Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package audit for openSUSE:Factory checked in at 2021-10-20 20:22:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/audit (Old) and /work/SRC/openSUSE:Factory/.audit.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "audit"
Wed Oct 20 20:22:44 2021 rev:98 rq:926074 version:3.0.5
Changes:
--------
--- /work/SRC/openSUSE:Factory/audit/audit-secondary.changes 2021-10-01 22:28:53.961356972 +0200
+++ /work/SRC/openSUSE:Factory/.audit.new.1890/audit-secondary.changes 2021-10-20 20:22:56.481328336 +0200
@@ -1,0 +2,18 @@
+Fri Oct 15 11:13:26 UTC 2021 - Callum Farmer <gm...@opensuse.org>
+
+- Add CONFIG parameter to %sysusers_generate_pre
+
+-------------------------------------------------------------------
+Wed Oct 13 19:12:06 UTC 2021 - Enzo Matsumiya <ematsum...@suse.com>
+
+- Create separate service for augenrules (bsc#1191614, bsc#1181400)
+ * add create-augenrules-service.patch
+ Remove ReadWritePaths=/etc/audit from auditd.service, also removes
+ augenrules call from ExecStartPost.
+ Create augenrules.service with the ReadWritePaths directive above.
+ This makes /etc/audit only accessible by augenrules.service and
+ let auditd.service (and daemon) to be sandboxed again.
+
+- Update audit-secondary.spec to accomodate the new service file.
+
+-------------------------------------------------------------------
New:
----
create-augenrules-service.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ audit-secondary.spec ++++++
--- /var/tmp/diff_new_pack.WsBUj1/_old 2021-10-20 20:22:57.149328748 +0200
+++ /var/tmp/diff_new_pack.WsBUj1/_new 2021-10-20 20:22:57.153328751 +0200
@@ -40,6 +40,7 @@
 Patch8: change-default-log_format.patch
 Patch9: fix-hardened-service.patch
 Patch10: enable-stop-rules.patch
+Patch11: create-augenrules-service.patch
 BuildRequires: audit-devel = %{version}
 BuildRequires: autoconf >= 2.12
 BuildRequires: gcc-c++
@@ -135,6 +136,7 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
@@ -165,7 +167,7 @@
 make %{?_smp_mflags}
-%sysusers_generate_pre %{SOURCE1} audit
+%sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf
 %install
 %make_install
@@ -215,6 +217,7 @@
 # rcauditd symlink
 ln -s service %{buildroot}%{_sbindir}/rcauditd
 chmod 0644 %{buildroot}%{_unitdir}/auditd.service
+chmod 0644 %{buildroot}%{_unitdir}/augenrules.service
 %check
 make %{?_smp_mflags} check
@@ -231,17 +234,21 @@
 cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
 fi
 %service_add_post auditd.service
+%service_add_post augenrules.service
 %pre -n audit
 %service_add_pre auditd.service
+%service_add_pre augenrules.service
 %pre -n system-group-audit -f audit.pre
 %preun -n audit
 %service_del_preun auditd.service
+%service_del_preun augenrules.service
 %postun -n audit
 %service_del_postun auditd.service
+%service_del_postun augenrules.service
 %files -n audit
 %license COPYING
@@ -292,6 +299,7 @@
 %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
+%{_unitdir}/augenrules.service
 %{_sbindir}/rcauditd
 %{_datadir}/audit/
++++++ create-augenrules-service.patch ++++++
--- /dev/null
+++ b/init.d/augenrules.service
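Review bot: A system upgraded from the previous package can be left with no audit rules loaded at boot, because rule loading moves out of auditd.service's ExecStartPost into the new unit, and as far as I can tell `%service_add_post augenrules.service` enables a freshly added unit only when a systemd preset selects it; no preset entry for augenrules.service is visible in this diff. In that case auditd.service keeps running after the upgrade while augenrules.service stays disabled, so the regression would surface only as an empty `auditctl -l`, not as a failed service. Consider shipping a preset entry for augenrules.service next to the one for auditd.service, or otherwise making sure the unit is enabled on upgrade, and stating this in the changelog entry so administrators know what to verify.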
@@ -0,0 +1,33 @@
+[Unit]
+Description=auditd rules generation
+After=auditd.service
+PartOf=auditd.service
+Documentation=man:augenrules(8)
+
+[Service]
+Type=oneshot
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+ExecStart=/sbin/augenrules --load
+# We need RemainAfterExit=true so augenrules is called again
+# in case auditd.service is restarted.
+RemainAfterExit=true
+
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectHome=true
+RestrictRealtime=true
+# for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ReadWritePaths=/etc/audit
+
+[Install]
+WantedBy=multi-user.target
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -18,10 +18,8 @@ Documentation=man:auditd(8) https://gith
 Type=forking
 PIDFile=/run/auditd.pid
 ExecStart=/sbin/auditd
-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and comment/delete the next line and uncomment the auditctl line.
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-ExecStartPost=-/sbin/augenrules --load
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
+## uncomment the next line, and run "systemctl disable --now augenrules.service".
 #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
 # By default we don't clear the rules on exit. To enable this, uncomment
 # the next line after copying the file to /etc/systemd/system/auditd.service
@@ -42,7 +40,6 @@ ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelLogs=true
 # end of automatic additions
-ReadWritePaths=/etc/audit
 [Install]
 WantedBy=multi-user.target
--- a/init.d/Makefile.am
+++ b/init.d/Makefile.am
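Review bot: `PartOf=auditd.service` propagates stop and restart from auditd.service but not start, so any path that starts auditd.service without restarting it brings the daemon up with no rules loaded, whereas the removed `ExecStartPost=-/sbin/augenrules --load` in auditd.service ran on every start. Adding `Wants=augenrules.service` to the `[Unit]` section of auditd.service (that section lies outside the hunk in this patch) would restore the coupling, with the `After=auditd.service` here keeping the order. Note also that the old ExecStartPost was prefixed with `-`, so a rule-load failure was silently ignored, while a failing oneshot now leaves augenrules.service in the failed state; that is better for detection but worth recording in the unit, e.g. `# A rule-load failure is not ignored: the unit enters the failed state and must be checked.`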
@@ -26,7 +26,7 @@
 EXTRA_DIST = auditd.init auditd.service auditd.cron libaudit.conf auditd.condrestart \
 auditd.reload auditd.restart auditd.resume \
 auditd.rotate auditd.state auditd.stop \
- audit-stop.rules augenrules
+ audit-stop.rules augenrules augenrules.service
 libconfig = libaudit.conf
 if ENABLE_SYSTEMD
 initdir = /usr/lib/systemd/system
@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
 mkdir -p ${DESTDIR}${initdir}
 mkdir -p ${DESTDIR}${legacydir}
 $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
 $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
 $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
 $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
@@ -70,6 +71,7 @@ uninstall-hook:
 rm ${DESTDIR}${sysconfdir}/${libconfig}
 if ENABLE_SYSTEMD
 rm ${DESTDIR}${initdir}/auditd.service
+ rm ${DESTDIR}${initdir}/augenrules.service
 rm ${DESTDIR}${legacydir}/rotate
 rm ${DESTDIR}${legacydir}/resume
 rm ${DESTDIR}${legacydir}/reload