use /run rather than /var/run (Christian Hesse)
+- Fix minor memory leak in auditd kerberos credentials code
+- Allow exclude and user filter by executable name (Ondrej Mosnacek)
+- Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+- In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Add substitue functions for strndupa & rawmemchr
+- Fix memleak in auparse caused by corrected event ordering
+- Fix legacy reload script to reload audit rules when daemon is reloaded
+- Support for unescaping in trusted messages (Dmitry Voronin)
+- In auditd, use standard template for DEAMON events (Richard Guy Briggs)
+- In aureport, fix segfault for malformed USER_CMD events
+- Add exe field to audit_log_user_command in libaudit
+- In auditctl support filter on socket address families (Richard Guy Briggs)
+- Deprecate support for Alpha & IA64 processors
+- If space_left_action is rotate, allow it every time (#1718444)
+- In auparse, drop standalone EOE events
+- Add milliseconds column for ausearch extra time csv format
+- Fix aureport first event reporting when no start given
+- In audisp-remote, add new config item for startup connection errors
+- Remove dependency on chkconfig
+- Install rules to /usr/share/audit/sample-rules/
+- Split up ospp rules to make SCAP scanning easier (#1746018)
+- In audisp-syslog, support interpreting records (#1497279)
+- Audit USER events now sends msg as name value pair
+- Add support for AUDIT_BPF event
+- Auditd should not process AUDIT_REPLACE events
+- Update syscall tables to the 5.5 kernel
+- Improve personality interpretation by using PERS_MASK
+- Speedup ausearch/report parsing RAW logging format by caching uid/name lookup
+- Change auparse python bindings to shared object (Issue #121)
+- Add error messages for watch permissions
+- If audit rules file doesn't exist log error message instead of info message
+- Revise error message for unmatched options in auditctl
+- In audisp-remote, fixup remote endpoint disappearin in ascii format
+- Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander)
+- In auditctl, add support for sending a signal to auditd
+- Remove audit-fno-common.patch: fixed in upstream
+- Remove audit-python3.patch: fixed in upstream
+* Wed Dec 2 2020 abergmann@suse.com
+- Enable Aarch64 processor support. (bsc#1179515 bsc#1179806)
+* Mon Jun 1 2020 ematsumiya@suse.com
+- Fix specfile to require libauparse0 and libaudit1 after splitting
+ audit-libs (bsc#1172295)
+* Mon Jan 13 2020 tonyj@suse.com
+- Update to version 2.8.5:
+ * Fix segfault on shutdown
+ * Fix hang on startup (#1587995)
+ * Add sleep to script to dump state so file is ready when needed
+ * Add auparse_normalizer support for SOFTWARE_UPDATE event
+ * Mark netlabel events as simple events so that get processed quicker
+ * When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833)
+ * Add 30-ospp-v42.rules to meet new Common Criteria requirements
+ * Update lookup tables for the 4.18 kernel
+ * In aureport, fix segfault in file report
+ * Add auparse_normalizer support for labeled networking events
+ * Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194)
+ * Event aging is off by a second
+ * In ausearch/auparse, correct event ordering to process oldest first
+ * auparse_reset was not clearing everything it should
+ * Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events
+ * In ausearch/report, lightly parse selinux portion of USER_AVC events
+ * In ausearch/report, limit record size when malformed
+ * In auditd, fix extract_type function for network originating events
+ * In auditd, calculate right size and location for network originating events
+ * Treat all network originating events as VER2 so dispatcher doesn't format it
+ * In audisp-remote do an initial connection attempt (#1625156)
+ * In auditd, allow expression of space left as a percentage (#1650670)
+ * On PPC64LE systems, only allow 64 bit rules (#1462178)
+ * Make some parts of auditd state report optional based on config
+ * Fix ausearch when checkpointing a single file (Burn Alting)
+ * Fix scripting in 31-privileged.rules wrt filecap (#1662516)
+ * In ausearch, do not checkpt if stdin is input source
+ * In libev, remove __cold__ attribute for functions to allow proper hardening
+ * Add tests to configure.ac for openldap support
+ * Make systemd support files use /run rather than /var/run (Christian Hesse)
+ * Fix minor memory leak in auditd kerberos credentials code
+ * Fix auditd regression where keep_logs is limited by rotate_logs 2 file test
+ * In ausearch/report fix --end to use midnight time instead of now (#1671338)
+- Remote zos building is now a configurable option.
+ It should be disabled in audit (and left enabled in audit-secondary).
+* Thu Mar 21 2019 jengelh@inai.de
+- Make use of some %%make_install.
+* Sat Jun 23 2018 antoine.belvire@opensuse.org
+- Update to version 2.8.4:
+ * Generate checkpoint file even when not results are returned
+ (Burn Alting).
+ * Fix log file creation when file logging is disabled entirely
+ (Vlad Glagolev).
+ * Use SIGCONT to dump auditd internal state (rh#1504251).
+ * Fix parsing of virtual timestamp fields in ausearch_expression
+ (rh#1515903).
+ * Fix parsing of uid & success for ausearch.
+ * Hide lru symbols in auparse.
+ * Fix aureport summary time range reporting.
+ * Allow unlimited retries on startup for remote logging.
+ * Add queue_depth to remote logging stats and increase default
+ queue_depth size.
+* Sun Jun 17 2018 antoine.belvire@opensuse.org
+- Update to version 2.8.3:
+ * Correct msg function name in lru debug code.
+ * Fix a segfault in auditd when dns resolution isn't available.
+ * Make a reload legacy service for auditd.
+ * In auparse python bindings, expose some new types that were
+ missing.
+ * In normalizer, pickup subject kind for user_login events.
+ * Fix interpretation of unknown ioctcmds (rh#1540507).
+ * Add ANOM_LOGIN_SERVICE, RESP_ORIGIN_BLOCK, &
+ RESP_ORIGIN_BLOCK_TIMED events.
+ * In auparse_normalize for USER_LOGIN events, map acct for
+ subj_kind.
+ * Fix logging of IPv6 addresses in DAEMON_ACCEPT events
+ (rh#1534748).
+ * Do not rotate auditd logs when num_logs < 2 (brozs).
+* Fri Mar 16 2018 tonyj@suse.com
+- Update header in audit-python3.patch
+- Update patch guidelines in README-BEFORE-ADDING-PATCHES
+* Wed Feb 7 2018 tchvatal@suse.com
+- Add patch to fix test run without python2 interpreter:
+ * audit-python3.patch
+- Update to 2.8.2 release:
+ * Update tables for 4.14 kernel
+ * Fixup ipv6 server side binding
+ * AVC report from aureport was missing result column header (#1511606)
+ * Add SOFTWARE_UPDATE event
+ * In ausearch/report pickup any path and new-disk fields as a file
+ * Fix value returned by auditctl --reset-lost (Richard Guy Briggs)
+ * In auparse, fix expr_create_timestamp_comparison_ex to be numeric field
+ * Fix building on old systems without linux/fanotify.h
+ * Fix shell portability issues reported by shellcheck
+ * Auditd validate_email should not use gethostbyname
+* Sat Nov 4 2017 aavindraa@gmail.com
+- Update to version 2.8.1 release (includes 2.8 and 2.7.8 changes)
+ * many features added to auparse_normalize
+ * cli option added to auditd and audispd for setting config dir
+ * in auditd, restore the umask after creating a log file
+ * option added to auditd for skipping email verification
+- Full changelog: http://people.redhat.com/sgrubb/audit/ChangeLog
+* Mon Jul 24 2017 jengelh@inai.de
+- Rectify RPM groups, diversify descriptions.
+- Remove mentions of static libraries because they are not built.
+* Tue Jul 18 2017 tonyj@suse.com
+- Update to version 2.7.7 release
+ Changelog: https://people.redhat.com/sgrubb/audit/ChangeLog
+* Sat Apr 2 2016 tchvatal@suse.com
+- Create folder for the m4 file from previous commit to avoid install
+ failure
+* Fri Apr 1 2016 tchvatal@suse.com
+- Version update to 2.5 release
+- Refresh two patches and README to contain SUSE and not SuSE
+ * audit-allow-manual-stop.patch
+ * audit-plugins-path.patch
+- Cleanup with spec-cleaner and do not use subshells but rather use
+ - C parameter of make
+- Install m4 file to the devel package
+* Wed Dec 2 2015 p.drouand@gmail.com
+- Do not depend on insserv nor fillup; the package provides
+ neither sysconfig nor sysvinit files
+* Fri Aug 21 2015 tonyj@suse.com
+- Update to version 2.4.4 (bsc#941922, CVE-2015-5186)
+- Remove patch 'audit-no_m4_dir.patch'
+ (added Fri Apr 26 11:14:39 UTC 2013 by mmeister@suse.com)
+ No idea what earlier 'automake' build error this was trying to fix but
+ it broke the handling of "--without-libcap-ng". Anyways, no build error
+ occurs now and m4 path is also needed in v2.4.4 to find ax_prog_cc_for_build
+- Require pkgconfig for build
+ Changelog 2.4.4
+ - Fix linked list correctness in ausearch/report
+ - Add more cross compile fixups (Clayton Shotwell)
+ - Update auparse python bindings
+ - Update libev to 4.20
+ - Fix CVE-2015-5186 Audit: log terminal emulator escape sequences handling
+ Changelog 2.4.3
+ - Add python3 support for libaudit
+ - Cleanup automake warnings
+ - Add AuParser_search_add_timestamp_item_ex to python bindings
+ - Add AuParser_get_type_name to python bindings
+ - Correct processing of obj_gid in auditctl (Aleksander Zdyb)
+ - Make plugin config file parsing more robust for long lines (#1235457)
+ - Make auditctl status print lost field as unsigned number
+ - Add interpretation mode for auditctl -s
+ - Add python3 support to auparse library
+ - Make --enable-zos-remote a build time configuration option (Clayton Shotwell)
+ - Updates for cross compiling (Clayton Shotwell)
+ - Add MAC_CHECK audit event type
+ - Add libauparse pkgconfig file (Aleksander Zdyb)
+ Changelog 2.4.2
+ - Ausearch should parse exe field in SECCOMP events
+ - Improve output for short mode interpretations in auparse
+ - Add CRYPTO_IKE_SA and CRYPTO_IPSEC_SA events
+ - If auditctl is reading rules from a file, send messages to syslog (#1144252)
+ - Correct lookup of ppc64le when determining machine type
+ - Increase time buffer for wide character numbers in ausearch/report (#1200314)
+ - In aureport, add USER_TTY events to tty report
+ - In audispd, limit reporting of queue full messages (#1203810)
+ - In auditctl, don't segfault when invalid options passed (#1206516)
+ - In autrace, remove some older unimplemented syscalls for aarch64 (#1185892)
+ - In auditctl, correct lookup of aarch64 in arch field (#1186313)
+ - Update lookup tables for 4.1 kernel
+* Mon Nov 24 2014 mq@suse.cz
+- Update to version 2.4.1
+ Changelog 2.4.1
+ - Make python3 support easier
+ - Add support for ppc64le (Tony Jones)
+ - Add some translations for a1 of ioctl system calls
+ - Add command & virtualization reports to aureport
+ - Update aureport config report for new events
+ - Add account modification summary report to aureport
+ - Add GRP_MGMT and GRP_CHAUTHTOK event types
+ - Correct aureport account change reports
+ - Add integrity event report to aureport
+ - Add config change summary report to aureport
+ - Adjust some syslogging level settings in audispd
+ - Improve parsing performance in everything
+ - When ausearch outputs a line, use the previously parsed values (Burn Alting)
+ - Improve searching and interpreting groups in events
+ - Fully interpret the proctitle field in auparse
+ - Correct libaudit and auditctl support for kernel features
+ - Add support for backlog_time_wait setting via auditctl
+ - Update syscall tables for the 3.18 kernel
+ - Ignore DNS failure for email validation in auditd (#1138674)
+ - Allow rotate as action for space_left and disk_full in auditd.conf
+ - Correct login summary report of aureport
+ - Auditctl syscalls can be comma separated list now
+ - Update rules for new subsystems and capabilities
+- Drop patch audit-add-ppc64le-mach-support.patch (already upstream)
+* Tue Sep 2 2014 tonyj@suse.com
+- Update to version 2.4
+ Changelog 2.4
+ - Optionally parse loginuids, (e)uids, & (e)gids in ausearch/report
+ - In auvirt, anomaly events don't have uuid (#1111448)
+ - Fix category handling in various records (#1120286)
+ - Fix ausearch handling of session id on 32 bit systems
+ - Set systemd startup to wait until systemd-tmpfiles-setup.service (#1097314)
+ - Interpret a0 of socketcall and ipccall syscalls
+ - Add pkgconfig file for libaudit
+ - Add go language bindings for limited use of libaudit
+ - Fix ausearch handling of exit code on 32 bit systems
+ - Fix bug in aureport string linked list handling
+ - Document week-ago time setting in ausearch/report man page
+ - Update tables for 3.16 kernel
+ - In aulast, on bad logins only record user_login proof and use it
+ - Add libaudit API for kernel features
+ - If audit=0 on kernel cmnd line, skip systemd activation (Cristian Rodríguez)
+ - Add checkpoint --start option to ausearch (Burn Alting)
+ - Fix arch matching in ausearch
+ - Add --loginuid-immutable option to auditctl
+ - Fix memory leak in auditd when log_format is set to NOLOG
+ - Update auditctl to display features in the status command
+ - Add ausearch_add_timestamp_item_ex() to auparse
+ Changelog 2.3.7
+ - Limit number of options in a rule in libaudit
+ - Auditctl cannot load rule with lots of syscalls (#1089713)
+ - In ausearch, fix checkpointing when inode is reused by new log (Burn Alting)
+ - Add PROCTITLE and FEATURE_CHANGE event types
+* Tue Sep 2 2014 tonyj@suse.com
+- Add support for ppc64le (bnc#891861)
+ New patch: audit-add-ppc64le-mach-support.patch
+* Tue Apr 15 2014 tonyj@suse.com
+- Update to version 2.3.6
+ Changelog 2.3.6
+ - Add an option to auditctl to interpret a0 - a3 of syscall rules when listing
+ - Improve ARM and AARCH64 support (AKASHI Takahiro)
+ - Add ausearch --checkpoint feature (Burn Alting)
+ - Add --arch option to ausearch
+ - Improve too long config line in audispd, auditd, and auparse (#1071580)
+ - Fix aulast to accept the new AUDIT_LOGIN record format
+ - Remove clear_config symbol in auparse
+ Changelog 2.3.5
+ - In CRYPTO_KEY_USER events, do not interpret the 'fp' field
+ - Change formatting of rules listing in auditctl to look like audit.rules
+ - Change auditctl to do all netlink comm and then print rules
+ - Add a debug option to ausearch to find skipped events
+ - Parse subject, auid, and ses in LOGIN events (3.14 kernel changed format)
+ - In auditd, when shifting logs, ignore the num_logs setting (#950158)
+ - Allow passing a directory as the input file for ausearch/report (LC Bruzenak)
+ - Interpret syscall fields in SECCOMP events
+ - Increase a couple buffers to handle longer input
+ Changelog 2.3.4
+ - Parse path in CONFIG_CHANGE events
+ - In audisp-remote, fix retry logic for temporary network failures
+ - In auparse, add get_type_name function
+ - Add --no-config command option to aureport
+ - Fix interpretting MCS seliunx contexts in ausearch (#970675)
+ - In auparse, classify selinux contexts as MAC_LABEL field type
+ - In ausearch/report parse vm-ctx and img-ctx as selinux labels
+ - Update translation tables for the 3.14 kernel
+* Tue Feb 4 2014 tonyj@suse.com
+- Update to version 2.3.3
+ Changelog 2.3.3
+ - Documentation updates
+ - Add AUDIT_USER_MAC_CONFIG_CHANGE event for MAC policy changes
+ - Update interpreting scheduler policy names
+ - Update automake files to automake-1.13.4
+ - Remove CAP_COMPROMISE_KERNEL interpretation
+ - Parse name field in AVC's (#1049916)
+ - Add missing typedef for auparse_type_t enumeration (#1053424)
+ - Fix parsing encoded filenames in records
+ - Parse SECCOMP events
+* Tue Nov 26 2013 tonyj@suse.com
+- Update to version 2.3.2
+ Changelog 2.3.2
+ - Put RefuseManualStop in the right systemd section (#969345)
+ - Add legacy restart scripts for systemd support
+ - Add more syscall argument interpretations
+ - Add 'unset' keyword for uid & gid values in auditctl
+ - In ausearch, parse obj in IPC records
+ - In ausearch, parse subj in DAEMON_ROTATE records
+ - Fix interpretation of MQ_OPEN and MQ_NOTIFY events
+ - In auditd, restart dispatcher on SIGHUP if it had previously exited
+ - In audispd, exit when no active plugins are detected on reconfigure
+ - In audispd, clear signal mask set by libev so that SIGHUP works again
+ - In audispd, track binary plugins and restart if binary was updated
+ - In audispd, make sure we send signals to the correct process
+ - In auditd, clear signal mask when spawning any child process
+ - In audispd, make builtin plugins respond to SIGHUP
+ - In auparse, interpret mode flags of open syscall if O_CREAT is passed
+ - In audisp-remote, don't make address lookup always a permanent failure
+ - In audisp-remote, remove EOE events more efficiently
+ - In auditd, log the reason when email account is not valid
+ - In audisp-remote, change default remote_ending action to reconnect
+ - Add support for Aarch64 processors
+ Changelog 2.3.1
+ - Rearrange auditd setting enabled and pid to avoid a race (#910568)
+ - Interpret the ocomm field from OBJ_PID records
+ - Fix missing 'then' statement in sysvinit script
+ - Switch ausearch to use libauparse for interpretting fields
+ - In libauparse, interpret prctl arg0, sched_setscheduler arg1
+ - In auparse, check source_list isn't NULL when opening next file (Liequan Che)
+ - In libauparse, interpret send* flags argument
+ - In libauparse, interpret level and name options for set/getsockopt
+ - In ausearch/report, don't flush events until last file (Burn Alting)
+ - Don't use systemctl to stop the audit daemon
+ Changelog 2.3
+ - The clone(2) man page is really clone(3), fix interpretation of clone syscall
+ - Add systemd support for reload (#901533)
+ - Allow -F msgtype on the user filter
+ - Add legacy support for resuming logging under systemd (#830780)
+ - Add legacy support for rotating logs under systemd (#916611)
+ - In auditd, collect SIGUSR2 info for DAEMON_RESUME events
+ - Updated man pages
+ - Update libev to 4.15
+ - Update syscall tables for 3.9 kernel
+ - Interpret MQ_OPEN events
+ - Add augenrules support (Burn Alting)
+ - Consume less stack sending audit events
+* Fri Jun 28 2013 coolo@suse.com
+- remove libcap-ng too from audit.spec as it's only needed for plugins
+ (and libcap-ng itself needs python to build bindings)
+* Thu Jun 27 2013 tonyj@suse.com
+- Eliminate build cycles. audit.spec now builds only libs/devel.
+ Remainder (including daemon) built from audit-secondary.spec
+* Fri Apr 26 2013 mmeister@suse.com
+- audit-no_m4_dir.patch: Removed AC_CONFIG_MACRO_DIR([m4]) from
+ configure.ac to fix build with new automake
+* Mon Mar 25 2013 crrodriguez@opensuse.org
+- --with-libcap-ng=yes has no effect if libcap-ng is not
+ buildrequired and the lack of those requires causes a broken
+ configure script after autoreconf add pkgconfig(libcap-ng)
+ to both audit and audit-secondary, cap-ng is actually only
+ use in the latter.
+* Mon Mar 25 2013 crrodriguez@opensuse.org
+- Version 2.2.3
+- Code cleanups
+- In spec file, don't own lib64/audit
+- Update man pages
+- Aureport no longer reads auditd.conf when stdin is used
+- Don't let systemd kill auditd if auditctl errors out
+- Update syscall table for 3.7 and 3.8 kernels
+- Add interpretation for setns and unshare syscalls
+- Code cleanup (Tyler Hicks)
+- Documentation cleanups (Laurent Bigonville)
+- Add dirfd interpretation to the *at functions
+- Add termination signal to clone flags interpretation
+- Update stig.rules
+- In auditctl, when listing rules don't print numeric value of dir fields
+- Add support for rng resource type in auvirt
+- Fix aulast bad login output (#922508)
+- In ausearch, allow negative numbers for session and auid searches
+- In audisp-remote, if disk_full_action is stop then stop sending (#908977)
+* Fri Mar 22 2013 crrodriguez@opensuse.org
+- remove sysvinit scripts.
+* Wed Jan 30 2013 crrodriguez@opensuse.org
+- remove old tarball and update -secondary spec
+* Wed Jan 30 2013 crrodriguez@opensuse.org
+- Audit 2.2.2 , the purpose of this update is too add compatibility
+ with systemd for 12.3
+- In auditd, tcp_max_per_addr was allowing 1 more connection than specified
+- In ausearch, fix matching of object records
+- Auditctl was returning -1 when listing rules filtered on a key field
+- Add interpretations for CAP_BLOCK_SUSPEND and CAP_COMPROMISE_KERNEL
+- Add armv5tejl, armv5tel, armv6l and armv7l machine types (Nathaniel Husted)
+- Updates for the 3.6 kernel
+- Add auparse_feed_has_data function to libauparse
+- Update audisp-prelude to use auparse_feed_has_data
+- Add support to conditionally build auditd network listener (Tyler Hicks)
+- In auditd, reset a flag after receiving USR1 signal info when rotating logs
+- Add optional systemd init script support
+- Add support for SECCOMP event type
+- Don't interpret aN_len field in EXECVE records (#869555)
+- In audisp-remote, do better job of draining queue
+- Fix capability parsing in ausearch/auparse
+- Interpret BPRM_FCAPS capability fields
+- Add ANOM_LINK event type
+* Tue Jan 22 2013 jengelh@inai.de
+- Executing autoreconf requires autoconf
+* Fri Oct 12 2012 coolo@suse.com
+- update to 2.2.1, upstream changelog:
+ 2.2.1
+ - Add more interpretations in auparse for syscall parameters
+ - Add some interpretations to ausearch for syscall parameters
+ - In ausearch/report and auparse, allocate extra space for node names
+ - Update syscall tables for the 3.3.0 kernel
+ - Update libev to 4.0.4
+ - Reduce the size of some applications
+ - In auditctl, check usage against euid rather than uid
+ 2.2
+ - Correct all rules for clock_settime
+ - Fix possible segfault in auparse library
+ - Handle malformed socket addresses better
+ - Improve performance in audit_log_user_message()
+ - Improve performance in writing to the log file in auditd
+ - Syscall update for accept4 and recvmmsg
+ - Update autrace resource usage mode syscall list
+ - Improved sample rules for recent syscalls
+ - Add some debug info to audisp-remote startup and shutdown
+ - Make compiling with Python optional
+ - In auditd, if disk_error_action is ignore, don't syslog anything
+ - Fix some memory leaks
+ - If audispd is stopping, don't restart children
+ - Add support in auditctl for shell escaped filenames (Alexander)
+ - Add search support for virt events (Marcelo Cerri)
+ - Update interpretation tables
+ - Sync auparse's auditd config parser with auditd's parser
+ - In ausearch, also use cwd fields in file name searchs
+ - In ausearch, parse cwd in USER_CMD events
+ - In ausearch, correct parsing of uid in user space events
+ - In ausearch, update parsing of integrity events
+ - Apply some text cleanups from Debian (Russell Coker)
+ - In auditd, relax some permission checks for external apps
+ - Add ROLE_MODIFY event type
+ - In auditctl, new -c option to continue through bad rules but with failed exit
+ - Add auvirt program to do special reporting on virt events (Marcelo Cerri)
+ - Add interfield comparison support to auditctl (Peter Moody)
+ - Update auparse type intepretation for apparmor (Marcelo Cerri)
+ - Increase tcp_max_per_addr maximum to 1024.
+- remove audit-no_python.patch, there is a configure switch for that now
+- remove prereq on sysvinit
+* Tue Feb 28 2012 tonyj@suse.com
+- Update to version 2.1.3, upstream changelog:
+ - 2.1.3
+ - Fix parsing of EXECVE records to not escape argc field
+ - If auditd's disk is full, send the right reason to client (#715315)
+ - Add CAP_WAKE_ALARM to interpretations
+ - Some updates to audisp-remote's remote-fgets function (Mirek Trmac)
+ - Add detection of TTY events to audisp-prelude (Matteo Sessa)
+ - Updated syscall tables for the 3.0 kernel
+ - Update linker flags for better relro support
+ - Make default size of logs bigger (#727310)
+ - Extract obj from NETFILTER_PKT events
+ - Disable 2 kerberos config options in audisp-remote.conf
+ - 2.1.2
+ - In ausearch/report, fix a segfault caused by MAC_POLICY_LOAD records
+ - In ausearch/report, add and update parsers
+ - In auditd, cleanup DAEMON_ACCEPT and DAEMON_CLOSE addr fields
+ - In ausearch/report, parse addr field of DAEMON_ACCEPT & DAEMON_CLOSE records
+ - In auditd, move startup success to after events are registered
+ - If auditd shutsdown due to failed tcp init, write a DAEMON_ABORT event
+ - Update auditd to avoid the oom killer in new kernels (Andreas Jaeger)
+ - Parse and interpret NETFILTER_PKT events correctly
+ - Return error if auditctl -l fails (#709345)
+ - In audisp-remote, replace glibc's fgets with custom implementation
+* Fri Sep 30 2011 coolo@suse.com
+- add libtool as buildrequire to make the spec file more reliable
+* Sat Sep 17 2011 jengelh@medozas.de
+- Remove redundant tags/sections from specfile
+- Add audit-devel to baselibs
+* Wed May 11 2011 meissner@suse.de
+- Adjust license of libaudit and libauparse to be
+ LGPLv2.1 or later.
+* Wed Apr 27 2011 tonyj@novell.com +- Update to version 2.1.1, upstream changelog: + - 2.1.1 + - When ausearch is interpretting, output "as is" if no = is found + - Correct socket setup in remote logging + - Adjusted a couple default settings for remote logging and init script + - Audispd was not marking restarted plugins as active + - Audisp-remote should keep a capability if local_port < 1024 + - When audispd restarts plugin, send event in its preferred format + - In audisp-remote, make all I/O asynchronous + - In audisp-remote, add sigusr1 handler to dump internal state + - Fix autrace to use correct syscalls on s390 and s390x systems + - Add shutdown syscall to remote logging teardowns + - Correct autrace rule for 32 bits systems + 2.1 + - Update auditctl man page for new field on user filter + - Fix crash in aulast when auid is foreign to the system + - Code cleanups + - Add store and forward model to audispd-remote (Mirek Trmac) + - Free memory on failed startups in audisp-prelude + - Fix memory leak in aureport + - Fix parsing state problem in libauparse + - Improve the robustness of libaudit field encoding functions + - Update capability tables + - In auditd, make failure action config checking consistent + - In auditd, check that NULL is not being passed to safe_exec + - In audisp-remote, overflow_action wasn't suspending if that action was chosen + - Update interpretations for virt events + - Improve remote logging warning and error messages + - Add interpretations for netfilter events + 2.0.6 + - ausearch/report performance improvements + - Synchronize all sample syscall rules to use action,list + - If program name provided to audit_log_acct_message, escape it + - Fix man page for the audit_encode_nv_string function (#647131) + - If value is NULL, don't segfault (#647128) + - Fix simple event parsing to not assume session id can't be last (Peng Haitao) + - Add support for new mmap audit event type + - Add ability for audispd syslog plugin to choose 
facility local0-7 (#593340) + - Fix autrace to use correct syscalls on i386 systems (Peng Haitao) + - On startup and reconfig, check for excess logs and unlink them + - Add a couple missing parser debug messages + - Fix error output resolving numeric address and update man page + - Add netfilter event types + - Fix spelling error in audit.rules man page (#667845) + - Improve warning in auditctl regarding immutable mode (#654883) + - Update syscall tables for the 2.6.37 kernel + - In ausearch, allow searching for auid -1 + - Add queue overflow_action to audisp-remote to control queue overflows + - Update sample rules for new syscalls and packages +* Mon Feb 21 2011 aj@suse.de +- Fix value of oom_score_adj. +* Tue Dec 7 2010 coolo@novell.com +- prereq init script syslog +* Sun Nov 7 2010 cristian.rodriguez@opensuse.org +- use full RELRO. +* Tue Sep 28 2010 tonyj@novell.com +- Update to version 2.0.5 (drop: audit-as_needed.patch) +- Update README-BEFORE-ADDING-PATCHES +- Upstream 2.0.5 changelog: + - Make auparse handle empty AUSOURCE_FILE_ARRAY correctly (Miloslav Trmač) + - On i386, audit rules do not work on inode's with a large number (#554553) + - Fix displaying of inode values to be unsigned integers when listing rules + - Correct Makefile install of audispd (Jason Tang) + - Syscall table updates for 2.6.34 kernel + - Add definitions for service start and stop + - Fix handling of ignore errors in auditctl + - Fix gssapi support to build with new linker options + - Add virtualization event types + - Update aureport program help and man pages to show all options +* Tue Sep 28 2010 aj@suse.de +- Annotate patch audit-oom_score_adj. +* Mon Sep 27 2010 aj@suse.de +- Use /proc//oom_score_adj if available. +* Mon Jun 28 2010 jengelh@medozas.de +- use %%_smp_mflags +* Fri Jun 25 2010 tonyj@novell.com +- Minor changes to README-BEFORE-ADDING-PATCHES file. 
+- Add this file as %%source in spec +* Fri Jun 25 2010 dmueller@suse.de +- obsolete -XXbit package +* Tue May 4 2010 tonyj@suse.de +- Update to version 2.0.4. This is a major version update, + libaudit.so has changed version. There is no backward compatibility. + audit-libs has been split into libaudit1 and libauparse0. +- Redhat changelog for 2.0 - 2.0.4 follows: + * 2.0.4 + - Make alpha processor support optional + - Add support for the arm eabi processor + - add a compatible regexp processing capability to auparse (Miloslav Trmač) + - Fix regression in parsing user space originating records in aureport + - Add tcp_max_per_addr option in auditd.conf to limit concurrent connections + - Rearrange shutdown of auditd to allow DAEMON_END event more time + * 2.0.3 + - In auditd, tell libev to stop processing a connection when idle timeout + - In auditd, tell libev to stop processing a connection when shutting down + - Interpret CAPSET records in ausearch/auparse + * 2.0.2 + - If audisp-remote plugin has a queue at exit, use non-zero exit code + - Fix autrace to use the exit filter + - In audisp-remote, add a sigchld handler + - In auditd, check for duplicate remote connections before accepting + - Remove trailing ':' if any are at the end of acct fields in ausearch + - Update remote logging code to do better sanity check of data + - Fix audisp-prelude to prefer files if multiple path records are encountered + - Add libaudit.conf man page + - In auditd, disconnect idle clients + * 2.0.1 + - Aulast now reads daemon_start events for the kernel version of reboot + - Clarify the man pages for ausearch/report regarding locale and date formats + - Fix getloginuid for python bindings + - Disable the audispd af_unix plugin by default + - Add a couple new init script actions for LSB 3.2 + - In audisp-remote plugin, timeout network reads (#514090) + - Make some error logging in audisp-remote plugin more prominent + - Add audit.rules man page + - Interpret the session field in 
audit events + * 2.0 + - Remove system-config-audit + - Get rid of () from userspace originating events + - Removed old syscall rules API - not needed since 2.6.16 + - Remove all use of the old rule structs from API + - Fix uninitialized variable in auditd log rotation + - Add libcap-ng support for audispd plugins + - Removed ancient defines that are part of kernel 2.6.29 headers + - Bump soname number for libaudit + - In auditctl, deprecate the entry filter and move rules to exit filter + - Parse integrity audit records in ausearch/report (Mimi Zohar) + - Updated syscall table for 2.6.31 kernel + - Remove support for the legacy negate syscall rule operator + - In auditd reset syslog warnings if disk space becomes available +* Sun Dec 13 2009 jengelh@medozas.de +- add baselibs.conf as a source +* Tue Nov 3 2009 coolo@novell.com +- updated patches to apply with fuzz=0 +* Mon Sep 28 2009 crrodriguez@suse.de +- do not package static libraries +- fix -devel package dependencies +* Sat Jun 20 2009 cmorve69@yahoo.es +- fixed build with --as-needed +* Fri Jun 19 2009 coolo@novell.com +- disable as-needed for this package as it fails to build with it +* Mon May 11 2009 tonyj@suse.de +- Update from 1.7.7 to 1.7.13. 
+- Redhat changelog for 1.7.8 - 1.7.13 follows: + * Tue Apr 21 2009 Steve Grubb 1.7.13-1 + - Disable libev asserts unless --with-debug passed to configure + - Handle kernel 2.6.29's audit = 0 boot parameter better + - Install audit.py file in arch specific python directory (Dan Walsh) + - Fix problem with negative uids in audit rules on 32 bit systems + - When file type is unknown, output octal for mode field (Miloslav Trmač) + - Update tty keystroke interpretations (Miloslav Trmač) + * Tue Feb 24 2009 Steve Grubb 1.7.12-1 + - Add definitions for crypto events + - Fix regression where msgtype couldn't be used as a range in audit rules + - In libaudit, extend time spent checking reply + - In acct events, prefer id over acct if given + - In aulast, try id and acct in USER_LOGIN events + - When in immutable mode, have auditctl tell user instead of sending rules + - Add option to sysconfig to disable audit system on auditd stop + - Add tcp_wrappers config option to auditd + - Aulastlog can now take input from stdin + - Update libaudit python bindings to throw exceptions on error + - Adjust formatting of TTY data in libauparse to be like ausearch/report + - Add more key mappings to TTY interpretations + - Add internal queue to audisp-remote + - Fix failure action code to allow executables in audisp-remote (Chu Li) + - Fix memory leak when NOLOG log_format option given to auditd + - Quieten some of the reconnect text being sent to syslog in audisp-remote + - Apply some libev fixups to auditd + - Cleanup shutdown sequence of auditd + - Allow auditd log rotation via SIGUSR1 when NOLOG log format option given + * Sat Jan 10 2009 Steve Grubb 1.7.11-1 + - Don't error out in auditd when calling setsid + - Reformat a couple auditd error messages (Oden Eriksson) + - If log rotate fails, leave the old log writable + - Fixed bug in setting up auditd event loop when listening + - Warn if on biarch machine and auditctl rules show a syscall mismatch + - Audisp-remote was not parsing 
some config options correctly + - In auparse, check for single key in addition to virtual keys + - When auditd shuts down, send AUDIT_RMW_TYPE_ENDING messages to clients + - Created reconnect option to remote ending setting of audisp-remote + * Sat Dec 13 2008 Steve Grubb 1.7.10-1 + - Fix ausearch and aureport to handle out of order events + - Add line-buffer option to ausearch & timeout pipe input (Tony Jones) + - Add support in ausearch/report for tty data + - In audisp-remote, allow the keyword "any" for local_port + - Tighten parsing for -m and -w options in auditctl + - Add session query hint for aulast proof + - Fix audisp-remote to tolerate krb5 config options when not supported + - Created new aureport option for tty keystroke report + - audispd should detect backup config files and not use them + - When checking for ack in netlink interface, retry on EAGAIN a few times + - In aureport, fix mods report to show acct acted upon + * Wed Nov 05 2008 Steve Grubb 1.7.9-1 + - Fix uninitialized variable in aureport causing segfault + - Quieten down the gssapi not supported messages + - Fix bug interpretting i386 logs on x86_64 machines + - If kernel is in immutable mode, auditd should not send enable command + - Fix ausearch/report recent and now time keyword lookups + - Created aulast program + - prelude plugin should pull auid for login alert from 2nd uid field + - Add system boot, shutdown, and run level change events + - Add max_restarts to audispd.conf to limit times a plugin is restarted + - Expand session detection in ausearch + * Wed Oct 22 2008 Steve Grubb 1.7.8-1 + - Interpret TTY audit data in auparse (Miloslav Trmač) + - Extract terminal from USER_AVC events for ausearch/report (Peng Haitao) + - Add USER_AVCs to aureport's avc reporting (Peng Haitao) + - Short circuit hostname resolution in libaudit if host is empty + - If log_group and user are not root, don't check dispatcher perms + - Fix a bug when executing "ausearch -te today PM" + - Add --exit 
search option to ausearch + - Fix parsing config file when kerberos is disabled +* Tue Apr 14 2009 dmueller@suse.de +- refresh patches +* Wed Dec 10 2008 olh@suse.de +- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade + (bnc#437293) +* Fri Dec 5 2008 tonyj@suse.de +- Revision to previous fix for bnc#445353. + These should go into SLES11 RC1. + 1) Add --line-buffered option to limit when stdout is flushed (performance). + 2) Testing found a related bug where (if input is a pipe) the last logical + record would permanently be queued waiting for a subsequent record indicating + end of the previous. This subsequent record may never arrive. Timer is + now run causing this record to be flushed if no new record arrives within + timeout. This fix is upstream also. +* Fri Nov 21 2008 tonyj@suse.de +- Force ausearch to flush stdout if pipe (bnc#445353) +* Thu Oct 30 2008 olh@suse.de +- obsolete old -XXbit packages (bnc#437293) +* Fri Sep 26 2008 tonyj@suse.de +- Update from 1.7.4 to 1.7.7. 
GSS support disabled for present +- Redhat changelog for 1.7.5 - 1.7.7 follows: + * Wed Sep 11 2008 Steve Grubb 1.7.7-1 + - Bug fixes for gss code in remote logging (DJ Delorie) + - Fix ausearch -i to keep the node field in the output + - ausyscall now does strstr match on syscall names + - Makefile cleanup (Philipp Hahn) + - Add watched syscall support to audisp-prelude + - Use the right define for tcp_wrappers in auditd + - Expose encoding API for fields being logged from user space + * Wed Sep 11 2008 Steve Grubb 1.7.6-1 + - Update event record list and aureport classifications (Yu Zhiguo/Peng Haitao) + - Add subject to audit daemon events (Chu Li) + - Fix parsing of acct & exe fields in user records (Peng Haitao) + - Make client error handling in audisp-remote robust (DJ Delorie) + - Add tcp_wrappers support for auditd + - Updated syscall tables for 2.6.27 kernel + - Add heartbeat exchange to remote logging protocol (DJ Delorie) + - Audit connect/disconnect of remote clients + - In ausearch, collect pid from AVC records (Peng Haitao) + - Add auparse_get_field_type function to describe field's contents + - Add GSS/Kerberos encryption to the remote protocol (DJ Delorie) + * Mon Aug 25 2008 Steve Grubb 1.7.5-1 + - Update system-config-audit to 0.4.8 + - Whole lot of bug fixes - see ChangeLog for details + - Reimplement auditd main loop using libev + - Add TCP listener to auditd to receive remote events +* Tue Aug 5 2008 tonyj@suse.de +- Remove audit rules on audit stop (bnc#409093) +* Tue Jun 24 2008 tonyj@suse.de +- Update from 1.7.2 to 1.7.4 +- Redhat changelog for 1.7.3 - 1.7.4 follows: + * Mon May 19 2008 Steve Grubb 1.7.4-1 + - Fix interpreting of keys in syscall records + - Interpret audit rule config change list fields + - Don't error on name=(null) PATH records in ausearch/report + - Add key report to aureport + - Fix --end today to be now + - Added python bindings for auparse_goto_record_num + - Update system-config-audit to 0.4.7 (Miloslav Trmac) + - Add 
support for the filetype field option in auditctl + - In audispd boost priority after starting children + * Fri May 09 2008 Steve Grubb 1.7.3-1 + - Fix path processing in AVC records. + - auparse_find_field_next() wasn't resetting field ptr going to next record. + - auparse_find_field() wasn't checking current field before iterating + - cleanup some string handling in audisp-prelude plugin + - Update auditctl man page + - Fix output of keys in ausearch interpretted mode + - Fix ausearch/report --start now to not be reset to midnight + - Added auparse_goto_record_num function + - Prelude plugin now uses auparse_goto_record_num to avoid skipping a record + - audispd now has a priority boost config option + - Look for laddr in avcs reported via prelude + - Detect page 0 mmaps and alert via prelude +- Update from 1.6.8 to 1.7.2 +- Complete fix for BNC# 378725 +- Redhat changelog for 1.6.9-1.7.2 follows: + * Wed Apr 09 2008 Steve Grubb 1.7.2-1 + - gen_table.c now includes IPC defines to avoid glibc-headers wild goose chase + - ausyscall program added for cross referencing syscall name and number info + - Add login session ID search capability to ausearch + * Tue Apr 08 2008 Steve Grubb 1.7.1-1 + - Remove LSB headers info for init scripts + - Fix buffer overflow in audit_log_user_command, again (#438840) + - Fix memory leak in EOE code in auditd (#440075) + - In auditctl, don't use new operators in legacy rule format + - Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac) + - Add example STIG rules file + - Add string table lookup performance improvement patch (Miloslav Trmac) + - auparse_find_field_next performance improvement + * Sun Mar 30 2008 Steve Grubb 1.7-1 + - Improve input error handling in audispd + - Improve end of event detection in auparse library + - Improve handling of abstract namespaces + - Add test mode for prelude plugin + - Handle user space avcs in prelude plugin + - Audit event serial number now recorded in idmef alert + - 
Add --just-one option to ausearch + - Fix watched account login detection for some failed login attempts + - Couple fixups in audit logging functions (Miloslav Trmac) + - Add support in auditctl for virtual keys + - Added new type for user space MAC policy load events + - auparse_find_field_next was not iterating correctly, fixed it + - Add idmef alerts for access or execution of watched file + - Fix buffer overflow in audit_log_user_command + - Add basic remote logging plugin - only sends & no flow control + - Update ausearch with interpret fixes from auparse + * Sun Mar 09 2008 Steve Grubb 1.6.9-1 + - Apply hidden attribute cleanup patch (Miloslav Trmac) + - Apply auparse expression interface patch (Miloslav Trmac) + - Fix potential memleak in audit event dispatcher + - Change default audispd queue depth to 80 + - Update system-config-audit to version 0.4.6 (Miloslav Trmac) + - audisp-prelude alerts now controlled by config file + - Updated syscall table for 2.6.25 kernel + - Apply patch correcting acct field being misencoded (Miloslav Trmac) + - Added watched account login detection for prelude plugin +* Wed Apr 23 2008 tonyj@suse.de +- Fix for bnc#378725 VUL-0: audit buffer overflow +* Thu Apr 10 2008 ro@suse.de +- added baselibs.conf file to build xxbit packages + for multilib support +* Wed Mar 26 2008 tonyj@suse.de +- Update from 1.6.2 to 1.6.8. +- Move audisp-plugins to new secondary spec (along with existing + python libs). 
+- Redhat changelog follows: + * Thu Feb 14 2008 Steve Grubb 1.6.8-1 + - Update for gcc 4.3 + - Cleanup descriptors in audispd before running plugin + - Fix 'recent' keyword for aureport/search + - Fix SE Linux policy for zos_remote plugin + - Add event type for group password authentication attempts + - Couple of updates to the translation tables + - Add detection of failed group authentication to audisp-prelude + * Thu Jan 31 2008 Steve Grubb 1.6.7-1 + - In ausearch/report, prefer -if to stdin + - In ausearch/report, add new command line option --input-logs (#428860) + - Updated audisp-prelude based on feedback from prelude-devel + - Added prelude alert for promiscuous socket being opened + - Added prelude alert for SE Linux policy enforcement changes + - Added prelude alerts for Forbidden Login Locations and Time + - Applied patch to auparse fixing error handling of searching by + interpreted value (Miloslav Trmac) + * Sat Jan 19 2008 Steve Grubb 1.6.6-1 + - Add prelude IDS plugin for IDMEF alerts + - Add --user option to aulastlog command + - Use desktop-file-install for system-config-audit + * Mon Jan 07 2008 Steve Grubb 1.6.5-1 + - Add more errno strings for exit codes in auditctl + - Fix config parser to allow either 0640 or 0600 for audit logs (#427062) + - Check for audit log being writable by owner in auditd + - If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639) + - Updated CAPP, LSPP, and NISPOM rules for new capabilities + - Added aulastlog utility + * Sat Dec 29 2007 Steve Grubb 1.6.4-1 + - fchmod of log file was on wrong variable (#426934) + - Allow use of errno strings for exit codes in audit rules + * Thu Dec 27 2007 Steve Grubb 1.6.3-1 + - Add kernel release string to DEAMON_START events + - Fix keep_logs when num_logs option disabled (#325561) + - Fix auparse to handle node fields for syscall records + - Update system-config-audit to version 0.4.5 (Miloslav Trmac) + - Add keyword week-ago to aureport & ausearch start/end 
times + - Fix audit log permissions on rotate. If group is root 0400, otherwise 0440 + - Add RACF zos remote audispd plugin (Klaus Kiwi) + - Add event queue overflow action to audispd +* Tue Mar 18 2008 schwab@suse.de +- Use autoreconf. +* Wed Oct 31 2007 tonyj@suse.de +- Incorporate 1 more Redhat fixe post 1.6.2 +- Go back to 10.2 behaviour wrt to starting in disabled state. + This time using patch submitted upstream, fix for #Bug 333739 +* Wed Oct 10 2007 tonyj@suse.de +- Upgrade to 1.6.2 + Plus two bugs discovered in Fedora, will be fixed in 1.6.3 +* Tue Jul 24 2007 tonyj@suse.de +- Upgrade to 1.5.5 + Correct bug in audit_make_equivalent function (Al Viro) + Local: add AppArmor audit ID (upstream in 1.5.6) + don't build RedHat system-config-audit +* Wed Jul 11 2007 tonyj@suse.de +- Upgrade to 1.5.4 + Add feed interface to auparse library (John Dennis) + Apply patch to libauparse for unresolved symbols (#241178) + Apply patch to add line numbers for file events in libauparse (John Dennis) + Change seresults to seresult in libauparse (John Dennis) + Add unit32_t definition to swig (#244210) + Add support for directory auditing + Update acct field to be escaped +- Fix for #280487 "%%ghost /var/log/audit/audit.log will remove the logfile" +* Mon May 7 2007 rguenther@suse.de +- Drop pkg-config BuildRequires introduced by last change. +* Wed May 2 2007 tonyj@suse.de +- Upgrade to 1.5.3. 
Drop AUDITD_DISABLE_CONTEXTS from audit sysconfig +* Wed Nov 29 2006 tonyj@suse.de +- Upgrade to 1.2.9 (drop several patches which are now upstream) +- Move to using /etc/audit directory for config files +* Thu Aug 31 2006 tonyj@suse.de +- Upgrade to 1.2.6-1 +* Sat Aug 26 2006 olh@suse.de +- do not define __KERNEL__ in userland apps +- remove unused sys/syscall.h include +* Wed Aug 16 2006 cthiel@suse.de +- split audit into audit and audit-libs-python +* Fri May 5 2006 sbeattie@suse.de +- disable syscall audit context creation by default #172154 +* Mon Mar 20 2006 meissner@suse.de +- Do not print a misleading errormessage when audit + is not compiled into the kernel. #152733 +* Mon Mar 6 2006 meissner@suse.de +- On kernels without auditing, which report ECONNREFUSED, + do not output stuff to stderr on startup. #152733 +* Sat Feb 25 2006 kukuk@suse.de +- Fix moving of devel libraries, don't install .la file +* Wed Feb 22 2006 meissner@suse.de +- moved libaudit.so symlink to /usr/lib and to -devel package, + as requested by Thorsten. +* Fri Feb 17 2006 meissner@suse.de +- check sendto() return against -1 (error with errno set). +* Wed Jan 25 2006 mls@suse.de +- converted neededforbuild to BuildRequires +* Wed Jan 25 2006 ro@suse.de +- fix fillup call since filename != packagename +* Tue Jan 24 2006 ro@suse.de +- do not skip fillup in postinstall +* Mon Jan 23 2006 dreynolds@suse.de +- Modified inssrv macro args to enable on boot +* Wed Jan 18 2006 tonyj@suse.de +- Add support for AppArmor (submitted upstream for 1.1.4) +* Fri Jan 13 2006 meissner@suse.de +- Updated to 1.1.3. +- Moved audispd to /usr/sbin since it uses /usr/lib/libstdc++ +- Updated sysconfig snippet. +* Tue Nov 8 2005 meissner@suse.de +- upgraded to 1.0.12. +* Fri Nov 4 2005 kukuk@suse.de +- Update to 1.0.9. +* Wed Oct 12 2005 meissner@suse.de +- upgraded to 1.0.6. ptrdift patch now solved upstream. 
+* Wed Oct 5 2005 meissner@suse.de +- Upgraded to 1.0.5 +* Wed Oct 5 2005 dmueller@suse.de +- add norootforbuild +* Mon Sep 26 2005 meissner@suse.de +- Upgraded to 1.0.4. + - Make rate & backlog 32 bit unsigned int in auditctl + - In auditctl, if -F arch is given with -t option, don't require list + - Update auditd man page + - Add size check to audit_send + - Update message for audit_open failure when kernel doesn't support audit +* Tue Aug 23 2005 meissner@suse.de +- Upgraded to 1.0.3 bugfix release: + - adjust file perms of newly created log file in auditd + - fix 2 memory leaks and an out of bounds access in auditd + - fix case where auditd was closing netlink descriptor too early + - fix watch rules not to take field arguments in auditctl + - fix bug where inode, devmajor, devminor, exit, and success fields in auditctl + rules were not getting the correct value stored +* Wed Aug 17 2005 meissner@suse.de +- Added /var/log/audit directory and ghost audit.log #105131 +* Wed Aug 10 2005 meissner@suse.de +- Upgraded to 1.0.2 +* Thu Aug 4 2005 meissner@suse.de +- Upgraded to 1.0.1. +* Mon Jul 11 2005 meissner@suse.de +- Update to version 0.9.16. +* Tue Jun 21 2005 meissner@suse.de +- Update to version 0.9.10. +* Fri Jun 17 2005 meissner@suse.de +- Update to version 0.9.7. +* Thu Jun 16 2005 kukuk@suse.de +- Update to version 0.9.5 +* Mon Jun 13 2005 ro@suse.de +- make it build with current includes +* Tue May 31 2005 meissner@suse.de +- Upgraded to 0.9. +* Fri May 13 2005 meissner@suse.de +- upgraded to 0.6.8 +* Tue Apr 19 2005 meissner@suse.de +- Upgraded to 0.6.11. +* Fri Apr 15 2005 pth@suse.de +- Make libaudit.h define pgoff_t by itself. +- Fix a minor warning. +* Wed Mar 30 2005 meissner@suse.de +- Upgraded to 0.6.9. +* Fri Mar 4 2005 meissner@suse.de +- Upgraded to 0.6.5. +* Thu Mar 3 2005 meissner@suse.de +- initial package of auditd for new kernel auditing system. diff --git a/audit.spec b/audit.spec new file mode 100644 index 0000000..c429740 --- /dev/null 
+++ b/audit.spec 
@@ -0,0 +1,171 @@
+#
+# spec file for package audit
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%ifarch x86_64
+%bcond_without livepatching
+%else
+%bcond_with livepatching
+%endif
+
+Name: audit
+Version: 3.0.6
+Release: 150400.4.13.1
+Summary: Linux kernel audit subsystem utilities
+License: GPL-2.0-or-later
+Group: System/Monitoring
+URL: https://people.redhat.com/sgrubb/audit/
+Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+Source1: baselibs.conf
+Source2: README-BEFORE-ADDING-PATCHES
+Patch0: change-default-log_group.patch
+BuildRequires: autoconf >= 2.12
+BuildRequires: kernel-headers >= 2.6.30
+BuildRequires: libtool
+BuildRequires: pkgconfig
+BuildRequires: tcpd-devel
+Requires: libaudit1 = %{version}
+Requires: libauparse0 = %{version}
+Provides: bundled(libev) = 4.33
+
+%description
+The audit package contains the user space utilities for storing and
+processing the records generated by the audit subsystem in the
+Linux kernel.
+
+%package -n libaudit1
+Summary: Library for interfacing with the kernel audit subsystem
+License: LGPL-2.1-or-later
+Group: System/Libraries
+Obsoletes: %{name}-libs < 2.0.4
+Provides: %{name}-libs = %{version}
+
+%description -n libaudit1
+The libaudit package contains the shared libraries needed for
+applications to use the audit framework.
+
+%package -n libauparse0
+Summary: Library for parsing and interpreting audit events
+License: LGPL-2.1-or-later
+Group: System/Libraries
+
+%description -n libauparse0
+The libauparse package contains the shared libraries needed to
+parse audit records.
+
+%package -n audit-devel
+Summary: Header files for libaudit
+License: LGPL-2.1-or-later
+Group: Development/Libraries/C and C++
+Requires: libaudit1 = %{version}
+Requires: libauparse0 = %{version}
+
+%description -n audit-devel
+The audit-devel package contains the header files
+needed for developing applications that need to use the audit framework
+libraries.
+
+%prep
+%autosetup -p1
+
+%build
+autoreconf -fi
+export CFLAGS="%{optflags} -fno-strict-aliasing"
+export CXXFLAGS="$CFLAGS"
+export LDFLAGS="-Wl,-z,relro,-z,now"
+# no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
+%configure \
+%ifarch aarch64
+ --with-aarch64 \
+%endif
+ --enable-systemd \
+ --libexecdir=%{_libexecdir}/%{name} \
+ --with-apparmor \
+ --with-libcap-ng=no \
+ --disable-static \
+ --with-python=no \
+ --disable-zos-remote
+
+%make_build -C common
+%make_build -C lib
+%make_build -C auparse
+%make_build -C docs
+
+%if %{with livepatching}
+# Workaround bsc#1208721: remove _patchable_function_entry from static libs.
+find . -name "*.a" -exec \
+ objcopy --remove-section "__patchable_function_entries" {} \;
+
+%define tar_basename audit-livepatch-%{version}-%{release}
+%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
+%define clones_dest_dir %{tar_basename}/%{_arch}
+
+# Ipa-clones are files generated by gcc which logs changes made across
+# functions, and we need to know such changes to build livepatches
+# correctly. These files are intended to be used by the livepatch
+# developers and may be retrieved by using `osc getbinaries`.
+#
+# Create ipa-clones destination folder and move clones there.
+mkdir -p ipa-clones/%{clones_dest_dir}
+find . -name "*.ipa-clones" ! -empty \
+ -exec cp -t ipa-clones/%{clones_dest_dir} --parents {} +
+
+# Create tarball with ipa-clones.
+tar -cJf %{tar_package_name} -C ipa-clones \
+ --owner root --group root --sort name %{tar_basename}
+
+# Copy tarball to the OTHER folder to store it as artifact.
+cp %{tar_package_name} %{_topdir}/OTHER
+%endif
+
+%install
+%make_install -C common
+%make_install -C lib
+%make_install -C auparse
+%make_install -C docs
+rm -rf %{buildroot}/%{_mandir}/man[578]
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}/%{_includedir}
+mkdir -p %{buildroot}/%{_mandir}/man5
+# We manually install this since Makefile doesn't
+install -m 0644 lib/libaudit.h %{buildroot}/%{_includedir}
+install -D -m 0644 ./m4/audit.m4 %{buildroot}%{_datadir}/aclocal/audit.m4
+# Install libaudit.conf files by hand
+install -m 0644 docs/libaudit.conf.5 %{buildroot}/%{_mandir}/man5
+install -m 0644 init.d/libaudit.conf %{buildroot}%{_sysconfdir}
+
+find %{buildroot} -type f -name "*.la" -delete -print
+
+%check
+%make_build -C lib check
+%make_build -C auparse check
+
+%post -n libaudit1 -p /sbin/ldconfig
+%post -n libauparse0 -p /sbin/ldconfig
+%postun -n libaudit1 -p /sbin/ldconfig
+%postun -n libauparse0 -p /sbin/ldconfig
+
+%files -n libaudit1
+%{_libdir}/libaudit.so.*
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/libaudit.conf
+%{_mandir}/man5/libaudit.conf.5%{ext_man}
+
+%files -n libauparse0
+%{_libdir}/libauparse.so.*
+
+%files -n audit-devel
+%doc contrib/plugin
+%{_libdir}/libaudit.so
+%{_libdir}/libauparse.so
+%{_includedir}/libaudit.h
+%{_includedir}/auparse.h
+%{_includedir}/auparse-defs.h
+%{_mandir}/man3/*
+%{_datadir}/aclocal/audit.m4
+%{_libdir}/pkgconfig/audit.pc
+%{_libdir}/pkgconfig/auparse.pc
+
+%changelog
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..2501155
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,7 @@
+libaudit1
+ obsoletes "audit-libs- < 2.0.4"
+libauparse0
+audit-devel
+ requires -audit-
+ requires "libaudit1- = "
+ requires "libauparse0- = "
diff --git a/change-default-log_group.patch b/change-default-log_group.patch
new file mode 100644
index 0000000..024fd36
--- /dev/null
+++ b/change-default-log_group.patch
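Review bot: Source0 is fetched over https but nothing in the spec checks who produced the tarball; if upstream publishes a detached signature next to audit-%{version}.tar.gz, add `Source3: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz.sig` and `Source4: %{name}.keyring` so the source validator verifies provenance rather than only transport. `--with-libcap-ng=no` also switches off the capability-dropping support that the audispd plugins use (see the 2.0 changelog entry above); that is moot for the library-only packages built here, but the flag deserves a one-line comment saying why it is off, since the same configure line is presumably shared with the daemon build. Finally, `%autosetup -p1` applies Patch0 although none of the files it touches is installed by this spec; a comment such as `# Patch0 changes init.d/auditd.conf, which the daemon package ships` would save the next maintainer from looking for its effect in libaudit1.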
@@ -0,0 +1,21 @@
+From: Enzo Matsumiya
+Date: Thu Jan 28 18:11:39 UTC 2021
+References: bsc#1178154
+Patch-mainline: Not yet, under review
+Subject: change default log_group to "audit"
+
+Change the default log_group to newly added "audit" group.
+
+Signed-Off-by: Enzo Matsumiya
+
+--- a/init.d/auditd.conf
++++ b/init.d/auditd.conf
+@@ -5,7 +5,7 @@
+ local_events = yes
+ write_logs = yes
+ log_file = /var/log/audit/audit.log
+-log_group = root
++log_group = audit
+ log_format = ENRICHED
+ flush = INCREMENTAL_ASYNC
+ freq = 50
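Review bot: Changing the shipped default `log_group = audit` makes auditd depend on a group that nothing in this change creates: the visible spec has no sysusers.d fragment and no `%pre` with `getent group audit >/dev/null || groupadd -r audit`, and auditd resolves log_group when it reads its config, so on a host without the group the daemon would, as far as I can tell from the config parser, refuse to start rather than fall back to root. Whichever package installs auditd.conf must provision the group (with a `Requires(pre)` on the tool that creates it), and the patch description should name that package instead of just saying "newly added". Note also that with a non-root log_group auditd sets the log to 0440 root:audit (see the 1.6.3 changelog entry above), so every member of `audit` can read the complete audit trail; create the group empty and document it as privileged.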