Here's a debdiff which backports the upstream patches that disable the auditd network listener and splits up the auditd package into auditd-common, auditd, and auditd-light. I've tested the resulting packages and everything looks good except for these dpkg warnings when doing a dist-upgrade to the new auditd package:

...
Preparing to replace auditd 1.7.18-1ubuntu1 (using .../auditd_1.7.18-1ubuntu2_amd64.deb) ...
Unpacking replacement auditd ...
dpkg: warning: unable to delete old directory '/etc/audit': Directory not empty
dpkg: warning: unable to delete old directory '/etc/audisp/plugins.d': Directory not empty
dpkg: warning: unable to delete old directory '/etc/audisp': Directory not empty
dpkg: warning: unable to delete old directory '/var/log/audit': Directory not empty
...

Those directories were moved from the auditd package to the auditd-common package. This is the first time that I've done a package split, so I'm not sure how serious those warnings are or how to fix them.

** Patch added: "audit_1.7.18-1ubuntu2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1026852/+attachment/3444387/+files/audit_1.7.18-1ubuntu2.debdiff

** Summary changed:

- [MIR] audit (pulls in libprelude and maybe libev)
+ [MIR] audit (pulls in libprelude)

** Description changed:

  This is a MIR to bring a portion of binary packages built from the audit source
- package into main. The binary packages of interest are:
- - auditd
+ package into main. The binary packages of interest (some of which are created by the attached debdiff for the audit package) are:
+ - auditd-common
+ - auditd-light
  - libaudit0
  - libaudit-dev
  - python-audit
  
  The binary packages that may remain in universe are:
+ - auditd
  - audispd-plugins
  - system-config-audit
  
  Availability:
  - Available in universe for all arches
  
  Rationale:
  - Discussed as part of the P and Q security catch all blueprints
    + https://blueprints.launchpad.net/ubuntu/+spec/security-p-catch-all
    + https://blueprints.launchpad.net/ubuntu/+spec/security-q-catch-all
  - libaudit0 is a build dependency of the Debian cron package
    + https://launchpad.net/bugs/878155
  - The audit log can already be used by AppArmor
    + http://wiki.apparmor.net/index.php/AppArmor_Failures#Messages_in_the_Log_files
  
  Security:
  - One CVE (CVE-2008-1628) in the project's history
  - Note that CVEs have been assigned for the kernel audit subsystem, but those are unrelated to the audit userspace code
  - Security risk involved since auditd is a daemon that runs as root
    + Implementing privilege dropping would not be trivial: http://www.redhat.com/archives/linux-audit/2009-October/msg00011.html
  - auditd can open up a port and listen for audit messages from remote machines
    + The default auditd.conf is *not* configured to open a port
    + auditd doesn't create a socket unless tcp_listen_port is set in auditd.conf (see auditd_tcp_listen_init() in src/auditd-listen.c)
    + The upstream build system does not allow disabling of the networking code
  - The audispd-plugins binary package contains functionality to send audit messages to remote machines but a main inclusion is not being requested for audispd-plugins
  
  Quality Assurance:
  - Basic audit logging works immediately after auditd package installation
  - The upstream maintainer is active on the mailing list
    + https://www.redhat.com/mailman/listinfo/linux-audit
  - The latest upstream release was on March 23, 2012
  - 4 "normal" bugs (one linked to a Debian bug) opened against Ubuntu audit source package
    + https://bugs.launchpad.net/ubuntu/+source/audit
  - 5 "normal" bugs opened against the Debian audit source package
    + http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=audit
  - 'make check' tests are enabled in the build
  - debian/watch exists
  
  UI Standards:
  - The only end-user application is in the system-config-audit binary package, which is not included in this MIR
  
  Dependencies:
- - Two build dependencies are not in main
+ - One build dependency is not in main
    + libprelude-dev binary and source package is in universe
-   + libev-dev binary and source package is in universe
+   + NOTE: libev-dev is a current Build-Dependency, but it is not required because
+     audit contains its own libev. The attached debdiff removes it from audit's
+     Build-Dependency list.
  - All relevant binary dependencies are in main
    + check-mir points out menu and chkconfig, but they are dependencies of system-config-audit, which is not included in this MIR
  
  Standards Compliance:
  - No lintian errors
  - 9 overridden lintian warnings due to non-standard file/dir permissions because config and log files are intentionally installed with restrictive file permissions due to the security-related nature of the package (see debian/auditd.lintian-overrides)
  
  Maintenance:
  - This is a relatively simple package that seems to be well maintained upstream and in Debian
  - Should not require a dedicated maintainer in Ubuntu

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1026852

Title:
  [MIR] audit (pulls in libprelude)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1026852/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
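The Security section of the description rests on one configuration fact: auditd only creates a listening socket when tcp_listen_port is set in auditd.conf, and the shipped default leaves it unset. The script below is an added example, not code from the bug report or the audit project; it checks an auditd.conf for an uncommented tcp_listen_port assignment, which is the check a reviewer would run before and after the package upgrade. The function names, the two sample configurations and their values are constructed for the example; only the key name and the default-disabled behaviour come from the description above.

```shell
#!/bin/sh
# Added example, not part of the bug report or the audit package. It checks the
# one configuration knob the MIR relies on: auditd only opens a TCP listener when
# tcp_listen_port is set in auditd.conf. Assumes the upstream "key = value"
# syntax with '#' comment lines; the sample configs below are constructed.

# Print the configured tcp_listen_port and return 0 if the listener is enabled;
# return 1 (printing nothing) if the key is absent, commented out, or empty.
auditd_listen_port() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Take the last uncommented assignment, as the daemon would see it.
    port=$(sed -n -E 's/^[[:space:]]*tcp_listen_port[[:space:]]*=[[:space:]]*([0-9]+).*$/\1/p' "$conf" | tail -n 1)
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Write a constructed sample auditd.conf to a temp file and print its path.
# "$1" is "listener" for a config that enables the port; anything else gives
# the default-style config where the key is present only as a comment.
write_sample_conf() {
    tmp=$(mktemp)
    if [ "$1" = "listener" ]; then
        printf '%s\n' \
            'log_file = /var/log/audit/audit.log' \
            'log_format = RAW' \
            'tcp_listen_port = 60' \
            'tcp_listen_queue = 5' >"$tmp"
    else
        printf '%s\n' \
            'log_file = /var/log/audit/audit.log' \
            'log_format = RAW' \
            '#tcp_listen_port = 60' >"$tmp"
    fi
    printf '%s\n' "$tmp"
}

# Summarise one config file in a single line.
report_conf() {
    if port=$(auditd_listen_port "$1"); then
        printf '%s: network listener ENABLED on tcp/%s\n' "$1" "$port"
    else
        printf '%s: network listener disabled\n' "$1"
    fi
}

default_conf=$(write_sample_conf default)
listener_conf=$(write_sample_conf listener)
report_conf "$default_conf"
report_conf "$listener_conf"
# On a real host, point it at the live file instead:
#   report_conf /etc/audit/auditd.conf
rm -f "$default_conf" "$listener_conf"
```

The sed expression ignores commented-out lines, so a stock configuration that ships `#tcp_listen_port = 60` is reported as disabled, while any live assignment of a port number is reported with the port. Because the upstream build cannot compile the listener out, this file-level check (together with confirming no auditd socket is bound) is what actually establishes that the daemon is not reachable over the network.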
