Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package audit for openSUSE:Factory checked 
in at 2021-11-12 15:58:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/audit (Old)
 and      /work/SRC/openSUSE:Factory/.audit.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "audit"

Fri Nov 12 15:58:53 2021 rev:99 rq:930227 version:3.0.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/audit/audit-secondary.changes    2021-10-20 
20:22:56.481328336 +0200
+++ /work/SRC/openSUSE:Factory/.audit.new.1890/audit-secondary.changes  
2021-11-12 15:58:56.478556064 +0100
@@ -1,0 +2,12 @@
+Sun Nov  7 13:34:20 UTC 2021 - Callum Farmer <gm...@opensuse.org>
+
+- Update to version 3.0.6:
+  * fixes a segfault on some SELINUX_ERR records
+  * makes IPX packet interpretation dependent on the ipx header
+    file existing
+  * adds b32/b64 support to ausyscall
+  * adds support for armv8l
+  * fixes auditctl list of syscalls on PPC
+  * auditd.service now restarts auditd under some conditions
+
+-------------------------------------------------------------------
audit.changes: same change

Old:
----
  audit-3.0.5.tar.gz

New:
----
  audit-3.0.6.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ audit-secondary.spec ++++++
--- /var/tmp/diff_new_pack.oXVBeX/_old  2021-11-12 15:58:57.282556430 +0100
+++ /var/tmp/diff_new_pack.oXVBeX/_new  2021-11-12 15:58:57.286556431 +0100
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define        _name audit
 Name:           audit-secondary
-Version:        3.0.5
+Version:        3.0.6
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later

++++++ audit.spec ++++++
--- /var/tmp/diff_new_pack.oXVBeX/_old  2021-11-12 15:58:57.302556439 +0100
+++ /var/tmp/diff_new_pack.oXVBeX/_new  2021-11-12 15:58:57.306556441 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           audit
-Version:        3.0.5
+Version:        3.0.6
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later

++++++ audit-3.0.5.tar.gz -> audit-3.0.6.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/ChangeLog new/audit-3.0.6/ChangeLog
--- old/audit-3.0.5/ChangeLog   2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/ChangeLog   2021-10-01 18:36:30.000000000 +0200
@@ -1,3 +1,11 @@
+3.0.6
+- Fixed various issues when dealing with corrupted logs
+- Make IPX packet interpretation dependent on the ipx header file existing
+- Add b32/b64 support to ausyscall (Egor Ignatov)
+- Add support for armv8l (Egor Ignatov)
+- Fix auditctl list of syscalls in PPC (Egor Ignatov)
+- auditd.service now restarts auditd under some conditions (Timoth??e Ravier)
+
 3.0.5
 - In auditd, flush uid/gid caches when user/group added/deleted/modified
 - Fixed various issues when dealing with corrupted logs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/README new/audit-3.0.6/README
--- old/audit-3.0.5/README      2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/README      2021-10-01 18:36:30.000000000 +0200
@@ -8,7 +8,7 @@
 
 BUILDING
 ========
-See the README-install File.
+See the Install(.tmp) file.
 
 USAGE
 =====
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/TODO new/audit-3.0.6/TODO
--- old/audit-3.0.5/TODO        2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/TODO        2021-10-01 18:36:30.000000000 +0200
@@ -4,7 +4,7 @@
 * Basic HIDS based on reactive audit component
 * Add keywords for time: month-ago, this-hour, last-hour
 * If searching user/group doesn't map to uid/gid, do translated string search
-* In audispd, look into non-blocking handling of write to plugins
+* In auditd, look into non-blocking handling of write to plugins
 * Support multiple time streams when searching
 
 3.1.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/audit.spec new/audit-3.0.6/audit.spec
--- old/audit-3.0.5/audit.spec  2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/audit.spec  2021-10-01 18:36:30.000000000 +0200
@@ -1,7 +1,7 @@
 
 Summary: User space tools for kernel auditing
 Name: audit
-Version: 3.0.5
+Version: 3.0.6
 Release: 1%{dist}
 License: GPLv2+
 Group: System Environment/Daemons
@@ -256,6 +256,6 @@
 
 
 %changelog
-* Wed Aug 11 2021 Steve Grubb <sgr...@redhat.com> 3.0.5-1
+* Fri Oct 01 2021 Steve Grubb <sgr...@redhat.com> 3.0.6-1
 - New upstream release
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/auparse/auparse.c 
new/audit-3.0.6/auparse/auparse.c
--- old/audit-3.0.5/auparse/auparse.c   2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/auparse/auparse.c   2021-10-01 18:36:30.000000000 +0200
@@ -1202,7 +1202,7 @@
                // at this point we have type=
                ptr = audit_strsplit(NULL);
                // strlen is for fuzzers that make invalid lines
-               if (ptr && strnlen(ptr, 28) > 24) {
+               if (ptr && strnlen(ptr, 20) > 18) {
                        if (*(ptr+9) == '(')
                                ptr+=9;
                        else
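Review bot: The bounds `20` and `18` in the new `strnlen(ptr, 20) > 18` guard are unexplained magic numbers, and the same expression is repeated in src/ausearch-lol.c later in this diff. This guard is what keeps `*(ptr+9)` inside the token when a line is malformed, so it deserves a shared named constant and a comment such as `// need at least 19 bytes so the fixed offsets below stay inside the token`. The `else` branch continues outside the hunk, so confirm that whatever offset it reads is also covered by the lowered minimum.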
@@ -1582,8 +1582,11 @@
                                        if (debug)
                                                printf("Adding event to 
building event\n");
 #endif /* LOL_EVENTS_DEBUG01 */
-                                       aup_list_append(cur->l, au->cur_buf,
-                                               au->list_idx, au->line_number);
+                                       if (aup_list_append(cur->l, au->cur_buf,
+                                           au->list_idx, au->line_number) < 0) 
{
+                                               au->cur_buf = NULL;
+                                               continue;
+                                       }
                                        au->cur_buf = NULL;
                                        free((char *)e.host);
                                        au_check_events(au,  e.sec);
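Review bot: The new failure branch for `aup_list_append()` reaches `continue` before `free((char *)e.host)` runs, so `e.host` appears to leak each time the append fails. The branch also sets `au->cur_buf = NULL` without freeing it, which is only correct if `aup_list_append()` releases the buffer on its own error path; that is not visible here. Consider adding `free((char *)e.host);` inside the branch and a comment stating who owns `cur_buf` after a failed append. The enclosing loop starts and ends outside the hunk.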
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/auparse/ellist.c 
new/audit-3.0.6/auparse/ellist.c
--- old/audit-3.0.5/auparse/ellist.c    2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/auparse/ellist.c    2021-10-01 18:36:30.000000000 +0200
@@ -103,7 +103,7 @@
 static int parse_up_record(rnode* r)
 {
        char *ptr, *buf, *saved=NULL;
-       unsigned int offset = 0;
+       unsigned int offset = 0, len;
 
        // Potentially cut the record in two
        ptr = strchr(r->record, AUDIT_INTERP_SEPARATOR);
@@ -112,10 +112,19 @@
                ptr++;
        }
        r->interp = ptr;
-       r->nv.record = buf = strdup(r->record);
+       // Rather than call strndup, we will do it ourselves to reduce
+       // the number of interations across the record.
+       // len includes the string terminator.
+       len = strlen(r->record) + 1;
+       r->nv.record = buf = malloc(len);
+       if (r->nv.record == NULL)
+               return -1;
+       memcpy(r->nv.record, r->record, len);
+       r->nv.end = r->nv.record + len;
        ptr = audit_strsplit_r(buf, &saved);
        if (ptr == NULL) {
                free(buf);
+               r->nv.record = NULL;
                return -1;
        }
 
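Review bot: On the early `audit_strsplit_r()` failure path the patch clears `r->nv.record` but leaves `r->nv.end` pointing just past the freed buffer, unlike the `r->nv.cnt == 0` cleanup later in this file, which resets both. Add `r->nv.end = NULL;` next to `r->nv.record = NULL;` so the range test used when the list is cleared never sees a stale bound. Separately, `len` is declared `unsigned int` while `strlen()` returns `size_t`; unless record length is capped before this function (not visible here), `size_t len` rules out truncation ahead of `malloc(len)`. `parse_up_record` continues outside the hunk.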
@@ -322,6 +331,8 @@
        // If for some reason it was useless, delete buf
        if (r->nv.cnt == 0) {
                free(buf);
+               r->nv.record = NULL;
+               r->nv.end = NULL;
                free((void *)r->cwd);
        }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/auparse/interpret.c 
new/audit-3.0.6/auparse/interpret.c
--- old/audit-3.0.5/auparse/interpret.c 2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/auparse/interpret.c 2021-10-01 18:36:30.000000000 +0200
@@ -44,8 +44,10 @@
 #include <linux/ax25.h>
 #include <linux/atm.h>
 #include <linux/x25.h>
-#include <linux/if.h>   // FIXME: remove when ipx.h is fixed
-#include <linux/ipx.h>
+#ifdef HAVE_IPX_HEADERS
+  #include <linux/if.h>   // FIXME: remove when ipx.h is fixed
+  #include <linux/ipx.h>
+#endif
 #include <linux/capability.h>
 #include <sys/personality.h>
 #include <sys/prctl.h>
@@ -840,6 +842,9 @@
 {
        char *out;
 
+       if (val == NULL)
+                        return strdup(" ");
+
         if (*val == '"') {
                 char *term;
                 val++;
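Review bot: The `return strdup(" ");` line under the new NULL check is indented with a tab followed by a long run of spaces, matching neither the tab-indented `if` above it nor the space-indented lines below; align it one level under the `if`. `strdup()` can itself return NULL, so a short comment on whether callers tolerate a NULL result, and why a single space stands in for a missing value, would help the next reader. The function's signature is outside the hunk.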
@@ -1276,6 +1281,7 @@
                                              x->sax25_call.ax25_call[6]);
                         }
                         break;
+#ifdef HAVE_IPX_HEADERS
                 case AF_IPX:
                         {
                                 const struct sockaddr_ipx *ip =
@@ -1285,6 +1291,7 @@
                                        str, ip->sipx_port, ip->sipx_network);
                         }
                         break;
+#endif
                 case AF_ATMPVC:
                         {
                                 const struct sockaddr_atmpvc* at =
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/auparse/nvlist.c 
new/audit-3.0.6/auparse/nvlist.c
--- old/audit-3.0.5/auparse/nvlist.c    2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/auparse/nvlist.c    2021-10-01 18:36:30.000000000 +0200
@@ -36,11 +36,13 @@
                l->cur = 0;
                l->cnt = 0;
                l->record = NULL;
+               l->end = NULL;
        }
 }
 
 nvnode *nvlist_next(nvlist *l)
 {
+       // Since cur will be incremented, check for 1 less that total
        if (l->cnt && l->cur < (l->cnt - 1)) {
                l->cur++;
                return &l->array[l->cur];
@@ -119,17 +121,29 @@
 const char *nvlist_interp_cur_val(rnode *r, auparse_esc_t escape_mode)
 {
        nvlist *l = &r->nv;
+       if (l->cnt == 0)
+               return NULL;
        nvnode *node = &l->array[l->cur];
        if (node->interp_val)
                return node->interp_val;
        return do_interpret(r, escape_mode);
 }
 
+// This function determines if a chunk of memory is part of the parsed up
+// record. If it is, do not free it since it gets free'd at the very end.
+// NOTE: This function causes invalid-pointer-pair errors with ASAN
+static inline int not_in_rec_buf(nvlist *l, const char *ptr)
+{
+       if (ptr >= l->record && ptr < l->end)
+               return 0;
+       return 1;
+}
+
 // free_interp does not apply to thing coming from interpretation_list
-void nvlist_clear(nvlist* l, int free_interp)
+void nvlist_clear(nvlist *l, int free_interp)
 {
        unsigned int i = 0;
-       register nvnode* current;
+       register nvnode *current;
 
        if (l->cnt == 0)
                return;
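Review bot: `not_in_rec_buf()` applies `>=` and `<` to `ptr` and `l->record`/`l->end` even when `ptr` is a separately allocated string, and relational comparison of pointers into different objects is undefined behaviour in C; the added comment already mentions the ASan invalid-pointer-pair reports. Because the result decides whether `free()` is called, compare integer addresses instead: `uintptr_t p = (uintptr_t)ptr;` followed by `return !(p >= (uintptr_t)l->record && p < (uintptr_t)l->end);`, with `<stdint.h>` included. `nvlist_clear` continues outside the hunk.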
@@ -140,11 +154,9 @@
                        free(current->interp_val);
                        // A couple items are not in parsed up list.
                        // These all come from the aup_list_append path.
-                       if ((strcmp(current->name, "key") == 0) ||
-                           (strcmp(current->name, "seperms") == 0) ||
-                           (strcmp(current->name, "seresult") == 0)) {
+                       if (not_in_rec_buf(l, current->name)) {
                                // seperms & key values are strdup'ed
-                               if (current->name[2] != 'r')
+                               if (not_in_rec_buf(l, current->val))
                                        free(current->val);
                                free(current->name);
                        }
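Review bot: The retained comment `// seperms & key values are strdup'ed` no longer describes the test beneath it, which is now an address-range check rather than a name check; reword it, for example `// val is freed only when it lies outside the record buffer`. Note also that `current->val` is examined only when `current->name` is outside the buffer, so a node with an in-buffer name and a separately allocated value would not be freed. If that combination cannot occur, say so in the comment. The loop starts outside the hunk.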
@@ -153,6 +165,7 @@
        }
        free((void *)l->record);
        l->record = NULL;
+       l->end = NULL;
        l->cur = 0;
        l->cnt = 0;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/auparse/nvlist.h 
new/audit-3.0.6/auparse/nvlist.h
--- old/audit-3.0.5/auparse/nvlist.h    2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/auparse/nvlist.h    2021-10-01 18:36:30.000000000 +0200
@@ -45,7 +45,7 @@
 AUDIT_HIDDEN_START
 
 void nvlist_create(nvlist *l);
-void nvlist_clear(nvlist* l, int free_interp);
+void nvlist_clear(nvlist *l, int free_interp);
 nvnode *nvlist_next(nvlist *l);
 int nvlist_get_cur_type(rnode *r);
 const char *nvlist_interp_cur_val(rnode *r, auparse_esc_t escape_mode);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/auparse/rnode.h 
new/audit-3.0.6/auparse/rnode.h
--- old/audit-3.0.5/auparse/rnode.h     2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/auparse/rnode.h     2021-10-01 18:36:30.000000000 +0200
@@ -40,6 +40,7 @@
   unsigned int cur;     // Index to current node
   unsigned int cnt;     // How many items in this list
   char *record;                // Holds the parsed up record
+  char *end;           // End of the parsed up record
 } nvlist;
 
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/config.h.in new/audit-3.0.6/config.h.in
--- old/audit-3.0.5/config.h.in 2021-08-11 22:24:25.000000000 +0200
+++ new/audit-3.0.6/config.h.in 2021-10-01 18:36:35.000000000 +0200
@@ -44,6 +44,9 @@
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
+/* IPX packet interpretation */
+#undef HAVE_IPX_HEADERS
+
 /* Define to 1 if linux/fs.h defined kernel_rwf_t */
 #undef HAVE_KERNEL_RWF_T
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/configure new/audit-3.0.6/configure
--- old/audit-3.0.5/configure   2021-08-11 22:24:24.000000000 +0200
+++ new/audit-3.0.6/configure   2021-10-01 18:36:35.000000000 +0200
@@ -1,7 +1,7 @@
 #! /bin/sh
 # From configure.ac Revision: 1.3 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for audit 3.0.5.
+# Generated by GNU Autoconf 2.69 for audit 3.0.6.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -588,8 +588,8 @@
 # Identity of this package.
 PACKAGE_NAME='audit'
 PACKAGE_TARNAME='audit'
-PACKAGE_VERSION='3.0.5'
-PACKAGE_STRING='audit 3.0.5'
+PACKAGE_VERSION='3.0.6'
+PACKAGE_STRING='audit 3.0.6'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1398,7 +1398,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures audit 3.0.5 to adapt to many kinds of systems.
+\`configure' configures audit 3.0.6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1470,7 +1470,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of audit 3.0.5:";;
+     short | recursive ) echo "Configuration of audit 3.0.6:";;
    esac
   cat <<\_ACEOF
 
@@ -1596,7 +1596,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-audit configure 3.0.5
+audit configure 3.0.6
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2301,7 +2301,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by audit $as_me 3.0.5, which was
+It was created by audit $as_me 3.0.6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3280,7 +3280,7 @@
 
 # Define the identity of the package.
  PACKAGE='audit'
- VERSION='3.0.5'
+ VERSION='3.0.6'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -16047,6 +16047,21 @@
 
 fi
 
+# linux/ipx.h - deprecated in 2018
+ac_fn_c_check_header_mongrel "$LINENO" "linux/ipx.h" 
"ac_cv_header_linux_ipx_h" "$ac_includes_default"
+if test "x$ac_cv_header_linux_ipx_h" = xyes; then :
+  ipx_headers=yes
+else
+  ipx_headers=no
+fi
+
+
+if test $ipx_headers = yes ; then
+
+$as_echo "#define HAVE_IPX_HEADERS 1" >>confdefs.h
+
+fi
+
 # See if we want to support lower capabilities for plugins
 
 
@@ -16735,7 +16750,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by audit $as_me 3.0.5, which was
+This file was extended by audit $as_me 3.0.6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -16801,7 +16816,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-audit config.status 3.0.5
+audit config.status 3.0.6
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/configure.ac new/audit-3.0.6/configure.ac
--- old/audit-3.0.5/configure.ac        2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/configure.ac        2021-10-01 18:36:30.000000000 +0200
@@ -29,7 +29,7 @@
 ])
 
 AC_REVISION($Revision: 1.3 $)dnl
-AC_INIT(audit,3.0.5)
+AC_INIT(audit,3.0.6)
 AC_PREREQ(2.12)dnl
 AM_CONFIG_HEADER(config.h)
 
@@ -418,6 +418,12 @@
        AC_DEFINE_UNQUOTED(HAVE_LIBWRAP, [], Define if tcp_wrappers support is 
enabled )
 fi
 
+# linux/ipx.h - deprecated in 2018
+AC_CHECK_HEADER(linux/ipx.h, ipx_headers=yes, ipx_headers=no)
+if test $ipx_headers = yes ; then
+       AC_DEFINE(HAVE_IPX_HEADERS,1,[IPX packet interpretation])
+fi
+
 # See if we want to support lower capabilities for plugins
 LIBCAP_NG_PATH
 
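Review bot: `AC_CHECK_HEADER(linux/ipx.h, ...)` is called without a prerequisite-includes argument, while interpret.c in this same diff includes `<linux/if.h>` ahead of `<linux/ipx.h>` under a FIXME, which suggests the header may not compile on its own. If so, the check could report `no` on systems that do ship the header, and IPX address interpretation would be dropped without notice. Consider passing the prerequisite as the fourth argument: `AC_CHECK_HEADER(linux/ipx.h, ipx_headers=yes, ipx_headers=no, [#include <linux/if.h>])`.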
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/contrib/plugin/audisp-example.c 
new/audit-3.0.6/contrib/plugin/audisp-example.c
--- old/audit-3.0.5/contrib/plugin/audisp-example.c     2021-08-11 
22:24:20.000000000 +0200
+++ new/audit-3.0.6/contrib/plugin/audisp-example.c     2021-10-01 
18:36:30.000000000 +0200
@@ -58,7 +58,7 @@
 /*
  * SIGTERM handler
  */
-static void term_handler( int sig )
+static void term_handler(int sig)
 {
         stop = 1;
 }
@@ -66,7 +66,7 @@
 /*
  * SIGHUP handler: re-read config
  */
-static void hup_handler( int sig )
+static void hup_handler(int sig)
 {
         hup = 1;
 }
@@ -74,6 +74,11 @@
 static void reload_config(void)
 {
        hup = 0;
+
+       /*
+        * Add your code here that re-reads the config file and changes
+        * how your plugin works.
+        */
 }
 
 int main(int argc, char *argv[])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/docs/auditctl.8 
new/audit-3.0.6/docs/auditctl.8
--- old/audit-3.0.5/docs/auditctl.8     2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/docs/auditctl.8     2021-10-01 18:36:30.000000000 +0200
@@ -261,7 +261,7 @@
 Any \fIsyscall name\fP or \fInumber\fP may be used. The word '\fBall\fP' may 
also be used.  If the given syscall is made by a program, then start an audit 
record. If a field rule is given and no syscall is specified, it will default 
to all syscalls. You may also specify multiple syscalls in the same rule by 
using multiple \-S options in the same rule. Doing so improves performance 
since fewer rules need to be evaluated. Alternatively, you may pass a comma 
separated list of syscall names. If you are on a bi-arch system, like x86_64, 
you should be aware that auditctl simply takes the text, looks it up for the 
native arch (in this case b64) and sends that rule to the kernel. If there are 
no additional arch directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This 
can have undesirable effects since there is no guarantee that any syscall has 
the same number on both 32 and 64 bit interfaces. You will likely want to 
control this and write 2 rules, one with arch equal to b32 and one with
  b64 to make sure the kernel finds the events that you intend. See the arch 
field discussion for more info.
 .TP
 .BI \-w\  path
-Insert a watch for the file system object at \fIpath\fP. You cannot insert a 
watch to the top level directory. This is prohibited by the kernel. Wildcards 
are not supported either and will generate a warning. The way that watches work 
is by tracking the inode internally. If you place a watch on a file, its the 
same as using the \-F path option on a syscall rule. If you place a watch on a 
directory, its the same as using the \-F dir option on a syscall rule. The \-w 
form of writing watches is for backwards compatibility and the syscall based 
form is more expressive. Unlike most syscall auditing rules, watches do not 
impact performance based on the number of rules sent to the kernel. The only 
valid options when using a watch are the \-p and \-k. If you need to anything 
fancy like audit a specific user accessing a file, then use the syscall 
auditing form with the path or dir fields. See the EXAMPLES section for an 
example of converting one form to another.
+Insert a watch for the file system object at \fIpath\fP. You cannot insert a 
watch to the top level directory. This is prohibited by the kernel. Wildcards 
are not supported either and will generate a warning. The way that watches work 
is by tracking the inode internally. If you place a watch on a file, its the 
same as using the \-F path option on a syscall rule. If you place a watch on a 
directory, its the same as using the \-F dir option on a syscall rule. The \-w 
form of writing watches is for backwards compatibility and the syscall based 
form is more expressive. Unlike most syscall auditing rules, watches do not 
impact performance based on the number of rules sent to the kernel. The only 
valid options when using a watch are the \-p and \-k. If you need to do 
anything fancy like audit a specific user accessing a file, then use the 
syscall auditing form with the path or dir fields. See the EXAMPLES section for 
an example of converting one form to another.
 .TP
 .BI \-W\  path
 Remove a watch for the file system object at \fIpath\fP. The rule must match 
exactly. See \fB-d\fP discussion for more info.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/docs/auditd.8 
new/audit-3.0.6/docs/auditd.8
--- old/audit-3.0.5/docs/auditd.8       2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/docs/auditd.8       2021-10-01 18:36:30.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "AUDITD" "8" "Sept 2013" "Red Hat" "System Administration Utilities"
+.TH "AUDITD" "8" "Sept 2021" "Red Hat" "System Administration Utilities"
 .SH NAME
 auditd \- The Linux Audit daemon
 .SH SYNOPSIS
@@ -35,24 +35,41 @@
 be passed to the dispatcher. (default: /etc/audit/)
 .SH SIGNALS
 .TP
-SIGHUP
+.B SIGHUP
 causes auditd to reconfigure. This means that auditd re-reads the 
configuration file. If there are no syntax errors, it will proceed to implement 
the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event 
is recorded in the logs. If not successful, error handling is controlled by 
space_left_action, admin_space_left_action, disk_full_action, and 
disk_error_action parameters in auditd.conf.
 
 .TP
-SIGTERM
+.B SIGTERM
 caused auditd to discontinue processing audit events, write a shutdown audit 
event, and exit.
 
 .TP
-SIGUSR1
+.B SIGUSR1
 causes auditd to immediately rotate the logs. It will consult the 
max_log_file_action to see if it should keep the logs or not.
 
 .TP
-SIGUSR2
+.B SIGUSR2
 causes auditd to attempt to resume logging and passing events to plugins. This 
is usually needed after logging has been suspended or the internal queue is 
overflowed. Either of these conditions depends on the applicable configuration 
settings.
 .TP
-SIGCONT
+.B SIGCONT
 causes auditd to dump a report of internal state to /var/run/auditd.state.
 
+.SH EXIT CODES
+.TP
+.B 1
+Cannot adjust priority, daemonize, open audit netlink, write the pid file, 
start up plugins, resolve the machine name, set audit pid, or other 
initialization tasks.
+
+.TP
+.B 2
+Invalid or excessive command line arguments
+
+.TP
+.B 4
+The audit daemon doesn't have sufficient privilege
+
+.TP
+.B 6
+There is an error in the configuration file
+
 .SH FILES
 .B /etc/audit/auditd.conf
 - configuration file for audit daemon
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/init.d/auditd.service 
new/audit-3.0.6/init.d/auditd.service
--- old/audit-3.0.5/init.d/auditd.service       2021-08-11 22:24:20.000000000 
+0200
+++ new/audit-3.0.6/init.d/auditd.service       2021-10-01 18:36:30.000000000 
+0200
@@ -27,6 +27,9 @@
 # By default we don't clear the rules on exit. To enable this, uncomment
 # the next line after copying the file to /etc/systemd/system/auditd.service
 #ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+Restart=on-failure
+# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
+RestartPreventExitStatus=2 4 6
 
 ### Security Settings ###
 MemoryDenyWriteExecute=true
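Review bot: `Restart=on-failure` with `RestartPreventExitStatus=2 4 6` still restarts on exit status 1, which the EXIT CODES section added to auditd(8) in this diff assigns to initialization failures such as being unable to open the audit netlink or write the pid file. Those conditions are likely to recur on every attempt, so the unit relies on systemd's start rate limit to end the loop. Setting `RestartSec=` explicitly, or extending the comment to say that status 1 is deliberately retried, would make the intent clear to administrators who copy this unit.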
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/lib/libaudit.c 
new/audit-3.0.6/lib/libaudit.c
--- old/audit-3.0.5/lib/libaudit.c      2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/lib/libaudit.c      2021-10-01 18:36:30.000000000 +0200
@@ -559,7 +559,7 @@
 
 int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock)
 {
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
+#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
        int rc;
        struct audit_features f;
 
@@ -583,7 +583,7 @@
 
 int audit_request_features(int fd)
 {
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
+#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
        int rc;
        struct audit_features f;
 
@@ -602,7 +602,7 @@
 
 extern int  audit_set_loginuid_immutable(int fd)
 {
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
+#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
        return audit_set_feature(fd, AUDIT_FEATURE_LOGINUID_IMMUTABLE, 1, 1);
 #else
        errno = EINVAL;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/lib/machinetab.h 
new/audit-3.0.6/lib/machinetab.h
--- old/audit-3.0.5/lib/machinetab.h    2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/lib/machinetab.h    2021-10-01 18:36:30.000000000 +0200
@@ -40,4 +40,5 @@
 #endif
 #ifdef WITH_AARCH64
 _S(MACH_AARCH64,   "aarch64"  )
+_S(MACH_AARCH64,   "armv8l")
 #endif
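Review bot: The new `"armv8l"` entry maps to `MACH_AARCH64` and is compiled only under `WITH_AARCH64`, which deserves a one-line comment because armv8l is the machine string reported to 32-bit userspace on ARMv8 hardware. If this table also drives syscall name lookup for that machine string, confirm that the 64-bit table is the intended one; the hunk does not show how the entries are consumed. The spacing inside `_S(...)` also differs from the `"aarch64"  )` line directly above.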
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/lib/netlink.c 
new/audit-3.0.6/lib/netlink.c
--- old/audit-3.0.5/lib/netlink.c       2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/lib/netlink.c       2021-10-01 18:36:30.000000000 +0200
@@ -147,7 +147,7 @@
        rep->error    = NULL;
        rep->signal_info = NULL;
        rep->conf     = NULL;
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
+#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
        rep->features = NULL;
 #endif
        if (!NLMSG_OK(rep->nlh, (unsigned int)len)) {
@@ -172,7 +172,7 @@
                case AUDIT_GET:   
                        rep->status  = NLMSG_DATA(rep->nlh); 
                        break;
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
+#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
                case AUDIT_GET_FEATURE:
                        rep->features =  NLMSG_DATA(rep->nlh);
                        break;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/src/auditctl-listing.c 
new/audit-3.0.6/src/auditctl-listing.c
--- old/audit-3.0.5/src/auditctl-listing.c      2021-08-11 22:24:20.000000000 
+0200
+++ new/audit-3.0.6/src/auditctl-listing.c      2021-10-01 18:36:30.000000000 
+0200
@@ -585,7 +585,7 @@
 #endif
                        printed = 1;
                        break;
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
+#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
                case AUDIT_GET_FEATURE:
                        {
                        uint32_t mask = AUDIT_FEATURE_TO_MASK(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/src/auditctl.c 
new/audit-3.0.6/src/auditctl.c
--- old/audit-3.0.5/src/auditctl.c      2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/src/auditctl.c      2021-10-01 18:36:30.000000000 +0200
@@ -135,7 +135,7 @@
      "    -v                                Version\n"
      "    -w <path>                         Insert watch at <path>\n"
      "    -W <path>                         Remove watch at <path>\n"
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
+#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
      "    --loginuid-immutable              Make loginuids unchangeable once 
set\n"
 #endif
 #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \
@@ -368,7 +368,7 @@
        return 0;
 }
 
-static void check_rule_mismatch(int lineno, const char *option)
+static int check_rule_mismatch(int lineno, const char *option)
 {
        struct audit_rule_data tmprule;
        unsigned int old_audit_elf = _audit_elf;
@@ -386,17 +386,28 @@
                        _audit_elf = AUDIT_ARCH_S390;
                        break;
        }
+
+       char *ptr, *saved, *tmp = strdup(option);
+       if (tmp == NULL)
+               return -1;
+       ptr = strtok_r(tmp, ",", &saved);
        memset(&tmprule, 0, sizeof(struct audit_rule_data));
-       audit_rule_syscallbyname_data(&tmprule, option);
+       while (ptr) {
+               audit_rule_syscallbyname_data(&tmprule, ptr);
+               ptr = strtok_r(NULL, ",", &saved);
+       }
        if (memcmp(tmprule.mask, rule_new->mask, AUDIT_BITMASK_SIZE))
                rc = 1;
+       free(tmp);
+
        _audit_elf = old_audit_elf;
-       if (rc) { 
+       if (rc) {
                if (lineno)
                        audit_msg(LOG_WARNING, "WARNING - 32/64 bit syscall 
mismatch in line %d, you should specify an arch", lineno);
                else
                        audit_msg(LOG_WARNING, "WARNING - 32/64 bit syscall 
mismatch, you should specify an arch");
        }
+       return 0;
 }
 
 
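Review bot: The new `if (tmp == NULL) return -1;` exit is taken after the `switch` above has already overwritten the global `_audit_elf`, and it skips the `_audit_elf = old_audit_elf;` restore further down, so an allocation failure leaves the temporary arch selected for whatever runs next. Restore before returning, `if (tmp == NULL) { _audit_elf = old_audit_elf; return -1; }`, or perform the `strdup()` before the switch. In the caller hunk later in this file, the nested `if` around `check_rule_mismatch()` has no braces on the outer statement; adding them avoids a dangling-else surprise if a branch is added later. The start of `check_rule_mismatch` lies in the previous hunk.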
@@ -532,7 +543,7 @@
 
 static struct option long_opts[] =
 {
-#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION)
+#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1
   {"loginuid-immutable", 0, NULL, 1},
 #endif
 #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \
@@ -824,7 +835,8 @@
                        case 0:
                                _audit_syscalladded = 1;
                                if (unknown_arch && add != AUDIT_FILTER_UNSET)
-                                       check_rule_mismatch(lineno, optarg);
+                                       if (check_rule_mismatch(lineno, optarg) 
== -1)
+                                               retval = -1;
                                break;
                        case -1:
                                audit_msg(LOG_ERR, "Syscall name unknown: %s", 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/src/auditd.c new/audit-3.0.6/src/auditd.c
--- old/audit-3.0.5/src/auditd.c        2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/src/auditd.c        2021-10-01 18:36:30.000000000 +0200
@@ -192,6 +192,7 @@
        if (f == NULL)
                return;
 
+       fprintf(f, "audit version = %s\n", VERSION);
        time_t now = time(0);
        strftime(buf, sizeof(buf), "%x %X", localtime(&now));
        fprintf(f, "current time = %s\n", buf);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/src/ausearch-lol.c 
new/audit-3.0.6/src/ausearch-lol.c
--- old/audit-3.0.5/src/ausearch-lol.c  2021-08-11 22:24:20.000000000 +0200
+++ new/audit-3.0.6/src/ausearch-lol.c  2021-10-01 18:36:30.000000000 +0200
@@ -194,7 +194,7 @@
                // Now should be pointing to msg=
                ptr = audit_strsplit(NULL);
                // strlen is for fuzzers that make invalid lines
-               if (ptr && strlen(ptr) > 24) {
+               if (ptr && strnlen(ptr, 20) > 18) {
                        if (*(ptr+9) == '(')
                                ptr+=9;
                        else
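Review bot: The new bound `strnlen(ptr, 20) > 18` replaces one unexplained constant with two, and the comment above it still says `strlen`. The only offset visible in the hunk is the `*(ptr+9)` probe, so a reader cannot tell why 18 is the minimum safe length or whether later indexing in this block stays inside it; the block continues past the hunk. I would reword the comment to name `strnlen` and state how 18 is derived from the record header being parsed, or give the two values names in an `enum` next to that explanation.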
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/tools/aulast/aulast.c 
new/audit-3.0.6/tools/aulast/aulast.c
--- old/audit-3.0.5/tools/aulast/aulast.c       2021-08-11 22:24:20.000000000 
+0200
+++ new/audit-3.0.6/tools/aulast/aulast.c       2021-10-01 18:36:30.000000000 
+0200
@@ -96,8 +96,11 @@
                        int mins, hours, days;
                        if (notime)
                                printf("- %-7.5s", " ");
-                       else
-                               printf("- %-7.5s", ctime(&cur->end) + 11);
+                       else {
+                               char *ttime = ctime(&cur->end);
+                               printf("- %-7.5s", ttime ? ttime + 11 :
+                                      "bad value");
+                       }
                        secs = cur->end - cur->start;
                        mins  = (secs / 60) % 60;
                        hours = (secs / 3600) % 24;
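Review bot: The fallback text is cut by the format string: `%-7.5s` prints at most five characters, so a failed `ctime()` is shown as `bad v`. A five-character placeholder such as `"??:??"` fits the column and stays readable. The following `secs = cur->end - cur->start` still uses the same `cur->end` that `ctime()` could not convert, so the duration printed next to the placeholder is probably not meaningful either; the rest of that computation lies outside the hunk.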
@@ -128,10 +131,13 @@
                strftime(start, sizeof(start), "%x %T", btm);
                if (cur->end != 0) {
                        btm = localtime(&cur->end);
-                       strftime(end, sizeof(end), "%x %T", btm);
-                     printf("    ausearch --start %s --end %s",
-                               start, end);
+                       if (btm) {
+                               strftime(end, sizeof(end), "%x %T", btm);
+                               printf("    ausearch --start %s --end %s",
+                                       start, end);
+                       } else goto no_end;
                } else {
+no_end:
                    printf("    ausearch --start %s", start);
                }
                if (cur->name == NULL)
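Review bot: `} else goto no_end;` jumps into the body of the sibling `else` block, which is legal C but hard to follow and easy to break when either branch grows. Deciding once whether a usable end time exists removes the label and the jump; a separate local keeps `btm` untouched in case it is read again below the hunk. The `btm` used for the `start` string is assigned above the hunk, so whether that `localtime()` result gets the same NULL check cannot be seen from here.

```c
		// … unchanged: strftime(start, sizeof(start), "%x %T", btm); …
		struct tm *etm = cur->end != 0 ? localtime(&cur->end) : NULL;
		if (etm) {
			strftime(end, sizeof(end), "%x %T", etm);
			printf("    ausearch --start %s --end %s",
				start, end);
		} else {
			printf("    ausearch --start %s", start);
		}
```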
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/tools/ausyscall/ausyscall.8 
new/audit-3.0.6/tools/ausyscall/ausyscall.8
--- old/audit-3.0.5/tools/ausyscall/ausyscall.8 2021-08-11 22:24:20.000000000 
+0200
+++ new/audit-3.0.6/tools/ausyscall/ausyscall.8 2021-10-01 18:36:30.000000000 
+0200
@@ -4,13 +4,13 @@
 .SH SYNOPSIS
 .B ausyscall [arch] name | number | \-\-dump | \-\-exact
 .SH DESCRIPTION
-\fBausyscall\fP is a program that prints out the mapping from syscall name to 
number and reverse for the given arch. The arch can be anything returned by 
`uname \-m`. If arch is not given, the program will take a guess based on the 
running image. You may give the syscall name or number and it will find the 
opposite. You can also dump the whole table with the \-\-dump option. By 
default a syscall name lookup will be a substring match meaning that it will 
try to match all occurrences of the given name with syscalls. So giving a name 
of chown will match both fchown and chown as any other syscall with chown in 
its name. If this behavior is not desired, pass the \-\-exact flag and it will 
do an exact string match.
+\fBausyscall\fP is a program that prints out the mapping from syscall name to 
number and reverse for the given arch. The arch can be anything returned by 
`uname \-m`. If arch is not given, the program will take a guess based on the 
running image. Or for convenience, you can pass \fBb32\fP or \fBb64\fP to use 
the current arch but a specific ABI. You may give the syscall name or number 
and it will find the opposite. You can also dump the whole table with the 
\-\-dump option. By default a syscall name lookup will be a substring match 
meaning that it will try to match all occurrences of the given name with 
syscalls. So giving a name of chown will match both fchown and chown as any 
other syscall with chown in its name. If this behavior is not desired, pass the 
\-\-exact flag and it will do an exact string match.
 
 This program can be used to verify syscall numbers on a biarch platform for 
rule optimization. For example, suppose you had an auditctl rule:
 
 .B \-a always, exit \-S open \-F exit=\-EPERM \-k fail\-open
 
-If you wanted to verify that both 32 and 64 bit programs would be audited, run 
"ausyscall i386 open" and then "ausyscall x86_64 open". Look at the returned 
numbers. If they are different, you will have to write two auditctl rules to 
get complete coverage.
+If you wanted to verify that both 32 and 64 bit programs would be audited, run 
"ausyscall i386 open" and then "ausyscall x86_64 open". (Or use the b32 and b64 
option.) Look at the returned numbers. If they are different, you will have to 
write two auditctl rules to get complete coverage.
 
 .nf
 .B \-a always,exit \-F arch=b32 \-S open \-F exit=\-EPERM \-k fail\-open
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/audit-3.0.5/tools/ausyscall/ausyscall.c 
new/audit-3.0.6/tools/ausyscall/ausyscall.c
--- old/audit-3.0.5/tools/ausyscall/ausyscall.c 2021-08-11 22:24:20.000000000 
+0200
+++ new/audit-3.0.6/tools/ausyscall/ausyscall.c 2021-10-01 18:36:30.000000000 
+0200
@@ -56,7 +56,7 @@
                                usage();
                        }
                        syscall_num = strtol(argv[i], 0, 10);
-               } else if ((rc = audit_name_to_machine(argv[i])) != -1) {
+               } else if ((rc = audit_determine_machine(argv[i])) >= 0) {
                        if (machine != -1) {
                                fputs("Two machine types not allowed\n",stderr);
                                usage();

++++++ enable-stop-rules.patch ++++++
--- /var/tmp/diff_new_pack.oXVBeX/_old  2021-11-12 15:58:57.570556561 +0100
+++ /var/tmp/diff_new_pack.oXVBeX/_new  2021-11-12 15:58:57.570556561 +0100
@@ -19,6 +19,6 @@
  # the next line after copying the file to /etc/systemd/system/auditd.service
 -#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
 +ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
- 
- ### Security Settings ###
- MemoryDenyWriteExecute=true
+ Restart=on-failure
+ # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
+ RestartPreventExitStatus=2 4 6
