openEuler:Mainline
audit
We truncated the diff of some files because they were too big.
Changes of Revision 2
_service:tar_scm:audit.spec
Changed
@@ -1,7 +1,7 @@ Summary: User space tools for kernel auditing Name: audit Epoch: 1 -Version: 3.0.1 +Version: 3.0.9 Release: 2 License: GPLv2+ and LGPLv2+ URL: https://people.redhat.com/sgrubb/audit/ 
@@ -11,27 +11,10 @@ Patch0: bugfix-audit-support-armv7b.patch Patch1: bugfix-audit-userspace-missing-syscalls-for-aarm64.patch Patch2: bugfix-audit-reload-coredump.patch -Patch3: backport-Fix-the-default-location-for-zos-remote.conf-171.patch -Patch4: backport-Add-missing-call-to-free_interpretation_list.patch -Patch5: backport-fix-2-more-issues-found-by-fuzzing.patch -Patch6: backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch -Patch7: backport-Fix-double-free-with-corrupted-logs.patch -Patch8: backport-Fix-the-closing-timing-of-audit_fd-166.patch -Patch9: backport-Fix-some-string-length-issues.patch -Patch10: backport-Move-the-free_config-to-success-path.patch -Patch11: backport-Check-for-fuzzer-induced-invalid-value.patch -Patch12: backport-error-out-if-log-is-mangled.patch -Patch13: backport-Dont-run-off-the-end-with-corrupt-logs.patch -Patch14: backport-Another-hardening-measure-for-corrupted-logs.patch -Patch15: backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch -Patch16: backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch -Patch17: backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch -Patch18: backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch -Patch19: backport-Check-ctime-return-code.patch -Patch20: backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch -Patch21: backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch -Patch22: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch -Patch23: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch +Patch3: audit-Add-sw64-architecture.patch +Patch4: backport-audit-flex-array-workaround.patch +Patch5: backport-audit-undo-flex-array.patch +Patch6: backport-Try-to-interpret-OPENAT2-fields-correctly.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel 
@@ -105,8 +88,16 @@ %package_help %prep -%autosetup -n %{name}-%{version} -p1 +%setup -n %{name}-%{version} -q cp %{SOURCE1} . +cp /usr/include/linux/audit.h lib/ +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +#The patch5 will be patched after the installation phase +%patch6 -p1 autoreconf -f -i %build @@ -150,12 +141,16 @@ touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz +cur=`pwd` +cd $RPM_BUILD_ROOT +patch -p1 < %{PATCH5} +find . -name '*.orig' -delete +cd $cur + %delete_la %check -%ifarch %{golang_arches} make check -%endif rm -f rules/Makefile* %pre @@ -307,6 +302,7 @@ %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop +%attr(750,root,root) %{_libexecdir}/audit-functions %ghost %{_localstatedir}/run/auditd.state %attr(750,root,root) %dir %{_var}/log/audit %attr(750,root,root) %dir /etc/audit @@ -369,6 +365,21 @@ %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Fri Mar 24 2023 dongyuzhen <dongyuzhen@h-partners.com> - 1:3.0.9-2 +- backport patches from upstream + +* Thu Feb 2 2023 zhangguangzhi<zhangguangzhi3@huawei.com> - 1:3.0.9-1 +- update version to 3.0.9 + +* Mon Jan 16 2023 zhangguangzhi<zhangguangzhi3@huawei.com> - 1:3.0.1-5 +- backport patch adapt to kernel 6.1 + +* Wed Nov 23 2022 zhangguangzhi<zhangguangzhi3@huawei.com> - 1:3.0.1-4 +- del golang_arches for check + +* Tue Oct 18 2022 wuzx<wuzx1226@qq.com> - 3.0.1-3 +- add sw64 patch + * Sat Feb 12 2022 yixiangzhike <yixiangzhike007@163.com> - 3.0.1-2 - Fix failure of stopping auditd before uninstalling
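Review bot: Patch5 is applied in the install section with `patch -p1 < %{PATCH5}` inside `$RPM_BUILD_ROOT`, and the `find . -name '*.orig' -delete` that follows removes the backups GNU patch leaves when a hunk does not match exactly, so drift between the patch and the installed headers is hidden rather than reported. Run it with `--fuzz=0` so an inexact match fails the build. The same concern applies to `cp /usr/include/linux/audit.h lib/` in %prep: `BuildRequires` only asks for `kernel-headers >= 2.6.29`, so the file that Patch4 edits is whatever the build host ships. Separately, this revision drops Patch3 through Patch23, several of them fixes for corrupted-log handling in auparse and ausearch, while the changelog entry says only "update version to 3.0.9"; record there that each dropped backport is contained in 3.0.9. The `3.0.1-3` changelog entry also lacks the `1:` epoch that the entries above it carry.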
_service:tar_scm:audit-Add-sw64-architecture.patch
Added
@@ -0,0 +1,113 @@ +From df547703bb90026dcff152e64bc55503ad26d815 Mon Sep 17 00:00:00 2001 +From: wuzx <wuzx1226@qq.com> +Date: Fri, 18 Nov 2022 13:19:49 +0800 +Subject: PATCH Add sw64 architecture + +Add sw64 architecture in file bindings/swig/python/audit.py config.guess config.sub lib/libaudit.h src/libev/ev.c and tools/ausyscall/ausyscall.c to support sw64 architecture. + +Signed-off-by: wuzx <wuzx1226@qq.com> +--- + bindings/swig/python/audit.py | 1 + + config.guess | 8 ++++++++ + config.sub | 1 + + lib/libaudit.h | 1 + + src/libev/ev.c | 3 +++ + tools/ausyscall/ausyscall.c | 6 ++++++ + 6 files changed, 20 insertions(+) + +diff --git a/bindings/swig/python/audit.py b/bindings/swig/python/audit.py +index 69631a7..14fa89b 100644 +--- a/bindings/swig/python/audit.py ++++ b/bindings/swig/python/audit.py +@@ -607,6 +607,7 @@ MACH_PPC = _audit.MACH_PPC + MACH_S390X = _audit.MACH_S390X + MACH_S390 = _audit.MACH_S390 + MACH_ALPHA = _audit.MACH_ALPHA ++MACH_SW_64 = _audit.MACH_SW_64 + MACH_ARM = _audit.MACH_ARM + MACH_AARCH64 = _audit.MACH_AARCH64 + MACH_PPC64LE = _audit.MACH_PPC64LE +diff --git a/config.guess b/config.guess +index b33c9e8..69e3005 100755 +--- a/config.guess ++++ b/config.guess +@@ -976,6 +976,14 @@ EOF + UNAME_MACHINE=aarch64_be + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; ++ sw_64:Linux:*:*) ++ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in ++ sw) UNAME_MACHINE=sw_64 ;; ++ esac ++ objdump --private-headers /bin/sh | grep -q ld.so.1 ++ if test "$?" 
= 0 ; then LIBC=gnulibc1 ; fi ++ GUESS=$UNAME_MACHINE-sunway-linux-$LIBC ++ ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in + EV5) UNAME_MACHINE=alphaev5 ;; +diff --git a/config.sub b/config.sub +index b51fb8c..76babe9 100755 +--- a/config.sub ++++ b/config.sub +@@ -1157,6 +1157,7 @@ case $cpu-$vendor in + | a29k \ + | aarch64 | aarch64_be \ + | abacus \ ++ | sw_64 \ + | alpha | alphaev4-8 | alphaev56 | alphaev678 \ + | alpha64 | alpha64ev4-8 | alpha64ev56 | alpha64ev678 \ + | alphapca567 | alpha64pca567 \ +diff --git a/lib/libaudit.h b/lib/libaudit.h +index 3a8e8c8..16af222 100644 +--- a/lib/libaudit.h ++++ b/lib/libaudit.h +@@ -561,6 +561,7 @@ typedef enum { + MACH_S390X, + MACH_S390, + MACH_ALPHA, // Deprecated but has to stay ++ MACH_SW_64, // Deprecated but has to stay + MACH_ARM, + MACH_AARCH64, + MACH_PPC64LE +diff --git a/src/libev/ev.c b/src/libev/ev.c +index 5ff936c..72765b5 100644 +--- a/src/libev/ev.c ++++ b/src/libev/ev.c +@@ -828,6 +828,8 @@ struct signalfd_siginfo + #define ECB_MEMORY_FENCE __asm__ __volatile__ (".set mips2; sync; .set mips0" : : : "memory") + #elif defined __alpha__ + #define ECB_MEMORY_FENCE __asm__ __volatile__ ("mb" : : : "memory") ++ #elif defined __sw_64__ ++ #define ECB_MEMORY_FENCE __asm__ __volatile__ ("memb" : : : "memory") + #elif defined __hppa__ + #define ECB_MEMORY_FENCE __asm__ __volatile__ ("" : : : "memory") + #define ECB_MEMORY_FENCE_RELEASE __asm__ __volatile__ ("") +@@ -1550,6 +1552,7 @@ ecb_binary32_to_binary16 (uint32_t x) + || defined __s390__ || defined __s390x__ \ + || defined __mips__ \ + || defined __alpha__ \ ++ || defined __sw_64__ \ + || defined __hppa__ \ + || defined __ia64__ \ + || defined __m68k__ \ +diff --git a/tools/ausyscall/ausyscall.c b/tools/ausyscall/ausyscall.c +index 4fb8f09..206e9ff 100644 +--- a/tools/ausyscall/ausyscall.c ++++ b/tools/ausyscall/ausyscall.c +@@ -73,6 +73,12 @@ int main(int argc, char *argv) + } else if (strcmp("ia64", 
argvi) == 0) { + fputs("IA64 processor support is deprecated\n", + stderr); ++#ifndef WITH_SW_64 ++ } else if (strcmp("sw_64", argvi) == 0) { ++ fputs("Sw_64 eabi processor support is not enabled\n", ++ stderr); ++ exit(1); ++#endif + #ifndef WITH_ARM + } else if (strcmp("arm", argvi) == 0) { + fputs("Arm eabi processor support is not enabled\n", +-- +2.33.0 +
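Review bot: In the lib/libaudit.h hunk, `MACH_SW_64` is inserted between `MACH_ALPHA` and `MACH_ARM`, which renumbers `MACH_ARM`, `MACH_AARCH64` and `MACH_PPC64LE` for every consumer of this public enum, including the constants exported in bindings/swig/python/audit.py; append the new value after the last existing enumerator instead. The comment `// Deprecated but has to stay` was copied from the alpha line and does not describe a newly added architecture. In tools/ausyscall/ausyscall.c the new branch is guarded by `#ifndef WITH_SW_64`, but none of the six files in the diffstat defines that macro, so unless it is passed in from outside, `ausyscall sw_64` always exits with "not enabled"; the message also carries "eabi" over from the Arm text. The patch header should state how `WITH_SW_64` is meant to be set.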
_service:tar_scm:backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch
Deleted
@@ -1,32 +0,0 @@ -From d62c38a55520e58220d8e42497c4ab343185106f Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Thu, 28 Oct 2021 13:22:24 -0400 -Subject: PATCH 2237/2246 In auditd, close the logging file descriptor when - logging is suspended - ---- - src/auditd-event.c | 8 ++++++++ - 1 files changed, 8 insertions(+) - -diff --git a/src/auditd-event.c b/src/auditd-event.c -index f886b67..4dee990 100644 ---- a/src/auditd-event.c -+++ b/src/auditd-event.c -@@ -723,6 +723,14 @@ static void check_log_file_size(void) - case SZ_SUSPEND: - audit_msg(LOG_ERR, - "Audit daemon is suspending logging due to logfile size."); -+ // We need to close the file so that manual -+ // intervention can move or delete the file. -+ // We don't want to keep logging to a deleted -+ // file. -+ if (log_file) -+ fclose(log_file); -+ log_file = NULL; -+ log_fd = -1; - logging_suspended = 1; - break; - case SZ_ROTATE: --- -1.8.3.1 -
_service:tar_scm:backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch
Deleted
@@ -1,59 +0,0 @@ -From 770e4f538103f8a055f46c04a9e2514f88f175c3 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Mon, 1 Nov 2021 08:29:56 -0400 -Subject: PATCH 2244/2246 In auditd, close the logging file descriptor when - logging is suspended - ---- - src/auditd-event.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/src/auditd-event.c b/src/auditd-event.c -index 4a0a351..e88ef6e 100644 ---- a/src/auditd-event.c -+++ b/src/auditd-event.c -@@ -861,6 +861,13 @@ static void do_space_left_action(int admin) - case FA_SUSPEND: - audit_msg(LOG_ALERT, - "Audit daemon is suspending logging due to low disk space."); -+ // We need to close the file so that manual -+ // intervention can move or delete the file. We -+ // don't want to keep logging to a deleted file. -+ if (log_file) -+ fclose(log_file); -+ log_file = NULL; -+ log_fd = -1; - logging_suspended = 1; - break; - case FA_SINGLE: -@@ -909,6 +916,13 @@ static void do_disk_full_action(void) - case FA_SUSPEND: - audit_msg(LOG_ALERT, - "Audit daemon is suspending logging due to no space left on logging partition."); -+ // We need to close the file so that manual -+ // intervention can move or delete the file. We -+ // don't want to keep logging to a deleted file. -+ if (log_file) -+ fclose(log_file); -+ log_file = NULL; -+ log_fd = -1; - logging_suspended = 1; - break; - case FA_SINGLE: -@@ -957,6 +971,13 @@ static void do_disk_error_action(const char *func, int err) - case FA_SUSPEND: - audit_msg(LOG_ALERT, - "Audit daemon is suspending logging due to previously mentioned write error"); -+ // We need to close the file so that manual -+ // intervention can move or delete the file. We -+ // don't want to keep logging to a deleted file. -+ if (log_file) -+ fclose(log_file); -+ log_file = NULL; -+ log_fd = -1; - logging_suspended = 1; - break; - case FA_SINGLE: --- -1.8.3.1 -
_service:tar_scm:backport-Add-missing-call-to-free_interpretation_list.patch
Deleted
@@ -1,30 +0,0 @@ -From a9668df44bd635d40b6e7b4db2d12e5cf91c8013 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Thu, 5 Aug 2021 09:54:44 -0400 -Subject: PATCH Add missing call to free_interpretation_list - ---- - auparse/auparse.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/auparse/auparse.c b/auparse/auparse.c -index ee3c97b..18f1127 100644 ---- a/auparse/auparse.c -+++ b/auparse/auparse.c -@@ -1,5 +1,5 @@ - /* auparse.c -- -- * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. -+ * Copyright 2006-08,2012-19,21 Red Hat Inc. - * All Rights Reserved. - * - * This library is free software; you can redistribute it and/or -@@ -2014,6 +2014,7 @@ const char *auparse_find_field_next(auparse_state_t *au) - r = aup_list_next(au->le); - if (r) { - aup_list_first_field(au->le); -+ free_interpretation_list(); - load_interpretation_list(r->interp); - } - } --- -
_service:tar_scm:backport-Another-hardening-measure-for-corrupted-logs.patch
Deleted
@@ -1,85 +0,0 @@ -From ab8f522953a56c860cac2cca2a7d7874419111d5 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Sat, 7 Aug 2021 13:13:19 -0400 -Subject: PATCH 2198/2246 Another hardening measure for corrupted logs - ---- - src/ausearch-lookup.c | 3 +++ - src/ausearch-parse.c | 25 +++++++++++++++---------- - 2 files changed, 18 insertions(+), 10 deletions(-) - -diff --git a/src/ausearch-lookup.c b/src/ausearch-lookup.c -index e27c784..dd58c36 100644 ---- a/src/ausearch-lookup.c -+++ b/src/ausearch-lookup.c -@@ -300,6 +300,9 @@ char *unescape(const char *buf) - while (isxdigit(*ptr)) - ptr++; - } -+ if ((ptr - buf) == 0) -+ return NULL; -+ - str = strndup(buf, ptr - buf); - - if (*buf == '(') -diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c -index d051137..78dc44c 100644 ---- a/src/ausearch-parse.c -+++ b/src/ausearch-parse.c -@@ -1658,12 +1658,21 @@ static int parse_sockaddr(const lnode *n, search_items *s) - if (event_hostname || event_filename) { - str = strstr(n->message, "saddr="); - if (str) { -- int len; -+ unsigned int len = 0; - struct sockaddr *saddr; - char nameNI_MAXHOST; - - str += 6; -- len = strlen(str)/2; -+ const char *ptr = str; -+ if (*ptr == '(') { -+ const char *ptr2 = strchr(ptr, ')'); -+ if (ptr2) -+ len = (ptr2 - ptr) + 1; -+ } else { -+ while (isxdigit(ptrlen)) -+ len++; -+ len /= 2; -+ } - s->hostname = unescape(str); - if (s->hostname == NULL) - return 4; -@@ -1683,17 +1692,13 @@ static int parse_sockaddr(const lnode *n, search_items *s) - } - len = sizeof(struct sockaddr_in6); - } else if (saddr->sa_family == AF_UNIX) { -- struct sockaddr_un *un = -- (struct sockaddr_un *)saddr; -- if (un->sun_path0) -- len = strlen(un->sun_path); -- else // abstract name -- len = strlen(&un->sun_path1); -- if (len == 0) { -+ if (len < 4) { - fprintf(stderr, - "sun_path len too short\n"); - return 3; - } -+ struct sockaddr_un *un = -+ (struct sockaddr_un *)saddr; - if (event_filename) { - if (!s->filename) { - //create -@@ 
-1736,7 +1741,7 @@ static int parse_sockaddr(const lnode *n, search_items *s) - s->hostname = NULL; - return 0; - } -- if (getnameinfo(saddr, len, name, NI_MAXHOST, -+ if (getnameinfo(saddr, len, name, NI_MAXHOST, - NULL, 0, NI_NUMERICHOST) ) { - free(s->hostname); - s->hostname = NULL; --- -1.8.3.1 -
_service:tar_scm:backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch
Deleted
@@ -1,31 +0,0 @@ -From ad62fa01c7a963c56bac75d8f7db6a5c76be4655 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Sat, 7 Aug 2021 13:59:40 -0400 -Subject: PATCH 2200/2246 Better fix for busy loop in normalizer when logs - are corrupt - ---- - auparse/normalize.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/auparse/normalize.c b/auparse/normalize.c -index cd0a7c2..0ccabc5 100644 ---- a/auparse/normalize.c -+++ b/auparse/normalize.c -@@ -346,10 +346,11 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall) - if ((strcmp(str, "unset") == 0) && errno == 0) { - // Only move it if its safe to - if (cnt < limit) { -- auparse_next_field(au); -+ if (auparse_next_field(au) == 0) -+ return; - cnt++; - } else -- break; -+ return; - } else - break; - } --- -1.8.3.1 -
_service:tar_scm:backport-Check-ctime-return-code.patch
Deleted
@@ -1,47 +0,0 @@ -From fd76e380ea117000d9d350405e2cfbd070c5c01a Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Sat, 21 Aug 2021 10:18:30 -0400 -Subject: PATCH 2213/2246 Check ctime return code - ---- - tools/aulast/aulast.c | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - -diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c -index c513aac..8a25f3b 100644 ---- a/tools/aulast/aulast.c -+++ b/tools/aulast/aulast.c -@@ -96,8 +96,11 @@ static void report_session(lnode* cur) - int mins, hours, days; - if (notime) - printf("- %-7.5s", " "); -- else -- printf("- %-7.5s", ctime(&cur->end) + 11); -+ else { -+ char *ttime = ctime(&cur->end); -+ printf("- %-7.5s", ttime ? ttime + 11 : -+ "bad value"); -+ } - secs = cur->end - cur->start; - mins = (secs / 60) % 60; - hours = (secs / 3600) % 24; -@@ -128,10 +131,13 @@ static void report_session(lnode* cur) - strftime(start, sizeof(start), "%x %T", btm); - if (cur->end != 0) { - btm = localtime(&cur->end); -- strftime(end, sizeof(end), "%x %T", btm); -- printf(" ausearch --start %s --end %s", -- start, end); -+ if (btm) { -+ strftime(end, sizeof(end), "%x %T", btm); -+ printf(" ausearch --start %s --end %s", -+ start, end); -+ } else goto no_end; - } else { -+no_end: - printf(" ausearch --start %s", start); - } - if (cur->name == NULL) --- -1.8.3.1 -
_service:tar_scm:backport-Check-for-fuzzer-induced-invalid-value.patch
Deleted
@@ -1,26 +0,0 @@ -From a3db7a4f849f52105b13fa412e64fc76c6b2895b Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Thu, 5 Aug 2021 21:51:33 -0400 -Subject: PATCH 2182/2246 Check for fuzzer induced invalid value - ---- - auparse/ellist.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/auparse/ellist.c b/auparse/ellist.c -index 17384a7..175e44e 100644 ---- a/auparse/ellist.c -+++ b/auparse/ellist.c -@@ -151,6 +151,9 @@ static int parse_up_record(rnode* r) - n.val = strdup(val); - // Remove trailing punctuation - len = strlen(n.val); -+ // Check for invalid val -+ if (!len) -+ continue; - if (len && n.vallen-1 == ':') { - n.vallen-1 = 0; - len--; --- -1.8.3.1 -
_service:tar_scm:backport-Dont-run-off-the-end-with-corrupt-logs.patch
Deleted
@@ -1,43 +0,0 @@ -From 50c65ae25e64b7bd4489ce22a4c7789fa9a81f2f Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Sat, 7 Aug 2021 11:33:20 -0400 -Subject: PATCH 2197/2246 Dont run off the end with corrupt logs - ---- - src/ausearch-parse.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c -index 81ef319..d051137 100644 ---- a/src/ausearch-parse.c -+++ b/src/ausearch-parse.c -@@ -1031,7 +1031,7 @@ static int parse_user(const lnode *n, search_items *s, anode *avc) - if (str) { - str += 5; - term = str; -- while (*term != ' ' && *term != ':') -+ while (*term != ' ' && *term != ':' && *term) - term++; - if (term == str) - return 24; -@@ -1244,7 +1244,7 @@ skip: - char *end = str; - int legacy = 0; - -- while (*end != ' ') { -+ while (*end != ' ' && *end) { - if (!isxdigit(*end)) { - legacy = 1; - } -@@ -1295,7 +1295,7 @@ skip: - char *end = str; - int legacy = 0; - -- while (*end != ' ') { -+ while (*end != ' ' && *end) { - if (!isxdigit(*end)) { - legacy = 1; - } --- -1.8.3.1 -
_service:tar_scm:backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch
Deleted
@@ -1,35 +0,0 @@ -From 16246878c503d7395ae668817bf629e05361fec5 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Thu, 29 Jul 2021 18:39:22 -0400 -Subject: PATCH Fix an auparse memory leak caused in recent glibc - ---- - auparse/interpret.c | 4 ++++- - 1 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/auparse/interpret.c b/auparse/interpret.c -index 2813acb..33c173e 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -50,6 +50,7 @@ - #include <sys/personality.h> - #include <sys/prctl.h> - #include <sched.h> -+#include <limits.h> /* PATH_MAX */ - #ifdef USE_FANOTIFY - #include <linux/fanotify.h> - #else -@@ -865,8 +866,10 @@ static const char *print_escaped_ext(const idata *id) - str1 = NULL; - } - errno = 0; -- out = realpath(str3, NULL); -+ out = malloc(PATH_MAX); -+ realpath(str3, out); - if (errno) { // If there's an error, just return the original -+ free(out); - free(str1); - free(str2); - return str3; --- -
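Review bot: In `print_escaped_ext`, the buffer from `malloc(PATH_MAX)` is passed to `realpath` without a NULL check, and failure is inferred from `errno` while the return value of `realpath` is discarded. As this backport file is being dropped, confirm that the 3.0.9 version of the function tests the `realpath` return value and frees `out` on the failure path.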
_service:tar_scm:backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch
Deleted
@@ -1,26 +0,0 @@ -From 2b34fea50a9f6a65dd51a2b7abf67e6f19c8d1f5 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Sat, 7 Aug 2021 13:51:30 -0400 -Subject: PATCH 2199/2246 Fix busy loop in normalizer when logs are corrupt - ---- - auparse/normalize.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/auparse/normalize.c b/auparse/normalize.c -index 99f9803..cd0a7c2 100644 ---- a/auparse/normalize.c -+++ b/auparse/normalize.c -@@ -348,7 +348,8 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall) - if (cnt < limit) { - auparse_next_field(au); - cnt++; -- } -+ } else -+ break; - } else - break; - } --- -1.8.3.1 -
_service:tar_scm:backport-Fix-double-free-with-corrupted-logs.patch
Deleted
@@ -1,36 +0,0 @@ -From 0177e03f0809da0007f09504b789eba4b8cbe739 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Fri, 6 Aug 2021 17:03:41 -0400 -Subject: PATCH Fix double free with corrupted logs - ---- - src/ausearch-parse.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c -index 9ee4a4f..cb7d481 100644 ---- a/src/ausearch-parse.c -+++ b/src/ausearch-parse.c -@@ -420,8 +420,10 @@ try_again: - str = strstr(term, "comm="); - if (str) { - /* Make the syscall one override */ -- if (s->comm) -+ if (s->comm) { - free(s->comm); -+ s->comm = NULL; -+ } - str += 5; - if (*str == '"') { - str++; -@@ -431,7 +433,7 @@ try_again: - *term = 0; - s->comm = strdup(str); - *term = '"'; -- } else -+ } else - s->comm = unescape(str); - } else - return 38; --- -
_service:tar_scm:backport-Fix-some-string-length-issues.patch
Deleted
@@ -1,64 +0,0 @@ -From 39f868fef95f95786358bc3690a327d4f11d2d43 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Thu, 3 Jun 2021 16:18:36 -0400 -Subject: PATCH 2084/2246 Fix some string length issues - -In interpret, fix the size so that we need to size it again later if new -strings get added. The ausearch/report issues have the size information -available, so FORTIFY_SOURCE should keep things in check. ---- - auparse/interpret.c | 2 +- - src/aureport.c | 4 ++-- - src/ausearch.c | 4 ++-- - 3 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/auparse/interpret.c b/auparse/interpret.c -index e22cae7..5d6f31a 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -1242,7 +1242,7 @@ static const char *print_flags(const char *val) - { - int flags, cnt = 0; - size_t i; -- char *out, buf80; -+ char *out, bufsizeof(flag_strings); - - errno = 0; - flags = strtoul(val, NULL, 16); -diff --git a/src/aureport.c b/src/aureport.c -index d0251a4..22618f0 100644 ---- a/src/aureport.c -+++ b/src/aureport.c -@@ -168,10 +168,10 @@ static int process_logs(void) - int num = 0; - - if (user_file && userfile_is_dir) { -- char dirnameMAXPATHLEN; -+ char dirnameMAXPATHLEN+1; - clear_config (&config); - -- strcpy(dirname, user_file); -+ strncpy(dirname, user_file, MAXPATHLEN-32); - if (dirnamestrlen(dirname)-1 != '/') - strcat(dirname, "/"); - strcat (dirname, "audit.log"); -diff --git a/src/ausearch.c b/src/ausearch.c -index 97f89bf..768807e 100644 ---- a/src/ausearch.c -+++ b/src/ausearch.c -@@ -228,10 +228,10 @@ static int process_logs(void) - int ret; - - if (user_file && userfile_is_dir) { -- char dirnameMAXPATHLEN; -+ char dirnameMAXPATHLEN+1; - clear_config (&config); - -- strcpy(dirname, user_file); -+ strncpy(dirname, user_file, MAXPATHLEN-32); - if (dirnamestrlen(dirname)-1 != '/') - strcat(dirname, "/"); - strcat (dirname, "audit.log"); --- -1.8.3.1 -
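Review bot: In the src/aureport.c and src/ausearch.c hunks, `strncpy(dirname, user_file, MAXPATHLEN-32)` does not write a terminating NUL when `user_file` is `MAXPATHLEN-32` bytes or longer, and the next lines call `strlen(dirname)` and `strcat` on that buffer. With this backport file removed, check that `process_logs` in the 3.0.9 sources terminates `dirname` explicitly before the `strcat` calls, or rejects an over-long `user_file` up front.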
_service:tar_scm:backport-Fix-the-closing-timing-of-audit_fd-166.patch
Deleted
@@ -1,28 +0,0 @@ -From 72996b1821b5dbd22f5e08c477660a75a38e4414 Mon Sep 17 00:00:00 2001 -From: MIZUTA Takeshi <mizuta.takeshi@fujitsu.com> -Date: Wed, 14 Apr 2021 20:08:17 +0900 -Subject: PATCH 2048/2246 Fix the closing timing of audit_fd (#166) - ---- - lib/netlink.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/netlink.c b/lib/netlink.c -index 9525b8d..f7cbeb0 100644 ---- a/lib/netlink.c -+++ b/lib/netlink.c -@@ -64,10 +64,10 @@ int audit_open(void) - } - if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { - saved_errno = errno; -- close(fd); - audit_msg(LOG_ERR, - "Error setting audit netlink socket CLOEXEC flag (%s)", - strerror(errno)); -+ close(fd); - errno = saved_errno; - return -1; - } --- -1.8.3.1 -
_service:tar_scm:backport-Fix-the-default-location-for-zos-remote.conf-171.patch
Deleted
@@ -1,37 +0,0 @@ -From ea21005f1abba62ed4acd7432c6e721504909511 Mon Sep 17 00:00:00 2001 -From: Pythoner <yixiangzhike007@163.com> -Date: Mon, 19 Apr 2021 14:10:14 -0500 -Subject: PATCH 2052/2052 Fix the default location for zos-remote.conf (#171) - ---- - audisp/plugins/zos-remote/audispd-zos-remote.conf | 2 +- - docs/zos-remote.conf.5 | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/audisp/plugins/zos-remote/audispd-zos-remote.conf b/audisp/plugins/zos-remote/audispd-zos-remote.conf -index 13aef2c..eda199e 100644 ---- a/audisp/plugins/zos-remote/audispd-zos-remote.conf -+++ b/audisp/plugins/zos-remote/audispd-zos-remote.conf -@@ -10,5 +10,5 @@ active = no - direction = out - path = /sbin/audispd-zos-remote - type = always --args = /etc/audisp/zos-remote.conf -+args = /etc/audit/zos-remote.conf - format = string -diff --git a/docs/zos-remote.conf.5 b/docs/zos-remote.conf.5 -index 4bf504d..7ee92e3 100644 ---- a/docs/zos-remote.conf.5 -+++ b/docs/zos-remote.conf.5 -@@ -26,7 +26,7 @@ zos\-remote.conf \- the audisp-racf plugin configuration file - controls the configuration for the - .BR audispd\-zos\-remote (8) - Audit dispatcher plugin. The default location for this file is --.IR /etc/audisp/zos\-remote.conf , -+.IR /etc/audit/zos\-remote.conf , - however, a different file can be specified as the first argument to the - .B audispd\-zos\-remote - plugin. See --- -1.8.3.1 -
_service:tar_scm:backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch
Deleted
@@ -1,135 +0,0 @@ -From 6531c7dfb832ea245d8004662ea7c4e90107c0df Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Wed, 11 Aug 2021 15:10:18 -0400 -Subject: PATCH 2207/2246 In auditd, check if log_file is valid before - closing handle - ---- - src/auditd-event.c | 44 +++++++++++++++++++++++++++++++---------------- - 1 files changed, 29 insertions(+), 15 deletions(-) - -diff --git a/src/auditd-event.c b/src/auditd-event.c -index 3655726..788c44a 100644 ---- a/src/auditd-event.c -+++ b/src/auditd-event.c -@@ -71,7 +71,7 @@ static void init_flush_thread(void); - /* Local Data */ - static struct daemon_conf *config; - static volatile int log_fd; --static FILE *log_file; -+static FILE *log_file = NULL; - static unsigned int disk_err_warning = 0; - static int fs_space_warning = 0; - static int fs_admin_space_warning = 0; -@@ -174,7 +175,8 @@ int init_event(struct daemon_conf *conf) - format_buf = (char *)malloc(FORMAT_BUF_LEN); - if (format_buf == NULL) { - audit_msg(LOG_ERR, "No memory for formatting, exiting"); -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - return 1; - } -@@ -212,7 +214,8 @@ static void *flush_thread_main(void *arg) - flush = 0; - pthread_mutex_unlock(&flush_lock); - -- fsync(log_fd); -+ if (log_fd >= 0) -+ fsync(log_fd); - } - return NULL; - } -@@ -589,7 +592,8 @@ void handle_event(struct auditd_event *e) - if (config->daemonize == D_BACKGROUND) { - if (config->flush == FT_INCREMENTAL) { - /* EIO is only likely failure */ -- if (fsync(log_fd) != 0) { -+ if (log_fd >= 0 && -+ fsync(log_fd) != 0) { - do_disk_error_action( - "fsync", - errno); -@@ -744,6 +748,9 @@ static void check_space_left(void) - int rc; - struct statfs buf; - -+ if (log_fd < 0) -+ return; -+ - rc = fstatfs(log_fd, &buf); - if (rc == 0) { - if (buf.f_bavail < 5) { -@@ -831,7 +838,8 @@ static void do_space_left_action(int admin) - case FA_EXEC: - // Close the logging file in case the script zips or - // moves the file. 
We'll reopen in sigusr2 handler -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - log_fd = -1; - logging_suspended = 1; -@@ -881,7 +889,8 @@ static void do_disk_full_action(void) - case FA_EXEC: - // Close the logging file in case the script zips or - // moves the file. We'll reopen in sigusr2 handler -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - log_fd = -1; - logging_suspended = 1; -@@ -928,7 +937,8 @@ static void do_disk_error_action(const char *func, int err) - case FA_EXEC: - // Close the logging file in case the script zips or - // moves the file. We'll reopen in sigusr2 handler -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - log_fd = -1; - logging_suspended = 1; -@@ -1053,17 +1063,21 @@ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs) - /* Close audit file. fchmod and fchown errors are not fatal because we - * already adjusted log file permissions and ownership when opening the - * log file. */ -- if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR) < 0){ -- audit_msg(LOG_WARNING, "Couldn't change permissions while " -+ if (log_fd >= 0) { -+ if (fchmod(log_fd, config->log_group ? 
S_IRUSR|S_IRGRP : -+ S_IRUSR) < 0){ -+ audit_msg(LOG_WARNING, "Couldn't change permissions while " - "rotating log file (%s)", strerror(errno)); -- } -- if (fchown(log_fd, 0, config->log_group) < 0) { -- audit_msg(LOG_WARNING, "Couldn't change ownership while " -+ } -+ if (fchown(log_fd, 0, config->log_group) < 0) { -+ audit_msg(LOG_WARNING, "Couldn't change ownership while " - "rotating log file (%s)", strerror(errno)); -+ } - } -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; -- -+ - /* Rotate */ - len = strlen(config->log_file) + 16; - oldname = (char *)malloc(len); -@@ -1470,7 +1484,8 @@ static void reconfigure(struct auditd_event *e) - free((void *)nconf->log_file); - - if (need_reopen) { -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - fix_disk_permissions(); - if (open_audit_log()) { --- -1.8.3.1 -
_service:tar_scm:backport-Move-the-free_config-to-success-path.patch
Deleted
@@ -1,28 +0,0 @@ -From d89e5647d9e090f45146c144d920bd1f686a8230 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Thu, 15 Jul 2021 11:36:17 -0400 -Subject: PATCH 2163/2246 Move the free_config to success path - ---- - src/auditd.c | 4 +++--- - 1 file changed, 3 insertions(+), 1 deletions(-) - -diff --git a/src/auditd.c b/src/auditd.c -index ca69d3b..5478cc4 100644 ---- a/src/auditd.c -+++ b/src/auditd.c -@@ -457,8 +457,10 @@ static int become_daemon(void) - return -1; - - /* Success - die a happy death */ -- if (status == SUCCESS) -+ if (status == SUCCESS) { -+ free_config(&config); - _exit(0); -+ } - return -1; - } - --- -1.8.3.1 -
_service:tar_scm:backport-Try-to-interpret-OPENAT2-fields-correctly.patch
Added
@@ -0,0 +1,75 @@ +From 83214d7469274dbd60959e32f6c26dda016de048 Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Wed, 8 Feb 2023 13:45:32 -0500 +Subject: PATCH Try to interpret OPENAT2 fields correctly + +Conflict: delete ChangeLog +Reference:https://github.com/linux-audit/audit-userspace/commit/83214d7469274dbd60959e32f6c26dda016de048 +--- + auparse/interpret.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/auparse/interpret.c b/auparse/interpret.c +index 373851f..4d2f0d4 100644 +--- a/auparse/interpret.c ++++ b/auparse/interpret.c +@@ -1490,15 +1490,15 @@ static const char *print_success(const char *val) + return strdup(val); + } + +-static const char *print_open_flags(const char *val) ++static const char *print_open_flags(const char *val, int base) + { + size_t i; +- unsigned int flags; ++ unsigned long flags; + int cnt = 0; + char *out, bufsizeof(open_flag_strings)+OPEN_FLAG_NUM_ENTRIES+1; + + errno = 0; +- flags = strtoul(val, NULL, 16); ++ flags = strtoul(val, NULL, base); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; +@@ -2504,10 +2504,10 @@ static const char *print_a1(const char *val, const idata *id) + else if (strcmp(sys, "mknod") == 0) + return print_mode(val, 16); + else if (strcmp(sys, "mq_open") == 0) +- return print_open_flags(val); ++ return print_open_flags(val, 16); + } + else if (strcmp(sys, "open") == 0) +- return print_open_flags(val); ++ return print_open_flags(val, 16); + else if (strcmp(sys, "access") == 0) + return print_access(val); + else if (strcmp(sys, "epoll_ctl") == 0) +@@ -2581,11 +2581,11 @@ static const char *print_a2(const char *val, const idata *id) + goto normal; + } else if (*sys == 'o') { + if (strcmp(sys, "openat") == 0) +- return print_open_flags(val); ++ return print_open_flags(val, 16); + if ((strcmp(sys, "open") == 0) && (id->a1 & O_CREAT)) + return print_mode_short(val, 16); + if (strcmp(sys, "open_by_handle_at") == 0) 
+- return print_open_flags(val); ++ return print_open_flags(val, 16); + } else if (*sys == 'f') { + if (strcmp(sys, "fchmodat") == 0) + return print_mode_short(val, 16); +@@ -3256,8 +3256,8 @@ unknown: + case AUPARSE_TYPE_SECCOMP: + out = print_seccomp_code(id->val); + break; +- case AUPARSE_TYPE_OFLAG: +- out = print_open_flags(id->val); ++ case AUPARSE_TYPE_OFLAG: // AUDIT_OPENAT2,MQ_OPEN ++ out = print_open_flags(id->val, 0); + break; + case AUPARSE_TYPE_MMAP: + out = print_mmap(id->val); +-- +2.33.0 +
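Review bot: In the AUPARSE_TYPE_OFLAG case, print_open_flags(id->val, 0) lets strtoul choose the base from the field text, so a value with a leading 0 and no 0x prefix is read as octal and one with neither is read as decimal. The comment naming AUDIT_OPENAT2,MQ_OPEN should state which textual form each of those record types emits, so a reader can see why base 0 is correct there while every syscall-argument caller keeps 16. The call also still passes NULL as endptr, so a field with no leading digits can convert to 0 without errno being set and the errno test will not catch it; consider checking endptr as well now that the base is caller-supplied.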
View file
_service:tar_scm:backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch
Deleted
@@ -1,27 +0,0 @@ -From ce58837d44b7d9fcb4e140c23f68e0c94d95ab6e Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Sat, 21 Aug 2021 10:20:11 -0400 -Subject: PATCH 2214/2246 When interpreting, if val is NULL return an empty - string - ---- - auparse/interpret.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/auparse/interpret.c b/auparse/interpret.c -index 177ab82..63829aa 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -840,6 +840,9 @@ static char *print_escaped(const char *val) - { - char *out; - -+ if (val == NULL) -+ return strdup(" "); -+ - if (*val == '"') { - char *term; - val++; --- -1.8.3.1 -
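Review bot: The check added to print_escaped returns strdup(" "), a one-space string, while the subject line says an empty string is returned. Callers that compare against "" or test the first byte will see the difference, so either the code should return strdup("") or the description should say "a single space". Since this backport is being dropped, confirm that the 3.0.9 tarball carries the same NULL guard before relying on the removal.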
View file
_service:tar_scm:backport-audit-flex-array-workaround.patch
Added
@@ -0,0 +1,47 @@ +commit 0d31f225faef8da3fcd0f69f6544aa274102fe53 +Author: Steve Grubb <sgrubb@redhat.com> +Date: Wed Feb 23 14:24:50 2022 -0500 +Subject: workaround a kernel change that breaks the build + +--- + bindings/swig/src.auditswig.i | 2 +- + lib/audit.h | 2 +- + lib/libaudit.h | 2 +- + 3 files changed, 3 insertions(+)m 3 deletions(-) + +diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i +--- a/bindings/swig/src/auditswig.i ++++ b/bindings/swig/src/auditswig.i +@@ -39,7 +39,7 @@ signed + #define __attribute(X) /*nothing*/ + typedef unsigned __u32; + typedef unsigned uid_t; +-%include "/usr/include/linux/audit.h" ++%include "../lib/audit.h" + #define __extension__ /*nothing*/ + %include <stdint.i> + %include "../lib/libaudit.h" +diff --git a/lib/audit.h b/lib/audit.h +--- a/lib/audit.h ++++ b/lib/audit.h +@@ -514,7 +514,7 @@ struct audit_rule_data { + __u32 valuesAUDIT_MAX_FIELDS; + __u32 fieldflagsAUDIT_MAX_FIELDS; + __u32 buflen; /* total length of string fields */ +- char buf; /* string fields buffer */ ++ char buf0; /* string fields buffer */ + }; + + #endif /* _LINUX_AUDIT_H_ */ +diff --git a/lib/libaudit.h b/lib/libaudit.h +--- a/lib/libaudit.h ++++ b/lib/libaudit.h +@@ -27,7 +27,7 @@ + #include <stdint.h> + #include <sys/socket.h> + #include <linux/netlink.h> +-#include <linux/audit.h> ++#include "audit.h" + #include <stdarg.h> + #include <syslog.h> + #ifndef __attr_access
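Review bot: The diffstat in this patch header was edited by hand and no longer matches the diff: it lists bindings/swig/src.auditswig.i where the diff touches bindings/swig/src/auditswig.i, and the summary line reads "3 insertions(+)m 3 deletions(-)". The ---/+++ lines are intact, so it still applies, but the header should be corrected so the file can be compared against upstream commit 0d31f225faef8da3fcd0f69f6544aa274102fe53. Separately, pointing auditswig.i and libaudit.h at the bundled lib/audit.h means the build no longer follows the installed kernel-headers copy; the spec should record which kernel version lib/audit.h was taken from.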
View file
_service:tar_scm:backport-audit-undo-flex-array.patch
Added
@@ -0,0 +1,21 @@ +commit 2df0fecef9ea2225de116c1e969462cb4846241d +Author: Steve Grubb <sgrubb@redhat.com> +Date: Thu Feb 24 09:11:06 2022 -0500 +Subject: Undo fix to libaudit.h before installing + +--- + ./usr/include/libaudit.h | 2 +- + 1 flies changed, 1 insertions(+), 1 deletions(-) + +diff --git a/./usr/include/libaudit.h b/.user/include/libaudit.h +--- a/./usr/include/libaudit.h ++++ b/./usr/include/libaudit.h +@@ -32,7 +32,7 @@ + #include <stdint.h> + #include <sys/socket.h> + #include <linux/netlink.h> +-#include "audit.h" ++#include <linux/audit.h> + #include <stdarg.h> + #include <syslog.h> +
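Review bot: The diff --git line names two different paths, a/./usr/include/libaudit.h and b/.user/include/libaudit.h, and the diffstat says "1 flies changed". patch(1) follows the ---/+++ lines, so it applies, but the header should be corrected to match. The target ./usr/include/libaudit.h is an install location rather than a source-tree path, so this patch only makes sense when applied against the build root after install; add a comment beside Patch5 in the spec stating where it is applied and with which -p level, so it is not mistaken for a normal source patch.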
View file
_service:tar_scm:backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch
Deleted
@@ -1,35 +0,0 @@ -From 30382bfcc0f64f451bc084c9657a546cb34492a7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= <travier@redhat.com> -Date: Fri, 1 Oct 2021 16:35:57 +0200 -Subject: PATCH 2228/2246 auditd.service: Restart 'on-failure', ignoring some - exit codes (#217) - -Use `Restart=on-failure` to automatically restart `auditd`. Do not -restart for intentional exits. See EXIT CODES section in auditd(8). - -See: -- https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart= -- https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartPreventExitStatus= - -Fixes: https://github.com/linux-audit/audit-userspace/issues/211 ---- - init.d/auditd.service | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/init.d/auditd.service b/init.d/auditd.service -index 67cda58..e801281 100644 ---- a/init.d/auditd.service -+++ b/init.d/auditd.service -@@ -27,6 +27,9 @@ ExecStartPost=-/sbin/augenrules --load - # By default we don't clear the rules on exit. To enable this, uncomment - # the next line after copying the file to /etc/systemd/system/auditd.service - #ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules -+Restart=on-failure -+# Do not restart for intentional exits. See EXIT CODES section in auditd(8). -+RestartPreventExitStatus=2 4 6 - - ### Security Settings ### - MemoryDenyWriteExecute=true --- -1.8.3.1 -
View file
_service:tar_scm:backport-error-out-if-log-is-mangled.patch
Deleted
@@ -1,27 +0,0 @@ -From fc97c70fdba18280985747198a6ce836d39cce9e Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Sat, 7 Aug 2021 10:29:07 -0400 -Subject: PATCH 2196/2246 error out if log is mangled - ---- - src/ausearch-parse.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c -index b0c8b2a..81ef319 100644 ---- a/src/ausearch-parse.c -+++ b/src/ausearch-parse.c -@@ -1995,6 +1995,10 @@ other_avc: - *term = '"'; - } else { - s->comm = unescape(str); -+ if (s->comm == NULL) { -+ rc = 11; -+ goto err; -+ } - term = str + 6; - } - } --- -1.8.3.1 -
View file
_service:tar_scm:backport-fix-2-more-issues-found-by-fuzzing.patch
Deleted
@@ -1,46 +0,0 @@ -From f4683d04eadb7d76b98497af834f027d6005d893 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Mon, 9 Aug 2021 17:14:17 -0400 -Subject: PATCH fix 2 more issues found by fuzzing - ---- - auparse/auparse.c | 8 +++++++- - auparse/ellist.c | 4 +++- - 2 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/auparse/auparse.c b/auparse/auparse.c -index b0e685a..3cf512a 100644 ---- a/auparse/auparse.c -+++ b/auparse/auparse.c -@@ -1611,7 +1611,13 @@ static int au_auparse_next_event(auparse_state_t *au) - } - aup_list_create(l); - aup_list_set_event(l, &e); -- aup_list_append(l, au->cur_buf, au->list_idx, au->line_number); -+ if (aup_list_append(l, au->cur_buf, au->list_idx, -+ au->line_number) < 0) { -+ au->cur_buf = NULL; -+ aup_list_clear(l); -+ free(l); -+ continue; -+ } - // Eat standalone EOE - main event was already marked complete - if (l->head->type == AUDIT_EOE) { - au->cur_buf = NULL; -diff --git a/auparse/ellist.c b/auparse/ellist.c -index 7d9c552..dd711bc 100644 ---- a/auparse/ellist.c -+++ b/auparse/ellist.c -@@ -290,7 +290,9 @@ static int parse_up_record(rnode* r) - while (ptr && *ptr != '}') { - len = strlen(ptr); - if ((len+1) >= (256-total)) { -- free(buf); -+ if (nvlist_get_cnt(&r->nv) -+ == 0) -+ free(buf); - return -1; - } - if (tmpctx0) { --- -
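Review bot: In parse_up_record the error path now frees buf only when nvlist_get_cnt(&r->nv) == 0, with no comment saying who owns buf once at least one field has been appended. If earlier nv entries point into buf and it is released with the record, say so in a one-line comment at that branch; otherwise the skipped free reads as a leak. In au_auparse_next_event the new failure branch does free(l) and then continue, so confirm that the loop head reassigns l before any further use.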
View file
_service:tar_scm:backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
Deleted
@@ -1,128 +0,0 @@ -From 8662f61108f8b9365f96ef49ca8ca331a7880f24 Mon Sep 17 00:00:00 2001 -From: Steve Grubb <sgrubb@redhat.com> -Date: Tue, 10 Aug 2021 11:27:16 -0400 -Subject: PATCH 2205/2246 flush uid/gid caches when user/group - added/deleted/modified - -It was reported in issue #209 that in the enriched format that auditd -is creating the wrong account associations. This is due to caching -previous lookups. The fix is to monitor for account lifecycle changes -and flush the LRUs if any are seen. ---- - auparse/auparse-idata.h | 3 ++- - auparse/interpret.c | 12 ++++++++++++ - src/auditd-event.c | 27 +++++++++++++++++++++++++-- - 3 files changed, 39 insertions(+), 3 deletions(-) - -diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h -index 660901a..eaca86a 100644 ---- a/auparse/auparse-idata.h -+++ b/auparse/auparse-idata.h -@@ -1,6 +1,6 @@ - /* - * idata.h - Header file for ausearch-lookup.c --* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina. -+* Copyright (c) 2013,2016-17,2021 Red Hat Inc. - * All Rights Reserved. 
- * - * This library is free software; you can redistribute it and/or -@@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id, - void _auparse_load_interpretations(const char *buf); - void _auparse_free_interpretations(void); - const char *_auparse_lookup_interpretation(const char *name); -+void _auparse_flush_caches(void); - - #endif - -diff --git a/auparse/interpret.c b/auparse/interpret.c -index 046867b..eef377a 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void) - gid_cache_created = 0; - } - -+void _auparse_flush_caches(void) -+{ -+ if (uid_cache_created) { -+ destroy_lru(uid_cache); -+ uid_cache_created = 0; -+ } -+ if (gid_cache_created) { -+ destroy_lru(gid_cache); -+ gid_cache_created = 0; -+ } -+} -+ - static const char *print_uid(const char *val, unsigned int base) - { - int uid; -diff --git a/src/auditd-event.c b/src/auditd-event.c -index cb29fee..3655726 100644 ---- a/src/auditd-event.c -+++ b/src/auditd-event.c -@@ -42,6 +42,7 @@ - #include "libaudit.h" - #include "private.h" - #include "auparse.h" -+#include "auparse-idata.h" - - /* This is defined in auditd.c */ - extern volatile int stop; -@@ -56,7 +57,7 @@ static void do_space_left_action(int admin); - static void do_disk_full_action(void); - static void do_disk_error_action(const char *func, int err); - static void fix_disk_permissions(void); --static void check_excess_logs(void); -+static void check_excess_logs(void); - static void rotate_logs_now(void); - static void rotate_logs(unsigned int num_logs, unsigned int keep_logs); - static void shift_logs(void); -@@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep) - snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, - "type=DAEMON_ERR op=format-enriched msg=NULL res=failed"); - } else { -- int rc; -+ int rc, rtype; - size_t mlen, len; - char *message; - // Do raw format to get event started -@@ -427,6 +428,17 @@ static const char 
*format_enrich(const struct audit_reply *rep) - - // Loop over all fields while possible to add field - rc = auparse_first_record(au); -+ rtype = auparse_get_type(au); -+ switch (rtype) -+ { // Flush before adding to pickup new associations -+ case AUDIT_ADD_USER: -+ case AUDIT_ADD_GROUP: -+ _auparse_flush_caches(); -+ break; -+ default: -+ break; -+ } -+ - while (rc > 0 && len > MIN_SPACE_LEFT) { - // See what kind of field we have - size_t vlen; -@@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep) - rc = auparse_next_field(au); - } - -+ switch(rtype) -+ { // Flush after modification to remove stale entries -+ case AUDIT_USER_MGMT: -+ case AUDIT_DEL_USER: -+ case AUDIT_DEL_GROUP: -+ case AUDIT_GRP_MGMT: -+ _auparse_flush_caches(); -+ break; -+ default: -+ break; -+ } - free(message); - } - return format_buf; --- -1.8.3.1 -
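Review bot: _auparse_flush_caches() is declared in auparse-idata.h and called from format_enrich in auditd, but its body destroys uid_cache and gid_cache with no locking visible in the hunk. State in a comment above the function which thread may call it, and whether any other thread can be inside a uid or gid lookup at the same time. The patch also carries a whitespace-only change to the check_excess_logs prototype in src/auditd-event.c, which should be dropped.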
View file
_service:tar_scm:bugfix-audit-reload-coredump.patch
Changed
@@ -5,11 +5,11 @@ --- src/auditd-reconfig.c | 2 ++ - src/auditd.c | 36 +++++++++++++++++++++++++++++------- - 2 files changed, 31 insertions(+), 7 deletions(-) + src/auditd.c | 26 ++++++++++++++++++++++++-- + 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c -index f5b00e6..5ea9126 100644 +index 37e0adc..66ded38 100644 --- a/src/auditd-reconfig.c +++ b/src/auditd-reconfig.c @@ -35,6 +35,7 @@ @@ -29,7 +29,7 @@ pthread_mutex_unlock(&config_lock); diff --git a/src/auditd.c b/src/auditd.c -index fa783a2..0d76e0c 100644 +index 5933703..53f4803 100644 --- a/src/auditd.c +++ b/src/auditd.c @@ -76,6 +76,7 @@ static int hup_info_requested = 0; 
@@ -40,45 +40,33 @@ /* Local function prototypes */ int send_audit_event(int type, const char *str); -@@ -519,15 +520,30 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io, - char hupMAX_AUDIT_MESSAGE_LENGTH; - audit_msg(LOG_DEBUG, +@@ -525,8 +526,23 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io, + char hupMAX_AUDIT_MESSAGE_LENGTH; + audit_msg(LOG_DEBUG, "HUP detected, starting config manager"); -- reconfig_ev = cur_event; -- if (start_config_manager(cur_event)) { -+ if(hup_flag == 0) -+ { -+ hup_flag = 1; -+ reconfig_ev = cur_event; -+ if (start_config_manager(cur_event)) { -+ audit_format_signal_info(hup, -+ sizeof(hup), -+ "reconfigure state=no-change", -+ &cur_event->reply, -+ "failed"); -+ send_audit_event(AUDIT_DAEMON_CONFIG, -+ hup); -+ hup_flag = 0; +- reconfig_ev = cur_event; +- if (start_config_manager(cur_event)) { ++ if(hup_flag == 0) ++ { ++ hup_flag = 1; ++ reconfig_ev = cur_event; ++ if (start_config_manager(cur_event)) { ++ audit_format_signal_info(hup, ++ sizeof(hup), ++ "reconfigure state=no-change", ++ &cur_event->reply, ++ "failed"); ++ send_audit_event(AUDIT_DAEMON_CONFIG, ++ hup); ++ hup_flag = 0; ++ } + } -+ } -+ else -+ { - audit_format_signal_info(hup, -- sizeof(hup), -- "reconfigure state=no-change", -- &cur_event->reply, -- "failed"); -+ sizeof(hup), -+ "reconfigure state=no-change", -+ &cur_event->reply, -+ "failed"); - send_audit_event(AUDIT_DAEMON_CONFIG, -- hup); -+ hup); - } - cur_event = NULL; - hup_info_requested = 0; -@@ -571,9 +587,15 @@ static void pipe_handler(struct ev_loop *loop, struct ev_io *io, ++ else ++ { + audit_format_signal_info(hup, + sizeof(hup), + "reconfigure state=no-change", +@@ -576,9 +592,15 @@ static void pipe_handler(struct ev_loop *loop, struct ev_io *io, // Drain the pipe - won't block because libev sets non-blocking mode read(pipefds0, buf, sizeof(buf)); enqueue_event(reconfig_ev); @@ -95,5 +83,5 @@ { const char *msg = "ready\n"; -- -1.8.3.1 +2.27.0
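Review bot: When a second HUP arrives while hup_flag is already 1, the else branch emits the same "reconfigure state=no-change" record with result "failed" that a real start_config_manager() failure produces, so the audit trail cannot distinguish a rejected overlapping reload from a broken one; use a distinct message for the busy case. The patch touches netlink_handler, pipe_handler and auditd-reconfig.c, so note at the declaration of hup_flag which of those paths may write it. The new `if(hup_flag == 0)` with the brace on its own line also departs from the surrounding `if (...) {` style.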
View file
_service:tar_scm:bugfix-audit-userspace-missing-syscalls-for-aarm64.patch
Changed
@@ -8,17 +8,18 @@ Signed-off-by: jinbo <jinbo8@huawei.com> --- - lib/aarch64_table.h | 43 +++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 43 insertions(+) + lib/aarch64_table.h | 44 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/lib/aarch64_table.h b/lib/aarch64_table.h index c61aa91..ea634c1 100644 --- a/lib/aarch64_table.h +++ b/lib/aarch64_table.h -@@ -311,3 +311,46 @@ _S(438, "pidfd_getfd") - _S(439, "faccessat2") - _S(440, "process_madvise") - _S(441, "epoll_pwait2") +@@ -326,4 +326,46 @@ _S(447, "memfd_secret") + _S(448, "process_mrelease") + _S(449, "futex_waitv") + _S(450, "set_mempolicy_home_node") +- +_S(1024, "open") +_S(1025, "link") +_S(1026, "unlink")
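Review bot: The refreshed hunk removes the blank line that followed _S(450, "set_mempolicy_home_node") and appends the _S(1024, "open") block directly after it, with nothing marking where the upstream table ends and the local additions begin. Add a comment line above _S(1024, "open") naming the source of the 1024-and-up numbers, so the next rebase onto a newer syscall table can tell the two apart.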
View file
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="scm">git</param> <param name="url">git@gitee.com:src-openeuler/audit.git</param> - <param name="revision">13569e5cb983984e445738c14c56ad72c48054a3</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
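Review bot: The revision parameter changes from the commit 13569e5cb983984e445738c14c56ad72c48054a3 to the branch name master, so the source fetched for this package becomes whatever the branch head is when the service runs, and two builds of the same package revision can contain different code. Keep a commit hash in revision and bump it with each update, so the build input stays reproducible and auditable.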
View file
_service:tar_scm:audit-3.0.1.tar.gz/ChangeLog -> _service:tar_scm:audit-3.0.9.tar.gz/ChangeLog
Changed
@@ -1,3 +1,72 @@ +3.0.9 +- In auditd, release the async flush lock on stop +- Don't allow auditd to log directly into /var/log when log_group is non-zero +- Cleanup krb5 memory leaks on error paths +- Update auditd.cron to use auditctl --signal +- In auparse, if too many fields, realloc array bigger (Paul Wolneykien) +- In auparse, special case kernel module name interpretation +- If overflow_action is ignore, don't treat as an error + +3.0.8 +- Add gcc function attributes for access and allocation +- Add some more man pages (MIZUTA Takeshi) +- In auditd, change the reinitializing of the plugin queue +- Fix path normalization in auparse (Sergio Correia) +- In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya) +- In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya) +- Drop ProtectHome from auditd.service as it interferes with rules + +3.0.7 +- Add support for the OPENAT2 record type (Richard Guy Briggs) +- In auditd, close the logging file descriptor when logging is suspended +- Update the capabilities lookup table to match 5.16 kernel +- Improve interpretation of renamat & faccessat family of syscalls +- Update syscall table for the 5.16 kernel +- Reduce dependency from initscripts to initscripts-service + +3.0.6 +- Fixed various issues when dealing with corrupted logs +- Make IPX packet interpretation dependent on the ipx header file existing +- Add b32/b64 support to ausyscall (Egor Ignatov) +- Add support for armv8l (Egor Ignatov) +- Fix auditctl list of syscalls in PPC (Egor Ignatov) +- auditd.service now restarts auditd under some conditions (Timothée Ravier) + +3.0.5 +- In auditd, flush uid/gid caches when user/group added/deleted/modified +- Fixed various issues when dealing with corrupted logs +- In auditd, check if log_file is valid before closing handle + +3.0.4 +- Apply performance speedups to auparse library +- Optimize rule loading in auditctl +- Fix an auparse memory leak caused by glibc-2.33 by replacing 
realpath +- Update syscall table to the 5.14 kernel +- Fixed various issues when dealing with corrupted logs + +3.0.3 +- Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined +- Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids +- Change auparse_feed_has_data in auparse to include incomplete events +- Auditd, stop linking against -lrt +- Add ProtectHome and RestrictRealtime to auditd.service +- In auditd, read up to 3 netlink packets in a row +- In auditd, do not validate path to plugin unless active +- In auparse, only emit config errors when AUPARSE_DEBUG env variable exists + +3.0.2 +- In audispd-statsd plugin, use struct sockaddr_storage (Ville Heikkinen) +- Optionally interpret auid in auditctl -l +- Update some syscall argument interpretations +- In auditd, do not allow spaces in the hostname name format +- Big documentation cleanup (MIZUTA Takeshi) +- Update syscall table to the 5.12 kernel +- Update the auparse normalizer for new event types +- Fix compiler warnings in ids subsystem +- Block a couple signals from flush & reconfigure threads +- In auditd, don't wait on flush thread when exiting +- Output error message if the path of input files are too long ausearch/report + 3.0.1 - Update syscall table to the 5.11 kernel - Add new --eoe-timeout option to ausearch and aureport (Burn Alting) @@ -64,7 +133,7 @@ - Update to libev-4.25 - Fix ausearch when checkpointing a single file (Burn Alting) - Fix scripting in 31-privileged.rules wrt filecap (#1662516) -- In ausearch, do not checkpt if stdin is input source +- In ausearch, do not checkpoint if stdin is input source - In libev, remove __cold__ attribute for functions to allow proper hardening - Add tests to configure.ac for openldap support - Make systemd support files use /run rather than /var/run (Christian Hesse) 
@@ -72,7 +141,7 @@ - Allow exclude and user filter by executable name (Ondrej Mosnacek) - Fix auditd regression where keep_logs is limited by rotate_logs 2 file test - In ausearch/report fix --end to use midnight time instead of now (#1671338) -- Add substitue functions for strndupa & rawmemchr +- Add substitute functions for strndupa & rawmemchr - Fix memleak in auparse caused by corrected event ordering - Fix legacy reload script to reload audit rules when daemon is reloaded - Support for unescaping in trusted messages (Dmitry Voronin) @@ -100,7 +169,7 @@ - Add error messages for watch permissions - If audit rules file doesn't exist log error message instead of info message - Revise error message for unmatched options in auditctl -- In audisp-remote, fixup remote endpoint disappearin in ascii format +- In audisp-remote, fixup remote endpoint disappearing in ascii format - Add backlog_wait_time_actual reporting / resetting to auditctl (Max Englander) - In auditctl, add support for sending a signal to auditd
View file
_service:tar_scm:audit-3.0.1.tar.gz/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
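Review bot: The new license notice gives the postal code as 02110-1335 and has no comma between "Fifth Floor" and "Boston"; the address the FSF publishes for 51 Franklin Street uses 02110-1301. The same text recurs in Makefile.in and audisp/Makefile.am in this revision, so it is worth reporting upstream rather than patching per file.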
View file
_service:tar_scm:audit-3.0.1.tar.gz/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -180,9 +181,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags -CSCOPE = cscope DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in AUTHORS \ COPYING COPYING.LIB ChangeLog INSTALL NEWS README THANKS TODO \ @@ -225,6 +223,8 @@ DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best DIST_TARGETS = dist-gzip +# Exists only to be overridden by the user if desired. +AM_DISTCHECK_DVI_TARGET = dvi distuninstallcheck_listfiles = find . -type f -print am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' @@ -249,6 +249,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ 
@@ -260,8 +262,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -317,6 +321,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -370,6 +375,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -560,7 +566,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags -rm -f cscope.out cscope.in.out cscope.po.out cscope.files - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am @@ -707,7 +712,7 @@ $(DISTCHECK_CONFIGURE_FLAGS) \ --srcdir=../.. --prefix="$$dc_install_base" \ && $(MAKE) $(AM_MAKEFLAGS) \ - && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) $(AM_DISTCHECK_DVI_TARGET) \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \
View file
_service:tar_scm:audit-3.0.1.tar.gz/README -> _service:tar_scm:audit-3.0.9.tar.gz/README
Changed
@@ -8,7 +8,7 @@ BUILDING ======== -See the README-install File. +See the Install(.tmp) file. USAGE =====
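Review bot: The replacement line "See the Install(.tmp) file." reads like a temporary file name left over from editing, while the distributed file list in Makefile.in names INSTALL. Point the README at INSTALL so the BUILDING section refers to a file that ships in the tarball.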
View file
_service:tar_scm:audit-3.0.1.tar.gz/TODO -> _service:tar_scm:audit-3.0.9.tar.gz/TODO
Changed
@@ -1,20 +1,18 @@ Future roadmap (subject to change): =================================== -3.0.2 -* If searching user/group doesn't map to uid/gid, do translated string search -* audisp-remote, add config to say what home network is so laptops don't try if their not on a network that can reach the server. -* Basic HIDS based on reactive audit component - 3.1 +* Basic HIDS based on reactive audit component * Multi-thread audisp-remote -* Support TLS PSK as remote logging transport -* Support multiple time streams when searching -* In audispd, look into non-blocking handling of write to plugins * Add keywords for time: month-ago, this-hour, last-hour -* Container support +* If searching user/group doesn't map to uid/gid, do translated string search +* In auditd, look into non-blocking handling of write to plugins +* Support multiple time streams when searching -3.1.1 +3.2 +* Container support +* Support TLS PSK as remote logging transport * Add rule verify to detect mismatch between in-kernel and on-disk rules +* audisp-remote, add config to say what home network is so laptops don't try if their not on a network that can reach the server. * Fix audit.pc.in to use Requires.private * Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME * Fix SIGHUP for auditd network settings
View file
_service:tar_scm:audit-3.0.1.tar.gz/aclocal.m4 -> _service:tar_scm:audit-3.0.9.tar.gz/aclocal.m4
Changed
@@ -1,6 +1,6 @@ -# generated automatically by aclocal 1.16.2 -*- Autoconf -*- +# generated automatically by aclocal 1.16.5 -*- Autoconf -*- -# Copyright (C) 1996-2020 Free Software Foundation, Inc. +# Copyright (C) 1996-2021 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -14,13 +14,13 @@ m4_ifndef(AC_CONFIG_MACRO_DIRS, m4_defun(_AM_CONFIG_MACRO_DIRS, )m4_defun(AC_CONFIG_MACRO_DIRS, _AM_CONFIG_MACRO_DIRS($@))) m4_ifndef(AC_AUTOCONF_VERSION, m4_copy(m4_PACKAGE_VERSION, AC_AUTOCONF_VERSION))dnl -m4_if(m4_defn(AC_AUTOCONF_VERSION), 2.69,, -m4_warning(this file was generated for autoconf 2.69. +m4_if(m4_defn(AC_AUTOCONF_VERSION), 2.71,, +m4_warning(this file was generated for autoconf 2.71. You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically 'autoreconf'.)) -# Copyright (C) 2002-2020 Free Software Foundation, Inc. +# Copyright (C) 2002-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -35,7 +35,7 @@ am__api_version='1.16' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if($1, 1.16.2, , +m4_if($1, 1.16.5, , AC_FATAL(Do not call $0, use AM_INIT_AUTOMAKE($1).))dnl ) 
@@ -51,14 +51,14 @@ # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN(AM_SET_CURRENT_AUTOMAKE_VERSION, -AM_AUTOMAKE_VERSION(1.16.2)dnl +AM_AUTOMAKE_VERSION(1.16.5)dnl m4_ifndef(AC_AUTOCONF_VERSION, m4_copy(m4_PACKAGE_VERSION, AC_AUTOCONF_VERSION))dnl _AM_AUTOCONF_VERSION(m4_defn(AC_AUTOCONF_VERSION))) # AM_AUX_DIR_EXPAND -*- Autoconf -*- -# Copyright (C) 2001-2020 Free Software Foundation, Inc. +# Copyright (C) 2001-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -110,7 +110,7 @@ # AM_CONDITIONAL -*- Autoconf -*- -# Copyright (C) 1997-2020 Free Software Foundation, Inc. +# Copyright (C) 1997-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -141,7 +141,7 @@ Usually this means the macro was only invoked conditionally.) fi)) -# Copyright (C) 1999-2020 Free Software Foundation, Inc. +# Copyright (C) 1999-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -332,7 +332,7 @@ # Generate code to set up dependency tracking. -*- Autoconf -*- -# Copyright (C) 1999-2020 Free Software Foundation, Inc. +# Copyright (C) 1999-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -400,7 +400,7 @@ # Do all the work for Automake. -*- Autoconf -*- -# Copyright (C) 1996-2020 Free Software Foundation, Inc. +# Copyright (C) 1996-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -428,6 +428,10 @@ # release and drop the old call support. AC_DEFUN(AM_INIT_AUTOMAKE, AC_PREREQ(2.65)dnl +m4_ifdef(_$0_ALREADY_INIT, + m4_fatal($0 expanded multiple times +m4_defn(_$0_ALREADY_INIT)), + m4_define(_$0_ALREADY_INIT, m4_expansion_stack))dnl dnl Autoconf wants to disallow AM_ names. We explicitly allow dnl the ones we care about. m4_pattern_allow(^AM_A-Z+FLAGS$)dnl @@ -464,7 +468,7 @@ _AM_SET_OPTIONS($1)dnl dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT. m4_if( - m4_ifdef(AC_PACKAGE_NAME, ok):m4_ifdef(AC_PACKAGE_VERSION, ok), + m4_ifset(AC_PACKAGE_NAME, ok):m4_ifset(AC_PACKAGE_VERSION, ok), ok:ok,, m4_fatal(AC_INIT should be called with package and version arguments))dnl AC_SUBST(PACKAGE, 'AC_PACKAGE_TARNAME')dnl @@ -516,6 +520,20 @@ m4_define(AC_PROG_OBJCXX, m4_defn(AC_PROG_OBJCXX)_AM_DEPENDENCIES(OBJCXX)))dnl ) +# Variables for tags utilities; see am/tags.am +if test -z "$CTAGS"; then + CTAGS=ctags +fi +AC_SUBST(CTAGS) +if test -z "$ETAGS"; then + ETAGS=etags +fi +AC_SUBST(ETAGS) +if test -z "$CSCOPE"; then + CSCOPE=cscope +fi +AC_SUBST(CSCOPE) + AC_REQUIRE(AM_SILENT_RULES)dnl dnl The testsuite driver may need to know about EXEEXT, so add the dnl 'am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This @@ -597,7 +615,7 @@ done echo "timestamp for $_am_arg" >`AS_DIRNAME("$_am_arg")`/stamp-h$_am_stamp_count) -# Copyright (C) 2001-2020 Free Software Foundation, Inc. +# Copyright (C) 2001-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -618,7 +636,7 @@ fi AC_SUBST(install_sh)) -# Copyright (C) 2003-2020 Free Software Foundation, Inc. +# Copyright (C) 2003-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, 
@@ -639,7 +657,7 @@ # Check to see how 'make' treats includes. -*- Autoconf -*- -# Copyright (C) 2001-2020 Free Software Foundation, Inc. +# Copyright (C) 2001-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -682,7 +700,7 @@ # Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- -# Copyright (C) 1997-2020 Free Software Foundation, Inc. +# Copyright (C) 1997-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -703,12 +721,7 @@ AC_REQUIRE(AM_AUX_DIR_EXPAND)dnl AC_REQUIRE_AUX_FILE(missing)dnl if test x"${MISSING+set}" != xset; then - case $am_aux_dir in - *\ * | *\ *) - MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; - *) - MISSING="\${SHELL} $am_aux_dir/missing" ;; - esac + MISSING="\${SHELL} '$am_aux_dir/missing'" fi # Use eval to expand $SHELL if eval "$MISSING --is-lightweight"; then @@ -723,7 +736,7 @@ # Obsolete and "removed" macros, that must however still report explicit # error messages when used, to smooth transition. # -# Copyright (C) 1996-2020 Free Software Foundation, Inc. +# Copyright (C) 1996-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -750,7 +763,7 @@ # Helper functions for option handling. -*- Autoconf -*- -# Copyright (C) 2001-2020 Free Software Foundation, Inc. +# Copyright (C) 2001-2021 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -779,7 +792,7 @@ AC_DEFUN(_AM_IF_OPTION, m4_ifset(_AM_MANGLE_OPTION($1), $2, $3))
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -23,13 +24,13 @@ SUBDIRS = plugins CONFIG_CLEAN_FILES = *.rej *.orig AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src -I${top_srcdir}/src/libev -LIBS = -L${top_builddir}/lib -laudit +LIBS = ${top_builddir}/lib/libaudit.la LDADD = -lpthread noinst_HEADERS = audispd-pconfig.h audispd-llist.h audispd-config.h \ queue.h audispd-builtins.h libdisp.h -libdisp_a_SOURCES = audispd.c audispd-pconfig.c queue.c \ +libdisp_la_SOURCES = audispd.c audispd-pconfig.c queue.c \ audispd-llist.c audispd-builtins.c -libdisp_a_CFLAGS = -fno-strict-aliasing -noinst_LIBRARIES = libdisp.a - +libdisp_la_CFLAGS = -fno-strict-aliasing ${WFLAGS} +libdisp_la_LDFLAGS = -no-undefined -static +noinst_LTLIBRARIES = libdisp.la
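Review bot: LIBS = ${top_builddir}/lib/libaudit.la puts a libtool archive into a variable that configure and the person running make normally own, so an override of LIBS on the command line silently drops the libaudit dependency. For a noinst convenience library the dependency is better written as libdisp_la_LIBADD = ${top_builddir}/lib/libaudit.la, which also lets automake derive a real make dependency on libaudit.la. A short comment explaining why libdisp_la_LDFLAGS combines -no-undefined with -static on a noinst_LTLIBRARIES target would help the next reader, and the new ${WFLAGS} in libdisp_la_CFLAGS should be checked to expand to something sensible when configure leaves it empty.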
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> 
@@ -126,19 +127,19 @@ mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_VPATH_FILES = -LIBRARIES = $(noinst_LIBRARIES) -ARFLAGS = cru -AM_V_AR = $(am__v_AR_@AM_V@) -am__v_AR_ = $(am__v_AR_@AM_DEFAULT_V@) -am__v_AR_0 = @echo " AR " $@; -am__v_AR_1 = -libdisp_a_AR = $(AR) $(ARFLAGS) -libdisp_a_LIBADD = -am_libdisp_a_OBJECTS = libdisp_a-audispd.$(OBJEXT) \ - libdisp_a-audispd-pconfig.$(OBJEXT) libdisp_a-queue.$(OBJEXT) \ - libdisp_a-audispd-llist.$(OBJEXT) \ - libdisp_a-audispd-builtins.$(OBJEXT) -libdisp_a_OBJECTS = $(am_libdisp_a_OBJECTS) +LTLIBRARIES = $(noinst_LTLIBRARIES) +libdisp_la_LIBADD = +am_libdisp_la_OBJECTS = libdisp_la-audispd.lo \ + libdisp_la-audispd-pconfig.lo libdisp_la-queue.lo \ + libdisp_la-audispd-llist.lo libdisp_la-audispd-builtins.lo +libdisp_la_OBJECTS = $(am_libdisp_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libdisp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(libdisp_la_CFLAGS) \ + $(CFLAGS) $(libdisp_la_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false 
@@ -154,16 +155,12 @@ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/libdisp_a-audispd-builtins.Po \ - ./$(DEPDIR)/libdisp_a-audispd-llist.Po \ - ./$(DEPDIR)/libdisp_a-audispd-pconfig.Po \ - ./$(DEPDIR)/libdisp_a-audispd.Po \ - ./$(DEPDIR)/libdisp_a-queue.Po +am__depfiles_remade = ./$(DEPDIR)/libdisp_la-audispd-builtins.Plo \ + ./$(DEPDIR)/libdisp_la-audispd-llist.Plo \ + ./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo \ + ./$(DEPDIR)/libdisp_la-audispd.Plo \ + ./$(DEPDIR)/libdisp_la-queue.Plo am__mv = mv -f -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -182,8 +179,8 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libdisp_a_SOURCES) -DIST_SOURCES = $(libdisp_a_SOURCES) +SOURCES = $(libdisp_la_SOURCES) +DIST_SOURCES = $(libdisp_la_SOURCES) RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ @@ -223,8 +220,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -273,6 +268,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ 
@@ -284,8 +281,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -298,7 +297,7 @@ LDFLAGS = @LDFLAGS@ LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ LIBOBJS = @LIBOBJS@ -LIBS = -L${top_builddir}/lib -laudit +LIBS = ${top_builddir}/lib/libaudit.la LIBTOOL = @LIBTOOL@ LIBTOOL_DEPS = @LIBTOOL_DEPS@ LIBWRAP_LIBS = @LIBWRAP_LIBS@ @@ -341,6 +340,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -394,6 +394,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -414,11 +415,12 @@ noinst_HEADERS = audispd-pconfig.h audispd-llist.h audispd-config.h \ queue.h audispd-builtins.h libdisp.h -libdisp_a_SOURCES = audispd.c audispd-pconfig.c queue.c \ +libdisp_la_SOURCES = audispd.c audispd-pconfig.c queue.c \ audispd-llist.c audispd-builtins.c -libdisp_a_CFLAGS = -fno-strict-aliasing -noinst_LIBRARIES = libdisp.a +libdisp_la_CFLAGS = -fno-strict-aliasing ${WFLAGS} +libdisp_la_LDFLAGS = -no-undefined -static +noinst_LTLIBRARIES = libdisp.la all: all-recursive .SUFFIXES: 
@@ -453,13 +455,19 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -clean-noinstLIBRARIES: - -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^^/*$$|.|; s|/^/*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } -libdisp.a: $(libdisp_a_OBJECTS) $(libdisp_a_DEPENDENCIES) $(EXTRA_libdisp_a_DEPENDENCIES) - $(AM_V_at)-rm -f libdisp.a - $(AM_V_AR)$(libdisp_a_AR) libdisp.a $(libdisp_a_OBJECTS) $(libdisp_a_LIBADD) - $(AM_V_at)$(RANLIB) libdisp.a +libdisp.la: $(libdisp_la_OBJECTS) $(libdisp_la_DEPENDENCIES) $(EXTRA_libdisp_la_DEPENDENCIES) + $(AM_V_CCLD)$(libdisp_la_LINK) $(libdisp_la_OBJECTS) $(libdisp_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -467,11 +475,11 @@ distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-audispd-builtins.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-audispd-llist.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-audispd-pconfig.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-audispd.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_a-queue.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-builtins.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-llist.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-queue.Plo@am__quote@ # am--include-marker $(am__depfiles_remade):
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/audispd-builtins.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/audispd-builtins.h
Changed
@@ -1,7 +1,7 @@ /* * audispd-builtins.h - Interface to builtin plugins -* Copyright (c) 2007,2013,2018 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. +* Copyright (c) 2007,2013,2018,2022 Red Hat Inc. +* All Rights Reserved. * * This software may be freely redistributed and/or modified under the * terms of the GNU General Public License as published by the Free @@ -26,10 +26,14 @@ #define AUDISPD_BUILTINS_HEADER #include "queue.h" +#ifndef __attr_access +# define __attr_access(x) +#endif void start_builtin(plugin_conf_t *conf); void stop_builtin(plugin_conf_t *conf); -void send_af_unix_string(const char *s, unsigned int len); +void send_af_unix_string(const char *s, unsigned int len) + __attr_access ((__read_only__, 1, 2)); void send_af_unix_binary(event_t *e); void destroy_af_unix(void);
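Review bot: The #ifndef __attr_access fallback in the second hunk decides at this point in the include order whether the access annotation on send_af_unix_string exists at all, and the only include visible above it is "queue.h". If the header that defines __attr_access has not been pulled in yet, the macro is defined to nothing and the (__read_only__, 1, 2) bounds hint is silently lost, even with a compiler that supports it. Consider including the defining system header explicitly before the #ifndef, or testing the compiler feature directly and using a project-prefixed macro name, since identifiers starting with a double underscore are reserved for the implementation.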
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/audispd-pconfig.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/audispd-pconfig.c
Changed
@@ -1,5 +1,5 @@ -/* audispd-pconfig.c -- - * Copyright 2007,2010,2015 Red Hat Inc., Durham, North Carolina. +/* audispd-pconfig.c -- + * Copyright 2007,2010,2015,2021 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -18,7 +18,7 @@ * * Authors: * Steve Grubb <sgrubb@redhat.com> - * + * */ #include "config.h" @@ -41,7 +41,7 @@ const char *option; }; -struct kw_pair +struct kw_pair { const char *name; int (*parser)(struct nv_pair *, int, plugin_conf_t *); @@ -49,7 +49,7 @@ }; struct nv_list -{ +{ const char *name; int option; }; @@ -162,25 +162,25 @@ * not symlink. */ if (fstat(fd, &st) < 0) { - audit_msg(LOG_ERR, "Error fstat'ing config file (%s)", + audit_msg(LOG_ERR, "Error fstat'ing config file (%s)", strerror(errno)); close(fd); return 1; } if (st.st_uid != 0) { - audit_msg(LOG_ERR, "Error - %s isn't owned by root", + audit_msg(LOG_ERR, "Error - %s isn't owned by root", file); close(fd); return 1; } if ((st.st_mode & S_IWOTH) == S_IWOTH) { - audit_msg(LOG_ERR, "Error - %s is world writable", + audit_msg(LOG_ERR, "Error - %s is world writable", file); close(fd); return 1; } if (!S_ISREG(st.st_mode)) { - audit_msg(LOG_ERR, "Error - %s is not a regular file", + audit_msg(LOG_ERR, "Error - %s is not a regular file", file); close(fd); return 1; @@ -189,7 +189,7 @@ /* it's ok, read line by line */ f = fdopen(fd, "rm"); if (f == NULL) { - audit_msg(LOG_ERR, "Error - fdopen failed (%s)", + audit_msg(LOG_ERR, "Error - fdopen failed (%s)", strerror(errno)); close(fd); return 1; 
@@ -204,18 +204,18 @@ case 0: // fine break; case 1: // not the right number of tokens. - audit_msg(LOG_ERR, - "Wrong number of arguments for line %d in %s", + audit_msg(LOG_ERR, + "Wrong number of arguments for line %d in %s", lineno, file); break; case 2: // no '=' sign - audit_msg(LOG_ERR, - "Missing equal sign for line %d in %s", + audit_msg(LOG_ERR, + "Missing equal sign for line %d in %s", lineno, file); break; - default: // something else went wrong... - audit_msg(LOG_ERR, - "Unknown error for line %d in %s", + default: // something else went wrong... + audit_msg(LOG_ERR, + "Unknown error for line %d in %s", lineno, file); break; } @@ -231,8 +231,8 @@ /* identify keyword or error */ kw = kw_lookup(nv.name); if (kw->name == NULL) { - audit_msg(LOG_ERR, - "Unknown keyword \"%s\" in line %d of %s", + audit_msg(LOG_ERR, + "Unknown keyword \"%s\" in line %d of %s", nv.name, lineno, file); fclose(f); return 1; @@ -240,9 +240,9 @@ /* Check number of options */ if (kw->max_options == 0 && nv.option != NULL) { - audit_msg(LOG_ERR, + audit_msg(LOG_ERR, "Keyword \"%s\" has invalid option " - "\"%s\" in line %d of %s", + "\"%s\" in line %d of %s", nv.name, nv.option, lineno, file); fclose(f); return 1; @@ -347,8 +347,8 @@ } return &keywordsi; } - -static int active_parser(struct nv_pair *nv, int line, + +static int active_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { int i; @@ -363,7 +363,7 @@ return 1; } -static int direction_parser(struct nv_pair *nv, int line, +static int direction_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { int i; @@ -382,7 +382,6 @@ plugin_conf_t *config) { char *dir = NULL, *tdir; - struct stat buf; if (nv->value == NULL) { config->path = NULL; 
@@ -407,35 +406,14 @@ } free((void *)tdir); - /* If the file exists, see that its regular, owned by root, - * and not world anything */ - if (stat(nv->value, &buf) < 0) { - audit_msg(LOG_ERR, "Unable to stat %s (%s)", nv->value, - strerror(errno)); - return 1; - } - if (!S_ISREG(buf.st_mode)) { - audit_msg(LOG_ERR, "%s is not a regular file", nv->value); - return 1; - } - if (buf.st_uid != 0) { - audit_msg(LOG_ERR, "%s is not owned by root", nv->value); - return 1; - } - if ((buf.st_mode & (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) != - (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) { - audit_msg(LOG_ERR, "%s permissions should be 0750", nv->value); - return 1; - } free((void *)config->path); config->path = strdup(nv->value); - config->inode = buf.st_ino; if (config->path == NULL) return 1; return 0; } -static int service_type_parser(struct nv_pair *nv, int line, +static int service_type_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { int i; @@ -466,7 +444,7 @@ return 0; } -static int format_parser(struct nv_pair *nv, int line, +static int format_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { int i; @@ -489,11 +467,45 @@ static int sanity_check(plugin_conf_t *config, const char *file) {
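Review bot: The hunk at -407,35 deletes every validation path_parser did on the plugin path (stat succeeds, S_ISREG, st_uid == 0, mode 0750) and also the config->inode = buf.st_ino assignment, and the part of the diff that might show where these went is cut off right after the sanity_check header. Since this path names a program the dispatcher will start, please confirm that the ownership and permission checks still run before the plugin is executed and that nothing still reads config->inode uninitialised. If the checks were moved, doing them with fstat on an already opened descriptor, as the config-file code earlier in this file does, avoids the gap between checking and using the path. The remaining hunks in this file are trailing-whitespace cleanups and would be easier to review as a separate change.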
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/audispd.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/audispd.c
Changed
@@ -306,7 +306,16 @@ return plist_count_active(&plugin_conf); } -/* Return 0 on success and 1 on failure */ +/* + * Return 0 on success and 1 on failure + * + * Call tree: auditd.c main + * auditd-dispatch.c init_dispatcher + * + * And: auditd-event.c reconfigure + * auditd-dispatch.c reconfigure_dispatcher + * + * */ int libdisp_init(const struct daemon_conf *c) { int i; @@ -475,7 +484,7 @@ while (stop == 0) { event_t *e; char *v, *ptr, unknown32; - unsigned int len; + int len; lnode *conf; /* This is where we block until we have an event */ @@ -539,20 +548,21 @@ rc = write_to_plugin(e, v, len, conf); if (rc < 0 && errno == EPIPE) { /* Child disappeared ? */ - audit_msg(LOG_ERR, + if (!stop) + audit_msg(LOG_ERR, "plugin %s terminated unexpectedly", conf->p->path); conf->p->pid = 0; conf->p->restart_cnt++; - if (conf->p->restart_cnt > + close(conf->p->plug_pipe1); + conf->p->plug_pipe1 = -1; + conf->p->active = A_NO; + if (!stop && conf->p->restart_cnt > daemon_config.max_restarts) { audit_msg(LOG_ERR, "plugin %s has exceeded max_restarts", conf->p->path); } - close(conf->p->plug_pipe1); - conf->p->plug_pipe1 = -1; - conf->p->active = A_NO; if (!stop && start_one_plugin(conf)) { rc = write_to_plugin(e, v, len, conf); @@ -598,6 +608,10 @@ nudge_queue(); } +/* + * Called by: auditd-event.c reconfigure + * auditd-dispatch.c reconfigure_dispatcher + */ void libdisp_reconfigure(const struct daemon_conf *c) { // If the dispatcher thread is dead, start a new one
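Review bot: In the hunk at -475,7 len changes from unsigned int to int, but the visible call sites still pass it straight to write_to_plugin(e, v, len, conf) with no sign check. If the reason for the change is that the value can come back negative from a formatting call, add an explicit len < 0 test before the write so a failure is skipped rather than converted back to a huge size inside write_to_plugin. In the EPIPE hunk, the pipe is now closed and the plugin marked A_NO before the max_restarts test, which is a sensible ordering, but that branch still only logs: the next statement calls start_one_plugin(conf) whenever stop is 0, so please confirm that start_one_plugin itself refuses to restart once restart_cnt exceeds daemon_config.max_restarts.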
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/Makefile.am
Changed
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
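Review bot: The replaced header lines now say "GNU General Public License" and "this program", while the unchanged context line directly above still reads "See the GNU Lesser General Public License for more details", so the notice names two different licenses in one paragraph. If the file is meant to stay under the LGPL, keep the "GNU Lesser General Public License ... this library" wording and change only the postal address; if it is being relicensed, the context line needs updating too and that deserves its own explicit change.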
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -177,8 +178,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = builtins remote syslog ids statsd zos-remote am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -227,6 +226,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -238,8 +239,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -295,6 +298,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ 
@@ -348,6 +352,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -500,7 +505,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/builtins/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/builtins/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/builtins/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/builtins/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -165,6 +166,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -176,8 +179,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -233,6 +238,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -286,6 +292,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -347,7 +354,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/Makefile.am
Changed
@@ -11,9 +11,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -22,7 +23,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = audisp-ids.conf ids.conf TODO README.md SUBDIRS = rules -AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common -I${top_srcdir}/auparse prog_confdir = $(sysconfdir)/audit prog_conf = ids.conf plugin_confdir=$(prog_confdir)/plugins.d @@ -36,8 +37,8 @@ audisp_ids_SOURCES = account.c avl.c ids.c ids_config.c model_bad_event.c \ model_behavior.c nvpair.c origin.c reactions.c session.c \ timer-services.c -audisp_ids_CFLAGS = -D_GNU_SOURCE -audisp_ids_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon -lpthread +audisp_ids_CFLAGS = -D_GNU_SOURCE ${WFLAGS} +audisp_ids_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la install-data-hook: mkdir -p -m 0750 ${DESTDIR}${plugin_confdir}
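Review bot: audisp_ids_LDADD in the last hunk drops -lpthread while timer-services.c is still listed in audisp_ids_SOURCES, so please confirm that no pthread_* call remains in the listed sources, or that the dependency is deliberately inherited through one of the three .la files. Relying on a transitive link is fragile if the build is ever done with --as-needed or against static archives. The license header hunk in this file also mixes wording: the new lines say "GNU General Public License" while the context line above still refers to the Lesser GPL.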
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -27,9 +27,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -229,10 +230,9 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) -am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp TODO +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \ + README.md TODO DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -279,6 +279,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -290,8 +292,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ 
@@ -347,6 +351,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -400,6 +405,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -416,7 +422,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = audisp-ids.conf ids.conf TODO README.md SUBDIRS = rules -AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common -I${top_srcdir}/auparse prog_confdir = $(sysconfdir)/audit prog_conf = ids.conf plugin_confdir = $(prog_confdir)/plugins.d @@ -430,8 +436,8 @@ model_behavior.c nvpair.c origin.c reactions.c session.c \ timer-services.c -audisp_ids_CFLAGS = -D_GNU_SOURCE -audisp_ids_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon -lpthread +audisp_ids_CFLAGS = -D_GNU_SOURCE ${WFLAGS} +audisp_ids_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la all: all-recursive .SUFFIXES: @@ -822,7 +828,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/account.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/account.c
Changed
@@ -81,7 +81,7 @@ cur = NULL; } -account_data_t *new_account(const char *name) +void new_account(const char *name) { account_data_t *tmp = (account_data_t *)malloc(sizeof(account_data_t)); if (tmp) { @@ -89,7 +89,6 @@ tmp->karma = 0; add_account(tmp); } - return tmp; } void destroy_accounts(void) @@ -155,8 +154,12 @@ my_printf("account: deleting unknown name"); return 1; } - } else if (debug) - my_printf("account: didn't find name"); + } else { + if (debug) + my_printf("account: didn't find name"); + + return 1; + } // Now free any data pointed to by tmp2 free_account(tmp2);
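Review bot: new_account now returns void, and the body still does nothing when malloc returns NULL, so an allocation failure is invisible to the caller, who will only find out when a later lookup for the same name fails. Either return an int status or log through my_printf in the failure branch, and make callers handle a lookup that still returns NULL after calling new_account. The second hunk's added return 1 in the "didn't find name" branch is a real fix, because the old code fell through to free_account(tmp2) without having found an entry; a comment saying so would keep it from being simplified away again.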
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/account.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/account.h
Changed
@@ -21,7 +21,7 @@ void init_accounts(void); void destroy_accounts(void); -account_data_t *new_account(const char *name); +void new_account(const char *name); unsigned int get_num_accounts(void); void traverse_accounts(FILE *f);
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/ids.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/ids.c
Changed
@@ -28,11 +28,12 @@ #include <string.h> #include <sys/select.h> #include <errno.h> -#include <libaudit.h> -#include <auparse.h> #include <stdarg.h> #include <sys/wait.h> #include <sys/stat.h> // umask +#include <unistd.h> +#include <sys/timerfd.h> +#include "auparse.h" #include "common.h" #include "ids.h" #include "ids_config.h" @@ -42,20 +43,21 @@ #include "model_bad_event.h" #include "model_behavior.h" #include "timer-services.h" -#include "reactions.h" /* Global Data */ int debug = 1; -// mode 2 == syslog, 1 == stderr, 0 == nothing +// mode 3 == file, mode 2 == syslog, 1 == stderr, 0 == nothing int mode = 0; /* Local Data */ +static FILE *l = NULL; // Log file static volatile int stop = 0; static volatile int hup = 0; static volatile int dump_state = 0; static auparse_state_t *au = NULL; #define NO_ACTIONS (!hup && !stop && !dump_state) #define STATE_FILE "/var/run/ids-state" +#define TIMER_INTERVAL 30 // Run every 30 seconds static struct ids_conf config; /* Local declarations */ @@ -72,6 +74,17 @@ else if (mode == 1) { vfprintf(stderr, fmt, ap); fputc('\n', stderr); + } else if (mode == 3) { + if (l == NULL) { + l = fopen("/var/run/audisp-ids.log", "wt"); + if (l == NULL) { + va_end(ap); + return; + } + setlinebuf(l); + } + vfprintf(l, fmt, ap); + fputc('\n', l); } va_end(ap); } @@ -86,11 +99,13 @@ } } + static void destroy_audit(void) { audit_close(audit_fd); } + void log_audit_event(int type, const char *text, int res) { audit_log_user_message(audit_fd, type, text, NULL, NULL, NULL, res); @@ -105,6 +120,7 @@ stop = 1; } + static void child_handler(int sig __attribute__((unused))) { int status; @@ -112,6 +128,7 @@ ; /* empty */ } + /* * SIGHUP handler: re-read config */ @@ -120,6 +137,7 @@ hup = 1; } + static void reload_config(void) { hup = 0; @@ -127,11 +145,13 @@ load_config(&config); } + static void sigusr1_handler(int sig __attribute__((unused))) { dump_state = 1; } + static void output_state(void) { FILE *f = fopen(STATE_FILE, "wt"); 
@@ -147,10 +167,13 @@ } } + int main(void) { char tmpMAX_AUDIT_MESSAGE_LENGTH+1; struct sigaction sa; + struct itimerspec itval; + int tfd; fd_set read_mask; /* Register sighandlers */ @@ -183,12 +206,23 @@ my_printf("ids is exiting due to auparse init errors"); return -1; } + auparse_set_eoe_timeout(2); auparse_add_callback(au, handle_event, NULL, NULL); - + init_timer_services(); + tfd = timerfd_create (CLOCK_MONOTONIC, TFD_NONBLOCK|TFD_CLOEXEC); + if (tfd < 0) { + my_printf("ids is exiting due to timerfd_create failing"); + return -1; + } + itval.it_interval.tv_sec = TIMER_INTERVAL; + itval.it_interval.tv_nsec = 0; + itval.it_value.tv_sec = itval.it_interval.tv_sec; + itval.it_value.tv_nsec = 0; + timerfd_settime(tfd, 0, &itval, NULL); do { - int retval = -1; + int retval; /* Handle dump_state */ if (dump_state) 
@@ -202,31 +236,61 @@ if (stop) break; - FD_ZERO(&read_mask); - FD_SET(0, &read_mask); do { - retval= select(1, &read_mask, NULL, NULL, NULL); + FD_ZERO(&read_mask); + FD_SET(0, &read_mask); + FD_SET(tfd, &read_mask); + + if (auparse_feed_has_data(au)) { + // We'll do a 1 second timeout to try to + // age events as quick as possible + struct timeval tv; + tv.tv_sec = 1; + tv.tv_usec = 0; + //my_printf("auparse_feed_has_data"); + retval= select(tfd+1, &read_mask, + NULL, NULL, &tv); + } else + retval= select(tfd+1, &read_mask, + NULL, NULL, NULL); + + /* If we timed out & have events, shake them loose */ + if (retval == 0 && auparse_feed_has_data(au)) { + //my_printf("auparse_feed_age_events"); + auparse_feed_age_events(au); + } } while (retval == -1 && errno == EINTR && NO_ACTIONS); /* Now the event loop */ if (NO_ACTIONS && retval > 0) { if (FD_ISSET(0, &read_mask)) { do { - if (audit_fgets(tmp, - MAX_AUDIT_MESSAGE_LENGTH, 0)) { - auparse_feed(au, tmp, - strnlen(tmp, - MAX_AUDIT_MESSAGE_LENGTH)); + int len; + if ((len = audit_fgets(tmp, + MAX_AUDIT_MESSAGE_LENGTH, + 0)) > 0) { + /* char *buf = strndup(tmp, 40); + my_printf("auparse_feed %s", buf); + free(buf); */ + auparse_feed(au, tmp, len); } } while (audit_fgets_more(
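Review bot: In main, the return value of timerfd_settime(tfd, 0, &itval, NULL) is ignored, unlike timerfd_create just above it, so if arming fails the select loop never sees tfd become readable and the periodic work stops without any message. Check the result and exit or log as for timerfd_create, and zero-initialise itval rather than filling fields one by one. In my_printf, the mode 3 branch opens the fixed path /var/run/audisp-ids.log with "wt", which truncates the previous log on every start and leaves the descriptor inheritable, whereas the timerfd is created with TFD_CLOEXEC. Since this program has a child_handler and therefore spawns children, opening the log with the "e" flag and in append mode would be more consistent. The two early return -1 paths also leave au allocated, which is harmless at exit but worth a cleanup label.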
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/ids.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/ids.h
Changed
@@ -8,8 +8,9 @@ #ifndef IDS_HEADER #define IDS_HEADER -#include <libaudit.h> +#include "libaudit.h" #define DAEMON_SESSION "4294967295" +#define UNSET 4294967295 extern int debug; extern void my_printf(const char *fmt, ...)
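Review bot: the new macro UNSET is defined as 4294967295 with no suffix, so its type is long or long long depending on the platform, while start_session compares it against an unsigned int session id (s != UNSET). The comparison works, but writing the constant as 4294967295U or (unsigned int)-1 states the intended type. UNSET is also a very generic name for a header-level macro; a name tied to sessions, next to DAEMON_SESSION, would be less likely to collide.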
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/model_bad_event.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/model_bad_event.c
Changed
@@ -9,11 +9,12 @@ #include <arpa/inet.h> // inet_pton #include <libaudit.h> #include <string.h> +#include <stdlib.h> #include "ids.h" #include "session.h" #include "origin.h" #include "model_bad_event.h" - +#include "reactions.h" /* Local Data */ @@ -29,6 +30,10 @@ destroy_sessions(); } +// Look at the acct, is it a daemon acct and forbidden +// Is the acct root and forbidden +// is it a bad login +// is it a new session static void start_session(auparse_state_t *au, struct ids_conf *config) { unsigned int a; 
@@ -38,46 +43,60 @@ else a = -1; + int service_acct = 0; + const char *acct = NULL; + const char *atype = auparse_normalize_subject_kind(au); + if (atype && strncmp(atype, "service", 7) == 0) + service_acct = 1; + if (auparse_normalize_subject_primary(au) == 1) + acct = strdup(auparse_interpret_field(au)); + + // Have we seen this endpoint before? + origin_data_t *o = find_origin(a); + if (o == NULL) { + new_origin(a); + o = find_origin(a); + } + + // Is this login a service account? + if (service_acct && !config->option_service_login_allowed) { + my_printf("bad_service_login_origin: %s", acct); + bad_service_login_origin(o, config, acct); + } + + // Is this a root login + else if (!config->option_root_login_allowed && acct && + strcmp(acct, "root") == 0) { + my_printf("watched_login_origin: %s", acct); + watched_login_origin(o, config, acct); + } + + // Check if it's a failed login if (auparse_normalize_get_results(au) == 1) { // Handle a bad login const char *res = auparse_interpret_field(au); if (res && strcmp(res, "failed") == 0) { - int service_acct = 0; - const char *acct = NULL; - const char *atype = auparse_normalize_subject_kind(au); - if (atype && strncmp(atype, "service", 7) == 0) - service_acct = 1; - if (auparse_normalize_subject_primary(au) == 1) - acct = auparse_interpret_field(au); - - origin_data_t *o = find_origin(a); - if (o == NULL) - o = new_origin(a); - if(service_acct && - !config->option_service_login_allowed) - bad_service_login_origin(o, config, acct); - else if (!config->option_root_login_allowed && acct && - strcmp(acct, "root") == 0) - watched_login_origin(o, config, acct); - else - bad_login_origin(o, config); + // Since the login failed, we don't need to + // start a new session + bad_login_origin(o, config); + free((void *)acct); return; } } + + // Look for new login sessions if (auparse_normalize_session(au) == 1) { - const char *ses = auparse_get_field_str(au); - if (ses) { - if (strcmp(ses, DAEMON_SESSION)) { - unsigned int s = 
auparse_get_field_int(au); - if (auparse_normalize_subject_primary(au) == 1){ - new_session(s, a, strdup( - auparse_interpret_field(au))); - } - } // else we have a strange daemon login + unsigned int s = auparse_get_field_int(au); + if (s != UNSET) { + // new_session takes custody of acct + new_session(s, a, acct); + acct = NULL; + // otherwise we have a strange daemon login } else if (debug) - my_printf("start_session: can't find session in serial %lu", - auparse_get_serial(au)); + my_printf("start_session: can't find session in serial %s", + auparse_get_type_name(au)); } + free((void *)acct); } static void end_session(auparse_state_t *au) @@ -92,7 +111,7 @@ } /* This function receives a single complete event from the auparse library. */ -unsigned int process_bad_event_model(auparse_state_t *au, +void process_bad_event_model(auparse_state_t *au, struct ids_conf *config) { unsigned int answer = 0; @@ -115,7 +134,7 @@ { // Do not process our own events const char *exe = auparse_normalize_how(au); - if (exe && strcmp(exe, "ids") == 0) + if (exe && strcmp(exe, "/usr/sbin/audisp-ids") == 0) break; } // fallthrough if pam related @@ -139,9 +158,11 @@ origin_data_t *o = current_origin(); if (o) { if (o->karma >= config->option_origin_failed_logins_threshold && - !o->blocked) + !o->blocked) { + //AUDIT_ANOM_ORIGIN_FAILURES answer |= config->option_origin_failed_logins_reaction; + do_reaction(answer, "login_failures"); + } } - return answer; }
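Review bot: in the start_session hunk, acct = strdup(auparse_interpret_field(au)) passes the result straight to strdup, but the same function tests that call's result for NULL a few lines later (res && strcmp(...)), and strdup(NULL) is undefined. Test the pointer before duplicating it. The two new my_printf calls also format acct with %s when it can still be NULL. In the same hunk, new_origin(a) followed by o = find_origin(a) leaves o NULL if the allocation in new_origin failed, and o is then handed to bad_service_login_origin, watched_login_origin or bad_login_origin, which read o->address; bail out when o is still NULL.

Review bot: the same hunk changes behaviour beyond the refactor. The service-account and root checks used to run only when the result was "failed"; they now run for every login, and a failed service or root login is scored twice (once by the account check, once by bad_login_origin). If that is intended, the comment block added above start_session should say so. The debug message "can't find session in serial %s" now prints auparse_get_type_name(au), so the label no longer matches the value.

Review bot: in the @@ -115,7 hunk the self-event filter compares against the hard-coded path "/usr/sbin/audisp-ids". A build installed under a different sbindir would stop recognising its own events; take the path from the build configuration instead of a literal.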
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/model_bad_event.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/model_bad_event.h
Changed
@@ -1,10 +1,10 @@ -#ifndef MODEL_BAD_EVENT_HEADER -#define MODEL_BAD_EVENT_HEADER +#ifndef MODEL_BAD_EVENT_HEADER +#define MODEL_BAD_EVENT_HEADER -#include <auparse.h> +#include "auparse.h" #include "ids_config.h" -unsigned int process_bad_event_model(auparse_state_t *au, +void process_bad_event_model(auparse_state_t *au, struct ids_conf *config); #endif
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/model_behavior.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/model_behavior.c
Changed
@@ -12,7 +12,7 @@ #include "session.h" #include "origin.h" #include "model_behavior.h" - +#include "reactions.h" /* Local Data */ @@ -71,8 +71,7 @@ } /* This function receives a single complete event from the auparse library. */ -unsigned int process_behavior_model(auparse_state_t *au, - struct ids_conf *config) +void process_behavior_model(auparse_state_t *au, struct ids_conf *config) { unsigned int answer = 0; auparse_first_record(au); @@ -115,7 +114,9 @@ if (o && s) { if (s->score >= config->option_session_badness1_threshold && s->killed == 0) { + //AUDIT_ANOM_SESSION answer |= config->option_session_badness1_reaction; + do_reaction(answer, "session_bad"); if (s->killed >= 1) add_to_score_origin(o, 5); else @@ -124,9 +125,10 @@ } if (o && o->karma >= config->option_origin_failed_logins_threshold && - !o->blocked) + !o->blocked) { + //AUDIT_ANOM_ORIGIN_FAILURES answer |= config->option_origin_failed_logins_reaction; - - return answer; + do_reaction(answer, "failed_login"); + } }
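Review bot: in the last hunk, answer still carries the option_session_badness1_reaction bits when do_reaction(answer, "failed_login") is called, so when both thresholds trip on one event the session reaction is executed a second time and under the wrong reason. Pass only config->option_origin_failed_logins_reaction to the second call, or clear answer between the two. The reason string here is "failed_login" while model_bad_event.c uses "login_failures" for the same threshold; block_address writes that string into the reason= field of the audit record, so one spelling should be used in both models.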
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/model_behavior.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/model_behavior.h
Changed
@@ -1,10 +1,10 @@ -#ifndef MODEL_BEHAVIOR_HEADER -#define MODEL_BEHAVIOR_HEADER +#ifndef MODEL_BEHAVIOR_HEADER +#define MODEL_BEHAVIOR_HEADER -#include <auparse.h> +#include "auparse.h" #include "ids_config.h" -unsigned int process_behavior_model(auparse_state_t *au, +void process_behavior_model(auparse_state_t *au, struct ids_conf *config); #endif
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/origin.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/origin.c
Changed
@@ -66,7 +66,7 @@ free(o); } -origin_data_t *new_origin(unsigned int a) +void new_origin(unsigned int a) { origin_data_t *tmp = (origin_data_t *)malloc(sizeof(origin_data_t)); if (tmp) { @@ -75,7 +75,6 @@ tmp->blocked = 0; add_origin(tmp); } - return tmp; } static void destroy_origin(void) @@ -151,8 +150,11 @@ my_printf("origin: deleting unknown address"); return 1; } - } else if (debug) - my_printf("origin: didn't find address"); + } else { + if (debug) + my_printf("origin: didn't find address"); + return 1; + } // Now free any data pointed to by tmp2 free_origin(tmp2); @@ -163,13 +165,25 @@ char *sockint_to_ipv4(unsigned int addr) { unsigned char *uaddr = (unsigned char *)&(addr); - static char buf40; + static char buf16; snprintf(buf, sizeof(buf), "%u.%u.%u.%u", uaddr0, uaddr1, uaddr2, uaddr3); return buf; } +unsigned int ipv4_to_sockint(const char *buf) +{ + unsigned int addr; + unsigned int ip4 = {0, 0, 0, 0}; + + if (sscanf(buf, "%u.%u.%u.%u", &ip3, &ip2, &ip1, &ip0) != 4) + return 0; + + addr = ip0 << 24 | ip1 << 16 | ip2 << 8 | ip3; + return addr; +} + void bad_login_origin(origin_data_t *o, struct ids_conf *config) { // We will just add a 1 for a bad login. add_to_score_origin(o, config->option_bad_login_weight); @@ -178,9 +192,10 @@ void bad_service_login_origin(origin_data_t *o, struct ids_conf *config, const char *acct) { // We will just add a 5 for a bad service login. - char buf32; + char buf62; const char *addr = sockint_to_ipv4(o->address); - snprintf(buf, sizeof(buf), "acct=%s daddr=%s", + // account names can be up to 32 characters. IPv4 can be 16 + snprintf(buf, sizeof(buf), "acct=%.32s daddr=%.16s", acct ? acct : "?", addr); log_audit_event(AUDIT_ANOM_LOGIN_SERVICE, buf, 1); 
@@ -190,9 +205,9 @@ void watched_login_origin(origin_data_t *o, struct ids_conf *config, const char *acct) { // We will just add a 5 for a watched login. - char buf32; + char buf62; const char *addr = sockint_to_ipv4(o->address); - snprintf(buf, sizeof(buf), "acct=%s daddr=%s", + snprintf(buf, sizeof(buf), "acct=%.32s daddr=%.16s", acct ? acct : "?", addr); log_audit_event(AUDIT_ANOM_LOGIN_ACCT, buf, 1); @@ -213,3 +228,15 @@ my_printf("origin karma: %u", o->karma); } +// Returns 1 on success and 0 on failure +int unblock_origin(const char *addr) +{ + unsigned int uaddr = ipv4_to_sockint(addr); + origin_data_t *o = find_origin(uaddr); + if (o) { + o->blocked = 0; + return 1; + } + + return 0; +}
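Review bot: ipv4_to_sockint accepts any four %u values, so an octet above 255 spills into the neighbouring byte once the parts are shifted and OR-ed together, and anything after the fourth number is ignored by sscanf. Reject octets greater than 255. The function returns 0 on a parse failure, which is also the encoding of 0.0.0.0, so unblock_origin cannot tell a malformed string from a real address; a separate success flag or out-parameter would fix that.

Review bot: sockint_to_ipv4 reads the address byte by byte from memory, while the new ipv4_to_sockint assembles it with shifts. The two only round-trip on a little-endian host. On a big-endian build the value produced from the string no longer equals the stored address, so find_origin in unblock_origin would miss and the origin would stay marked as blocked. Build the integer the same way it is read back, for example by filling an unsigned char array and copying it into addr.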
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/origin.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/origin.h
Changed
@@ -22,7 +22,7 @@ void init_origins(void); -origin_data_t *new_origin(unsigned int a); +void new_origin(unsigned int a); void destroy_origins(void); unsigned int get_num_origins(void); void traverse_origins(FILE *f); @@ -37,7 +37,9 @@ void watched_login_origin(origin_data_t *o, struct ids_conf *config, const char *acct); void add_to_score_origin(origin_data_t *o, unsigned int adj); +int unblock_origin(const char *addr); char *sockint_to_ipv4(unsigned int addr); +unsigned int ipv4_to_sockint(const char *buf); #endif
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/reactions.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/reactions.c
Changed
@@ -18,10 +18,12 @@ #include <pwd.h> #include <string.h> #include "ids.h" +#include "ids_config.h" #include "reactions.h" +#include "session.h" #include "timer-services.h" - +// Returns 0 on success and 1 on failure static int safe_exec(const char *exe, ...) { char **argv; @@ -230,6 +232,44 @@ return 0; } +#define MINUTES 60 +#define HOURS 60*MINUTES +#define DAYS 24*HOURS +#define WEEKS 7*DAYS +#define MONTHS 30*DAYS + +static void block_address(unsigned int reaction, const char *reason) +{ + // FIXME: This should be configurable + unsigned time_out = 2*MINUTES; + int res; + char buf80; + origin_data_t *o = current_origin(); + const char *addr = sockint_to_ipv4(o->address); + + if (debug) + my_printf("Blocking address %s b/c %s", addr, reason); + + if (reaction == REACTION_BLOCK_ADDRESS) + res = block_ip_address(addr); + else + res = block_ip_address_timed(addr, time_out); + + if (res == 0) { + o->blocked = 1; + if (reaction == REACTION_BLOCK_ADDRESS) { + snprintf(buf, sizeof(buf), "daddr=%.16s reason=%s", + addr, reason); + log_audit_event(AUDIT_RESP_ORIGIN_BLOCK, buf, 1); + } else { + snprintf(buf, sizeof(buf), + "daddr=%.16s reason=%s time_out=%u", + addr, reason, time_out/MINUTES); + log_audit_event(AUDIT_RESP_ORIGIN_BLOCK_TIMED, buf, 1); + } + } +} + int unblock_ip_address(const char *addr) { if (debug) 
@@ -255,3 +295,50 @@ return safe_exec("/sbin/init", "0"); } +void do_reaction(unsigned int answer, const char *reason) +{ +//my_printf("Answer: %u", answer); + unsigned int num = 0; + + do { + unsigned int tmp = 1 << num; + if (answer & tmp) { + switch (tmp) { + // FIXME: do the reactions + case REACTION_IGNORE: + break; + case REACTION_LOG: + case REACTION_EMAIL: + case REACTION_TERMINATE_PROCESS: + break; + case REACTION_TERMINATE_SESSION: + { + // FIXME: need to add audit events + session_data_t *s = current_session(); + kill_session(s->session); + break; + } + case REACTION_RESTRICT_ROLE: + case REACTION_PASSWORD_RESET: + case REACTION_LOCK_ACCOUNT_TIMED: + case REACTION_LOCK_ACCOUNT: + break; + case REACTION_BLOCK_ADDRESS_TIMED: + case REACTION_BLOCK_ADDRESS: + block_address(tmp, reason); + break; + case REACTION_SYSTEM_REBOOT: + case REACTION_SYSTEM_SINGLE_USER: + case REACTION_SYSTEM_HALT: + break; + default: + if (debug) + my_printf("Unknown reaction: %X", + tmp); + break; + } + } + num++; + } while (num < 32); +} +
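Review bot: in do_reaction, unsigned int tmp = 1 << num shifts a signed int, which is undefined once num reaches 31; write 1U << num. In the REACTION_TERMINATE_SESSION case the result of current_session() is dereferenced without a check, and process_bad_event_model calls do_reaction from the failed-login threshold path, where start_session returns before any session is created. If current_session() can return NULL, a configuration that maps that threshold to session termination will crash the plugin. block_address does the same with current_origin(); both should test the pointer first.

Review bot: in the block_address hunk, HOURS, DAYS, WEEKS and MONTHS expand to unparenthesised products (60*MINUTES and so on). time_out/MINUTES is fine today because MINUTES is a plain 60, but an expression such as time_out/HOURS would evaluate as time_out/60*60. Wrap each expansion in parentheses. The hard-coded 2*MINUTES timeout is already marked FIXME; until it is configurable, the value should at least be documented where the reaction is configured.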
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/reactions.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/reactions.h
Changed
@@ -21,5 +21,6 @@ int system_reboot(void); int system_single_user(void); int system_halt(void); +void do_reaction(unsigned int answer, const char *reason); #endif
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/rules/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/rules/Makefile.am
Changed
@@ -11,9 +11,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
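Review bot: the rewritten paragraph of the license header now refers to the GNU General Public License, but the unchanged context line directly above it still says "See the GNU Lesser General Public License for more details", so the header names two different licenses. Make both sentences name the license this file is actually under. The postal code in the new text, 02110-1335, also differs from the one the FSF publishes for 51 Franklin Street (02110-1301).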
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/rules/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/rules/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -27,9 +27,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -195,6 +196,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -206,8 +209,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -263,6 +268,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -316,6 +322,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -398,7 +405,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/session.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/session.c
Changed
@@ -85,7 +85,7 @@ cur = NULL; } -session_data_t *new_session(unsigned int s, unsigned int o, const char *acct) +void new_session(unsigned int s, unsigned int o, const char *acct) { session_data_t *tmp = malloc(sizeof(session_data_t)); if (tmp) { @@ -96,7 +96,6 @@ tmp->acct = acct ? acct : strdup(""); add_session(tmp); } - return tmp; } void destroy_sessions(void)
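Review bot: new_session now returns void, and start_session in model_bad_event.c sets acct = NULL right after the call on the assumption that ownership of the string has moved. When the malloc here fails (tmp is NULL) nothing takes ownership, so the strdup'ed account name leaks and the caller has no way to notice. Free acct in the failure branch, or keep a return value the caller can test before it drops its pointer.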
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/session.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/session.h
Changed
@@ -25,7 +25,7 @@ void init_sessions(void); -session_data_t *new_session(unsigned int s, unsigned int o, const char *acct); +void new_session(unsigned int s, unsigned int o, const char *acct); void destroy_sessions(void); unsigned int get_num_sessions(void); void traverse_sessions(FILE *f);
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/timer-services.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/timer-services.c
Changed
@@ -22,79 +22,70 @@ */ #include "config.h" -#include <pthread.h> -#include <stdatomic.h> #include <string.h> #include <unistd.h> -#include <signal.h> +#include <stdio.h> // for snprintf #include "timer-services.h" #include "nvpair.h" #include "reactions.h" #include "ids.h" +#include "origin.h" -static pthread_t timer_thread; -static void *timer_thread_main(void *arg); static nvlist jobs; -static volatile atomic_int halt = 0, locked = 0; - +static time_t now; // Something to think about, jobs should probably be peristent so that // we can resume them after starting back up. void init_timer_services(void) { nvpair_list_create(&jobs); - pthread_create(&timer_thread, NULL, timer_thread_main, NULL); + now = time(NULL); } -static void *timer_thread_main(void *arg __attribute__((unused))) +void do_timer_services(unsigned int interval) { - sigset_t sigs; - time_t now; + now += interval; +rerun_jobs: + while (nvpair_list_find_job(&jobs, now)) { + nvnode *j = nvpair_list_get_cur(&jobs); + switch (j->job) { + case UNLOCK_ACCOUNT: + unlock_account(j->arg); + // Should we reset the stats? + break; + case UNBLOCK_ADDRESS: + { + // Send iptables rule + int res = unblock_ip_address(j->arg); - /* This is a worker thread. Don't handle signals. */ - sigemptyset(&sigs); - sigaddset(&sigs, SIGTERM); - sigaddset(&sigs, SIGCHLD); - sigaddset(&sigs, SIGHUP); - sigaddset(&sigs, SIGUSR1); - pthread_sigmask(SIG_SETMASK, &sigs, NULL); + // Log that its back in business + char buf24; + snprintf(buf, sizeof(buf), + "daddr=%.16s", j->arg); + log_audit_event( + AUDIT_RESP_ORIGIN_UNBLOCK_TIMED, + buf, !res); - now = time(NULL); - while (!halt) { - sleep(5); - now += 5; -rerun_jobs: - while (__sync_lock_test_and_set(&locked, 1)); - while (!halt && nvpair_list_find_job(&jobs, now)) { - nvnode *j = nvpair_list_get_cur(&jobs); - switch (j->job) { - case UNLOCK_ACCOUNT: - unlock_account(j->arg); - // Should we reset the stats? 
- break; - case UNBLOCK_ADDRESS: - unblock_ip_address(j->arg); - // Should we reset the stats? - break; - default: - break; - } - nvpair_list_delete_cur(&jobs); + // Reset origin state + unblock_origin(j->arg); + } + break; + default: + break; } - __sync_lock_release(&locked); + nvpair_list_delete_cur(&jobs); + } - // Every 5 minutes resync to the clock - if (now%600 == 0) { - time_t cur = now; - now = time(NULL); - if (now > cur) { - if (debug) - my_printf("Time jumped - rerunning jobs"); - goto rerun_jobs; - } + // Every 10 minutes resync to the clock + if (now%600 > interval) { + time_t cur = now; + now = time(NULL); + if (now > cur) { + if (debug) + my_printf("Time jumped - rerunning jobs"); + goto rerun_jobs; } } - return NULL; } void add_timer_job(jobs_t job, const char *arg, unsigned long length) @@ -105,20 +96,11 @@ node.arg = strdup(arg); node.expiration = time(NULL) + length; - while (__sync_lock_test_and_set(&locked, 1)); nvpair_list_append(&jobs, &node); - __sync_lock_release(&locked); } void shutdown_timer_services(void) { - halt = 1; - pthread_cancel(timer_thread); - - while (__sync_lock_test_and_set(&locked, 1)); nvpair_list_clear(&jobs); - __sync_lock_release(&locked); - - pthread_join(timer_thread, NULL); }
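Review bot: the resync test if (now%600 > interval) does not do what its comment says ("Every 10 minutes resync to the clock"). It is true for nearly every call, so time(NULL) is consulted on almost every tick, and it is false exactly in the short window at the start of each 600-second period where the old now%600 == 0 test used to fire. A test of the form now%600 < interval is closer to one resync per period.

Review bot: in the UNBLOCK_ADDRESS case, unblock_origin(j->arg) runs even when unblock_ip_address returned failure. The origin is then marked as not blocked while the firewall rule may still be in place, and the job is deleted, so nothing retries. Call unblock_origin only when res is 0, and decide explicitly what happens to the job on failure.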
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/ids/timer-services.h -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/ids/timer-services.h
Changed
@@ -27,6 +27,7 @@ typedef enum {UNLOCK_ACCOUNT, UNBLOCK_ADDRESS} jobs_t; void init_timer_services(void); +void do_timer_services(unsigned int interval); void add_timer_job(jobs_t job, const char *arg, unsigned long length); void shutdown_timer_services(void);
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/remote/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/remote/Makefile.am
Changed
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -35,9 +36,9 @@ audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.la audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c -audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef +audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef ${WFLAGS} audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) -L${top_builddir}/common -laucommon +audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) ${top_builddir}/common/libaucommon.la test_queue_SOURCES = queue.c test-queue.c
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/remote/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/remote/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -240,8 +241,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__tty_colors_dummy = \ mgn= red= grn= lgn= blu= brg= std=; \ am__color_tests=no @@ -397,6 +396,7 @@ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -442,6 +442,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -453,8 +455,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ 
@@ -510,6 +514,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -563,6 +568,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -588,9 +594,9 @@ TESTS = $(check_PROGRAMS) audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.la audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c -audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef +audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef ${WFLAGS} audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) -L${top_builddir}/common -laucommon +audisp_remote_LDADD = $(CAPNG_LDADD) $(gss_libs) ${top_builddir}/common/libaucommon.la test_queue_SOURCES = queue.c test-queue.c all: all-am @@ -1024,7 +1030,7 @@ test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -1079,7 +1085,6 @@ @am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/remote/au-remote.conf -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/remote/au-remote.conf
Changed
@@ -1,5 +1,5 @@ -# This file controls the audispd data path to the +# This file controls the auditd data path to the # remote event logger. This plugin will send events to # a remote machine (Central Logger).
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/remote/audisp-remote.8 -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/remote/audisp-remote.8
Changed
@@ -1,4 +1,4 @@ -.TH AUDISP-REMOTE: "8" "August 2018" "Red Hat" "System Administration Utilities" +.TH AUDISP-REMOTE "8" "August 2018" "Red Hat" "System Administration Utilities" .SH NAME audisp-remote \- plugin for remote logging .SH SYNOPSIS @@ -16,7 +16,7 @@ .IR suspend flag tells whether or not logging has been suspended. The .IR remote_ended -flage tells if the connection was broken by the server saying it can't log events. The +flag tells if the connection was broken by the server saying it can't log events. The .IR transport_ok flag tells whether or not the connection to the remote server is healthy. The .IR queue_size @@ -30,8 +30,8 @@ /etc/audit/plugins.d/au-remote.conf /etc/audit/auditd.conf .SH "SEE ALSO" -.BR auditd.conf(8), -.BR auditd-plugins(5), -.BR audisp-remote.conf(5). +.BR auditd.conf (8), +.BR auditd-plugins (5), +.BR audisp-remote.conf (5). .SH AUTHOR Steve Grubb
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/remote/audisp-remote.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/remote/audisp-remote.c
Changed
@@ -566,7 +566,7 @@ // See if input fd is also set if (FD_ISSET(ifd, &rfd)) { do { - if (audit_fgets(event, sizeof(event), ifd)) { + if (audit_fgets(event,sizeof(event),ifd) > 0) { if (!transport_ok && remote_ended && (config.remote_ending_action == FA_RECONNECT || @@ -619,7 +619,7 @@ // If stdin is a pipe, then flush the queue if (is_pipe(0)) { - while (q_queue_length(queue) && transport_ok) + while (q_queue_length(queue) && !suspend && transport_ok) send_one(queue); } @@ -757,9 +757,16 @@ gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); } -#define KCHECK(x,f) if (x) { \ - syslog (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \ - return -1; } +#define KLOG(x,f) { \ + const char *kstr = krb5_get_error_message(kcontext, x); \ + syslog (LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ + krb5_free_error_message(kcontext, kstr); } +static krb5_context kcontext = NULL; +static char *realm_name = NULL; +static krb5_principal audit_princ; +static krb5_ccache ccache = NULL; +static krb5_get_init_creds_opt options; +static krb5_keytab keytab = NULL; /* Each time we connect to the server, we negotiate a set of credentials and a security context. To do this, we need our own credentials first. For @@ -782,13 +789,7 @@ we use Kerberos calls here. */ int krberr; - krb5_context kcontext = NULL; - char *realm_name; - krb5_principal audit_princ; - krb5_ccache ccache = NULL; krb5_creds my_creds; - krb5_get_init_creds_opt options; - krb5_keytab keytab = NULL; const char *krb5_client_name; char *slashptr; char host_name255; @@ -800,7 +801,10 @@ recv_tok.value = NULL; krberr = krb5_init_context (&kcontext); - KCHECK (krberr, "krb5_init_context"); + if (krberr) { + KLOG (krberr, "krb5_init_context"); + return -1; + } if (config.krb5_key_file) key_file = config.krb5_key_file; 
@@ -815,30 +819,33 @@ syslog (LOG_ERR, "%s is not mode 0400 (it's %#o) - compromised key?", key_file, st.st_mode & 07777); - return -1; + goto error1; } if (st.st_uid != 0) { if (!quiet) syslog (LOG_ERR, "%s is not owned by root (it's %d) - compromised key?", key_file, st.st_uid); - return -1; + goto error1; } } /* This looks up the default real (*our* realm) from /etc/krb5.conf (or wherever) */ krberr = krb5_get_default_realm (kcontext, &realm_name); - KCHECK (krberr, "krb5_get_default_realm"); + if (krberr) { + KLOG (krberr, "krb5_get_default_realm"); + goto error1; + } krb5_client_name = config.krb5_client_name ? config.krb5_client_name : "auditd"; if (gethostname(host_name, sizeof(host_name)) != 0) { if (!quiet) syslog (LOG_ERR, - "gethostname: host name longer than %ld characters?", + "gethostname: host name longer than %lu characters?", sizeof (host_name)); - return -1; + goto error2; } syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n", @@ -847,17 +854,26 @@ krberr = krb5_build_principal (kcontext, &audit_princ, strlen(realm_name), realm_name, krb5_client_name, host_name, NULL); - KCHECK (krberr, "krb5_build_principal"); + if (krberr) { + KLOG (krberr, "krb5_build_principal"); + goto error2; + } /* Locate our machine's key table, where our private key is * held. */ krberr = krb5_kt_resolve (kcontext, key_file, &keytab); - KCHECK (krberr, "krb5_kt_resolve"); + if (krberr) { + KLOG (krberr, "krb5_kt_resolve"); + goto error3; + } /* Identify a cache to hold the key in. The GSS wrappers look up our credentials here. */ krberr = krb5_cc_resolve (kcontext, CCACHE_NAME, &ccache); - KCHECK (krberr, "krb5_cc_resolve"); + if (krberr) { + KLOG (krberr, "krb5_cc_resolve"); + goto error4; + } setenv("KRB5CCNAME", CCACHE_NAME, 1); 
@@ -872,15 +888,24 @@ krberr = krb5_get_init_creds_keytab(kcontext, &my_creds, audit_princ, keytab, 0, NULL, &options); - KCHECK (krberr, "krb5_get_init_creds_keytab"); + if (krberr) { + KLOG (krberr, "krb5_get_init_creds_keytab"); + goto error5; + } /* Create the cache... */ krberr = krb5_cc_initialize(kcontext, ccache, audit_princ); - KCHECK (krberr, "krb5_cc_initialize"); + if (krberr) { + KLOG (krberr, "krb5_cc_initialize"); + goto error5; + } /* ...and store our credentials in it. */ krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds); - KCHECK (krberr, "krb5_cc_store_cred"); + if (krberr) { + KLOG (krberr, "krb5_cc_store_cred"); + goto error5; + } /* The GSS code now has a set of credentials for this program. I.e. we know who "we" are. Now we talk to the server to @@ -903,13 +928,13 @@ (gss_OID) gss_nt_service_name, &service_name_e); if (major_status != GSS_S_COMPLETE) { gss_failure("importing name", major_status, minor_status); - return -1; + goto error5; } /* Someone has to go first. In this case, it's us. */ if (send_token(sock, empty_token) < 0) { (void) gss_release_name(&minor_status, &service_name_e); - return -1; + goto error5; } /* The server starts this loop with the token we just sent @@ -936,7 +961,7 @@ &send_tok); (void) gss_release_name(&minor_status, &service_name_e); - return -1; + goto error5; } } (void) gss_release_buffer(&minor_status, &send_tok); @@ -949,7 +974,7 @@ if (*gss_context != GSS_C_NO_CONTEXT) gss_delete_sec_context(&minor_status, gss_context, GSS_C_NO_BUFFER); - return -1; + goto error5; } /* Now get any tokens the sever sends back. We use @@ -958,7 +983,7 @@ if (recv_token(sock, &recv_tok) < 0) { (void) gss_release_name(&minor_status, &service_name_e); - return -1;
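Review bot: in the gethostname error path the conversion was changed from %ld to %lu for sizeof (host_name), but sizeof yields a size_t, so the matching conversion is %zu; %lu is still wrong on targets where size_t is not unsigned long.

Review bot: the new KLOG macro expands to a bare { ... } block. Every use in this diff sits inside a braced if, so it works, but wrapping the body in do { ... } while (0) keeps KLOG(...); safe if it is ever used in an unbraced if/else.

Review bot: kcontext, realm_name, audit_princ, ccache, options and keytab move from locals to file-scope statics. The comment above the function says credentials are negotiated each time the plugin connects, so a second call overwrites the handles from the first. The cleanup labels error1 to error5 are outside the visible part of the diff; confirm that the success path of a previous connection releases these objects before krb5_init_context is called again.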
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/remote/audisp-remote.conf.5 -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/remote/audisp-remote.conf.5
Changed
@@ -1,4 +1,4 @@ -.TH AUDISP-REMOTE.CONF: "5" "Aug 2018" "Red Hat" "System Administration Utilities" +.TH AUDISP-REMOTE.CONF "5" "Jul 2022" "Red Hat" "System Administration Utilities" .SH NAME audisp-remote.conf \- the audisp-remote configuration file .SH DESCRIPTION @@ -16,7 +16,7 @@ connect from on the local machine. If unspecified (the default) or set to the word .I any -then any available unpriviledged port is used. This is a security mechanism to prevent untrusted user space apps from injecting events into the audit daemon. You should set it to an unused port < 1024 to ensure that only privileged users can bind to that port. Then also set the tcp_client_ports in the aggregating auditd.conf file to match the ports that clients are sending from. +then any available unprivileged port is used. This is a security mechanism to prevent untrusted user space apps from injecting events into the audit daemon. You should set it to an unused port < 1024 to ensure that only privileged users can bind to that port. Then also set the tcp_client_ports in the aggregating auditd.conf file to match the ports that clients are sending from. .TP .I transport This parameter tells the remote logging app how to send events to the remote system. The valid options are @@ -48,7 +48,7 @@ .I forward mode of the .I mode -option and internal queueing for temporary network outtages. The default depth is 2048. +option and internal queueing for temporary network outages. The default depth is 2048. .TP .I format This parameter tells the remote logging app what data format will be @@ -62,7 +62,7 @@ overhead at all. The .I ascii format is a very simplistic protocol. If there are any network problems, it -willcause audisp-remote to exit. Auditd may or may not restart it on next +will cause audisp-remote to exit. Auditd may or may not restart it on next event. If something more robust is needed, use the .I managed format. If 
@@ -108,9 +108,9 @@ .I exec /path-to-script will execute the script. You cannot pass parameters to the script. If an event was sent, its dequeued. .I warn_once_continue -is like syslog execept that only one message is put in syslog until an event is successfully transferred. +is like syslog except that only one message is put in syslog until an event is successfully transferred. .I warn_once -is like warn_once_continue execept that the event is not dequeued. +is like warn_once_continue except that the event is not dequeued. .I Suspend will cause the remote logging app to stop sending records to the remote system. The logging app will still be alive. If an event was sent, it is not dequeued. The .I single @@ -179,7 +179,7 @@ .I exec /path-to-script will execute the script. You cannot pass parameters to the script. .I warn_once -is like syslog execept that only one message is put in syslog until an event is successfully transferred. +is like syslog except that only one message is put in syslog until an event is successfully transferred. .I warn_once_continue is like warn_once except it ignores the problem. This is the default. .TP @@ -235,10 +235,16 @@ the remote server is allowed in order to reboot, if you want to maintain logging across a reboot. +It is recommended to set a large q_depth in auditd.conf if using this +plugin. Also set an even bigger q_depth in audisp-remote.conf. Also +set the heartbeat_timeout to something non-zero but coordinate it with +the server so that it's half the size of the server's tcp_client_max_idle +setting. This is required to get retries in a reasonable time if the +network has a problem. + .SH "SEE ALSO" -.BR audispd (8), -.BR audisp-remote(8), -.BR auditd.conf(5). +.BR audisp-remote (8), +.BR auditd.conf (5). .SH AUTHOR Steve Grubb
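Review bot: the typo sweep misses "If an event was sent, its dequeued." in the exec description of the @@ -108 hunk, which should read "it is dequeued". In the paragraph added by the @@ -235 hunk, q_depth is tied to a file both times but heartbeat_timeout is not; name the file it is set in, and consider giving example values in place of "large" and "even bigger", since the text says the settings are required to get retries in a reasonable time.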
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/remote/notes.txt -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/remote/notes.txt
Changed
@@ -23,9 +23,9 @@ is written before the header that indicates that it is present) - but ultimately resiliency against such failures is limited by other links in the audit record transmission chain - if the record is lost -within auditd or audispd, having a resilient queue file format does -not help; audit records generated within the kernel are necessarily -lost if the system crashes before they are read by auditd because +within auditd, having a resilient queue file format does not help; +audit records generated within the kernel are necessarily lost +if the system crashes before they are read by auditd because the kernel will not be able to regenerate/retransmit them after the next boot.
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/remote/remote-config.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/remote/remote-config.c
Changed
@@ -750,7 +750,7 @@ } /* - * This function is where we do the integrated check of the audispd config + * This function is where we do the integrated check of the config * options. At this point, all fields have been read. Returns 0 if no * problems and 1 if problems detected. */
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/statsd/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/statsd/Makefile.am
Changed
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -29,8 +30,8 @@ sbin_PROGRAMS = audisp-statsd man_MANS = audisp-statsd.8 audisp_statsd_SOURCES = audisp-statsd.c -audisp_statsd_CFLAGS = -g -D_GNU_SOURCE -audisp_statsd_LDADD = -L${top_builddir}/auparse -lauparse -L${top_builddir}/lib -laudit +audisp_statsd_CFLAGS = -g -D_GNU_SOURCE ${WFLAGS} +audisp_statsd_LDADD = ${top_builddir}/auparse/libauparse.la ${top_builddir}/lib/libaudit.la install-data-hook: mkdir -p -m 0750 ${DESTDIR}${plugin_confdir}
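Review bot: the rewritten licence paragraph in the first hunk now says "GNU General Public License" and points at COPYING, while the unchanged line directly above it still says "See the GNU Lesser General Public License for more details", so the header names two different licences. Pick one and make both sentences agree (the auparse/Makefile.am hunk further down keeps LGPL and COPYING.lib consistently). The postcode "02110-1335" also looks wrong: the FSF address at 51 Franklin Street, Fifth Floor is Boston, MA 02110-1301. The same header edit recurs in the syslog and zos-remote Makefile.am hunks. The LDADD switch from -L/-l to the .la files in the second hunk is a good change, since it links the in-tree libraries and lets automake track them as dependencies.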
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/statsd/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/statsd/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -107,7 +107,8 @@ PROGRAMS = $(sbin_PROGRAMS) am_audisp_statsd_OBJECTS = audisp_statsd-audisp-statsd.$(OBJEXT) audisp_statsd_OBJECTS = $(am_audisp_statsd_OBJECTS) -audisp_statsd_DEPENDENCIES = +audisp_statsd_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/lib/libaudit.la AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -204,8 +205,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -228,6 +227,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -239,8 +240,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -296,6 +299,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -349,6 +353,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -377,9 +382,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -393,8 +399,8 @@ plugin_conf = au-statsd.conf man_MANS = audisp-statsd.8 audisp_statsd_SOURCES = audisp-statsd.c -audisp_statsd_CFLAGS = -g -D_GNU_SOURCE -audisp_statsd_LDADD = -L${top_builddir}/auparse -lauparse -L${top_builddir}/lib -laudit +audisp_statsd_CFLAGS = -g -D_GNU_SOURCE ${WFLAGS} +audisp_statsd_LDADD = ${top_builddir}/auparse/libauparse.la ${top_builddir}/lib/libaudit.la all: all-am .SUFFIXES: @@ -631,7 +637,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/statsd/audisp-statsd.8 -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/statsd/audisp-statsd.8
Changed
@@ -1,4 +1,4 @@ -.TH AUDISP-STATSD: "8" "February 2021" "Red Hat" "System Administration Utilities" +.TH AUDISP-STATSD "8" "February 2021" "Red Hat" "System Administration Utilities" .SH NAME audisp-statsd \- plugin to push audit metrics to a statsd service .SH SYNOPSIS @@ -55,7 +55,7 @@ /etc/audit/audisp-statsd.conf /etc/audit/plugins/au-statsd.conf .SH "SEE ALSO" -.BR auditd.conf(8), -.BR auditd-plugins(5), +.BR auditd.conf (8), +.BR auditd-plugins (5). .SH AUTHOR Steve Grubb
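Review bot: the SEE ALSO fix in the second hunk keeps the section number in "auditd.conf (8)", but the audisp-remote.conf.5 hunk on this page references the same page as "auditd.conf (5)"; a configuration file page belongs in section 5, so correct the number while the line is being touched. The audisp-syslog.8 hunk carries the same "auditd.conf (8)" reference. The .TH date stays at "February 2021" here although the content changed; audisp-remote.conf.5 had its date bumped in the same release.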
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/statsd/audisp-statsd.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/statsd/audisp-statsd.c
Changed
@@ -46,7 +46,7 @@ unsigned int port; unsigned int interval; int sock; - struct sockaddr addr; + struct sockaddr_storage addr; socklen_t addrlen; }; @@ -74,7 +74,7 @@ static pid_t auditd_pid = 0; static auparse_state_t *au = NULL; static int timer_fd = -1; -static char msgMAX_AUDIT_MESSAGE_LENGTH; +static char msgMAX_AUDIT_MESSAGE_LENGTH + 1; static struct daemon_config d; static struct audit_report r; @@ -148,9 +148,11 @@ break; default: fprintf(stderr, "unknown option\n"); + fclose(f); return 1; } } + fclose(f); if (status != 0x07) { fprintf(stderr, "Not all config options specified\n"); return 1; @@ -287,7 +289,8 @@ r.events_anomaly_count, r.events_response_count); if (len > 0 && len < (int)sizeof(message)) - sendto(d.sock, message, len, 0, &d.addr, d.addrlen); + sendto(d.sock, message, len, 0, (struct sockaddr *)&d.addr, + d.addrlen); } @@ -336,6 +339,11 @@ auparse_set_eoe_timeout(5); auparse_add_callback(au, handle_event, NULL, NULL); audit_fd = audit_open(); + if (audit_fd < 0) { + close(d.sock); + syslog(LOG_ERR, "unable to open audit socket"); + return 1; + } auditd_pid = getppid(); fcntl(0, F_SETFL, O_NONBLOCK); /* Set STDIN non-blocking */ pfd0.fd = 0; // add stdin to the poll group @@ -363,6 +371,9 @@ unsigned long long missed; missed=read(timer_fd, &missed, sizeof (missed)); kill(auditd_pid, SIGCONT); // Run auditd report + // Clear any old events if possible + if (auparse_feed_has_data(au)) + auparse_feed_age_events(au); get_kernel_status(); get_auditd_status(); send_statsd(); @@ -382,7 +393,6 @@ // tear down everything close(timer_fd); - auparse_flush_feed(au); auparse_destroy(au); close(audit_fd); close(d.sock);
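Review bot: the new audit_open() failure path in the @@ -336 hunk closes d.sock and returns, but au has already been created and given a callback two lines earlier and is not released, whereas the normal teardown in the @@ -382 hunk calls auparse_destroy(au); add the same call to the error path so both exits clean up the same resources. In the @@ -363 hunk, the context line "missed=read(timer_fd, &missed, sizeof (missed));" stores read()'s return value into the very variable used as the buffer, so the expiration count is overwritten and a -1 error becomes a huge unsigned value; use a separate ssize_t for the result. The sendto() result in the @@ -287 hunk is still ignored; a send failure is worth at least a rate-limited syslog line so missing metrics can be explained.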
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/syslog/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/syslog/Makefile.am
Changed
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -31,9 +32,9 @@ audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.la audisp_syslog_SOURCES = audisp-syslog.c -audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef +audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef ${WFLAGS} audisp_syslog_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -audisp_syslog_LDADD = $(CAPNG_LDADD) -L${top_builddir}/common -laucommon -L${top_builddir}/auparse -lauparse +audisp_syslog_LDADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la ${top_builddir}/auparse/libauparse.la install-data-hook: mkdir -p -m 0750 ${DESTDIR}${plugin_confdir}
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/syslog/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/syslog/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -226,8 +227,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -250,6 +249,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -261,8 +262,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -318,6 +321,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ 
@@ -371,6 +375,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -393,9 +398,9 @@ man_MANS = audisp-syslog.8 audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.la audisp_syslog_SOURCES = audisp-syslog.c -audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef +audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef ${WFLAGS} audisp_syslog_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -audisp_syslog_LDADD = $(CAPNG_LDADD) -L${top_builddir}/common -laucommon -L${top_builddir}/auparse -lauparse +audisp_syslog_LDADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la ${top_builddir}/auparse/libauparse.la all: all-am .SUFFIXES: @@ -632,7 +637,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/syslog/audisp-syslog.8 -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/syslog/audisp-syslog.8
Changed
@@ -1,4 +1,4 @@ -.TH AUDISP-SYSLOG: "8" "August 2018" "Red Hat" "System Administration Utilities" +.TH AUDISP-SYSLOG "8" "August 2018" "Red Hat" "System Administration Utilities" .SH NAME audisp-syslog \- plugin to push audit events into syslog .SH SYNOPSIS @@ -17,8 +17,8 @@ /etc/audit/syslog.conf /etc/audit/auditd.conf .SH "SEE ALSO" -.BR auditd.conf(8), -.BR auditd-plugins(5), -.BR syslog(3). +.BR auditd.conf (8), +.BR auditd-plugins (5), +.BR syslog (3). .SH AUTHOR Steve Grubb
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/syslog/audisp-syslog.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/syslog/audisp-syslog.c
Changed
@@ -249,7 +249,7 @@ if (FD_ISSET(0, &read_mask)) { do { if (audit_fgets(tmp, - MAX_AUDIT_MESSAGE_LENGTH, 0)) + MAX_AUDIT_MESSAGE_LENGTH, 0) > 0) write_syslog(tmp); } while (audit_fgets_more( MAX_AUDIT_MESSAGE_LENGTH));
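Review bot: with the "> 0" test a negative return from audit_fgets() is now skipped silently and the do/while simply continues as long as audit_fgets_more() is true, so a read error on stdin is indistinguishable from "no complete line yet". Capture the return value in a local, and on a negative value log it and leave the loop rather than falling through, so that a broken pipe from auditd does not go unnoticed.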
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/zos-remote/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/zos-remote/Makefile.am
Changed
@@ -14,8 +14,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Klaus Heinrich Kiwi <klausk@br.ibm.com> @@ -24,7 +25,7 @@ AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse CONFIG_CLEAN_FILES = *.rej *.orig EXTRA_DIST = zos-remote.conf audispd-zos-remote.conf -LIBS = -L${top_builddir}/auparse -lauparse +LIBS = ${top_builddir}/auparse/libauparse.la LDADD = -lpthread -lldap -llber $(CAPNG_LDADD) plugin_confdir=$(sysconfdir)/audit plugin_conf = zos-remote.conf @@ -36,7 +37,7 @@ zos-remote-queue.h audispd_zos_remote_SOURCES = zos-remote-plugin.c zos-remote-log.c \ zos-remote-ldap.c zos-remote-config.c zos-remote-queue.c -audispd_zos_remote_CFLAGS = -W -Wall -Wundef -D_GNU_SOURCE -fPIE -DPIE +audispd_zos_remote_CFLAGS = -W -Wall -Wundef -D_GNU_SOURCE -fPIE -DPIE ${WFLAGS} audispd_zos_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now install-data-hook:
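Review bot: in the @@ -24 hunk the libtool archive is placed in LIBS rather than LDADD, unlike the statsd and syslog plugins on this page, which put their .la files in the program's LDADD. automake derives a program's _DEPENDENCIES from LDADD, not from LIBS, so libauparse.la will not be a rebuild dependency of audispd-zos-remote here; move it to the LDADD line (before -lpthread -lldap -llber) and leave LIBS for system libraries.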
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/zos-remote/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/zos-remote/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -30,8 +30,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Klaus Heinrich Kiwi <klausk@br.ibm.com> @@ -213,8 +214,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -237,6 +236,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -248,8 +249,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -262,7 +265,7 @@ LDFLAGS = @LDFLAGS@ LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ LIBOBJS = @LIBOBJS@ -LIBS = -L${top_builddir}/auparse -lauparse +LIBS = ${top_builddir}/auparse/libauparse.la LIBTOOL = @LIBTOOL@ LIBTOOL_DEPS = @LIBTOOL_DEPS@ LIBWRAP_LIBS = @LIBWRAP_LIBS@ 
@@ -305,6 +308,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -358,6 +362,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -385,7 +390,7 @@ audispd_zos_remote_SOURCES = zos-remote-plugin.c zos-remote-log.c \ zos-remote-ldap.c zos-remote-config.c zos-remote-queue.c -audispd_zos_remote_CFLAGS = -W -Wall -Wundef -D_GNU_SOURCE -fPIE -DPIE +audispd_zos_remote_CFLAGS = -W -Wall -Wundef -D_GNU_SOURCE -fPIE -DPIE ${WFLAGS} audispd_zos_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now all: all-am @@ -640,7 +645,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/zos-remote/audispd-zos-remote.conf -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/zos-remote/audispd-zos-remote.conf
Changed
@@ -1,5 +1,5 @@ # This is the configuration for the audispd-zos-remote -# audit dispatcher plugin - See audispd(8) +# audit dispatcher plugin - See auditd(8) # # Note that this specific plugin has a configuration file of # its own. The complete path for this file must be entered as @@ -10,5 +10,5 @@ direction = out path = /sbin/audispd-zos-remote type = always -args = /etc/audisp/zos-remote.conf +args = /etc/audit/zos-remote.conf format = string
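Review bot: the args change in the second hunk moves the plugin's own configuration from /etc/audisp/zos-remote.conf to /etc/audit/zos-remote.conf, which matches def_config_file in the zos-remote-plugin.c hunk, but nothing shown here handles hosts that still have the file at the old path. Please note the move in the changelog or release notes and make sure the package installs or migrates the file at the new location, otherwise the plugin starts without its settings after an upgrade.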
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/zos-remote/zos-remote-ldap.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/zos-remote/zos-remote-ldap.c
Changed
@@ -69,7 +69,7 @@ {ZOS_REMOTE_MAJOR_RACROUTE, "RACROUTE - The R_auditx service returned an unexpected error"}, {ZOS_REMOTE_MAJOR_VAL_ERR, "VAL_ERR - Value error in request"}, {ZOS_REMOTE_MAJOR_ENC_ERR, "ENC_ERR - DER decoding error in request"}, - {ZOS_REMOTE_MAJOR_UNSUF_AUTH, "UNSUF_AUTH - The user has unsuficient authority for the requested function"}, + {ZOS_REMOTE_MAJOR_UNSUF_AUTH, "UNSUF_AUTH - The user has unsufficient authority for the requested function"}, {ZOS_REMOTE_MAJOR_EMPTY, "EMPTY - Empty request received - No items found within the ItemList"}, {ZOS_REMOTE_MAJOR_INVALID_VER, "INVALID_VER - Invalid RequestVersion"}, {ZOS_REMOTE_MAJOR_INTERNAL_ERR, "INTERNAL_ERR - An internal error was encountered within the ICTX component"},
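Review bot: the replacement string for ZOS_REMOTE_MAJOR_UNSUF_AUTH still is not a word; "unsufficient" should be "insufficient", giving "The user has insufficient authority for the requested function". The "UNSUF_AUTH" prefix mirrors the constant name and can stay as it is.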
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/plugins/zos-remote/zos-remote-plugin.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/plugins/zos-remote/zos-remote-plugin.c
Changed
@@ -34,7 +34,6 @@ #include <string.h> #include <time.h> #include <errno.h> -#include <string.h> #include <pthread.h> #include <lber.h> #include <netinet/in.h> @@ -54,7 +53,7 @@ */ volatile int stop = 0; volatile int hup = 0; -volatile ZOS_REMOTE zos_remote_inst; +static ZOS_REMOTE zos_remote_inst; static plugin_conf_t conf; static const char *def_config_file = "/etc/audit/zos-remote.conf"; static pthread_t submission_thread;
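Review bot: dropping volatile from zos_remote_inst in the second hunk is only safe if every access from submission_thread and the main thread is already serialized by a lock, which the lines shown do not establish; say in a comment or the commit message what protects it. The neighbouring stop and hup flags stay "volatile int"; if they are written from signal handlers, volatile sig_atomic_t is the portable type.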
View file
_service:tar_scm:audit-3.0.1.tar.gz/audisp/queue.c -> _service:tar_scm:audit-3.0.9.tar.gz/audisp/queue.c
Changed
@@ -1,5 +1,5 @@ /* queue.c -- - * Copyright 2007,2013,2015,2018 Red Hat Inc., Durham, North Carolina. + * Copyright 2007,2013,2015,2018,2022 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -46,26 +46,31 @@ int init_queue(unsigned int size) { - unsigned int i; - - processing_suspended = 0; - q_next = 0; - q_last = 0; - currently_used = 0; - max_used = 0; - overflowed = 0; - q_depth = size; - q = malloc(q_depth * sizeof(event_t *)); - if (q == NULL) - return -1; + // The global variables are initialized to zero by the + // compiler. We can sometimes get here by a reconfigure. + // If the queue was already initialized, q_depth will be + // non-zero. In that case, leave everything alone. If the + // queue was destroyed due to lack of plugins, q_depth, + // as well as other queue variables, is set to zero so + // they do not need reinitializing. + if (q_depth == 0) { + unsigned int i; - for (i=0; i < q_depth; i++) - qi = NULL; + q_depth = size; + q = malloc(q_depth * sizeof(event_t *)); + if (q == NULL) { + processing_suspended = 1; + return -1; + } - /* Setup IPC mechanisms */ - pthread_mutex_init(&queue_lock, NULL); - pthread_cond_init(&queue_nonempty, NULL); + for (i=0; i < q_depth; i++) + qi = NULL; + /* Setup IPC mechanisms */ + pthread_mutex_init(&queue_lock, NULL); + pthread_cond_init(&queue_nonempty, NULL); + reset_suspended(); + } return 0; } @@ -91,12 +96,14 @@ exit(1); } -static void do_overflow_action(struct disp_conf *config) +static int do_overflow_action(struct disp_conf *config) { + int rc = -1; overflowed = 1; switch (config->overflow_action) { case O_IGNORE: + rc = 0; break; case O_SYSLOG: if (queue_full_warning < QUEUE_FULL_LIMIT) { @@ -129,6 +136,7 @@ syslog(LOG_ALERT, "Unknown overflow action requested"); break; } + return rc; } /* returns 0 on success and -1 on error */ 
@@ -144,9 +152,9 @@ retry: // We allow 3 retries and then its over if (retry_cnt > 3) { - do_overflow_action(config); free(e); - return -1; + + return do_overflow_action(config); } pthread_mutex_lock(&queue_lock); @@ -225,6 +233,7 @@ for (i=q_depth; i<size; i++) qi = NULL; q_depth = size; + overflowed = 0; } pthread_mutex_unlock(&queue_lock); } @@ -253,5 +262,11 @@ free((void *)qi); free(q); + q_last = 0; + q_depth = 0; + processing_suspended = 1; + currently_used = 0; + max_used = 0; + overflowed = 0; }
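Review bot: in the new init_queue() body, q_depth is assigned before malloc() and is not cleared when the allocation fails, so after a failed call q_depth is non-zero with q == NULL and the next init_queue() takes the "already initialized" path and returns 0 without a queue. Assign q_depth only after malloc() succeeds, or reset it to 0 in the failure branch. In the destroy hunk at @@ -253, q_next is not among the fields reset (the old init_queue() zeroed it) and q is left pointing at freed memory; set q_next = 0 and q = NULL there, and make sure the mutex and condition variable are destroyed before init_queue() calls pthread_mutex_init() and pthread_cond_init() on them again. Since do_overflow_action() now returns 0 for O_IGNORE, enqueue() reports success for an event it has just freed; update the "returns 0 on success and -1 on error" comment to say that a dropped event under O_IGNORE also returns 0.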
View file
_service:tar_scm:audit-3.0.1.tar.gz/audit.spec -> _service:tar_scm:audit-3.0.9.tar.gz/audit.spec
Changed
@@ -1,7 +1,7 @@ Summary: User space tools for kernel auditing Name: audit -Version: 3.0.1 +Version: 3.0.9 Release: 1%{dist} License: GPLv2+ Group: System Environment/Daemons @@ -15,8 +15,8 @@ Requires: %{name}-libs = %{version}-%{release} Requires(post): systemd coreutils -Requires(preun): systemd initscripts -Requires(postun): systemd coreutils initscript +Requires(preun): systemd initscripts-service +Requires(postun): systemd coreutils initscripts-service %description The audit package contains the user space utilities for @@ -193,6 +193,7 @@ %files %license COPYING %doc README ChangeLog rules init.d/auditd.cron +%attr(755,root,root) %{_datadir}/%{name} %attr(644,root,root) %{_datadir}/%{name}/sample-rules/* %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz %attr(644,root,root) %{_mandir}/man8/auditd.8.gz @@ -227,6 +228,7 @@ %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop +%attr(750,root,root) %{_libexecdir}/audit-functions %ghost %{_localstatedir}/run/auditd.state %attr(-,root,-) %dir %{_var}/log/audit %attr(750,root,root) %dir /etc/audit @@ -256,6 +258,6 @@ %changelog -* Fri Feb 12 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-1 +* Mon Aug 29 2022 Steve Grubb <sgrubb@redhat.com> 3.0.9-1 - New upstream release
View file
_service:tar_scm:audit-3.0.1.tar.gz/auparse/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/Makefile.am
Changed
@@ -13,18 +13,20 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> +# Richard Guy Briggs <rgb@redhat.com> # SUBDIRS = test EXTRA_DIST = expression-design.txt CLEANFILES = $(BUILT_SOURCES) CONFIG_CLEAN_FILES = *.loT *.rej *.orig -AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g ${DEBUG} -Wno-pointer-sign -Wno-enum-compare -Wno-switch +AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g ${DEBUG} -Wno-pointer-sign -Wno-enum-compare -Wno-switch ${WFLAGS} AM_CPPFLAGS = -I. -I${top_srcdir} -I${top_srcdir}/src -I${top_srcdir}/lib -I${top_srcdir}/common LIBS = @@ -65,7 +67,8 @@ tcpoptnametabs.h typetabs.h umounttabs.h inethooktabs.h \ netactiontabs.h \ normalize_obj_kind_maps.h normalize_record_maps.h \ - normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h + normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h \ + openat2-resolvetabs.h noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \ gen_clone-flagtabs_h \ gen_epoll_ctls_h gen_famtabs_h \ @@ -82,7 +85,8 @@ gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \ gen_umounttabs_h gen_inethooktabs_h gen_netactiontabs_h \ gen_normalize_record_map gen_normalize_syscall_map \ - gen_normalize_obj_kind_map gen_normalize_evtypetabs_h gen_bpftabs_h + gen_normalize_obj_kind_map gen_normalize_evtypetabs_h gen_bpftabs_h \ + gen_openat2-resolvetabs_h gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h gen_accesstabs_h_CFLAGS = '-DTABLE_H="accesstab.h"' 
@@ -660,3 +664,17 @@ bpftabs.h: gen_bpftabs_h Makefile ./gen_bpftabs_h --i2s bpf > $@ +gen_openat2_resolvetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \ + openat2-resolvetab.h +gen_openat2_resolvetabs_h_CFLAGS = '-DTABLE_H="openat2-resolvetab.h"' +$(gen_openat2_resolvetabs_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +$(gen_openat2_resolvetabs_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_openat2-resolvetabs_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) +openat2-resolvetabs.h: gen_openat2-resolvetabs_h Makefile + ./gen_openat2-resolvetabs_h --i2s-transtab openat2_resolve > $@ +
View file
_service:tar_scm:audit-3.0.1.tar.gz/auparse/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,11 +29,13 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> +# Richard Guy Briggs <rgb@redhat.com> # @@ -136,7 +138,8 @@ gen_netactiontabs_h$(EXEEXT) gen_normalize_record_map$(EXEEXT) \ gen_normalize_syscall_map$(EXEEXT) \ gen_normalize_obj_kind_map$(EXEEXT) \ - gen_normalize_evtypetabs_h$(EXEEXT) gen_bpftabs_h$(EXEEXT) + gen_normalize_evtypetabs_h$(EXEEXT) gen_bpftabs_h$(EXEEXT) \ + gen_openat2-resolvetabs_h$(EXEEXT) subdir = auparse ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ 
@@ -383,6 +386,15 @@ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(gen_open_flagtabs_h_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ +am_gen_openat2_resolvetabs_h_OBJECTS = \ + gen_openat2_resolvetabs_h-gen_tables.$(OBJEXT) +gen_openat2_resolvetabs_h_OBJECTS = \ + $(am_gen_openat2_resolvetabs_h_OBJECTS) +gen_openat2_resolvetabs_h_LDADD = $(LDADD) +gen_openat2_resolvetabs_h_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(gen_openat2_resolvetabs_h_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ am_gen_persontabs_h_OBJECTS = gen_persontabs_h-gen_tables.$(OBJEXT) gen_persontabs_h_OBJECTS = $(am_gen_persontabs_h_OBJECTS) gen_persontabs_h_LDADD = $(LDADD) @@ -564,6 +576,7 @@ ./$(DEPDIR)/gen_normalize_record_map-gen_tables.Po \ ./$(DEPDIR)/gen_normalize_syscall_map-gen_tables.Po \ ./$(DEPDIR)/gen_open_flagtabs_h-gen_tables.Po \ + ./$(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Po \ ./$(DEPDIR)/gen_persontabs_h-gen_tables.Po \ ./$(DEPDIR)/gen_pktoptnametabs_h-gen_tables.Po \ ./$(DEPDIR)/gen_prctl_opttabs_h-gen_tables.Po \ 
@@ -620,13 +633,15 @@ $(gen_normalize_obj_kind_map_SOURCES) \ $(gen_normalize_record_map_SOURCES) \ $(gen_normalize_syscall_map_SOURCES) \ - $(gen_open_flagtabs_h_SOURCES) $(gen_persontabs_h_SOURCES) \ - $(gen_pktoptnametabs_h_SOURCES) $(gen_prctl_opttabs_h_SOURCES) \ - $(gen_prottabs_h_SOURCES) $(gen_ptracetabs_h_SOURCES) \ - $(gen_recvtabs_h_SOURCES) $(gen_rlimit_h_SOURCES) \ - $(gen_schedtabs_h_SOURCES) $(gen_seccomptabs_h_SOURCES) \ - $(gen_seektabs_h_SOURCES) $(gen_shm_modetabs_h_SOURCES) \ - $(gen_signals_h_SOURCES) $(gen_sockleveltabs_h_SOURCES) \ + $(gen_open_flagtabs_h_SOURCES) \ + $(gen_openat2_resolvetabs_h_SOURCES) \ + $(gen_persontabs_h_SOURCES) $(gen_pktoptnametabs_h_SOURCES) \ + $(gen_prctl_opttabs_h_SOURCES) $(gen_prottabs_h_SOURCES) \ + $(gen_ptracetabs_h_SOURCES) $(gen_recvtabs_h_SOURCES) \ + $(gen_rlimit_h_SOURCES) $(gen_schedtabs_h_SOURCES) \ + $(gen_seccomptabs_h_SOURCES) $(gen_seektabs_h_SOURCES) \ + $(gen_shm_modetabs_h_SOURCES) $(gen_signals_h_SOURCES) \ + $(gen_sockleveltabs_h_SOURCES) \ $(gen_sockoptnametabs_h_SOURCES) $(gen_socktabs_h_SOURCES) \ $(gen_socktypetabs_h_SOURCES) $(gen_tcpoptnametabs_h_SOURCES) \ $(gen_typetabs_h_SOURCES) $(gen_umounttabs_h_SOURCES) 
@@ -645,13 +660,15 @@ $(gen_normalize_obj_kind_map_SOURCES) \ $(gen_normalize_record_map_SOURCES) \ $(gen_normalize_syscall_map_SOURCES) \ - $(gen_open_flagtabs_h_SOURCES) $(gen_persontabs_h_SOURCES) \ - $(gen_pktoptnametabs_h_SOURCES) $(gen_prctl_opttabs_h_SOURCES) \ - $(gen_prottabs_h_SOURCES) $(gen_ptracetabs_h_SOURCES) \ - $(gen_recvtabs_h_SOURCES) $(gen_rlimit_h_SOURCES) \ - $(gen_schedtabs_h_SOURCES) $(gen_seccomptabs_h_SOURCES) \ - $(gen_seektabs_h_SOURCES) $(gen_shm_modetabs_h_SOURCES) \ - $(gen_signals_h_SOURCES) $(gen_sockleveltabs_h_SOURCES) \ + $(gen_open_flagtabs_h_SOURCES) \ + $(gen_openat2_resolvetabs_h_SOURCES) \ + $(gen_persontabs_h_SOURCES) $(gen_pktoptnametabs_h_SOURCES) \ + $(gen_prctl_opttabs_h_SOURCES) $(gen_prottabs_h_SOURCES) \ + $(gen_ptracetabs_h_SOURCES) $(gen_recvtabs_h_SOURCES) \ + $(gen_rlimit_h_SOURCES) $(gen_schedtabs_h_SOURCES) \ + $(gen_seccomptabs_h_SOURCES) $(gen_seektabs_h_SOURCES) \ + $(gen_shm_modetabs_h_SOURCES) $(gen_signals_h_SOURCES) \ + $(gen_sockleveltabs_h_SOURCES) \ $(gen_sockoptnametabs_h_SOURCES) $(gen_socktabs_h_SOURCES) \ $(gen_socktypetabs_h_SOURCES) $(gen_tcpoptnametabs_h_SOURCES) \ $(gen_typetabs_h_SOURCES) $(gen_umounttabs_h_SOURCES) @@ -695,8 +712,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/auparse.pc.in \ $(top_srcdir)/depcomp @@ -746,6 +761,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -757,8 +774,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ 
@@ -814,6 +833,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -867,6 +887,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -884,7 +905,7 @@ EXTRA_DIST = expression-design.txt CLEANFILES = $(BUILT_SOURCES) CONFIG_CLEAN_FILES = *.loT *.rej *.orig -AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g ${DEBUG} -Wno-pointer-sign -Wno-enum-compare -Wno-switch +AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g ${DEBUG} -Wno-pointer-sign -Wno-enum-compare -Wno-switch ${WFLAGS} AM_CPPFLAGS = -I. -I${top_srcdir} -I${top_srcdir}/src -I${top_srcdir}/lib -I${top_srcdir}/common pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = auparse.pc @@ -918,7 +939,8 @@ tcpoptnametabs.h typetabs.h umounttabs.h inethooktabs.h \ netactiontabs.h \ normalize_obj_kind_maps.h normalize_record_maps.h \ - normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h + normalize_syscall_maps.h normalize_evtypetabs.h bpftabs.h \ + openat2-resolvetabs.h gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h gen_accesstabs_h_CFLAGS = '-DTABLE_H="accesstab.h"' @@ -1015,6 +1037,10 @@ gen_normalize_evtypetabs_h_CFLAGS = '-DTABLE_H="normalize_evtypetab.h"' gen_bpftabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h bpftab.h gen_bpftabs_h_CFLAGS = '-DTABLE_H="bpftab.h"' +gen_openat2_resolvetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \ + openat2-resolvetab.h + +gen_openat2_resolvetabs_h_CFLAGS = '-DTABLE_H="openat2-resolvetab.h"' all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive 
@@ -1199,6 +1225,10 @@ @rm -f gen_open-flagtabs_h$(EXEEXT) $(AM_V_CCLD)$(gen_open_flagtabs_h_LINK) $(gen_open_flagtabs_h_OBJECTS) $(gen_open_flagtabs_h_LDADD) $(LIBS) +gen_openat2-resolvetabs_h$(EXEEXT): $(gen_openat2_resolvetabs_h_OBJECTS) $(gen_openat2_resolvetabs_h_DEPENDENCIES) $(EXTRA_gen_openat2_resolvetabs_h_DEPENDENCIES) + @rm -f gen_openat2-resolvetabs_h$(EXEEXT) + $(AM_V_CCLD)$(gen_openat2_resolvetabs_h_LINK) $(gen_openat2_resolvetabs_h_OBJECTS) $(gen_openat2_resolvetabs_h_LDADD) $(LIBS) + gen_persontabs_h$(EXEEXT): $(gen_persontabs_h_OBJECTS) $(gen_persontabs_h_DEPENDENCIES) $(EXTRA_gen_persontabs_h_DEPENDENCIES) @rm -f gen_persontabs_h$(EXEEXT) $(AM_V_CCLD)$(gen_persontabs_h_LINK) $(gen_persontabs_h_OBJECTS) $(gen_persontabs_h_LDADD) $(LIBS) @@ -1311,6 +1341,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_normalize_record_map-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_normalize_syscall_map-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_open_flagtabs_h-gen_tables.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_openat2_resolvetabs_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_persontabs_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_pktoptnametabs_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_prctl_opttabs_h-gen_tables.Po@am__quote@ # am--include-marker
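Review bot: `AM_CFLAGS` now ends in `${WFLAGS}`, and `WFLAGS = @WFLAGS@` is a new substitution, so the compile line depends on configure defining it; confirm the matching configure.ac change ships in the same update. Makefile.in is automake output (the banner moves from 1.16.2 to 1.16.5), so the openat2 additions here should come from regenerating after the Makefile.am change rather than from hand edits, and the review effort belongs on Makefile.am.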
_service:tar_scm:audit-3.0.1.tar.gz/auparse/auparse-defs.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/auparse-defs.h
Changed
@@ -87,7 +87,9 @@ AUPARSE_TYPE_PROCTITLE, AUPARSE_TYPE_HOOK, AUPARSE_TYPE_NETACTION, AUPARSE_TYPE_MACPROTO, AUPARSE_TYPE_IOCTL_REQ, AUPARSE_TYPE_ESCAPED_KEY, - AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY } auparse_type_t; + AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY, + AUPARSE_TYPE_NLMCGRP, AUPARSE_TYPE_RESOLVE +} auparse_type_t; /* This type determines what escaping if any gets applied to interpreted fields */ typedef enum { AUPARSE_ESC_RAW, AUPARSE_ESC_TTY, AUPARSE_ESC_SHELL,
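Review bot: `AUPARSE_TYPE_NLMCGRP` and `AUPARSE_TYPE_RESOLVE` are added to a public enum with no comment saying which fields they classify. Appending them after `AUPARSE_TYPE_FANOTIFY` keeps the existing enumerator values stable, which is right for an installed header, but bindings or documentation that enumerate `auparse_type_t` need the same two entries. A short comment tying them to the `nl-mcgrp` field and the openat2 resolve table added elsewhere in this revision would help.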
_service:tar_scm:audit-3.0.1.tar.gz/auparse/auparse-idata.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/auparse-idata.h
Changed
@@ -1,6 +1,6 @@ /* * idata.h - Header file for ausearch-lookup.c -* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2013,2016-17,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -34,8 +34,8 @@ unsigned long long a0; // arg 0 to the syscall unsigned long long a1; // arg 1 to the syscall const char *cwd; // The current working directory - const char *name; // name of field being interpretted - const char *val; // value of field being interpretted + const char *name; // name of field being interpreted + const char *val; // value of field being interpreted } idata; @@ -45,6 +45,7 @@ void _auparse_load_interpretations(const char *buf); void _auparse_free_interpretations(void); const char *_auparse_lookup_interpretation(const char *name); +void _auparse_flush_caches(void); #endif
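Review bot: `_auparse_flush_caches()` is declared with no comment on when it may be called or by whom. The definition added in interpret.c destroys the uid and gid LRU caches, so the header should say whether it is safe to call while another thread is interpreting fields. While the banner is being touched, its first line still reads `idata.h - Header file for ausearch-lookup.c`, which does not match this file's name.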
_service:tar_scm:audit-3.0.1.tar.gz/auparse/auparse.c -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/auparse.c
Changed
@@ -1,5 +1,5 @@ /* auparse.c -- - * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. + * Copyright 2006-08,2012-19,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -32,6 +32,7 @@ #include <string.h> #include <unistd.h> #include <stdio_ext.h> +#include <limits.h> #include "common.h" //#define LOL_EVENTS_DEBUG01 1 // add debug for list of list event @@ -66,8 +67,9 @@ char *filename, **tmp; int len, num = 0, i = 0; - /* Load config so we know where logs are */ - set_aumessage_mode(au, MSG_STDERR, DBG_NO); + /* Load config so we know where logs are */ + if (secure_getenv("AUPARSE_DEBUG")) + set_aumessage_mode(au, MSG_STDERR, DBG_NO); aup_load_config(au, &config, TEST_SEARCH); /* for each file */ @@ -117,7 +119,7 @@ free(filename); // Terminate the list - tmpi = NULL; + tmpi = NULL; au->source_list = tmp; return 0; } @@ -136,11 +138,10 @@ int sz = ARRAY_LIMIT * sizeof(au_lolnode); lol->maxi = -1; - lol->limit = ARRAY_LIMIT; - if ((lol->array = (au_lolnode *)malloc(sz)) == NULL) { - lol->maxi = -1; + if ((lol->array = (au_lolnode *)malloc(sz)) == NULL) return NULL; - } + + lol->limit = ARRAY_LIMIT; memset(lol->array, 0x00, sz); return lol->array; @@ -238,7 +239,7 @@ int i; au_lol *lol = au->au_lo; au_lolnode *lowest = NULL; - + if (au->au_ready == 0) { //if (debug) printf("No events ready\n"); return NULL; @@ -295,7 +296,7 @@ au->au_ready++; } else if ( // FIXME: Check this v remains true r->type == AUDIT_PROCTITLE || - r->type == AUDIT_EOE || + r->type == AUDIT_EOE || r->type < AUDIT_FIRST_EVENT || r->type >= AUDIT_FIRST_ANOM_MSG || r->type == AUDIT_KERNEL || 
@@ -414,8 +415,9 @@ { struct daemon_conf config; - /* Load config so we know where logs are */ - set_aumessage_mode(au, MSG_STDERR, DBG_NO); + /* Load config so we know where logs are */ + if (secure_getenv("AUPARSE_DEBUG")) + set_aumessage_mode(au, MSG_STDERR, DBG_NO); aup_load_config(au, &config, TEST_SEARCH); eoe_timeout = (time_t)config.end_of_event_timeout; @@ -455,6 +457,9 @@ return NULL; } au->au_ready = 0; + au->escape_mode = AUPARSE_ESC_TTY; + au->message_mode = MSG_QUIET; + au->debug_message = DBG_NO; au->in = NULL; au->source_list = NULL; @@ -551,9 +556,6 @@ au->expr = NULL; au->find_field = NULL; au->search_where = AUSEARCH_STOP_EVENT; - au->escape_mode = AUPARSE_ESC_TTY; - au->message_mode = MSG_QUIET; - au->debug_message = DBG_NO; au->tmp_translation = NULL; init_normalizer(&au->norm_data); @@ -653,10 +655,31 @@ return 0; } -// If there is data in the state machine, return 1 +// If there is any data in the state machine, return 1. // Otherwise return 0 to indicate its empty int auparse_feed_has_data(auparse_state_t *au) { + if (!au) + return 0; + + int i; + au_lol *lol = au->au_lo; + + // An improvement would be to track how many events we have stored + // to avoid a costly loop + for (i=0; i <= lol->maxi; i++) { + au_lolnode *cur = &(lol->arrayi); + if (cur->status > EBS_EMPTY) + return 1; + } + + return 0; +} + +// If there is a ready event in the state machine, return 1. +// Otherwise return 0 to indicate its empty +int auparse_feed_has_ready_event(auparse_state_t *au) +{ if (au_get_ready_event(au, 1) != NULL) return 1; @@ -729,7 +752,7 @@ /* Fall through */ case AUSOURCE_DESCRIPTOR: case AUSOURCE_FILE_POINTER: - if (au->in) + if (au->in) rewind(au->in); /* Fall through */ case AUSOURCE_BUFFER: @@ -956,7 +979,7 @@ if (au->source_list) { int n = 0; - while (au->source_listn) + while (au->source_listn) free(au->source_listn++); free(au->source_list); au->source_list = NULL; 
@@ -989,7 +1012,7 @@ void auparse_destroy(auparse_state_t *au) { - lookup_destroy_uid_list(); + lookup_destroy_uid_list(); aulookup_destroy_gid_list(); auparse_destroy_common(au); @@ -1008,7 +1031,7 @@ * without a newline (note, this implies the line may be empty (strlen == 0)) if * successfully read a blank line (e.g. containing only a single newline). * cur_buf will have been newly allocated with malloc. - * + * * Note: cur_buf will be freed the next time this routine is called if * cur_buf is not NULL, callers who retain a reference to the cur_buf * pointer will need to set cur_buf to NULL to cause the previous cur_buf @@ -1066,7 +1089,7 @@ * newline (note, this implies the line may be empty (strlen == 0)) if * successfully read a blank line (e.g. containing only a single * newline). - * + * * Note: cur_buf will be freed the next time this routine is called if * cur_buf is not NULL, callers who retain a reference to the cur_buf * pointer will need to set cur_buf to NULL to cause the previous cur_buf @@ -1099,7 +1122,7 @@ if ((p_newline = strnchr(databuf_beg(&au->databuf), '\n', au->databuf.len)) != NULL) { line_len = p_newline - databuf_beg(&au->databuf); - + /* dup the line */ au->cur_buf = malloc(line_len+1); // +1 for null terminator if (au->cur_buf == NULL) @@ -1112,7 +1135,6 @@ // return success errno = 0; return 1; - } else { // return no data available errno = 0; @@ -1126,18 +1148,18 @@ errno = 0; e->sec = strtoul(s, NULL, 10);
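Review bot: `auparse_feed_has_data()` changes meaning for existing callers. It used to report whether a ready event was available (that test now lives in `auparse_feed_has_ready_event()`), and it now returns 1 whenever any slot has `status > EBS_EMPTY`, so a caller that loops until it returns 0 will behave differently; this needs a note in the man page and changelog. The new body checks `au` for NULL but then reads `lol->maxi` without checking `lol`, and `auparse_feed_has_ready_event()` passes `au` to `au_get_ready_event()` with no NULL check of its own; make the two consistent. The `AUPARSE_DEBUG` environment switch read through `secure_getenv()` is not documented anywhere in the visible hunks.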
_service:tar_scm:audit-3.0.1.tar.gz/auparse/auparse.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/auparse.h
Changed
@@ -1,5 +1,5 @@ /* auparse.h -- - * Copyright 2006-08,2012,2014-17 Red Hat Inc., Durham, North Carolina. + * Copyright 2006-08,2012,2014-17,2022 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -25,6 +25,14 @@ #include "auparse-defs.h" +#ifndef __attr_access +# define __attr_access(x) +#endif +#ifndef __attr_dealloc +# define __attr_dealloc(dealloc, argno) +# define __attr_dealloc_free +#endif + #ifdef __cplusplus extern "C" { #endif 
@@ -40,18 +48,22 @@ auparse_cb_event_t cb_event_type, void *user_data); /* General functions that affect operation of the library */ -auparse_state_t *auparse_init(ausource_t source, const void *b); -int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len); -int auparse_feed(auparse_state_t *au, const char *data, size_t data_len); +void auparse_destroy(auparse_state_t *au); +void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what); +auparse_state_t *auparse_init(ausource_t source, const void *b) + __attribute_malloc__ __attr_dealloc (auparse_destroy, 1); +int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len) + __attr_access ((__read_only__, 2, 3)); +int auparse_feed(auparse_state_t *au, const char *data, size_t data_len) + __attr_access ((__read_only__, 2, 3)); void auparse_feed_age_events(auparse_state_t *au); int auparse_flush_feed(auparse_state_t *au); int auparse_feed_has_data(auparse_state_t *au); +int auparse_feed_has_ready_event(auparse_state_t *au); void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback, void *user_data, user_destroy user_destroy_func); void auparse_set_escape_mode(auparse_state_t *au, auparse_esc_t mode); int auparse_reset(auparse_state_t *au); -void auparse_destroy(auparse_state_t *au); -void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what); /* Functions that are part of the search interface */ int ausearch_add_expression(auparse_state_t *au, const char *expression, @@ -64,7 +76,7 @@ unsigned milli, ausearch_rule_t how); int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op, time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how); -int ausearch_add_regex(auparse_state_t *au, const char *expr); +int ausearch_add_regex(auparse_state_t *au, const char *regexp); int ausearch_set_stop(auparse_state_t *au, austop_t where); void ausearch_clear(auparse_state_t *au); 
@@ -118,7 +130,7 @@ time_t auparse_get_time(auparse_state_t *au); unsigned int auparse_get_milli(auparse_state_t *au); unsigned long auparse_get_serial(auparse_state_t *au); -const char *auparse_get_node(auparse_state_t *au); +const char *auparse_get_node(auparse_state_t *au) __attr_dealloc_free; int auparse_node_compare(au_event_t *e1, au_event_t *e2); int auparse_timestamp_compare(au_event_t *e1, au_event_t *e2); unsigned int auparse_get_num_records(auparse_state_t *au);
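Review bot: the fallback block defines `__attr_access`, `__attr_dealloc` and `__attr_dealloc_free` when they are missing, but the new `auparse_init()` prototype also uses `__attribute_malloc__`, which gets no fallback. A C library whose headers do not provide that macro will fail to compile any program that includes auparse.h; add an `#ifndef __attribute_malloc__` with an empty definition alongside the others. Separately, `auparse_get_node()` is now marked `__attr_dealloc_free` while still returning `const char *`, so callers have to cast away const to free the result; state the ownership rule in the comment or the man page.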
_service:tar_scm:audit-3.0.1.tar.gz/auparse/captab.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/captab.h
Changed
@@ -1,5 +1,5 @@ /* captab.h -- - * Copyright 2007,2008,2012-14 Red Hat Inc., Durham, North Carolina. + * Copyright 2007,2008,2012-14,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -60,3 +60,7 @@ _S(35, "wake_alarm" ) _S(36, "block_suspend" ) _S(37, "audit_read" ) +_S(38, "perfmon" ) +_S(39, "bpf" ) +_S(40, "checkpoint_restore" ) +
_service:tar_scm:audit-3.0.1.tar.gz/auparse/data_buf.c -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/data_buf.c
Changed
@@ -35,7 +35,7 @@ #include <stdio.h> #include <stdlib.h> -#include <string.h> +#include <string.h> // for memmove() #include <assert.h> #include <stdarg.h> #include <errno.h> @@ -85,7 +85,6 @@ /*****************************************************************************/ static int databuf_shift_data_to_beginning(DataBuf *db); -static int databuf_strcat(DataBuf *db, const char *str); /*****************************************************************************/ /************************* External Global Variables ***********************/ @@ -143,7 +142,6 @@ fmt?" ":"", db->alloc_size, db->alloc_ptr, db->offset, databuf_beg(db), db->len, db->max_len); if (db->flags & DATABUF_FLAG_PRESERVE_HEAD) printf("PRESERVE_HEAD "); - if (db->flags & DATABUF_FLAG_STRING) printf("STRING "); printf(""); if (print_data) { @@ -173,9 +171,6 @@ } } - // For strings intialize with initial NULL terminator - if (flags & DATABUF_FLAG_STRING) databuf_strcat(db, ""); - return 1; } @@ -254,33 +249,6 @@ return databuf_append(db, src, src_size); } -static int databuf_strcat(DataBuf *db, const char *str) -{ - size_t str_len; - - DATABUF_VALIDATE(db); - - if (str == NULL) return 0; - - // +1 so the data append also copies the NULL terminator - str_len = strlen(str) + 1; - - // If there is a NULL terminator exclude it so the subsequent - // data append produces a proper string concatenation - if (db->len > 0) { - char *last_char = databuf_end(db) - 1; - if (last_char && *last_char == 0) { - db->len--; // backup over NULL terminator - } - } - - // Copy string and NULL terminator - databuf_append(db, str, str_len); - - DATABUF_VALIDATE(db); - return 1; -} - int databuf_advance(DataBuf *db, size_t advance) { size_t actual_advance; 
@@ -347,25 +315,10 @@ char *data; int rc; - rc = databuf_init(&buf, size, DATABUF_FLAG_STRING); + rc = databuf_init(&buf, size, 0); assert(rc); databuf_print(&buf, 1, "after init size=%d", size); -#if 1 - data = "a"; - assert(databuf_strcat(&buf, data)); - databuf_print(&buf, 1, "after strcat(%s)", data); - - data = "bb"; - assert(databuf_strcat(&buf, data)); - databuf_print(&buf, 1, "after strcat(%s)", data); - - data = "ccc"; - assert(databuf_strcat(&buf, data)); - databuf_print(&buf, 1, "after strcat(%s)", data); - -#endif - databuf_free(&buf); #if 0
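Review bot: once the `#if 1` block of `databuf_strcat()` calls is removed from the test routine, `char *data;` is left declared with no live use in the visible lines, which will trip an unused-variable warning when stricter warning flags are enabled. Drop the declaration or move it into the disabled `#if 0` section that follows. The removal itself is coherent: the prototype, the definition, the `DATABUF_FLAG_STRING` print and the init-time call all go together.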
_service:tar_scm:audit-3.0.1.tar.gz/auparse/data_buf.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/data_buf.h
Changed
@@ -34,7 +34,6 @@ /*****************************************************************************/ #define DATABUF_FLAG_PRESERVE_HEAD (1 << 0) -#define DATABUF_FLAG_STRING (2 << 0) /*****************************************************************************/
_service:tar_scm:audit-3.0.1.tar.gz/auparse/ellist.c -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/ellist.c
Changed
@@ -103,7 +103,7 @@ static int parse_up_record(rnode* r) { char *ptr, *buf, *saved=NULL; - unsigned int offset = 0; + unsigned int offset = 0, len; // Potentially cut the record in two ptr = strchr(r->record, AUDIT_INTERP_SEPARATOR); @@ -112,10 +112,19 @@ ptr++; } r->interp = ptr; - buf = strdup(r->record); + // Rather than call strndup, we will do it ourselves to reduce + // the number of interations across the record. + // len includes the string terminator. + len = strlen(r->record) + 1; + r->nv.record = buf = malloc(len); + if (r->nv.record == NULL) + return -1; + memcpy(r->nv.record, r->record, len); + r->nv.end = r->nv.record + len; ptr = audit_strsplit_r(buf, &saved); if (ptr == NULL) { free(buf); + r->nv.record = NULL; return -1; } @@ -147,10 +156,13 @@ // Remove beginning cruft of name if (*ptr == '(') ptr++; - n.name = strdup(ptr); - n.val = strdup(val); + n.name = ptr; + n.val = val; // Remove trailing punctuation len = strlen(n.val); + // Check for invalid val + if (!len) + continue; if (len && n.vallen-1 == ':') { n.vallen-1 = 0; len--; 
@@ -172,32 +184,59 @@ } // Make virtual keys or just store it if (strcmp(n.name, "key") == 0 && *n.val != '(') { - if (*n.val == '"') - nvlist_append(&r->nv, &n); - else { + if (*n.val == '"') { + // This is a normal single key. + n.name = strdup("key"); + char *t = strdup(n.val); + n.val = t; + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + continue; + } + } else { + // Virtual keys char *key, *ptr2, *saved2; key = (char *)au_unescape(n.val); if (key == NULL) { + n.name = strdup("key"); + n.val = NULL; // Malformed key - save as is - nvlist_append(&r->nv, &n); + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + } continue; } ptr2 = strtok_r(key, key_sep, &saved2); - free(n.name); - free(n.val); while (ptr2) { n.name = strdup("key"); n.val = escape(ptr2); - nvlist_append(&r->nv, &n); + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + } ptr2 = strtok_r(NULL, key_sep, &saved2); } free(key); } continue; - } else - nvlist_append(&r->nv, &n); + } else { + if (strcmp(n.name, "key") == 0) { + // This is a null key + n.name = strdup("key"); + char *t = strdup(n.val); + n.val = t; + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + continue; + } + } else // everything not a key + nvlist_append(&r->nv, &n); + } // Do some info gathering for use later if (r->nv.cnt == 1 && strcmp(n.name, "node") == 0) @@ -208,7 +247,7 @@ r->type = audit_name_to_msg_type(n.val); // This has to account for seccomp records } else if ((r->nv.cnt == (2 + offset) || - r->nv.cnt == (11 + offset)) && + r->nv.cnt == (11 + offset)) && strcmp(n.name, "arch")== 0){ unsigned int ival; errno = 0; @@ -260,7 +299,9 @@ while (ptr && *ptr != '}') { len = strlen(ptr); if ((len+1) >= (256-total)) { - free(buf); + if (nvlist_get_cnt(&r->nv) + == 0) + free(buf); return -1; } if (tmpctx0) { 
@@ -274,18 +315,28 @@ } n.name = strdup("seperms"); n.val = strdup(tmpctx); - nvlist_append(&r->nv, &n); + if (nvlist_append(&r->nv, &n)) { + free(n.name); + free(n.val); + } continue; } } else continue; - n.val = strdup(ptr); + n.val = ptr; nvlist_append(&r->nv, &n); } } while((ptr = audit_strsplit_r(NULL, &saved))); - free(buf); - r->nv.cur = r->nv.head; // reset to beginning + // If for some reason it was useless, delete buf + if (r->nv.cnt == 0) { + free(buf); + r->nv.record = NULL; + r->nv.end = NULL; + free((void *)r->cwd); + } + + r->nv.cur = 0; // reset to beginning return 0; } @@ -350,7 +401,7 @@ current = l->head; while (current) { nextnode=current->next; - nvlist_clear(¤t->nv); + nvlist_clear(¤t->nv, 1); free(current->record); free(current); current=nextnode; @@ -431,7 +482,7 @@ if (high <= low) return NULL; - node = l->head; /* Start at the beginning */ + node = l->head; /* Start at the beginning */ while (node) { if (node->type >= low && node->type <= high) { l->cur = node;
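Review bot: in the `seperms` overflow path, `if (nvlist_get_cnt(&r->nv) == 0) free(buf); return -1;` frees the buffer but leaves `r->nv.record` and `r->nv.end` pointing at it, unlike the early `audit_strsplit_r()` failure path and the end-of-function cleanup, which both set `r->nv.record = NULL`. Reset both fields there as well. The end-of-function cleanup also calls `free((void *)r->cwd)` without clearing `r->cwd`, which invites a double free when the node is destroyed later. More generally, names and values are now a mix of pointers into `r->nv.record` and separately allocated strings (`key`, `seperms`), the malformed-key branch stores `n.val = NULL` under a comment that still says "save as is", and none of the new `strdup()` results are checked. A comment stating the ownership rule that `nvlist_clear()` relies on would make this much easier to audit, given that this function parses log content that may be corrupt.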
_service:tar_scm:audit-3.0.1.tar.gz/auparse/ellist.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/ellist.h
Changed
@@ -1,6 +1,6 @@ /* * ellist.h - Header file for ellist.c -* Copyright (c) 2006-07,2017 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2006-07,2017,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -44,7 +44,7 @@ static inline unsigned int aup_list_get_cnt(event_list_t *l) { return l ? l->cnt : 0; } static inline void aup_list_first(event_list_t *l) { l->cur = l->head; } -static inline rnode *aup_list_get_cur(event_list_t *l) { return l->cur; } +static inline rnode *aup_list_get_cur(event_list_t *l) { return l ? l->cur : NULL; } AUDIT_HIDDEN_START
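Review bot: `aup_list_get_cur()` gains a NULL check on `l`, but `aup_list_first()` on the line above still does `l->cur = l->head` unconditionally, so a caller holding a NULL list is protected on only one of the two accessors. Either guard both or document that `l` must be non-NULL and drop the new check.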
_service:tar_scm:audit-3.0.1.tar.gz/auparse/internal.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/internal.h
Changed
@@ -98,7 +98,7 @@ typedef struct { au_lolnode *array; /* array of events */ int maxi; /* largest index in array used */ - int limit; /* number of events in array */ + size_t limit; /* number of events in array */ } au_lol; /*
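Review bot: `limit` becomes `size_t` while `maxi` on the line above stays `int` and is initialised to -1 in auparse.c. Any direct comparison of the two converts `maxi` to unsigned, so -1 compares as a very large value; check each `maxi`/`limit` comparison in auparse.c or cast explicitly at the comparison.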
_service:tar_scm:audit-3.0.1.tar.gz/auparse/interpret.c -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/interpret.c
Changed
@@ -1,7 +1,7 @@ /* * interpret.c - Lookup values to something more readable -* Copyright (c) 2007-09,2011-16,2018-19 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. +* Copyright (c) 2007-09,2011-16,2018-21 Red Hat Inc. +* All Rights Reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -44,12 +44,15 @@ #include <linux/ax25.h> #include <linux/atm.h> #include <linux/x25.h> -#include <linux/if.h> // FIXME: remove when ipx.h is fixed -#include <linux/ipx.h> +#ifdef HAVE_IPX_HEADERS + #include <linux/if.h> // FIXME: remove when ipx.h is fixed + #include <linux/ipx.h> +#endif #include <linux/capability.h> #include <sys/personality.h> #include <sys/prctl.h> #include <sched.h> +#include <limits.h> /* PATH_MAX */ #ifdef USE_FANOTIFY #include <linux/fanotify.h> #else @@ -120,6 +123,7 @@ #include "inethooktabs.h" #include "netactiontabs.h" #include "bpftabs.h" +#include "openat2-resolvetabs.h" typedef enum { AVC_UNSET, AVC_DENIED, AVC_GRANTED } avc_t; typedef enum { S_UNSET=-1, S_FAILED, S_SUCCESS } success_t; @@ -394,9 +398,11 @@ } /////////// Interpretation list functions /////////////// +#define NEVER_LOADED 0xFFFF void init_interpretation_list(void) { nvlist_create(&il); + il.cnt = NEVER_LOADED; } /* @@ -411,7 +417,10 @@ if (buffer == NULL) return 0; - buf = strdup(buffer); + if (il.cnt == NEVER_LOADED) + il.cnt = 0; + + il.record = buf = strdup(buffer); if (strncmp(buf, "SADDR=", 6) == 0) { // We have SOCKADDR record. It has no other values. // Handle it by itself. 
@@ -420,23 +429,25 @@ val = ptr; ptr = strchr(val, '}'); if (ptr) { - n.name = strdup("saddr"); - n.val = strdup(val); - nvlist_append(&il, &n); + // Just change the case + n.name = strcpy(buf, "saddr"); + n.val = val; + if (nvlist_append(&il, &n)) + goto err_out; nvlist_interp_fixup(&il); - free(buf); return 1; } } +err_out: free(buf); + il.record = NULL; + il.cnt = NEVER_LOADED; return 0; } else { // We handle everything else in this branch ptr = audit_strsplit_r(buf, &saved); - if (ptr == NULL) { - free(buf); - return 0; - } + if (ptr == NULL) + goto err_out; do { char tmp; @@ -447,7 +458,7 @@ val++; } else // Malformed - skip continue; - n.name = strdup(ptr); + n.name = ptr; char *c = n.name; while (*c) { *c = tolower(*c); @@ -460,14 +471,19 @@ } else tmp = 0; - n.val = strdup(val); - nvlist_append(&il, &n); + n.val = val; + if (nvlist_append(&il, &n)) + continue; // assuming we loaded something nvlist_interp_fixup(&il); if (ptr) *ptr = tmp; - } while((ptr = audit_strsplit_r(NULL, &saved))); + } while ((ptr = audit_strsplit_r(NULL, &saved))); } - free(buf); + + // If for some reason it was useless, delete buf + if (il.cnt == 0) + goto err_out; + return 1; } @@ -478,6 +494,9 @@ { nvnode *n; + if (il.cnt == NEVER_LOADED) + return NULL; + nvlist_first(&il); if (nvlist_find_name(&il, name)) { n = nvlist_get_cur(&il); @@ -494,7 +513,20 @@ void free_interpretation_list(void) { - nvlist_clear(&il); + if (il.cnt != NEVER_LOADED) { + nvlist_clear(&il, 0); + il.cnt = NEVER_LOADED; + } +} + +// This uses a sentinel to determine if the list has ever been loaded. +// If never loaded, returns 0. Otherwise it returns 1 higher than how +// many interpretations are loaded. +unsigned int interpretation_list_cnt(void) +{ + if (il.cnt == NEVER_LOADED) + return 0; + return il.cnt+1; } //////////// Start Field Value Interpretations ///////////// 
@@ -624,6 +656,18 @@ gid_cache_created = 0; } +void _auparse_flush_caches(void) +{ + if (uid_cache_created) { + destroy_lru(uid_cache); + uid_cache_created = 0; + } + if (gid_cache_created) { + destroy_lru(gid_cache); + gid_cache_created = 0; + } +} + static const char *print_uid(const char *val, unsigned int base) { int uid; @@ -799,6 +843,9 @@ { char *out; + if (val == NULL) + return strdup(" "); + if (*val == '"') { char *term; val++; @@ -828,6 +875,65 @@ return strdup(val); // Something is wrong with string, just send as is } +// This code is loosely based on glibc-2.27 realpath. +static char workingPATH_MAX; +static char *path_norm(const char *name) +{ + char *rpath, *dest; + const char *start, *end, *rpath_limit; + int old_errno = errno; +
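Review bot: `NEVER_LOADED` (0xFFFF) overloads `il.cnt` as both a counter and a state flag, so a list that really holds 0xFFFF entries is indistinguishable from an unloaded one, and `interpretation_list_cnt()` has to return `il.cnt+1` to keep 0 meaning unloaded. A separate boolean would be clearer; if the sentinel stays, the off-by-one return value should be called out in interpret.h and not only in the comment here. In `load_interpretation_list()`, names and values now point into `il.record` instead of being duplicated, so `il.record` has to stay allocated until `free_interpretation_list()` runs, and a second load without an intervening free would overwrite the pointer. `_auparse_flush_caches()` repeats the cache teardown that the destroy functions just above it perform and could call them instead. The `path_norm()` helper works in a file-scope static buffer, which makes it non-reentrant; say so in its comment.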
_service:tar_scm:audit-3.0.1.tar.gz/auparse/interpret.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/interpret.h
Changed
@@ -34,8 +34,9 @@ void init_interpretation_list(void); int load_interpretation_list(const char *buf); void free_interpretation_list(void); +unsigned int interpretation_list_cnt(void); int lookup_type(const char *name); -const char *interpret(const rnode *r, auparse_esc_t escape_mode); +const char *do_interpret(rnode *r, auparse_esc_t escape_mode); void lookup_destroy_uid_list(void); void aulookup_destroy_gid_list(void); char *au_unescape(char *buf);
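Review bot: renaming `interpret()` to `do_interpret()` also drops `const` from the `rnode *` argument, with no comment explaining what the function now modifies in the record. Any remaining caller of the old name will fail to build, so confirm every call site moved in the same revision, and describe the new mutation next to the prototype.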
_service:tar_scm:audit-3.0.1.tar.gz/auparse/normalize-internal.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/normalize-internal.h
Changed
@@ -1,6 +1,6 @@ /* * normalize-internal.h - * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2016-18,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -72,6 +72,7 @@ #define NORM_SCHEDULER 36 #define NORM_AV 37 #define NORM_BPF 38 +#define NORM_EV_LISTEN 39 // This enum is used to map what the system objects are #define NORM_WHAT_UNKNOWN 0 @@ -119,5 +120,6 @@ #define NORM_EVTYPE_DAC_DECISION 16 #define NORM_EVTYPE_GROUP_CHANGE 17 #define NORM_EVTYPE_AV_DECISION 18 +#define NORM_EVTYPE_BPF 19 #endif
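Review bot: `NORM_EV_LISTEN` (39) and `NORM_EVTYPE_BPF` (19) are added as bare numbers, and normalize.c returns `evtype_i2s(kind)` for the latter, so the generated lookup tables need matching entries or the new kinds will have no string. The table headers are not among the visible hunks; please confirm they are updated in this revision.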
_service:tar_scm:audit-3.0.1.tar.gz/auparse/normalize.c -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/normalize.c
Changed
@@ -53,6 +53,7 @@ #define D au->norm_data static int syscall_success; +static value_t find_simple_object(auparse_state_t *au, int type); void init_normalizer(normalize_data *d) { @@ -99,6 +100,16 @@ syscall_success = -1; } +static void set_system_subject_what(auparse_state_t *au) +{ + D.actor.what = strdup("system"); +} + +static void set_unknown_subject_what(auparse_state_t *au) +{ + D.actor.what = strdup("unknown-acct"); +} + static unsigned int set_subject_what(auparse_state_t *au) { int uid = NORM_ACCT_UNSET - 1; @@ -118,6 +129,7 @@ } } } + set_unknown_subject_what(au); return 1; } @@ -131,7 +143,7 @@ else if (uid < NORM_ACCT_MAX_USER) D.actor.what = strdup("user-acct"); else - D.actor.what = strdup("unknown-acct"); + set_unknown_subject_what(au); return 0; } @@ -334,9 +346,11 @@ if ((strcmp(str, "unset") == 0) && errno == 0) { // Only move it if its safe to if (cnt < limit) { - auparse_next_field(au); + if (auparse_next_field(au) == 0) + return; cnt++; - } + } else + return; } else break; } @@ -494,7 +508,23 @@ static int set_program_obj(auparse_state_t *au) { auparse_first_record(au); - if (auparse_find_field(au, "exe")) { + int type = auparse_get_type(au); + + if (type == AUDIT_BPF) { + if (auparse_find_field(au, "prog-id")) { + D.thing.primary = set_record(0, + auparse_get_record_num(au)); + D.thing.primary = set_field(D.thing.primary, + auparse_get_field_num(au)); + } + } else if (type == AUDIT_EVENT_LISTENER) { + if (auparse_find_field(au, "nl-mcgrp")) { + D.thing.primary = set_record(0, + auparse_get_record_num(au)); + D.thing.primary = set_field(D.thing.primary, + auparse_get_field_num(au)); + } + } else if (auparse_find_field(au, "exe")) { const char *exe = auparse_interpret_field(au); if ((strncmp(exe, "/usr/bin/python", 15) == 0) || (strncmp(exe, "/usr/bin/sh", 11) == 0) || 
@@ -514,16 +544,8 @@ D.thing.primary = set_field(D.thing.primary, auparse_get_field_num(au)); return 0; - } else { - // Maybe its a BPF program? - auparse_first_record(au); - if (auparse_find_field(au, "prog-id")) { - D.thing.primary = set_record(0, - auparse_get_record_num(au)); - D.thing.primary = set_field(D.thing.primary, - auparse_get_field_num(au)); - } } + return 1; } @@ -568,10 +590,18 @@ objtype = NORM_MAC_CONFIG; break; } else if (ttype == AUDIT_FANOTIFY) { + // We want to go ahead with syscall to get objects tmp_objkind = NORM_AV; break; + } else if (ttype == AUDIT_TIME_INJOFFSET || + ttype == AUDIT_TIME_ADJNTPVAL) { + objtype = NORM_SYSTEM_TIME; + break; } else if (ttype == AUDIT_BPF) { - tmp_objkind = NORM_BPF; + objtype = NORM_BPF; + break; + } else if (ttype == AUDIT_EVENT_LISTENER) { + objtype = NORM_EV_LISTEN; break; } rc = auparse_next_record(au); @@ -873,6 +903,20 @@ D.thing.what = NORM_WHAT_PROCESS; set_program_obj(au); break; + case NORM_EV_LISTEN: + auparse_first_record(au); + f = auparse_find_field(au, "op"); + if (f) { + const char *str = auparse_get_field_str(au); + if (strcmp(str, "connect") == 0) + act = "connected-to"; + else + act = "disconnected-from"; + } else + act = "connected"; + D.thing.what = NORM_WHAT_SOCKET; + set_program_obj(au); + break; default: { const char *k; @@ -934,10 +978,11 @@ case AUDIT_USYS_CONFIG: case AUDIT_CONFIG_CHANGE: case AUDIT_NETFILTER_CFG: - case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE: + case AUDIT_FEATURE_CHANGE: + case AUDIT_TIME_INJOFFSET: + case AUDIT_TIME_ADJNTPVAL: case AUDIT_USER_DEVICE: case AUDIT_SOFTWARE_UPDATE: - case AUDIT_EVENT_LISTENER: kind = NORM_EVTYPE_CONFIG; break; case AUDIT_SECCOMP: 
@@ -946,13 +991,13 @@ case AUDIT_TEST ... AUDIT_TRUSTED_APP: case AUDIT_USER_CMD: case AUDIT_CHUSER_ID: - case AUDIT_BPF: kind = NORM_EVTYPE_USERSPACE; break; case AUDIT_USER_TTY: case AUDIT_TTY: kind = NORM_EVTYPE_TTY; break; + case AUDIT_EVENT_LISTENER: case AUDIT_FIRST_DAEMON ... AUDIT_LAST_DAEMON: kind = NORM_EVTYPE_AUDIT_DAEMON; break; @@ -997,6 +1042,9 @@ case AUDIT_FANOTIFY: kind = NORM_EVTYPE_AV_DECISION; break; + case AUDIT_BPF: + kind = NORM_EVTYPE_BPF; + break; default: kind = NORM_EVTYPE_UNKNOWN; } @@ -1004,6 +1052,44 @@ return evtype_i2s(kind); } +const char *find_config_change_object(auparse_state_t *au) +{ + const char *f; + + // Check if its an audit rule + auparse_first_record(au); + f = auparse_find_field(au, "key"); + if (f) { + const char *str = auparse_get_field_str(au); + if (str && strcmp(str, "(null)")) + return f; + } + + // Next lets find the individual objects being set + auparse_first_record(au); + f = auparse_find_field(au, "audit_enabled"); + if (f)
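Review bot: in set_program_obj() (hunks @@ -494 and @@ -514) the new AUDIT_BPF and AUDIT_EVENT_LISTENER branches fall through to the final `return 1;` even when `prog-id` or `nl-mcgrp` was found, so success there looks the same as failure, while the `exe` branch returns 0. Return 0 once D.thing.primary is set, and fold the two identical set_record/set_field blocks into one helper. Also, `type` is read right after auparse_first_record(), so only the first record's type is considered, whereas the object-kind loop in @@ -568 matches AUDIT_BPF and AUDIT_EVENT_LISTENER on any record of the event; please confirm these records are always first.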
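Review bot: in the new `case NORM_EV_LISTEN:` block (@@ -873) any `op` value other than "connect" is reported as "disconnected-from", so a corrupt or unexpected value in the log is normalized into a definite action. Compare against the disconnect value explicitly and fall back to a neutral action otherwise. `str` is also passed to strcmp() without the `str &&` test that find_config_change_object() uses later in this same patch, and the no-field fallback "connected" does not match the "connected-to" form used in the branch above it.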
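Review bot: in @@ -934 the range `case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE:` is replaced by the single label `case AUDIT_FEATURE_CHANGE:`, and AUDIT_REPLACE does not reappear in any of the visible hunks. Unless it is handled in a part of the switch not shown here, AUDIT_REPLACE events now land in `default:` and are typed NORM_EVTYPE_UNKNOWN. If that is intended, say so in the commit message; otherwise add `case AUDIT_REPLACE:` back next to AUDIT_FEATURE_CHANGE.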
_service:tar_scm:audit-3.0.1.tar.gz/auparse/normalize_evtypetab.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/normalize_evtypetab.h
Changed
@@ -1,5 +1,5 @@ /* normalize_evtypetab.h -- - * Copyright 2017 Red Hat Inc., Durham, North Carolina. + * Copyright 2017,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -41,4 +41,4 @@ _S(NORM_EVTYPE_DAC_DECISION, "dac-decision" ) _S(NORM_EVTYPE_GROUP_CHANGE, "group-change" ) _S(NORM_EVTYPE_AV_DECISION, "av-decision" ) - +_S(NORM_EVTYPE_BPF, "bpf-program" )
_service:tar_scm:audit-3.0.1.tar.gz/auparse/normalize_obj_kind_map.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/normalize_obj_kind_map.h
Changed
@@ -1,6 +1,6 @@ /* * normalize_obj_kind_map.h - * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. + * Copyright (c) 2016-18,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or
_service:tar_scm:audit-3.0.1.tar.gz/auparse/normalize_record_map.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/normalize_record_map.h
Changed
@@ -32,7 +32,7 @@ _S(AUDIT_CRED_DISP, "disposed-credentials") _S(AUDIT_USER_START, "started-session") _S(AUDIT_USER_END, "ended-session") -_S(AUDIT_USER_AVC, "access-permission") +_S(AUDIT_USER_AVC, "accessed-mac-policy-controlled-object") _S(AUDIT_USER_CHAUTHTOK, "changed-password") _S(AUDIT_USER_ERR, "caused-account-error") _S(AUDIT_CRED_REFR, "refreshed-credentials") @@ -86,6 +86,7 @@ _S(AUDIT_FANOTIFY, "accessed-policy-controlled-file") //_S(AUDIT_BPF, "") //_S(AUDIT_EVENT_LISTENER, "") +//_S(AUDIT_OPENAT2, "") _S(AUDIT_AVC, "accessed-mac-policy-controlled-object") _S(AUDIT_MAC_POLICY_LOAD, "loaded-selinux-policy") _S(AUDIT_MAC_STATUS, "changed-selinux-enforcement-to") @@ -93,6 +94,7 @@ //_S(AUDIT_MAC_UNLBL_ALLOW, "") _S(AUDIT_MAC_MAP_ADD, "added-mac-network-domain-mapping-to") _S(AUDIT_MAC_MAP_DEL, "deleted-mac-network-domain-mapping-from") +_S(AUDIT_ANOM_PROMISCUOUS, "changed-socket-promiscuous-mode") _S(AUDIT_ANOM_ABEND, "crashed-program") _S(AUDIT_ANOM_LINK, "used-suspcious-link") _S(AUDIT_ANOM_CREAT, "created-suspicious-file")
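Review bot: the new string for AUDIT_USER_AVC in @@ -32 is identical to the one AUDIT_AVC already has further down the table ("accessed-mac-policy-controlled-object"), so the normalized action no longer tells a userspace AVC from a kernel AVC, and anything downstream that matches on "access-permission" will silently stop matching. This is a visible output change for consumers of the normalizer and should be called out in the changelog. The added `//_S(AUDIT_OPENAT2, "")` line follows the existing commented-out placeholders and is fine.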
_service:tar_scm:audit-3.0.1.tar.gz/auparse/normalize_syscall_map.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/normalize_syscall_map.h
Changed
@@ -41,6 +41,9 @@ _S(NORM_FILE_DIR, "mkdir") _S(NORM_FILE_DIR, "mkdirat") _S(NORM_FILE_MOUNT, "mount") +_S(NORM_FILE_MOUNT, "move_mount") +_S(NORM_FILE_MOUNT, "fsmount") +_S(NORM_FILE_MOUNT, "fspick") _S(NORM_FILE_STAT, "newfstatat") _S(NORM_FILE_STAT, "stat") _S(NORM_FILE_STAT, "fstat") @@ -53,6 +56,7 @@ _S(NORM_FILE, "fallocate") _S(NORM_FILE, "truncate") _S(NORM_FILE, "ftruncate") +_S(NORM_FILE, "memfd_create") _S(NORM_FILE, "open") _S(NORM_FILE, "openat") _S(NORM_FILE, "openat2")
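Review bot: @@ -41 maps `move_mount`, `fsmount` and `fspick` to NORM_FILE_MOUNT, but the other syscalls of the same mount API family (`fsopen`, `fsconfig`, `open_tree`) are not in this hunk. If they are not mapped elsewhere in the file, a mount assembled through them will only be classified once `move_mount` is reached; please either add them or note why they are left out.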
_service:tar_scm:audit-3.0.1.tar.gz/auparse/nvlist.c -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/nvlist.c
Changed
@@ -1,7 +1,7 @@ /* * nvlist.c - Minimal linked list library for name-value pairs -* Copyright (c) 2006-07,2016 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. +* Copyright (c) 2006-07,2016,2021 Red Hat Inc. +* All Rights Reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public 
@@ -28,60 +28,58 @@ #include "interpret.h" #include "auparse-idata.h" - -void nvlist_create(nvlist *l) +static inline void alloc_array(nvlist *l) { - l->head = NULL; - l->cur = NULL; - l->cnt = 0; + l->array = calloc(NFIELDS, sizeof(nvnode)); + l->size = NFIELDS; } -static void nvlist_last(nvlist *l) +void nvlist_create(nvlist *l) { - register nvnode* node; - - if (l->head == NULL) - return; - - node = l->head; - while (node->next) - node = node->next; - l->cur = node; + if (l) { + alloc_array(l); + l->cur = 0; + l->cnt = 0; + l->record = NULL; + l->end = NULL; + } } nvnode *nvlist_next(nvlist *l) { - if (l->cur) - l->cur = l->cur->next; - return l->cur; + // Since cur will be incremented, check for 1 less that total + if (l->cnt && l->cur < (l->cnt - 1)) { + l->cur++; + return &l->arrayl->cur; + } + return NULL; } -void nvlist_append(nvlist *l, nvnode *node) +// 0 on success and 1 on error +int nvlist_append(nvlist *l, nvnode *node) { - nvnode* newnode = malloc(sizeof(nvnode)); + if (node->name == NULL) + return 1; + + if (l->array == NULL) + alloc_array(l); + if (l->cnt == l->size) { + l->array = realloc(l->array, l->size * sizeof(nvnode) * 2); + memset(l->array + l->size, 0, sizeof(nvnode) * l->size); + l->size = l->size * 2; + } + + nvnode *newnode = &l->arrayl->cnt; newnode->name = node->name; newnode->val = node->val; newnode->interp_val = NULL; - newnode->item = l->cnt; - newnode->next = NULL; - - // if we are at top, fix this up - if (l->head == NULL) - l->head = newnode; - else { // Otherwise add pointer to newnode - if (l->cnt == (l->cur->item+1)) { - l->cur->next = newnode; - } - else { - nvlist_last(l); - l->cur->next = newnode; - } - } + newnode->item = l->cnt; // make newnode current - l->cur = newnode; + l->cur = l->cnt; l->cnt++; + return 0; } /* 
@@ -89,23 +87,16 @@ */ void nvlist_interp_fixup(nvlist *l) { - if (l->cur) { - l->cur->interp_val = l->cur->val; - l->cur->val = NULL; - } + nvnode* node = &l->arrayl->cur; + node->interp_val = node->val; + node->val = NULL; } nvnode *nvlist_goto_rec(nvlist *l, unsigned int i) { - register nvnode* node; - - node = l->head; /* start at the beginning */ - while (node) { - if (node->item == i) { - l->cur = node; - return node; - } else - node = node->next; + if (i < l->cnt) { + l->cur = i; + return &l->arrayl->cur; } return NULL; } 
@@ -115,52 +106,85 @@ */ int nvlist_find_name(nvlist *l, const char *name) { - register nvnode* node = l->cur; + unsigned int i = l->cur; + register nvnode *node; - while (node) { - if (strcmp(node->name, name) == 0) { - l->cur = node; + if (l->cnt == 0) + return 0; + + do { + node = &l->arrayi; + if (node->name && strcmp(node->name, name) == 0) { + l->cur = i; return 1; } - else - node = node->next; - } + i++; + } while (i < l->cnt); return 0; } extern int interp_adjust_type(int rtype, const char *name, const char *val); -int nvlist_get_cur_type(const rnode *r) +int nvlist_get_cur_type(rnode *r) { - const nvlist *l = &r->nv; - return auparse_interp_adjust_type(r->type, l->cur->name, l->cur->val); + nvlist *l = &r->nv; + nvnode *node = &l->arrayl->cur; + return auparse_interp_adjust_type(r->type, node->name, node->val); } -const char *nvlist_interp_cur_val(const rnode *r, auparse_esc_t escape_mode) +const char *nvlist_interp_cur_val(rnode *r, auparse_esc_t escape_mode) { - const nvlist *l = &r->nv; - if (l->cur->interp_val) - return l->cur->interp_val; - return interpret(r, escape_mode); + nvlist *l = &r->nv; + if (l->cnt == 0) + return NULL; + nvnode *node = &l->arrayl->cur; + if (node->interp_val) + return node->interp_val; + return do_interpret(r, escape_mode); } -void nvlist_clear(nvlist* l) +// This function determines if a chunk of memory is part of the parsed up +// record. If it is, do not free it since it gets free'd at the very end. +// NOTE: This function causes invalid-pointer-pair errors with ASAN +static inline int not_in_rec_buf(nvlist *l, const char *ptr) { - nvnode* nextnode; - register nvnode* current; + if (ptr >= l->record && ptr < l->end) + return 0;
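Review bot: nvlist_append() in @@ -28 assigns the result of realloc() straight back to `l->array` and then calls memset() on `l->array + l->size` with no NULL check. On allocation failure the old array is leaked and the memset writes through a NULL-based pointer. Use a temporary, return 1 on failure (the function already has an error return), and only then update `l->array` and `l->size`. alloc_array() has the same problem: calloc() is unchecked and `l->size` is set to NFIELDS regardless. The growth path is driven by log content (the new test data has an EXECVE record with 218 fields), so it is reachable from input.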
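Review bot: nvlist_interp_fixup() in @@ -89 lost its guard. The old code did nothing when `l->cur` was NULL; the new code dereferences `&l->array[l->cur]` unconditionally, which is a NULL dereference if the array was never allocated or has been released. Add the same `l->cnt == 0` early return that nvlist_interp_cur_val() and nvlist_find_name() use in this patch.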
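Review bot: not_in_rec_buf() in @@ -115 compares `ptr` against `l->record` and `l->end` with relational operators even when `ptr` points into a different allocation, which is undefined behaviour in C; the added comment about ASAN invalid-pointer-pair errors is a symptom of that. Cast the three pointers to uintptr_t before comparing so the check is well defined and the sanitizer stays usable on this code. The comment in nvlist_next() also has a typo: "1 less that total" should read "1 less than total".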
_service:tar_scm:audit-3.0.1.tar.gz/auparse/nvlist.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/nvlist.h
Changed
@@ -1,6 +1,6 @@ /* * nvlist.h - Header file for nvlist.c -* Copyright (c) 2006-07,2016 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2006-07,2016,2021 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
@@ -32,20 +32,24 @@ static inline unsigned int nvlist_get_cnt(nvlist *l) { return l->cnt; } -static inline void nvlist_first(nvlist *l) { l->cur = l->head; } -static inline nvnode *nvlist_get_cur(const nvlist *l) { return l->cur; } -static inline const char *nvlist_get_cur_name(const nvlist *l) {if (l->cur) return l->cur->name; else return NULL;} -static inline const char *nvlist_get_cur_val(const nvlist *l) {if (l->cur) return l->cur->val; else return NULL;} -static inline const char *nvlist_get_cur_val_interp(const nvlist *l) {if (l->cur) return l->cur->interp_val; else return NULL;} +static inline void nvlist_first(nvlist *l) { l->cur = 0; } +static inline nvnode *nvlist_get_cur(nvlist *l) + { return &l->arrayl->cur; } +static inline const char *nvlist_get_cur_name(nvlist *l) + {if (l->cnt) { nvnode *node = &l->arrayl->cur; return node->name; } else return NULL;} +static inline const char *nvlist_get_cur_val(nvlist *l) + {if (l->cnt) { nvnode *node = &l->arrayl->cur; return node->val; } else return NULL;} +static inline const char *nvlist_get_cur_val_interp(nvlist *l) + {if (l->cnt) { nvnode *node = &l->arrayl->cur; return node->interp_val; } else return NULL;} AUDIT_HIDDEN_START void nvlist_create(nvlist *l); -void nvlist_clear(nvlist* l); +void nvlist_clear(nvlist *l, int free_interp); nvnode *nvlist_next(nvlist *l); -int nvlist_get_cur_type(const rnode *r); -const char *nvlist_interp_cur_val(const rnode *r, auparse_esc_t escape_mode); -void nvlist_append(nvlist *l, nvnode *node); +int nvlist_get_cur_type(rnode *r); +const char *nvlist_interp_cur_val(rnode *r, auparse_esc_t escape_mode); +int nvlist_append(nvlist *l, nvnode *node); void nvlist_interp_fixup(nvlist *l); /* Given a numeric index, find that record. */
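Review bot: nvlist_get_cur() in @@ -32 now returns `&l->array[l->cur]` unconditionally, while the three sibling accessors added next to it all test `l->cnt` first. The old version returned `l->cur`, which was NULL for an empty list, so any caller that checks the result for NULL will now receive a pointer to an unused slot (or an invalid pointer if `l->array` is NULL). Return NULL when `l->cnt` is 0 to keep the previous contract. Dropping `const` from all the accessor parameters also deserves a line in the commit message, since none of these functions modify the list.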
_service:tar_scm:audit-3.0.9.tar.gz/auparse/openat2-resolvetab.h
Added
@@ -0,0 +1,29 @@ +/* openat2-resolvetab.h -- + * Copyright 2021 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Richard Guy Briggs <rgb@redhat.com> + * Location: include/uapi/linux/openat2.h + */ + +_S(0x01, "RESOLVE_NO_XDEV" ) +_S(0x02, "RESOLVE_NO_MAGICLINKS" ) +_S(0x04, "RESOLVE_NO_SYMLINKS" ) +_S(0x08, "RESOLVE_BENEATH" ) +_S(0x10, "RESOLVE_IN_ROOT" ) +_S(0x20, "RESOLVE_CACHED" )
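Review bot: style only, in the header of this new file: the copyright line still reads "Red Hat Inc., Durham, North Carolina." while every other header touched in this revision drops the location. Use the same form here for consistency. The six `_S()` entries are single-bit values in ascending order, which is what a flag table needs.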
_service:tar_scm:audit-3.0.1.tar.gz/auparse/rnode.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/rnode.h
Changed
@@ -1,6 +1,5 @@ - /* rnode.h -- - * Copyright 2007,2016-17 Red Hat Inc., Durham, North Carolina. + * Copyright 2007,2016-17,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -24,21 +23,25 @@ #ifndef RNODE_HEADER #define RNODE_HEADER -/* This is the node of the linked list. Any data elements that are +#define NFIELDS 36 + +/* This is the data node of the fields list. Any data elements that are * per field goes here. */ typedef struct _nvnode{ char *name; // The name string char *val; // The value field - char *interp_val; // The value field interpretted + char *interp_val; // The value field interpreted unsigned int item; // Which item of the same event - struct _nvnode* next; // Next nvpair node pointer } nvnode; -/* This is the field linked list head. */ +/* This is the field list head. */ typedef struct { - nvnode *head; // List head - nvnode *cur; // Pointer to current node + nvnode *array; // array of fields + unsigned int cur; // Index to current node unsigned int cnt; // How many items in this list + unsigned int size; // Number of allocated items + char *record; // Holds the parsed up record + char *end; // End of the parsed up record } nvlist;
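Review bot: `#define NFIELDS 36` in @@ -24 is introduced without any explanation. Add a comment saying that it is the initial number of nvnode slots and that nvlist_append() doubles the array when it fills, so a reader does not take it for a hard limit on fields per record. The new `record` and `end` members would also benefit from a note on who owns that buffer and when it is freed, since not_in_rec_buf() in nvlist.c decides what to free based on them.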
_service:tar_scm:audit-3.0.1.tar.gz/auparse/test/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/test/Makefile.am
Changed
@@ -1,5 +1,5 @@ # Makefile.am -- -# Copyright 2006-08,2014-17 Red Hat Inc., Durham, North Carolina. +# Copyright 2006-08,2014-17 Red Hat Inc. # All Rights Reserved. # # This library is free software; you can redistribute it and/or @@ -23,7 +23,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur check_PROGRAMS = auparse_test auparselol_test lookup_test dist_check_SCRIPTS = auparse_test.py -EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log test3.log auditd_raw.sed +EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log test3.log test4.log auditd_raw.sed AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
_service:tar_scm:audit-3.0.1.tar.gz/auparse/test/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/test/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,7 @@ @SET_MAKE@ # Makefile.am -- -# Copyright 2006-08,2014-17 Red Hat Inc., Durham, North Carolina. +# Copyright 2006-08,2014-17 Red Hat Inc. # All Rights Reserved. # # This library is free software; you can redistribute it and/or @@ -214,8 +214,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -238,6 +236,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -249,8 +249,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -306,6 +308,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -359,6 +362,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -374,7 +378,7 @@ use_python3 = @use_python3@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur dist_check_SCRIPTS = auparse_test.py -EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log test3.log auditd_raw.sed +EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log test3.log test4.log auditd_raw.sed AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib lookup_test_SOURCES = lookup_test.c lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \ @@ -540,7 +544,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
_service:tar_scm:audit-3.0.1.tar.gz/auparse/test/auparse_test.c -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/test/auparse_test.c
Changed
@@ -17,6 +17,8 @@ NULL }; +unsigned int walked_fields = 0; +#define FIELDS_EXPECTED 403 static void walk_test(auparse_state_t *au) { @@ -55,6 +57,7 @@ auparse_get_field_name(au), auparse_get_field_str(au), auparse_interpret_field(au)); + walked_fields++; } while (auparse_next_field(au) > 0); printf("\n"); record_cnt++; @@ -462,6 +465,23 @@ } printf("Test 10 Done\n\n"); + printf("Starting Test 11, walk LONG event records from a file...\n"); + au = auparse_init(AUSOURCE_FILE, "test4.log"); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + + walked_fields = 0; + walk_test(au); + auparse_destroy(au); + + if (walked_fields != FIELDS_EXPECTED) { + printf("Error: %i fields expected, but %i read!\n", + FIELDS_EXPECTED, walked_fields); + } + printf("Test 11 Done\n\n"); + puts("Finished non-admin tests\n"); return 0;
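Review bot: in Test 11 (@@ -462) a field-count mismatch only prints "Error: ..." and execution continues to `return 0;`, so the test fails only if the output is later compared against auparse_test.ref. Return 1 from that branch so the binary's exit status reflects the failure on its own. `walked_fields` is `unsigned int` but is printed with `%i`; use `%u`.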
_service:tar_scm:audit-3.0.1.tar.gz/auparse/test/auparse_test.py -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/test/auparse_test.py
Changed
@@ -24,7 +24,11 @@ else: return s +walked_fields = 0 +FIELDS_EXPECTED = 403 + def walk_test(au): + global walked_fields event_cnt = 1 au.reset() @@ -51,6 +55,7 @@ au.first_field() while True: print(" %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())) + walked_fields += 1 if not au.next_field(): break print("") record_cnt += 1 @@ -256,6 +261,15 @@ au.flush_feed() print("Test 10 Done\n") +print("Starting Test 11, walk LONG event records from a file...") +au = auparse.AuParser(auparse.AUSOURCE_FILE, "test4.log"); +walked_fields = 0 +walk_test(au) +if walked_fields != FIELDS_EXPECTED: + print("Error: %i fields expected, but %i read!\n" % \ + (FIELDS_EXPECTED, walked_fields)) +print("Test 11 Done\n") + print("Finished non-admin tests\n") au = None
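Review bot: same issue as in the C test: in the Test 11 block (@@ -256) a mismatch between `walked_fields` and FIELDS_EXPECTED only prints a message and the script carries on, so the exit status stays 0. Exit non-zero there. The `au = auparse.AuParser(auparse.AUSOURCE_FILE, "test4.log");` line has a stray trailing semicolon, and the backslash continuation inside the `print(... % \` call is unnecessary because the expression is already inside parentheses.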
_service:tar_scm:audit-3.0.1.tar.gz/auparse/test/auparse_test.ref -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/test/auparse_test.ref
Changed
@@ -799,5 +799,465 @@ Test 10 Done +Starting Test 11, walk LONG event records from a file... +event 1 has 7 records + record 1 of type 1300(SYSCALL) has 26 fields + line=1 file=test4.log + event time: 1655465398.534:25618, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=59 (execve) + success=yes (yes) + exit=0 (0) + a0=8c403a0 (0x8c403a0) + a1=8c3e8b0 (0x8c3e8b0) + a2=fffffb6cc5b0 (0xfffffb6cc5b0) + a3=0 (0x0) + items=3 (3) + ppid=105182 (105182) + pid=105183 (105183) + auid=573 (unknown(573)) + uid=583 (unknown(583)) + gid=583 (unknown(583)) + euid=583 (unknown(583)) + suid=583 (unknown(583)) + fsuid=583 (unknown(583)) + egid=583 (unknown(583)) + sgid=583 (unknown(583)) + fsgid=583 (unknown(583)) + tty=pts2 (pts2) + ses=2632 (2632) + comm="ld" (ld) + exe="/bin/sh4" (/bin/sh4) + key=(null) ((null)) + + record 2 of type 1309(EXECVE) has 50 fields + line=2 file=test4.log + event time: 1655465398.534:25618, host=? + type=EXECVE (EXECVE) + argc=48 (48) + a0="/bin/sh" (/bin/sh) + a1="-efu" (-efu) + a2="/usr/bin/ld" (/usr/bin/ld) + a3="-plugin" (-plugin) + a4="/usr/libexec/gcc/aarch64-alt-linux/8/liblto_plugin.so" (/usr/libexec/gcc/aarch64-alt-linux/8/liblto_plugin.so) + a5="-plugin-opt=/usr/libexec/gcc/aarch64-alt-linux/8/lto-wrapper" (-plugin-opt=/usr/libexec/gcc/aarch64-alt-linux/8/lto-wrapper) + a6="-plugin-opt=-fresolution=/usr/src/tmp/cchyHiZN.res" (-plugin-opt=-fresolution=/usr/src/tmp/cchyHiZN.res) + a7="-plugin-opt=-pass-through=-lgcc" (-plugin-opt=-pass-through=-lgcc) + a8="-plugin-opt=-pass-through=-lgcc_s" (-plugin-opt=-pass-through=-lgcc_s) + a9="-plugin-opt=-pass-through=-lc" (-plugin-opt=-pass-through=-lc) + a10="-plugin-opt=-pass-through=-lgcc" (-plugin-opt=-pass-through=-lgcc) + a11="-plugin-opt=-pass-through=-lgcc_s" (-plugin-opt=-pass-through=-lgcc_s) + a12="--build-id" (--build-id) + a13="--no-add-needed" (--no-add-needed) + a14="--eh-frame-hdr" (--eh-frame-hdr) + a15="--hash-style=gnu" (--hash-style=gnu) + a16="--as-needed" 
(--as-needed) + a17="-shared" (-shared) + a18="-X" (-X) + a19="-EL" (-EL) + a20="-maarch64linux" (-maarch64linux) + a21="-o" (-o) + a22="ztest105133.so" (ztest105133.so) + a23="/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crti.o" (/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crti.o) + a24="/usr/lib64/gcc/aarch64-alt-linux/8/crtbeginS.o" (/usr/lib64/gcc/aarch64-alt-linux/8/crtbeginS.o) + a25="-L/usr/lib64/gcc/aarch64-alt-linux/8" (-L/usr/lib64/gcc/aarch64-alt-linux/8) + a26="-L/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64" (-L/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64) + a27="-L/lib/../lib64" (-L/lib/../lib64) + a28="-L/usr/lib/../lib64" (-L/usr/lib/../lib64) + a29="-L/usr/lib64/gcc/aarch64-alt-linux/8/../../.." (-L/usr/lib64/gcc/aarch64-alt-linux/8/../../..) + a30="-soname" (-soname) + a31="libz.so.1" (libz.so.1) + a32="--version-script" (--version-script) + a33="zlib.map" (zlib.map) + a34="ztest105133.o" (ztest105133.o) + a35="-lgcc" (-lgcc) + a36="--push-state" (--push-state) + a37="--as-needed" (--as-needed) + a38="-lgcc_s" (-lgcc_s) + a39="--pop-state" (--pop-state) + a40="-lc" (-lc) + a41="-lgcc" (-lgcc) + a42="--push-state" (--push-state) + a43="--as-needed" (--as-needed) + a44="-lgcc_s" (-lgcc_s) + a45="--pop-state" (--pop-state) + a46="/usr/lib64/gcc/aarch64-alt-linux/8/crtendS.o" (/usr/lib64/gcc/aarch64-alt-linux/8/crtendS.o) + a47="/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crtn.o" (/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crtn.o) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test4.log + event time: 1655465398.534:25618, host=? + type=CWD (CWD) + cwd="/usr/src/RPM/BUILD/zlib-1.2.11-alt1" (/usr/src/RPM/BUILD/zlib-1.2.11-alt1) + + record 4 of type 1302(PATH) has 15 fields + line=4 file=test4.log + event time: 1655465398.534:25618, host=? 
+ type=PATH (PATH) + item=0 (0) + name="/usr/bin/ld" (/usr/bin/ld) + inode=40854 (40854) + dev=00:30 (00:30) + mode=0100755 (file,755) + ouid=582 (unknown(582)) + ogid=582 (unknown(582)) + rdev=00:00 (00:00) + nametype=NORMAL (NORMAL) + cap_fp=0 (none) + cap_fi=0 (none) + cap_fe=0 (0) + cap_fver=0 (0) + cap_frootid=0 (0) + + record 5 of type 1302(PATH) has 15 fields + line=5 file=test4.log + event time: 1655465398.534:25618, host=? + type=PATH (PATH) + item=1 (1) + name="/bin/sh" (/bin/sh) + inode=33238 (33238) + dev=00:30 (00:30) + mode=0100755 (file,755) + ouid=582 (unknown(582)) + ogid=582 (unknown(582)) + rdev=00:00 (00:00) + nametype=NORMAL (NORMAL) + cap_fp=0 (none) + cap_fi=0 (none) + cap_fe=0 (0) + cap_fver=0 (0) + cap_frootid=0 (0) + + record 6 of type 1302(PATH) has 15 fields + line=6 file=test4.log + event time: 1655465398.534:25618, host=? + type=PATH (PATH) + item=2 (2) + name="/lib64/ld-linux-aarch64.so.1" (/lib64/ld-linux-aarch64.so.1) + inode=33874 (33874) + dev=00:30 (00:30) + mode=0100755 (file,755) + ouid=582 (unknown(582)) + ogid=582 (unknown(582)) + rdev=00:00 (00:00) + nametype=NORMAL (NORMAL) + cap_fp=0 (none) + cap_fi=0 (none) + cap_fe=0 (0) + cap_fver=0 (0) + cap_frootid=0 (0) + + record 7 of type 1327(PROCTITLE) has 2 fields + line=7 file=test4.log + event time: 1655465398.534:25618, host=? + type=PROCTITLE (PROCTITLE) + proctitle=2F62696E2F7368002D656675002F7573722F62696E2F6C64002D706C7567696E002F7573722F6C6962657865632F6763632F616172636836342D616C742D6C696E75782F382F6C69626C746F5F706C7567696E2E736F002D706C7567696E2D6F70743D2F7573722F6C6962657865632F6763632F616172636836342D616C742D (/bin/sh -efu /usr/bin/ld -plugin /usr/libexec/gcc/aarch64-alt-linux/8/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-alt-) + +event 2 has 6 records + record 1 of type 1300(SYSCALL) has 26 fields + line=8 file=test4.log + event time: 1655465404.819:27091, host=? 
+ type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=59 (execve) + success=yes (yes) + exit=0 (0) + a0=1a407f50 (0x1a407f50) + a1=1a401cd0 (0x1a401cd0) + a2=1a3ed090 (0x1a3ed090) + a3=0 (0x0) + items=2 (2) + ppid=105932 (105932) + pid=105933 (105933) + auid=573 (unknown(573)) + uid=583 (unknown(583)) + gid=583 (unknown(583)) + euid=583 (unknown(583)) + suid=583 (unknown(583)) + fsuid=583 (unknown(583)) + egid=583 (unknown(583)) + sgid=583 (unknown(583)) + fsgid=583 (unknown(583)) + tty=pts2 (pts2) + ses=2632 (2632) + comm="m4" (m4) + exe="/usr/bin/m4" (/usr/bin/m4) + key=(null) ((null)) + + record 2 of type 1309(EXECVE) has 218 fields + line=9 file=test4.log + event time: 1655465404.819:27091, host=? + type=EXECVE (EXECVE) + argc=216 (216) + a0="/usr/bin/m4" (/usr/bin/m4) + a1="--nesting-limit=1024" (--nesting-limit=1024) + a2="--gnu" (--gnu) + a3="--include=/usr/share/autoconf-2.60" (--include=/usr/share/autoconf-2.60) + a4="--debug=aflq" (--debug=aflq)
_service:tar_scm:audit-3.0.1.tar.gz/auparse/test/auparse_test.ref.py -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/test/auparse_test.ref.py
Changed
@@ -789,5 +789,465 @@ Test 10 Done +Starting Test 11, walk LONG event records from a file... +event 1 has 7 records + record 1 of type 1300(SYSCALL) has 26 fields + line=1 file=test4.log + event time: 1655465398.534:25618, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=59 (execve) + success=yes (yes) + exit=0 (0) + a0=8c403a0 (0x8c403a0) + a1=8c3e8b0 (0x8c3e8b0) + a2=fffffb6cc5b0 (0xfffffb6cc5b0) + a3=0 (0x0) + items=3 (3) + ppid=105182 (105182) + pid=105183 (105183) + auid=573 (unknown(573)) + uid=583 (unknown(583)) + gid=583 (unknown(583)) + euid=583 (unknown(583)) + suid=583 (unknown(583)) + fsuid=583 (unknown(583)) + egid=583 (unknown(583)) + sgid=583 (unknown(583)) + fsgid=583 (unknown(583)) + tty=pts2 (pts2) + ses=2632 (2632) + comm="ld" (ld) + exe="/bin/sh4" (/bin/sh4) + key=(null) ((null)) + + record 2 of type 1309(EXECVE) has 50 fields + line=2 file=test4.log + event time: 1655465398.534:25618, host=(null) + type=EXECVE (EXECVE) + argc=48 (48) + a0="/bin/sh" (/bin/sh) + a1="-efu" (-efu) + a2="/usr/bin/ld" (/usr/bin/ld) + a3="-plugin" (-plugin) + a4="/usr/libexec/gcc/aarch64-alt-linux/8/liblto_plugin.so" (/usr/libexec/gcc/aarch64-alt-linux/8/liblto_plugin.so) + a5="-plugin-opt=/usr/libexec/gcc/aarch64-alt-linux/8/lto-wrapper" (-plugin-opt=/usr/libexec/gcc/aarch64-alt-linux/8/lto-wrapper) + a6="-plugin-opt=-fresolution=/usr/src/tmp/cchyHiZN.res" (-plugin-opt=-fresolution=/usr/src/tmp/cchyHiZN.res) + a7="-plugin-opt=-pass-through=-lgcc" (-plugin-opt=-pass-through=-lgcc) + a8="-plugin-opt=-pass-through=-lgcc_s" (-plugin-opt=-pass-through=-lgcc_s) + a9="-plugin-opt=-pass-through=-lc" (-plugin-opt=-pass-through=-lc) + a10="-plugin-opt=-pass-through=-lgcc" (-plugin-opt=-pass-through=-lgcc) + a11="-plugin-opt=-pass-through=-lgcc_s" (-plugin-opt=-pass-through=-lgcc_s) + a12="--build-id" (--build-id) + a13="--no-add-needed" (--no-add-needed) + a14="--eh-frame-hdr" (--eh-frame-hdr) + a15="--hash-style=gnu" (--hash-style=gnu) + 
a16="--as-needed" (--as-needed) + a17="-shared" (-shared) + a18="-X" (-X) + a19="-EL" (-EL) + a20="-maarch64linux" (-maarch64linux) + a21="-o" (-o) + a22="ztest105133.so" (ztest105133.so) + a23="/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crti.o" (/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crti.o) + a24="/usr/lib64/gcc/aarch64-alt-linux/8/crtbeginS.o" (/usr/lib64/gcc/aarch64-alt-linux/8/crtbeginS.o) + a25="-L/usr/lib64/gcc/aarch64-alt-linux/8" (-L/usr/lib64/gcc/aarch64-alt-linux/8) + a26="-L/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64" (-L/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64) + a27="-L/lib/../lib64" (-L/lib/../lib64) + a28="-L/usr/lib/../lib64" (-L/usr/lib/../lib64) + a29="-L/usr/lib64/gcc/aarch64-alt-linux/8/../../.." (-L/usr/lib64/gcc/aarch64-alt-linux/8/../../..) + a30="-soname" (-soname) + a31="libz.so.1" (libz.so.1) + a32="--version-script" (--version-script) + a33="zlib.map" (zlib.map) + a34="ztest105133.o" (ztest105133.o) + a35="-lgcc" (-lgcc) + a36="--push-state" (--push-state) + a37="--as-needed" (--as-needed) + a38="-lgcc_s" (-lgcc_s) + a39="--pop-state" (--pop-state) + a40="-lc" (-lc) + a41="-lgcc" (-lgcc) + a42="--push-state" (--push-state) + a43="--as-needed" (--as-needed) + a44="-lgcc_s" (-lgcc_s) + a45="--pop-state" (--pop-state) + a46="/usr/lib64/gcc/aarch64-alt-linux/8/crtendS.o" (/usr/lib64/gcc/aarch64-alt-linux/8/crtendS.o) + a47="/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crtn.o" (/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crtn.o) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test4.log + event time: 1655465398.534:25618, host=(null) + type=CWD (CWD) + cwd="/usr/src/RPM/BUILD/zlib-1.2.11-alt1" (/usr/src/RPM/BUILD/zlib-1.2.11-alt1) + + record 4 of type 1302(PATH) has 15 fields + line=4 file=test4.log + event time: 1655465398.534:25618, host=(null) + type=PATH (PATH) + item=0 (0) + name="/usr/bin/ld" (/usr/bin/ld) + inode=40854 (40854) + dev=00:30 (00:30) + mode=0100755 
(file,755) + ouid=582 (unknown(582)) + ogid=582 (unknown(582)) + rdev=00:00 (00:00) + nametype=NORMAL (NORMAL) + cap_fp=0 (none) + cap_fi=0 (none) + cap_fe=0 (0) + cap_fver=0 (0) + cap_frootid=0 (0) + + record 5 of type 1302(PATH) has 15 fields + line=5 file=test4.log + event time: 1655465398.534:25618, host=(null) + type=PATH (PATH) + item=1 (1) + name="/bin/sh" (/bin/sh) + inode=33238 (33238) + dev=00:30 (00:30) + mode=0100755 (file,755) + ouid=582 (unknown(582)) + ogid=582 (unknown(582)) + rdev=00:00 (00:00) + nametype=NORMAL (NORMAL) + cap_fp=0 (none) + cap_fi=0 (none) + cap_fe=0 (0) + cap_fver=0 (0) + cap_frootid=0 (0) + + record 6 of type 1302(PATH) has 15 fields + line=6 file=test4.log + event time: 1655465398.534:25618, host=(null) + type=PATH (PATH) + item=2 (2) + name="/lib64/ld-linux-aarch64.so.1" (/lib64/ld-linux-aarch64.so.1) + inode=33874 (33874) + dev=00:30 (00:30) + mode=0100755 (file,755) + ouid=582 (unknown(582)) + ogid=582 (unknown(582)) + rdev=00:00 (00:00) + nametype=NORMAL (NORMAL) + cap_fp=0 (none) + cap_fi=0 (none) + cap_fe=0 (0) + cap_fver=0 (0) + cap_frootid=0 (0) + + record 7 of type 1327(PROCTITLE) has 2 fields + line=7 file=test4.log + event time: 1655465398.534:25618, host=(null) + type=PROCTITLE (PROCTITLE) + proctitle=2F62696E2F7368002D656675002F7573722F62696E2F6C64002D706C7567696E002F7573722F6C6962657865632F6763632F616172636836342D616C742D6C696E75782F382F6C69626C746F5F706C7567696E2E736F002D706C7567696E2D6F70743D2F7573722F6C6962657865632F6763632F616172636836342D616C742D (/bin/sh -efu /usr/bin/ld -plugin /usr/libexec/gcc/aarch64-alt-linux/8/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/aarch64-alt-) + +event 2 has 6 records + record 1 of type 1300(SYSCALL) has 26 fields + line=8 file=test4.log + event time: 1655465404.819:27091, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=59 (execve) + success=yes (yes) + exit=0 (0) + a0=1a407f50 (0x1a407f50) + a1=1a401cd0 (0x1a401cd0) + a2=1a3ed090 (0x1a3ed090) + a3=0 
(0x0) + items=2 (2) + ppid=105932 (105932) + pid=105933 (105933) + auid=573 (unknown(573)) + uid=583 (unknown(583)) + gid=583 (unknown(583)) + euid=583 (unknown(583)) + suid=583 (unknown(583)) + fsuid=583 (unknown(583)) + egid=583 (unknown(583)) + sgid=583 (unknown(583)) + fsgid=583 (unknown(583)) + tty=pts2 (pts2) + ses=2632 (2632) + comm="m4" (m4) + exe="/usr/bin/m4" (/usr/bin/m4) + key=(null) ((null)) + + record 2 of type 1309(EXECVE) has 218 fields + line=9 file=test4.log + event time: 1655465404.819:27091, host=(null) + type=EXECVE (EXECVE) + argc=216 (216) + a0="/usr/bin/m4" (/usr/bin/m4) + a1="--nesting-limit=1024" (--nesting-limit=1024) + a2="--gnu" (--gnu) + a3="--include=/usr/share/autoconf-2.60" (--include=/usr/share/autoconf-2.60) + a4="--debug=aflq" (--debug=aflq)
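Review bot: the interpreted values in this expected output depend on the machine that runs the test. `auid=573 (unknown(573))`, `uid=583 (unknown(583))` and `ouid=582 (unknown(582))` only match on a host where ids 573, 582 and 583 have no passwd or group entry. If the test compares the parser's output against this file byte for byte, a build host that assigns any of those ids will interpret them as names and the comparison will fail. Consider using ids that are guaranteed to be unassigned, or have the test normalise the interpreted uid and gid fields before comparing.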
View file
_service:tar_scm:audit-3.0.9.tar.gz/auparse/test/test4.log
Added
@@ -0,0 +1,13 @@ +type=SYSCALL msg=audit(1655465398.534:25618): arch=c000003e syscall=59 success=yes exit=0 a0=8c403a0 a1=8c3e8b0 a2=fffffb6cc5b0 a3=0 items=3 ppid=105182 pid=105183 auid=573 uid=583 gid=583 euid=583 suid=583 fsuid=583 egid=583 sgid=583 fsgid=583 tty=pts2 ses=2632 comm="ld" exe="/bin/sh4" key=(null) +type=EXECVE msg=audit(1655465398.534:25618): argc=48 a0="/bin/sh" a1="-efu" a2="/usr/bin/ld" a3="-plugin" a4="/usr/libexec/gcc/aarch64-alt-linux/8/liblto_plugin.so" a5="-plugin-opt=/usr/libexec/gcc/aarch64-alt-linux/8/lto-wrapper" a6="-plugin-opt=-fresolution=/usr/src/tmp/cchyHiZN.res" a7="-plugin-opt=-pass-through=-lgcc" a8="-plugin-opt=-pass-through=-lgcc_s" a9="-plugin-opt=-pass-through=-lc" a10="-plugin-opt=-pass-through=-lgcc" a11="-plugin-opt=-pass-through=-lgcc_s" a12="--build-id" a13="--no-add-needed" a14="--eh-frame-hdr" a15="--hash-style=gnu" a16="--as-needed" a17="-shared" a18="-X" a19="-EL" a20="-maarch64linux" a21="-o" a22="ztest105133.so" a23="/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crti.o" a24="/usr/lib64/gcc/aarch64-alt-linux/8/crtbeginS.o" a25="-L/usr/lib64/gcc/aarch64-alt-linux/8" a26="-L/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64" a27="-L/lib/../lib64" a28="-L/usr/lib/../lib64" a29="-L/usr/lib64/gcc/aarch64-alt-linux/8/../../.." 
a30="-soname" a31="libz.so.1" a32="--version-script" a33="zlib.map" a34="ztest105133.o" a35="-lgcc" a36="--push-state" a37="--as-needed" a38="-lgcc_s" a39="--pop-state" a40="-lc" a41="-lgcc" a42="--push-state" a43="--as-needed" a44="-lgcc_s" a45="--pop-state" a46="/usr/lib64/gcc/aarch64-alt-linux/8/crtendS.o" a47="/usr/lib64/gcc/aarch64-alt-linux/8/../../../../lib64/crtn.o" +type=CWD msg=audit(1655465398.534:25618): cwd="/usr/src/RPM/BUILD/zlib-1.2.11-alt1" +type=PATH msg=audit(1655465398.534:25618): item=0 name="/usr/bin/ld" inode=40854 dev=00:30 mode=0100755 ouid=582 ogid=582 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(1655465398.534:25618): item=1 name="/bin/sh" inode=33238 dev=00:30 mode=0100755 ouid=582 ogid=582 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(1655465398.534:25618): item=2 name="/lib64/ld-linux-aarch64.so.1" inode=33874 dev=00:30 mode=0100755 ouid=582 ogid=582 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 +type=PROCTITLE msg=audit(1655465398.534:25618): proctitle=2F62696E2F7368002D656675002F7573722F62696E2F6C64002D706C7567696E002F7573722F6C6962657865632F6763632F616172636836342D616C742D6C696E75782F382F6C69626C746F5F706C7567696E2E736F002D706C7567696E2D6F70743D2F7573722F6C6962657865632F6763632F616172636836342D616C742D +type=SYSCALL msg=audit(1655465404.819:27091): arch=c000003e syscall=59 success=yes exit=0 a0=1a407f50 a1=1a401cd0 a2=1a3ed090 a3=0 items=2 ppid=105932 pid=105933 auid=573 uid=583 gid=583 euid=583 suid=583 fsuid=583 egid=583 sgid=583 fsgid=583 tty=pts2 ses=2632 comm="m4" exe="/usr/bin/m4" key=(null) +type=EXECVE msg=audit(1655465404.819:27091): argc=216 a0="/usr/bin/m4" a1="--nesting-limit=1024" a2="--gnu" a3="--include=/usr/share/autoconf-2.60" a4="--debug=aflq" a5="--fatal-warning" a6="--debugfile=autom4te.cache/traces.0t" a7="--trace=AC_CHECK_LIBM" a8="--trace=AC_CONFIG_MACRO_DIR" 
a9="--trace=AC_CONFIG_MACRO_DIR_TRACE" a10="--trace=AC_DEFUN" a11="--trace=AC_DEFUN_ONCE" a12="--trace=AC_DEPLIBS_CHECK_METHOD" a13="--trace=AC_DISABLE_FAST_INSTALL" a14="--trace=AC_DISABLE_SHARED" a15="--trace=AC_DISABLE_STATIC" a16="--trace=AC_ENABLE_FAST_INSTALL" a17="--trace=AC_ENABLE_SHARED" a18="--trace=AC_ENABLE_STATIC" a19="--trace=AC_LIBLTDL_CONVENIENCE" a20="--trace=AC_LIBLTDL_INSTALLABLE" a21="--trace=AC_LIBTOOL_COMPILER_OPTION" a22="--trace=AC_LIBTOOL_CONFIG" a23="--trace=AC_LIBTOOL_CXX" a24="--trace=AC_LIBTOOL_DLOPEN" a25="--trace=AC_LIBTOOL_DLOPEN_SELF" a26="--trace=AC_LIBTOOL_F77" a27="--trace=AC_LIBTOOL_FC" a28="--trace=AC_LIBTOOL_GCJ" a29="--trace=AC_LIBTOOL_LANG_CXX_CONFIG" a30="--trace=AC_LIBTOOL_LANG_C_CONFIG" a31="--trace=AC_LIBTOOL_LANG_F77_CONFIG" a32="--trace=AC_LIBTOOL_LANG_GCJ_CONFIG" a33="--trace=AC_LIBTOOL_LANG_RC_CONFIG" a34="--trace=AC_LIBTOOL_LINKER_OPTION" a35="--trace=AC_LIBTOOL_OBJDIR" a36="--trace=AC_LIBTOOL_PICMODE" a37="--trace=AC_LIBTOOL_POSTDEP_PREDEP" a38="--trace=AC_LIBTOOL_PROG_CC_C_O" a39="--trace=AC_LIBTOOL_PROG_COMPILER_NO_RTTI" a40="--trace=AC_LIBTOOL_PROG_COMPILER_PIC" a41="--trace=AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH" a42="--trace=AC_LIBTOOL_PROG_LD_SHLIBS" a43="--trace=AC_LIBTOOL_RC" a44="--trace=AC_LIBTOOL_SETUP" a45="--trace=AC_LIBTOOL_SYS_DYNAMIC_LINKER" a46="--trace=AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE" a47="--trace=AC_LIBTOOL_SYS_HARD_LINK_LOCKS" a48="--trace=AC_LIBTOOL_SYS_LIB_STRIP" a49="--trace=AC_LIBTOOL_SYS_MAX_CMD_LEN" a50="--trace=AC_LIBTOOL_SYS_OLD_ARCHIVE" a51="--trace=AC_LIBTOOL_WIN32_DLL" a52="--trace=AC_LIB_LTDL" a53="--trace=AC_LTDL_DLLIB" a54="--trace=AC_LTDL_DLSYM_USCORE" a55="--trace=AC_LTDL_ENABLE_INSTALL" a56="--trace=AC_LTDL_OBJDIR" a57="--trace=AC_LTDL_PREOPEN" a58="--trace=AC_LTDL_SHLIBEXT" a59="--trace=AC_LTDL_SHLIBPATH" a60="--trace=AC_LTDL_SYMBOL_USCORE" a61="--trace=AC_LTDL_SYSSEARCHPATH" a62="--trace=AC_LTDL_SYS_DLOPEN_DEPLIBS" a63="--trace=AC_PATH_MAGIC" a64="--trace=AC_PATH_TOOL_PREFIX" 
a65="--trace=AC_PROG_EGREP" a66="--trace=AC_PROG_LD" a67="--trace=AC_PROG_LD_GNU" a68="--trace=AC_PROG_LD_RELOAD_FLAG" a69="--trace=AC_PROG_LIBTOOL" a70="--trace=AC_PROG_NM" a71="--trace=AC_WITH_LTDL" a72="--trace=AM_AUTOMAKE_VERSION" a73="--trace=AM_AUX_DIR_EXPAND" a74="--trace=AM_CONDITIONAL" a75="--trace=AM_DEP_TRACK" a76="--trace=AM_DISABLE_SHARED" a77="--trace=AM_DISABLE_STATIC" a78="--trace=AM_ENABLE_SHARED" a79="--trace=AM_ENABLE_STATIC" a80="--trace=AM_INIT_AUTOMAKE" a81="--trace=AM_MAKE_INCLUDE" a82="--trace=AM_MISSING_HAS_RUN" a83="--trace=AM_MISSING_PROG" a84="--trace=AM_OUTPUT_DEPENDENCY_COMMANDS" a85="--trace=AM_PROG_CC_C_O" a86="--trace=AM_PROG_INSTALL_SH" a87="--trace=AM_PROG_INSTALL_STRIP" a88="--trace=AM_PROG_LD" a89="--trace=AM_PROG_LIBTOOL" a90="--trace=AM_PROG_NM" a91="--trace=AM_RUN_LOG" a92="--trace=AM_SANITY_CHECK" a93="--trace=AM_SET_CURRENT_AUTOMAKE_VERSION" a94="--trace=AM_SET_DEPDIR" a95="--trace=AM_SET_LEADING_DOT" a96="--trace=AM_SILENT_RULES" a97="--trace=AM_SUBST_NOTMAKE" a98="--trace=AU_DEFUN" a99="--trace=LTDL_CONVENIENCE" a100="--trace=LTDL_INIT" a101="--trace=LTDL_INSTALLABLE" a102="--trace=LTOBSOLETE_VERSION" a103="--trace=LTOPTIONS_VERSION" a104="--trace=LTSUGAR_VERSION" a105="--trace=LTVERSION_VERSION" a106="--trace=LT_AC_PROG_EGREP" a107="--trace=LT_AC_PROG_GCJ" a108="--trace=LT_AC_PROG_RC" a109="--trace=LT_AC_PROG_SED" a110="--trace=LT_CMD_MAX_LEN" a111="--trace=LT_CONFIG_LTDL_DIR" a112="--trace=LT_FUNC_ARGZ" a113="--trace=LT_FUNC_DLSYM_USCORE" a114="--trace=LT_INIT" a115="--trace=LT_LANG" a116="--trace=LT_LIB_DLLOAD" a117="--trace=LT_LIB_M" a118="--trace=LT_OUTPUT" a119="--trace=LT_PATH_LD" a120="--trace=LT_PATH_NM" a121="--trace=LT_PROG_GCJ" a122="--trace=LT_PROG_GO" a123="--trace=LT_PROG_RC" a124="--trace=LT_SUPPORTED_TAG" a125="--trace=LT_SYS_DLOPEN_DEPLIBS" a126="--trace=LT_SYS_DLOPEN_SELF" a127="--trace=LT_SYS_DLSEARCH_PATH" a128="--trace=LT_SYS_MODULE_EXT" a129="--trace=LT_SYS_MODULE_PATH" 
a130="--trace=LT_SYS_SYMBOL_USCORE" a131="--trace=LT_WITH_LTDL" a132="--trace=_AC_AM_CONFIG_HEADER_HOOK" a133="--trace=_AC_PROG_LIBTOOL" a134="--trace=_AM_AUTOCONF_VERSION" a135="--trace=_AM_CONFIG_MACRO_DIRS" a136="--trace=_AM_DEPENDENCIES" a137="--trace=_AM_IF_OPTION" a138="--trace=_AM_MANGLE_OPTION" a139="--trace=_AM_OUTPUT_DEPENDENCY_COMMANDS" a140="--trace=_AM_PROG_CC_C_O" a141="--trace=_AM_PROG_TAR" a142="--trace=_AM_SET_OPTION" a143="--trace=_AM_SET_OPTIONS" a144="--trace=_AM_SUBST_NOTMAKE" a145="--trace=_LTDL_SETUP" a146="--trace=_LT_AC_CHECK_DLFCN" a147="--trace=_LT_AC_FILE_LTDLL_C" a148="--trace=_LT_AC_LANG_CXX" a149="--trace=_LT_AC_LANG_CXX_CONFIG" a150="--trace=_LT_AC_LANG_C_CONFIG" a151="--trace=_LT_AC_LANG_F77" a152="--trace=_LT_AC_LANG_F77_CONFIG" a153="--trace=_LT_AC_LANG_GCJ" a154="--trace=_LT_AC_LANG_GCJ_CONFIG" a155="--trace=_LT_AC_LANG_RC_CONFIG" a156="--trace=_LT_AC_LOCK" a157="--trace=_LT_AC_PROG_CXXCPP" a158="--trace=_LT_AC_PROG_ECHO_BACKSLASH" a159="--trace=_LT_AC_SHELL_INIT" a160="--trace=_LT_AC_SYS_COMPILER" a161="--trace=_LT_AC_SYS_LIBPATH_AIX" a162="--trace=_LT_AC_TAGCONFIG" a163="--trace=_LT_AC_TAGVAR" a164="--trace=_LT_AC_TRY_DLOPEN_SELF" a165="--trace=_LT_CC_BASENAME" a166="--trace=_LT_COMPILER_BOILERPLATE" a167="--trace=_LT_COMPILER_OPTION" a168="--trace=_LT_DLL_DEF_P" a169="--trace=_LT_LIBOBJ" a170="--trace=_LT_LINKER_BOILERPLATE" a171="--trace=_LT_LINKER_OPTION" a172="--trace=_LT_PATH_TOOL_PREFIX" a173="--trace=_LT_PREPARE_SED_QUOTE_VARS" a174="--trace=_LT_PROG_CXX" a175="--trace=_LT_PROG_ECHO_BACKSLASH" a176="--trace=_LT_PROG_F77" a177="--trace=_LT_PROG_FC" a178="--trace=_LT_PROG_LTMAIN" a179="--trace=_LT_REQUIRED_DARWIN_CHECKS" a180="--trace=_LT_WITH_SYSROOT" a181="--trace=_m4_warn" a182="--trace=include" a183="--trace=m4_include" a184="--trace=m4_pattern_allow" a185="--trace=m4_pattern_forbid" a186="--reload-state=/usr/share/autoconf-2.60/autoconf/autoconf.m4f" a187="--undefine=__m4_version__" a188="-" 
a189="/usr/share/aclocal-1.16/internal/ac-config-macro-dirs.m4" a190="/usr/share/libtool/aclocal/libtool.m4" a191="/usr/share/libtool/aclocal/ltargz.m4" a192="/usr/share/libtool/aclocal/ltdl.m4" a193="/usr/share/libtool/aclocal/ltoptions.m4" a194="/usr/share/libtool/aclocal/ltsugar.m4" a195="/usr/share/libtool/aclocal/ltversion.m4" a196="/usr/share/libtool/aclocal/lt~obsolete.m4" a197="/usr/share/aclocal-1.16/amversion.m4" a198="/usr/share/aclocal-1.16/auxdir.m4" a199="/usr/share/aclocal-1.16/cond.m4" a200="/usr/share/aclocal-1.16/depend.m4" a201="/usr/share/aclocal-1.16/depout.m4" a202="/usr/share/aclocal-1.16/init.m4" a203="/usr/share/aclocal-1.16/install-sh.m4" a204="/usr/share/aclocal-1.16/lead-dot.m4" a205="/usr/share/aclocal-1.16/make.m4" a206="/usr/share/aclocal-1.16/missing.m4" a207="/usr/share/aclocal-1.16/options.m4" a208="/usr/share/aclocal-1.16/prog-cc-c-o.m4" a209="/usr/share/aclocal-1.16/runlog.m4" a210="/usr/share/aclocal-1.16/sanity.m4" a211="/usr/share/aclocal-1.16/silent.m4" a212="/usr/share/aclocal-1.16/strip.m4" a213="/usr/share/aclocal-1.16/substnot.m4" a214="/usr/share/aclocal-1.16/tar.m4" a215="configure.ac" +type=CWD msg=audit(1655465404.819:27091): cwd="/usr/src/RPM/BUILD/zlib-1.2.11-alt1/contrib/minizip" +type=PATH msg=audit(1655465404.819:27091): item=0 name="/usr/bin/m4" inode=40839 dev=00:30 mode=0100755 ouid=582 ogid=582 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(1655465404.819:27091): item=1 name="/lib64/ld-linux-aarch64.so.1" inode=33874 dev=00:30 mode=0100755 ouid=582 ogid=582 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 +type=PROCTITLE msg=audit(1655465404.819:27091): proctitle=2F7573722F62696E2F6D34002D2D6E657374696E672D6C696D69743D31303234002D2D676E75002D2D696E636C7564653D2F7573722F73686172652F6175746F636F6E662D322E3630002D2D64656275673D61666C71002D2D666174616C2D7761726E696E67002D2D646562756766696C653D6175746F6D3474652E63616368
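Review bot: the first SYSCALL record in this fixture is internally inconsistent, and nothing in the file says whether that is deliberate. It carries `exe="/bin/sh4"`, while the EXECVE record for the same event has `a0="/bin/sh"` and PATH item=1 is `name="/bin/sh"`. Both SYSCALL records also declare `arch=c000003e` although the recorded arguments and paths (`-maarch64linux`, `/lib64/ld-linux-aarch64.so.1`) come from an aarch64 build. If the log was edited by hand to exercise the parser, state that next to the test; if not, recapture it. The records also carry what looks like a live build host's ids, session and directory layout (`auid=573`, `ses=2632`, `/usr/src/RPM/BUILD/zlib-1.2.11-alt1`), which is worth scrubbing from a fixture that ships in the release tarball.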
View file
_service:tar_scm:audit-3.0.1.tar.gz/auparse/typetab.h -> _service:tar_scm:audit-3.0.9.tar.gz/auparse/typetab.h
Changed
@@ -142,3 +142,5 @@ _S(AUPARSE_TYPE_FANOTIFY, "resp" ) _S(AUPARSE_TYPE_ESCAPED, "sw" ) _S(AUPARSE_TYPE_ESCAPED, "root_dir" ) +_S(AUPARSE_TYPE_NLMCGRP, "nl-mcgrp" ) +_S(AUPARSE_TYPE_RESOLVE, "resolve" )
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
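Review bot: the rewritten license header gives the FSF postcode as `02110-1335`; the FSF's Franklin Street address uses 02110-1301. The new wording also says "this program" directly under a line that names the GNU Lesser General Public License, where the old text said "this library", and the line break after "Fifth Floor" drops the comma before "Boston". The same header recurs in the other Makefile.am and Makefile.in files of this revision, so the fix belongs upstream rather than in each copy.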
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -175,8 +176,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -225,6 +224,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -236,8 +237,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -293,6 +296,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ 
@@ -346,6 +350,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -498,7 +503,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
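Review bot: `WFLAGS = @WFLAGS@` and `FILECMD = @FILECMD@` are new substitutions whose values are set outside this file, so these hunks cannot be reviewed on their own. Check configure.ac (or the generated configure) for what WFLAGS adds to the compile line before accepting it. The file is automake output (the header moves from 1.16.2 to 1.16.5), and in the same regeneration `ETAGS` and `CTAGS` change from the fixed `etags` and `ctags` to configure-time values. For a package build it is safer to regenerate these files from Makefile.am with the distribution's own autotools than to rely on the shipped copies. The other Makefile.in files in this revision show the same regeneration.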
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/golang/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/golang/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/golang/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/golang/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -166,6 +167,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -177,8 +180,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -234,6 +239,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -287,6 +293,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -349,7 +356,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/python/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/python/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -155,8 +155,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = python2 python3 am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -205,6 +203,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -216,8 +216,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -273,6 +275,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -326,6 +329,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -479,7 +483,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/python/auparse_python.c -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/python/auparse_python.c
Changed
@@ -28,7 +28,7 @@ #if PY_MAJOR_VERSION > 2 #define IS_PY3K -#if PY_MINOR_VERSION > 5 +#if PY_MINOR_VERSION >= 5 #define USE_RICH_COMPARISON #endif #define MODINITERROR return NULL @@ -2387,10 +2387,13 @@ PyModule_AddIntConstant(m, "AUPARSE_TYPE_PROCTITLE", AUPARSE_TYPE_PROCTITLE); PyModule_AddIntConstant(m, "AUPARSE_TYPE_HOOK", AUPARSE_TYPE_HOOK); PyModule_AddIntConstant(m, "AUPARSE_TYPE_NETACTION", AUPARSE_TYPE_NETACTION); + PyModule_AddIntConstant(m, "AUPARSE_TYPE_MACPROTO,", AUPARSE_TYPE_MACPROTO); PyModule_AddIntConstant(m, "AUPARSE_TYPE_IOCTL_REQ", AUPARSE_TYPE_IOCTL_REQ); PyModule_AddIntConstant(m, "AUPARSE_TYPE_ESCAPED_KEY", AUPARSE_TYPE_ESCAPED_KEY); PyModule_AddIntConstant(m, "AUPARSE_TYPE_ESCAPED_FILE", AUPARSE_TYPE_ESCAPED_FILE); PyModule_AddIntConstant(m, "AUPARSE_TYPE_FANOTIFY", AUPARSE_TYPE_FANOTIFY); + PyModule_AddIntConstant(m, "AUPARSE_TYPE_NLMCGRP", AUPARSE_TYPE_NLMCGRP); + PyModule_AddIntConstant(m, "AUPARSE_TYPE_RESOLVE", AUPARSE_TYPE_RESOLVE); /* Escape types */ PyModule_AddIntConstant(m, "AUPARSE_ESC_RAW", AUPARSE_ESC_RAW);
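Review bot: the added MACPROTO export in the second hunk has a stray comma inside the name string: `PyModule_AddIntConstant(m, "AUPARSE_TYPE_MACPROTO,", AUPARSE_TYPE_MACPROTO);`. The module attribute is therefore created under the name `AUPARSE_TYPE_MACPROTO,` and a normal lookup of `AUPARSE_TYPE_MACPROTO` on the module raises AttributeError. Drop the comma so the string reads "AUPARSE_TYPE_MACPROTO". None of the three added calls check the return value of PyModule_AddIntConstant. That matches the surrounding lines, but it means a failed insert goes unnoticed at import.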
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/python/python2/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/python/python2/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/python/python2/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/python/python2/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -224,8 +225,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -248,6 +247,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -259,8 +260,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -316,6 +319,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ 
@@ -369,6 +373,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -562,7 +567,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/python/python3/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/python/python3/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/python/python3/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/python/python3/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -223,8 +224,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -247,6 +246,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -258,8 +259,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -315,6 +318,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ 
@@ -368,6 +372,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -561,7 +566,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -177,8 +178,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = src python python3 am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -227,6 +226,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -238,8 +239,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -295,6 +298,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ 
@@ -348,6 +352,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -501,7 +506,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/python/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/python/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/python/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/python/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -204,8 +204,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \ $(top_srcdir)/py-compile DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -229,6 +227,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -240,8 +240,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -297,6 +299,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -350,6 +353,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -379,8 +383,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -613,7 +618,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/python/audit.py -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/python/audit.py
Changed
@@ -124,6 +124,10 @@ AUDIT_TIME_ADJNTPVAL = _audit.AUDIT_TIME_ADJNTPVAL AUDIT_BPF = _audit.AUDIT_BPF AUDIT_EVENT_LISTENER = _audit.AUDIT_EVENT_LISTENER +AUDIT_URINGOP = _audit.AUDIT_URINGOP +AUDIT_OPENAT2 = _audit.AUDIT_OPENAT2 +AUDIT_DM_CTRL = _audit.AUDIT_DM_CTRL +AUDIT_DM_EVENT = _audit.AUDIT_DM_EVENT AUDIT_AVC = _audit.AUDIT_AVC AUDIT_SELINUX_ERR = _audit.AUDIT_SELINUX_ERR AUDIT_AVC_PATH = _audit.AUDIT_AVC_PATH @@ -167,6 +171,7 @@ AUDIT_FILTER_EXCLUDE = _audit.AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE = _audit.AUDIT_FILTER_TYPE AUDIT_FILTER_FS = _audit.AUDIT_FILTER_FS +AUDIT_FILTER_URING_EXIT = _audit.AUDIT_FILTER_URING_EXIT AUDIT_NR_FILTERS = _audit.AUDIT_NR_FILTERS AUDIT_FILTER_PREPEND = _audit.AUDIT_FILTER_PREPEND AUDIT_NEVER = _audit.AUDIT_NEVER @@ -445,6 +450,7 @@ AUDIT_APPARMOR_HINT = _audit.AUDIT_APPARMOR_HINT AUDIT_APPARMOR_STATUS = _audit.AUDIT_APPARMOR_STATUS AUDIT_APPARMOR_ERROR = _audit.AUDIT_APPARMOR_ERROR +AUDIT_APPARMOR_KILL = _audit.AUDIT_APPARMOR_KILL AUDIT_FIRST_KERN_CRYPTO_MSG = _audit.AUDIT_FIRST_KERN_CRYPTO_MSG AUDIT_LAST_KERN_CRYPTO_MSG = _audit.AUDIT_LAST_KERN_CRYPTO_MSG AUDIT_INTEGRITY_FIRST_MSG = _audit.AUDIT_INTEGRITY_FIRST_MSG @@ -470,6 +476,9 @@ AUDIT_ANOM_MOD_ACCT = _audit.AUDIT_ANOM_MOD_ACCT AUDIT_ANOM_ROOT_TRANS = _audit.AUDIT_ANOM_ROOT_TRANS AUDIT_ANOM_LOGIN_SERVICE = _audit.AUDIT_ANOM_LOGIN_SERVICE +AUDIT_ANOM_LOGIN_ROOT = _audit.AUDIT_ANOM_LOGIN_ROOT +AUDIT_ANOM_ORIGIN_FAILURES = _audit.AUDIT_ANOM_ORIGIN_FAILURES +AUDIT_ANOM_SESSION = _audit.AUDIT_ANOM_SESSION AUDIT_FIRST_ANOM_RESP = _audit.AUDIT_FIRST_ANOM_RESP AUDIT_LAST_ANOM_RESP = _audit.AUDIT_LAST_ANOM_RESP AUDIT_RESP_ANOMALY = _audit.AUDIT_RESP_ANOMALY 
@@ -487,6 +496,7 @@ AUDIT_RESP_HALT = _audit.AUDIT_RESP_HALT AUDIT_RESP_ORIGIN_BLOCK = _audit.AUDIT_RESP_ORIGIN_BLOCK AUDIT_RESP_ORIGIN_BLOCK_TIMED = _audit.AUDIT_RESP_ORIGIN_BLOCK_TIMED +AUDIT_RESP_ORIGIN_UNBLOCK_TIMED = _audit.AUDIT_RESP_ORIGIN_UNBLOCK_TIMED AUDIT_FIRST_USER_LSPP_MSG = _audit.AUDIT_FIRST_USER_LSPP_MSG AUDIT_LAST_USER_LSPP_MSG = _audit.AUDIT_LAST_USER_LSPP_MSG AUDIT_USER_ROLE_CHANGE = _audit.AUDIT_USER_ROLE_CHANGE @@ -776,9 +786,6 @@ def audit_add_watch(rulep, path): return _audit.audit_add_watch(rulep, path) -def audit_add_dir(rulep, path): - return _audit.audit_add_dir(rulep, path) - def audit_add_watch_dir(type, rulep, path): return _audit.audit_add_watch_dir(type, rulep, path) @@ -794,8 +801,8 @@ def audit_delete_rule_data(fd, rule, flags, action): return _audit.audit_delete_rule_data(fd, rule, flags, action) -def audit_value_needs_encoding(str, len): - return _audit.audit_value_needs_encoding(str, len) +def audit_value_needs_encoding(str, size): + return _audit.audit_value_needs_encoding(str, size) def audit_encode_value(final, buf, size): return _audit.audit_encode_value(final, buf, size) @@ -827,9 +834,6 @@ def audit_rule_init_data(rule): return _audit.audit_rule_init_data(rule) -def audit_rule_syscall_data(rule, scall): - return _audit.audit_rule_syscall_data(rule, scall) - def audit_rule_syscallbyname_data(rule, scall): return _audit.audit_rule_syscallbyname_data(rule, scall)
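Review bot: Two wrappers are dropped outright in this file, audit_add_dir(rulep, path) and audit_rule_syscall_data(rule, scall), with no deprecated alias left behind, so any script that still calls them will raise AttributeError after the update. The rename of the second parameter of audit_value_needs_encoding from len to size also breaks callers that passed it by keyword. Before accepting the version bump, search dependent packages for these three names and record the removals in the changelog; audit_add_watch_dir and audit_rule_syscallbyname_data remain available in the visible lines.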
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/python3/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/python3/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/python3/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/python3/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -204,8 +204,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \ $(top_srcdir)/py-compile DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -229,6 +227,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -240,8 +240,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -297,6 +299,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -350,6 +353,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -379,8 +383,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -613,7 +618,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/python3/audit.py -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/python3/audit.py
Changed
@@ -124,6 +124,10 @@ AUDIT_TIME_ADJNTPVAL = _audit.AUDIT_TIME_ADJNTPVAL AUDIT_BPF = _audit.AUDIT_BPF AUDIT_EVENT_LISTENER = _audit.AUDIT_EVENT_LISTENER +AUDIT_URINGOP = _audit.AUDIT_URINGOP +AUDIT_OPENAT2 = _audit.AUDIT_OPENAT2 +AUDIT_DM_CTRL = _audit.AUDIT_DM_CTRL +AUDIT_DM_EVENT = _audit.AUDIT_DM_EVENT AUDIT_AVC = _audit.AUDIT_AVC AUDIT_SELINUX_ERR = _audit.AUDIT_SELINUX_ERR AUDIT_AVC_PATH = _audit.AUDIT_AVC_PATH @@ -167,6 +171,7 @@ AUDIT_FILTER_EXCLUDE = _audit.AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE = _audit.AUDIT_FILTER_TYPE AUDIT_FILTER_FS = _audit.AUDIT_FILTER_FS +AUDIT_FILTER_URING_EXIT = _audit.AUDIT_FILTER_URING_EXIT AUDIT_NR_FILTERS = _audit.AUDIT_NR_FILTERS AUDIT_FILTER_PREPEND = _audit.AUDIT_FILTER_PREPEND AUDIT_NEVER = _audit.AUDIT_NEVER @@ -445,6 +450,7 @@ AUDIT_APPARMOR_HINT = _audit.AUDIT_APPARMOR_HINT AUDIT_APPARMOR_STATUS = _audit.AUDIT_APPARMOR_STATUS AUDIT_APPARMOR_ERROR = _audit.AUDIT_APPARMOR_ERROR +AUDIT_APPARMOR_KILL = _audit.AUDIT_APPARMOR_KILL AUDIT_FIRST_KERN_CRYPTO_MSG = _audit.AUDIT_FIRST_KERN_CRYPTO_MSG AUDIT_LAST_KERN_CRYPTO_MSG = _audit.AUDIT_LAST_KERN_CRYPTO_MSG AUDIT_INTEGRITY_FIRST_MSG = _audit.AUDIT_INTEGRITY_FIRST_MSG @@ -470,6 +476,9 @@ AUDIT_ANOM_MOD_ACCT = _audit.AUDIT_ANOM_MOD_ACCT AUDIT_ANOM_ROOT_TRANS = _audit.AUDIT_ANOM_ROOT_TRANS AUDIT_ANOM_LOGIN_SERVICE = _audit.AUDIT_ANOM_LOGIN_SERVICE +AUDIT_ANOM_LOGIN_ROOT = _audit.AUDIT_ANOM_LOGIN_ROOT +AUDIT_ANOM_ORIGIN_FAILURES = _audit.AUDIT_ANOM_ORIGIN_FAILURES +AUDIT_ANOM_SESSION = _audit.AUDIT_ANOM_SESSION AUDIT_FIRST_ANOM_RESP = _audit.AUDIT_FIRST_ANOM_RESP AUDIT_LAST_ANOM_RESP = _audit.AUDIT_LAST_ANOM_RESP AUDIT_RESP_ANOMALY = _audit.AUDIT_RESP_ANOMALY 
@@ -487,6 +496,7 @@ AUDIT_RESP_HALT = _audit.AUDIT_RESP_HALT AUDIT_RESP_ORIGIN_BLOCK = _audit.AUDIT_RESP_ORIGIN_BLOCK AUDIT_RESP_ORIGIN_BLOCK_TIMED = _audit.AUDIT_RESP_ORIGIN_BLOCK_TIMED +AUDIT_RESP_ORIGIN_UNBLOCK_TIMED = _audit.AUDIT_RESP_ORIGIN_UNBLOCK_TIMED AUDIT_FIRST_USER_LSPP_MSG = _audit.AUDIT_FIRST_USER_LSPP_MSG AUDIT_LAST_USER_LSPP_MSG = _audit.AUDIT_LAST_USER_LSPP_MSG AUDIT_USER_ROLE_CHANGE = _audit.AUDIT_USER_ROLE_CHANGE @@ -776,9 +786,6 @@ def audit_add_watch(rulep: "struct audit_rule_data **", path: "char const *") -> "int": return _audit.audit_add_watch(rulep, path) -def audit_add_dir(rulep: "struct audit_rule_data **", path: "char const *") -> "int": - return _audit.audit_add_dir(rulep, path) - def audit_add_watch_dir(type: "int", rulep: "struct audit_rule_data **", path: "char const *") -> "int": return _audit.audit_add_watch_dir(type, rulep, path) @@ -794,8 +801,8 @@ def audit_delete_rule_data(fd: "int", rule: "audit_rule_data", flags: "int", action: "int") -> "int": return _audit.audit_delete_rule_data(fd, rule, flags, action) -def audit_value_needs_encoding(str: "char const *", len: "unsigned int") -> "int": - return _audit.audit_value_needs_encoding(str, len) +def audit_value_needs_encoding(str: "char const *", size: "unsigned int") -> "int": + return _audit.audit_value_needs_encoding(str, size) def audit_encode_value(final: "char *", buf: "char const *", size: "unsigned int") -> "char *": return _audit.audit_encode_value(final, buf, size) @@ -827,9 +834,6 @@ def audit_rule_init_data(rule: "audit_rule_data") -> "void": return _audit.audit_rule_init_data(rule) -def audit_rule_syscall_data(rule: "audit_rule_data", scall: "int") -> "int": - return _audit.audit_rule_syscall_data(rule, scall) - def audit_rule_syscallbyname_data(rule: "audit_rule_data", scall: "char const *") -> "int": return _audit.audit_rule_syscallbyname_data(rule, scall)
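Review bot: Every constant added here, for example "AUDIT_URINGOP = _audit.AUDIT_URINGOP" and "AUDIT_FILTER_URING_EXIT = _audit.AUDIT_FILTER_URING_EXIT", is a module-level attribute lookup, so importing this audit.py against a _audit extension built from 3.0.1 fails at import time rather than at first use. The package should ship audit.py and the compiled _audit module from the same build and never mix them across versions. The new record types (AUDIT_URINGOP, AUDIT_OPENAT2, AUDIT_DM_CTRL, AUDIT_DM_EVENT, AUDIT_APPARMOR_KILL, the three AUDIT_ANOM_* entries and AUDIT_RESP_ORIGIN_UNBLOCK_TIMED) also matter to consumers: log parsers and detection rules that enumerate known record types should be updated alongside this bump.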
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/src/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/src/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/bindings/swig/src/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/bindings/swig/src/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -165,6 +166,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -176,8 +179,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -233,6 +238,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -286,6 +292,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -346,7 +353,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/common/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/common/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
View file
_service:tar_scm:audit-3.0.1.tar.gz/common/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/common/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -195,8 +196,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -219,6 +218,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -230,8 +231,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -287,6 +290,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -340,6 +344,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -500,7 +505,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/common/audit-fgets.c -> _service:tar_scm:audit-3.0.9.tar.gz/common/audit-fgets.c
Changed
@@ -51,6 +51,9 @@ return 0; } +/* Function to read the next chunk of data from the given fd. If we have + * data to return, we pass the line length for success. 0 for no data. And + * -1 if there was an error reading the fd. */ int audit_fgets(char *buf, size_t blen, int fd) { int complete = 0; @@ -119,5 +122,5 @@ } *current = 0; } - return complete; + return complete ? line_len : 0; }
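Review bot: The final return changes from "return complete;" to "return complete ? line_len : 0;", which turns the result of audit_fgets from a flag into a length. Any caller that compared the result with 1 or treated it as a boolean needs to be revisited; each call site should distinguish > 0, 0 and < 0 as the new comment describes. The comment also promises -1 on a read error, but no -1 path is visible in these hunks, and line_len is returned through an int, so both points should be confirmed in the unchanged body of the function.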
View file
_service:tar_scm:audit-3.0.1.tar.gz/common/common.h -> _service:tar_scm:audit-3.0.9.tar.gz/common/common.h
Changed
@@ -1,5 +1,5 @@ /* audit-fgets.h -- a replacement for glibc's fgets - * Copyright 2018 Red Hat Inc., Durham, North Carolina. + * Copyright 2018,2022 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -25,11 +25,15 @@ #include <sys/types.h> #include "dso.h" +#ifndef __attr_access +# define __attr_access(x) +#endif AUDIT_HIDDEN_START int audit_fgets_eof(void); int audit_fgets_more(size_t blen); -int audit_fgets(char *buf, size_t blen, int fd); +int audit_fgets(char *buf, size_t blen, int fd) + __attr_access ((__write_only__, 1, 2)); char *audit_strsplit_r(char *s, char **savedpp); char *audit_strsplit(char *s);
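Review bot: The fallback "# define __attr_access(x)" makes the write-only annotation on audit_fgets disappear silently wherever the C library headers do not provide __attr_access (glibc does in recent versions), so the compiler's buffer-size checking for buf and blen is present on some builds and absent on others. A one-line comment stating that the macro is optional and where it comes from would help, and it is worth confirming that a header defining it is included before the #ifndef; only <sys/types.h> and "dso.h" are visible above it. The first line of the file still reads "audit-fgets.h" although this is common.h.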
View file
_service:tar_scm:audit-3.0.1.tar.gz/compile -> _service:tar_scm:audit-3.0.9.tar.gz/compile
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2020 Free Software Foundation, Inc. +# Copyright (C) 1999-2021 Free Software Foundation, Inc. # Written by Tom Tromey <tromey@cygnus.com>. # # This program is free software; you can redistribute it and/or modify
View file
_service:tar_scm:audit-3.0.1.tar.gz/config.guess -> _service:tar_scm:audit-3.0.9.tar.gz/config.guess
Changed
@@ -1,12 +1,14 @@ -#! /bin/sh +#!/usr/bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2018 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. -timestamp='2018-08-29' +# shellcheck disable=SC2006,SC2268 # see below for rationale + +timestamp='2022-05-25' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but @@ -27,11 +29,19 @@ # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess +# https://git.savannah.gnu.org/cgit/config.git/plain/config.guess # # Please send patches to <config-patches@gnu.org>. +# The "shellcheck disable" line above the timestamp inhibits complaints +# about features and limitations of the classic Bourne shell that were +# superseded or lifted in POSIX. However, this script identifies a wide +# variety of pre-POSIX systems that do not have POSIX shells at all, and +# even some reasonably current systems (Solaris 10 as case-in-point) still +# have a pre-POSIX /bin/sh. + + me=`echo "$0" | sed -e 's,.*/,,'` usage="\ @@ -50,7 +60,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2018 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -84,6 +94,9 @@ exit 1 fi +# Just in case it came from the environment. +GUESS= + # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a @@ -96,12 +109,13 @@ tmp= # shellcheck disable=SC2172 -trap 'test -z "$tmp" || rm -fr "$tmp"' 1 2 13 15 -trap 'exitcode=$?; test -z "$tmp" || rm -fr "$tmp"; exit $exitcode' 0 +trap 'test -z "$tmp" || rm -fr "$tmp"' 0 1 2 13 15 set_cc_for_build() { + # prevent multiple calls if $tmp is already set + test "$tmp" && return 0 : "${TMPDIR=/tmp}" - # shellcheck disable=SC2039 + # shellcheck disable=SC2039,SC3028 { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || @@ -111,7 +125,7 @@ ,,) echo "int x;" > "$dummy.c" for driver in cc gcc c89 c99 ; do if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then - CC_FOR_BUILD="$driver" + CC_FOR_BUILD=$driver break fi done @@ -132,14 +146,12 @@ UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown -UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown -case "$UNAME_SYSTEM" in +case $UNAME_SYSTEM in Linux|GNU|GNU/*) - # If the system lacks a compiler, then just pick glibc. - # We could probably try harder. - LIBC=gnu + LIBC=unknown set_cc_for_build cat <<-EOF > "$dummy.c" 
@@ -148,24 +160,37 @@ LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc - #else + #elif defined(__GLIBC__) LIBC=gnu + #else + #include <stdarg.h> + /* First heuristic to detect musl libc. */ + #ifdef __DEFINED_va_list + LIBC=musl + #endif #endif EOF - eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`" + cc_set_libc=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` + eval "$cc_set_libc" - # If ldd exists, use it to detect musl libc. - if command -v ldd >/dev/null && \ - ldd --version 2>&1 | grep -q ^musl - then - LIBC=musl + # Second heuristic to detect musl libc. + if "$LIBC" = unknown && + command -v ldd >/dev/null && + ldd --version 2>&1 | grep -q ^musl; then + LIBC=musl + fi + + # If the system lacks a compiler, then just pick glibc. + # We could probably try harder. + if "$LIBC" = unknown ; then + LIBC=gnu fi ;; esac # Note: order is significant - the case branches are not exclusive. -case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in +case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, @@ -177,12 +202,12 @@ # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". - sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ - "/sbin/$sysctl" 2>/dev/null || \ - "/usr/sbin/$sysctl" 2>/dev/null || \ + /sbin/sysctl -n hw.machine_arch 2>/dev/null || \ + /usr/sbin/sysctl -n hw.machine_arch 2>/dev/null || \ echo unknown)` - case "$UNAME_MACHINE_ARCH" in + case $UNAME_MACHINE_ARCH in + aarch64eb) machine=aarch64_be-unknown ;; armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; 
@@ -191,13 +216,13 @@ earmv*) arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv0-9\).*$,\1,'` endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` - machine="${arch}${endian}"-unknown + machine=${arch}${endian}-unknown ;; - *) machine="$UNAME_MACHINE_ARCH"-unknown ;; + *) machine=$UNAME_MACHINE_ARCH-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently (or will in the future) and ABI. - case "$UNAME_MACHINE_ARCH" in + case $UNAME_MACHINE_ARCH in earm*) os=netbsdelf ;; @@ -218,7 +243,7 @@ ;; esac # Determine ABI tags. - case "$UNAME_MACHINE_ARCH" in + case $UNAME_MACHINE_ARCH in earm*) expr='s/^earmv0-9/-eabi/;s/eb$//' abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` @@ -229,7 +254,7 @@ # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. - case "$UNAME_VERSION" in + case $UNAME_VERSION in Debian*) release='-gnu'
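Review bot: The interpreter line changes from "#! /bin/sh" to "#!/usr/bin/sh", yet the comment added further down in the same file says the script must run on systems that only have a pre-POSIX /bin/sh. /usr/bin/sh is not guaranteed to exist outside merged-/usr systems, so it should be confirmed whether this line comes from the upstream copy referenced in the header URL or from a packaging step, and whether the file is ever executed directly. The set_cc_for_build hunk also keeps the last-resort branch that prints "Warning: creating insecure temp directory"; the build hosts should provide mktemp -d so that branch is never reached.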
View file
_service:tar_scm:audit-3.0.1.tar.gz/config.h.in -> _service:tar_scm:audit-3.0.9.tar.gz/config.h.in
Changed
@@ -44,6 +44,9 @@ /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H +/* IPX packet interpretation */ +#undef HAVE_IPX_HEADERS + /* Define to 1 if linux/fs.h defined kernel_rwf_t */ #undef HAVE_KERNEL_RWF_T @@ -65,9 +68,6 @@ /* Define to 1 if you have the <linux/fs.h> header file. */ #undef HAVE_LINUX_FS_H -/* Define to 1 if you have the <memory.h> header file. */ -#undef HAVE_MEMORY_H - /* Define to 1 if you have the `nanosleep' function. */ #undef HAVE_NANOSLEEP @@ -101,6 +101,9 @@ /* Define to 1 if you have the <stdint.h> header file. */ #undef HAVE_STDINT_H +/* Define to 1 if you have the <stdio.h> header file. */ +#undef HAVE_STDIO_H + /* Define to 1 if you have the <stdlib.h> header file. */ #undef HAVE_STDLIB_H @@ -140,6 +143,9 @@ /* Define to 1 if you have the <sys/timerfd.h> header file. */ #undef HAVE_SYS_TIMERFD_H +/* Define to 1 if you have the <sys/time.h> header file. */ +#undef HAVE_SYS_TIME_H + /* Define to 1 if you have the <sys/types.h> header file. */ #undef HAVE_SYS_TYPES_H @@ -176,10 +182,13 @@ /* The size of `unsigned long', as computed by sizeof. */ #undef SIZEOF_UNSIGNED_LONG -/* Define to 1 if you have the ANSI C header files. */ +/* Define to 1 if all of the C90 standard headers exist (not just the ones + required in a freestanding environment). This macro is provided for + backward compatibility; new code need not use it. */ #undef STDC_HEADERS -/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */ +/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. This + macro is obsolete. */ #undef TIME_WITH_SYS_TIME /* Defined when fanotify headers are found */ 
@@ -202,12 +211,3 @@ /* Define if you want to enable Arm eabi processor support. */ #undef WITH_ARM - -/* Define to empty if `const' does not conform to ANSI C. */ -#undef const - -/* Define to `__inline__' or `__inline' if that's what the C compiler - calls it, or to nothing if 'inline' is not supported under any name. */ -#ifndef __cplusplus -#undef inline -#endif
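Review bot: HAVE_MEMORY_H and the "#undef const" and "#undef inline" fallbacks are removed from the template, so any source file that still tests HAVE_MEMORY_H will silently stop including <memory.h>; a grep of the 3.0.9 tree for that macro is a cheap check. The new HAVE_IPX_HEADERS switch makes "IPX packet interpretation" depend on which headers the build host has, so the build environment decides whether that decoding is compiled in. The package's build dependencies should make that outcome deterministic rather than incidental.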
View file
_service:tar_scm:audit-3.0.1.tar.gz/config.sub -> _service:tar_scm:audit-3.0.9.tar.gz/config.sub
Changed
@@ -1,12 +1,14 @@ -#! /bin/sh +#!/usr/bin/sh # Configuration validation subroutine script. -# Copyright 1992-2018 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. -timestamp='2018-08-29' +# shellcheck disable=SC2006,SC2268 # see below for rationale + +timestamp='2022-01-03' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but @@ -33,7 +35,7 @@ # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub +# https://git.savannah.gnu.org/cgit/config.git/plain/config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -50,6 +52,13 @@ # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. +# The "shellcheck disable" line above the timestamp inhibits complaints +# about features and limitations of the classic Bourne shell that were +# superseded or lifted in POSIX. However, this script identifies a wide +# variety of pre-POSIX systems that do not have POSIX shells at all, and +# even some reasonably current systems (Solaris 10 as case-in-point) still +# have a pre-POSIX /bin/sh. + me=`echo "$0" | sed -e 's,.*/,,'` usage="\ @@ -67,7 +76,7 @@ version="\ GNU config.sub ($timestamp) -Copyright 1992-2018 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -89,7 +98,7 @@ - ) # Use stdin as input. break ;; -* ) - echo "$me: invalid option $1$help" + echo "$me: invalid option $1$help" >&2 exit 1 ;; *local*) @@ -111,9 +120,12 @@ esac # Split fields of configuration type -IFS="-" read -r field1 field2 field3 field4 <<EOF +# shellcheck disable=SC2162 +saved_IFS=$IFS +IFS="-" read field1 field2 field3 field4 <<EOF $1 EOF +IFS=$saved_IFS # Separate into logical components for further validation case $1 in @@ -123,37 +135,36 @@ ;; *-*-*-*) basic_machine=$field1-$field2 - os=$field3-$field4 + basic_os=$field3-$field4 ;; *-*-*) # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two # parts maybe_os=$field2-$field3 case $maybe_os in - nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc \ - | linux-newlib* | linux-musl* | linux-uclibc* | uclinux-uclibc* \ + nto-qnx* | linux-* | uclinux-uclibc* \ | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ | storm-chaos* | os2-emx* | rtmk-nova*) basic_machine=$field1 - os=$maybe_os + basic_os=$maybe_os ;; android-linux) basic_machine=$field1-unknown - os=linux-android + basic_os=linux-android ;; *) basic_machine=$field1-$field2 - os=$field3 + basic_os=$field3 ;; esac ;; *-*) - # A lone config we happen to match not fitting any patern + # A lone config we happen to match not fitting any pattern case $field1-$field2 in decstation-3100) basic_machine=mips-dec - os= + basic_os= ;; *-*) # Second component is usually, but not always the OS @@ -161,7 +172,11 @@ # Prevent following clause from handling this valid os sun*os*) basic_machine=$field1 - os=$field2 + basic_os=$field2 + ;; + zephyr*) + basic_machine=$field1-unknown + basic_os=$field2 ;; # Manufacturers dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ 
@@ -174,11 +189,11 @@ | microblaze* | sim | cisco \ | oki | wec | wrs | winbond) basic_machine=$field1-$field2 - os= + basic_os= ;; *) basic_machine=$field1 - os=$field2 + basic_os=$field2 ;; esac ;; @@ -190,450 +205,451 @@ case $field1 in 386bsd) basic_machine=i386-pc - os=bsd + basic_os=bsd ;; a29khif) basic_machine=a29k-amd - os=udi + basic_os=udi ;; adobe68k) basic_machine=m68010-adobe - os=scout + basic_os=scout ;; alliant) basic_machine=fx80-alliant - os= + basic_os= ;; altos | altos3068) basic_machine=m68k-altos - os= + basic_os= ;; am29k) basic_machine=a29k-none - os=bsd + basic_os=bsd ;; amdahl) basic_machine=580-amdahl - os=sysv + basic_os=sysv ;; amiga) basic_machine=m68k-unknown - os= + basic_os= ;; amigaos | amigados) basic_machine=m68k-unknown - os=amigaos + basic_os=amigaos ;; amigaunix | amix) basic_machine=m68k-unknown - os=sysv4 + basic_os=sysv4 ;; apollo68) basic_machine=m68k-apollo
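Review bot: The field split drops the -r flag ("IFS="-" read field1 field2 field3 field4") and silences the resulting warning with "shellcheck disable=SC2162", so read now treats a backslash in the argument as an escape character. The input is a configuration triplet, so the practical risk is low, but the rationale comment added near the top only covers SC2006 and SC2268; a short comment next to the SC2162 line saying the flag is omitted for pre-POSIX shells would document the choice. The rename of os to basic_os throughout also means any downstream patch to config.sub that assigns os= will need rebasing.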
View file
_service:tar_scm:audit-3.0.1.tar.gz/configure -> _service:tar_scm:audit-3.0.9.tar.gz/configure
Changed
@@ -1,10 +1,11 @@ #! /bin/sh # From configure.ac Revision: 1.3 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for audit 3.0.1. +# Generated by GNU Autoconf 2.71 for audit 3.0.9. # # -# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. +# Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, +# Inc. # # # This configure script is free software; the Free Software Foundation @@ -15,14 +16,16 @@ # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : +as_nop=: +if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 +then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST -else +else $as_nop case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( 
@@ -32,46 +35,46 @@ fi + +# Reset variables that may have inherited troublesome values from +# the environment. + +# IFS needs to be set, to space, tab, and newline, in precisely that order. +# (If _AS_PATH_WALK were called with IFS unset, it would have the +# side effect of setting IFS to empty, thus disabling word splitting.) +# Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl -# Printing a long string crashes Solaris 7 /usr/bin/printf. -as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' -as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo -as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -# Prefer a ksh shell builtin over an external printf program on Solaris, -# but without wasting forks for bash or zsh. -if test -z "$BASH_VERSION$ZSH_VERSION" \ - && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then - as_echo='print -r --' - as_echo_n='print -rn --' -elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then - as_echo='printf %s\n' - as_echo_n='printf %s' -else - if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then - as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' - as_echo_n='/usr/ucb/echo -n' - else - as_echo_body='eval expr "X$1" : "X\\(.*\\)"' - as_echo_n_body='eval - arg=$1; - case $arg in #( - *"$as_nl"*) - expr "X$arg" : "X\\(.*\\)$as_nl"; - arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; - esac; - expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" - ' - export as_echo_n_body - as_echo_n='sh -c $as_echo_n_body as_echo' - fi - export as_echo_body - as_echo='sh -c $as_echo_body as_echo' -fi +IFS=" "" $as_nl" + +PS1='$ ' +PS2='> ' +PS4='+ ' + +# Ensure predictable behavior from utilities with locale-dependent output. 
+LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# We cannot yet rely on "unset" to work, but we need these variables +# to be unset--not just set to an empty or harmless value--now, to +# avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct +# also avoids known problems related to "unset" and subshell syntax +# in other old shells (e.g. bash 2.01 and pdksh 5.2.14). +for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH +do eval test \${$as_var+y} \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done + +# Ensure that fds 0, 1, and 2 are open. +if (exec 3>&0) 2>/dev/null; then :; else exec 0</dev/null; fi +if (exec 3>&1) 2>/dev/null; then :; else exec 1>/dev/null; fi +if (exec 3>&2) ; then :; else exec 2>/dev/null; fi # The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then +if ${PATH_SEPARATOR+false} :; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || @@ -80,13 +83,6 @@ fi -# IFS -# We need space, tab and new line, in precisely that order. Quoting is -# there to prevent editors from complaining about space-tab. -# (If _AS_PATH_WALK were called with IFS unset, it would disable word -# splitting by setting IFS to empty value.) -IFS=" "" $as_nl" - # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( @@ -95,8 +91,12 @@ for as_dir in $PATH do IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + case $as_dir in #((( + '') as_dir=./ ;; + */) ;; + *) as_dir=$as_dir/ ;; + esac + test -r "$as_dir$0" && as_myself=$as_dir$0 && break done IFS=$as_save_IFS 
@@ -108,30 +108,10 @@ as_myself=$0 fi if test ! -f "$as_myself"; then - $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi -# Unset variables that we do not need and which cause bugs (e.g. in -# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -# suppresses any "Segmentation fault" message there. '((' could -# trigger a bug in pdksh 5.2.14. -for as_var in BASH_ENV ENV MAIL MAILPATH -do eval test x\${$as_var+set} = xset \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : -done -PS1='$ ' -PS2='> ' -PS4='+ ' - -# NLS nuisances. -LC_ALL=C -export LC_ALL -LANGUAGE=C -export LANGUAGE - -# CDPATH. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. @@ -153,20 +133,22 @@ exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. -$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -as_fn_exit 255 +printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 +exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + as_bourne_compatible="as_nop=: +if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 +then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST -else +else \$as_nop
View file
_service:tar_scm:audit-3.0.1.tar.gz/configure.ac -> _service:tar_scm:audit-3.0.9.tar.gz/configure.ac
Changed
@@ -1,7 +1,7 @@ dnl define(AC_INIT_NOTICE, ### Generated automatically using autoconf version AC_ACVERSION -### Copyright 2005-21 Steve Grubb <sgrubb@redhat.com> +### Copyright 2005-22 Steve Grubb <sgrubb@redhat.com> ### ### Permission is hereby granted, free of charge, to any person obtaining a ### copy of this software and associated documentation files (the "Software"), @@ -29,7 +29,7 @@ ) AC_REVISION($Revision: 1.3 $)dnl -AC_INIT(audit,3.0.1) +AC_INIT(audit,3.0.9) AC_PREREQ(2.12)dnl AM_CONFIG_HEADER(config.h) @@ -58,10 +58,9 @@ AC_HEADER_STDC AC_HEADER_TIME -AC_C_CONST -AC_C_INLINE AC_CHECK_SIZEOF(unsigned int) AC_CHECK_SIZEOF(unsigned long) +dnl; next is needed for old compilers and plugins/ids/Makefile.am AM_PROG_CC_C_O AC_CHECK_DECLS(AUDIT_FEATURE_VERSION, , , #include <linux/audit.h>) AC_CHECK_MEMBERS(struct audit_status.feature_bitmap, , , #include <linux/audit.h>) @@ -85,9 +84,25 @@ AC_DEFINE(HAVE_STRNDUPA, 1, Let us know if we have it or not), ) + +AC_MSG_CHECKING(__attr_access support) +AC_COMPILE_IFELSE( + AC_LANG_SOURCE( + + #include <stdio.h> + int audit_fgets(char *buf, size_t blen, int fd) + __attr_access ((__write_only__, 1, 2)); + int main(void) { return 0; }), + ACCESS="yes", + ACCESS="no" +) +AC_MSG_RESULT($ACCESS) + dnl; pthread_yield is used in zos-remote +OLDLIBS="$LIBS" AC_SEARCH_LIBS(pthread_yield, pthread, AC_DEFINE(HAVE_PTHREAD_YIELD, 1, Define to 1 if we have pthread_yield), ) +LIBS="$OLDLIBS" ALLWARNS="" ALLDEBUG="-g" 
@@ -339,6 +354,21 @@ fi ,WARNS="$ALLWARNS") +WFLAGS="" +AC_MSG_CHECKING(for -Wformat-truncation) +TMPCFLAGS="${CFLAGS}" +CFLAGS="${CFLAGS} -Wformat-truncation" +AC_LINK_IFELSE(AC_LANG_PROGRAM(, ),WFLAGS="-Wno-format-truncation" + AC_MSG_RESULT(yes), + AC_MSG_RESULT(no)) +CFLAGS="${TMPCFLAGS}" +CFLAGS="${CFLAGS} -Wunused-but-set-variable" +AC_LINK_IFELSE(AC_LANG_PROGRAM(, ),WFLAGS="${WFLAGS} -Wno-unused-but-set-variable" + AC_MSG_RESULT(yes), + AC_MSG_RESULT(no)) +CFLAGS="${TMPCFLAGS}" +AC_SUBST(WFLAGS) + withval="" AC_MSG_CHECKING(whether to include arm eabi processor support) AC_ARG_WITH(arm, @@ -416,6 +446,12 @@ AC_DEFINE_UNQUOTED(HAVE_LIBWRAP, , Define if tcp_wrappers support is enabled ) fi +# linux/ipx.h - deprecated in 2018 +AC_CHECK_HEADER(linux/ipx.h, ipx_headers=yes, ipx_headers=no) +if test $ipx_headers = yes ; then + AC_DEFINE(HAVE_IPX_HEADERS,1,IPX packet interpretation) +fi + # See if we want to support lower capabilities for plugins LIBCAP_NG_PATH @@ -434,4 +470,5 @@ Compiler: $CC Compiler flags: `echo $CFLAGS | fmt -w 50 | sed 's,^, ,'` + __attr_access support: $ACCESS "
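Review bot: In the @@ -339,6 hunk the second probe (-Wunused-but-set-variable) calls AC_MSG_RESULT without an AC_MSG_CHECKING of its own, so configure prints a bare yes/no that reads as if it belonged to the -Wformat-truncation check. Add AC_MSG_CHECKING(for -Wunused-but-set-variable) before that AC_LINK_IFELSE. Separately, in the @@ -85,9 hunk the ACCESS result of the __attr_access probe is only echoed by AC_MSG_RESULT and the final summary in the lines shown. If any code is meant to depend on it, it needs an AC_DEFINE or AC_SUBST; if it is purely informational, a dnl comment saying so would help.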
View file
_service:tar_scm:audit-3.0.1.tar.gz/contrib/plugin/audisp-example.c -> _service:tar_scm:audit-3.0.9.tar.gz/contrib/plugin/audisp-example.c
Changed
@@ -1,5 +1,5 @@ /* audisp-example.c -- - * Copyright 2012 Red Hat Inc., Durham, North Carolina. + * Copyright 2012 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -30,10 +30,19 @@ * It will print things to stdout. In a real program, you wouldn't * do anything with stdout since that is likely to be pointing to /dev/null. * - * Excluding some init/destroy items you might need to add to main, the + * Excluding some init/destroy items you might need to add to main, the * event_handler function is the main place that you would modify to do - * things specific to your plugin. + * things specific to your plugin. * + * Also, note that for a "real" plugin, you may have to add an internal queue + * to your application. If plugins do any kind of networking or in depth + * processing of incoming events, auditd's internal queue can overflow because + * the socket connecting to the plugin's stdin get backed up. When audit has + * nowhere to put events, the kernel's audit backlog can get filled up. + * If that happens, the backlog_wait_time is consulted by the kernel which + * may have the effect of slowing down the whole system. A good design would be + * to have 2 threads, one watching for inbound events and one doing the + * processing of the events with a configurable queue in between. */ #define _GNU_SOURCE @@ -58,7 +67,7 @@ /* * SIGTERM handler */ -static void term_handler( int sig ) +static void term_handler(int sig) { stop = 1; } @@ -66,7 +75,7 @@ /* * SIGHUP handler: re-read config */ -static void hup_handler( int sig ) +static void hup_handler(int sig) { hup = 1; } @@ -74,6 +83,11 @@ static void reload_config(void) { hup = 0; + + /* + * Add your code here that re-reads the config file and changes + * how your plugin works. + */ } int main(int argc, char *argv) 
@@ -98,39 +112,43 @@ printf("audisp-example is exiting due to auparse init errors"); return -1; } + auparse_set_eoe_timeout(2); auparse_add_callback(au, handle_event, NULL, NULL); do { fd_set read_mask; - struct timeval tv; - int retval = 0; - int read_size = 0; + int retval; + int read_size = 1; /* Set to 1 so it's not EOF */ /* Load configuration */ if (hup) { reload_config(); } do { - /* If we timed out & have events, shake them loose */ - if (retval == 0 && auparse_feed_has_data(au)) - auparse_feed_age_events(au); - - tv.tv_sec = 3; - tv.tv_usec = 0; FD_ZERO(&read_mask); FD_SET(0, &read_mask); - if (auparse_feed_has_data(au)) + + if (auparse_feed_has_data(au)) { + struct timeval tv; + tv.tv_sec = 1; + tv.tv_usec = 0; retval= select(1, &read_mask, NULL, NULL, &tv); - else + } else retval= select(1, &read_mask, NULL, NULL, NULL); + + /* If we timed out & have events, shake them loose */ + if (retval == 0 && auparse_feed_has_data(au)) + auparse_feed_age_events(au); + } while (retval == -1 && errno == EINTR && !hup && !stop); /* Now the event loop */ if (!stop && !hup && retval > 0) { - while ((read_size = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH)) > 0) { + while ((read_size = read(0, tmp, + MAX_AUDIT_MESSAGE_LENGTH)) > 0) { auparse_feed(au, tmp, read_size); } } - if (read_size == 0) /* check eof */ + if (read_size == 0) /* EOF */ break; } while (stop == 0); @@ -164,7 +182,7 @@ } /* This function shows how to iterate through the fields of a record - * and print its name and raw value and interpretted value. */ + * and print its name and raw value and interpreted value. */ static void dump_fields_of_record(auparse_state_t *au) { printf("record type %d(%s) has %d fields\n", auparse_get_type(au),
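Review bot: The outer loop in the @@ -98,39 hunk has no exit path for a hard failure on stdin. If select() returns -1 with an errno other than EINTR, the inner loop ends, the read is skipped because retval is not > 0, read_size keeps its initial value of 1, and `while (stop == 0)` goes straight back around, so the plugin spins. A read() failure is handled the same way, since only `read_size == 0` breaks out. Plugin authors copy this example, so it should log and leave the loop on those errors. Minor: in the new header comment, "stdin get backed up" should be "gets backed up".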
View file
_service:tar_scm:audit-3.0.1.tar.gz/depcomp -> _service:tar_scm:audit-3.0.9.tar.gz/depcomp
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2020 Free Software Foundation, Inc. +# Copyright (C) 1999-2021 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/docs/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -32,11 +33,17 @@ audit_log_acct_message.3 audit_log_user_avc_message.3 \ audit_log_user_command.3 audit_log_user_comm_message.3 \ audit_log_user_message.3 audit_log_semanage_message.3 \ -auparse_new_buffer.3 audit_open.3 audit_request_rules_list_data.3 \ +auparse_new_buffer.3 audit_open.3 audit_close.3 \ +audit_is_enabled.3 audit_request_rules_list_data.3 \ audit_request_signal_info.3 audit_request_status.3 audit.rules.7 \ audit_set_backlog_limit.3 audit_set_enabled.3 audit_set_failure.3 \ audit_setloginuid.3 audit_set_pid.3 audit_set_rate_limit.3 \ -audit_update_watch_perms.3 auparse_add_callback.3 \ +audit_update_watch_perms.3 audit_value_needs_encoding.3 \ +audit_encode_value.3 auparse_add_callback.3 audit_name_to_syscall.3 \ +audit_syscall_to_name.3 audit_name_to_errno.3\ +audit_fstype_to_name.3 audit_name_to_fstype.3 \ +audit_name_to_action.3 \ +audit_flag_to_name.3 audit_name_to_flag.3 \ auparse_destroy.3 auparse_feed.3 auparse_feed_age_events.3 \ auparse_feed_has_data.3 auparse_find_field.3 \ auparse_find_field_next.3 auparse_first_field.3 auparse_first_record.3 \
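Review bot: In the @@ -32,11 hunk, `audit_name_to_errno.3\` is missing the space before the continuation backslash that the other lines of this list have; add it for consistency. Also, the list installs audit_name_to_action.3 and audit_name_to_errno.3, whose NAME sections also document audit_action_to_name and audit_errno_to_name, but no page or .so alias is listed under those two names, so `man audit_action_to_name` will not resolve.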
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/docs/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -200,6 +201,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -211,8 +214,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -268,6 +273,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -321,6 +327,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -344,11 +351,17 @@ audit_log_acct_message.3 audit_log_user_avc_message.3 \ audit_log_user_command.3 audit_log_user_comm_message.3 \ audit_log_user_message.3 audit_log_semanage_message.3 \ -auparse_new_buffer.3 audit_open.3 audit_request_rules_list_data.3 \ +auparse_new_buffer.3 audit_open.3 audit_close.3 \ +audit_is_enabled.3 audit_request_rules_list_data.3 \ audit_request_signal_info.3 audit_request_status.3 audit.rules.7 \ audit_set_backlog_limit.3 audit_set_enabled.3 audit_set_failure.3 \ audit_setloginuid.3 audit_set_pid.3 audit_set_rate_limit.3 \ -audit_update_watch_perms.3 auparse_add_callback.3 \ +audit_update_watch_perms.3 audit_value_needs_encoding.3 \ +audit_encode_value.3 auparse_add_callback.3 audit_name_to_syscall.3 \ +audit_syscall_to_name.3 audit_name_to_errno.3\ +audit_fstype_to_name.3 audit_name_to_fstype.3 \ +audit_name_to_action.3 \ +audit_flag_to_name.3 audit_name_to_flag.3 \ auparse_destroy.3 auparse_feed.3 auparse_feed_age_events.3 \ auparse_feed_has_data.3 auparse_find_field.3 \ auparse_find_field_next.3 auparse_first_field.3 auparse_first_record.3 \ @@ -591,7 +604,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audispd-zos-remote.8 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audispd-zos-remote.8
Changed
@@ -18,7 +18,7 @@ .\" Changelog: .\" 2007-10-06, created by Klaus Heinrich Kiwi <klausk@br.ibm.com> .\" -.TH AUDISP-RACF 8 "Oct 2007" "IBM" "System Administration Utilities" +.TH AUDISPD-ZOS-REMOTE 8 "Oct 2007" "IBM" "System Administration Utilities" .SH NAME audispd\-zos\-remote \- z/OS Remote-services Audit dispatcher plugin .SH SYNOPSIS @@ -71,7 +71,7 @@ .SH IBM z/OS ITDS Server and RACF configuration In order to use this plugin, you must have an IBM z/OS v1R8 (or higher) server with IBM Tivoli Directory Server (ITDS) configured for Remote Audit service. For more detailed information about how to configure the z/OS server for Remote Auditing, refer to -.B z/OS V1R8.0-9.0 Intergrated Security Services Enterprise Identity Mapping (EIM) Guide and Reference +.B z/OS V1R8.0-9.0 Integrated Security Services Enterprise Identity Mapping (EIM) Guide and Reference .nf .RI ( http://publibz.boulder.ibm.com/cgi\-bin/bookmgr_OS390/FRAMESET/EIMA1140/CCONTENTS?DT=20070827115119 ), chapter "2.0 - Working with remote services". @@ -196,7 +196,7 @@ this list will bring all the field names and values in a .B fieldname=value format, as a type 114 -.RB ( "Appication specific Data" ) +.RB ( "Application specific Data" ) relocate. The plug-in will try to interpret those fields (i.e.: use human-readable username .B root instead of numeric userid 
@@ -222,14 +222,14 @@ The user ID associated with the ITDS doesn't have READ access to the IRR.AUDITX FACILITY Class profile. See .B IBM z/OS RACF Server configuration .TP -.B UNSUF_AUTH - The user has unsuficient authority for the requested function +.B UNSUF_AUTH - The user has unsufficient authority for the requested function The RACF user ID used to perform Remote Audit requests (as configured in .BR zos-remote.conf (5)) don't have access to the IRR.LDAP.REMOTE.AUDIT FACILITY Class profile. See .B IBM z/OS RACF Server configuration .SH BUGS -The plugin currently does remote auditing in a best-effort basis, and will dischard events in case the z/OS server cannot be contacted (network failures) or in any other case that event submission fails. +The plugin currently does remote auditing in a best-effort basis, and will discard events in case the z/OS server cannot be contacted (network failures) or in any other case that event submission fails. .SH FILES /etc/audit/plugins.d/audispd\-zos\-remote.conf
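Review bot: The UNSUF_AUTH correction in the @@ -222,14 hunk replaces "unsuficient" with "unsufficient", which is still a misspelling; the word wanted is "insufficient". While this paragraph is being touched, the context line "don't have access to the IRR.LDAP.REMOTE.AUDIT FACILITY Class profile" should read "doesn't have access", since its subject is "The RACF user ID".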
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit.rules.7 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit.rules.7
Changed
@@ -1,4 +1,4 @@ -.TH AUDIT.RULES: "7" "Jan 2019" "Red Hat" "System Administration Utilities" +.TH AUDIT.RULES "7" "Jan 2019" "Red Hat" "System Administration Utilities" .SH NAME audit.rules \- a set of rules loaded in the kernel audit system .SH DESCRIPTION @@ -43,7 +43,7 @@ .SS System Call The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. -The Linux kernel has 4 rule matching lists or filters as they are sometimes called. They are: task, exit, user, and exclude. The task list is checked only during the fork or clone syscalls. It is rarely used in practice. +The Linux kernel has 5 rule matching lists or filters as they are sometimes called. They are: task, exit, user, exclude, and filesystem. The task list is checked only during the fork or clone syscalls. It is rarely used in practice. The exit filter is the place where all syscall and file system audit requests are evaluated. @@ -71,7 +71,7 @@ .RE The action and list are separated by a comma but no space in between. Valid lists are: -.IR task ", " exit ", " user ", and " exclude ". Their meaning was explained earlier. +.IR task ", " exit ", " user ", " exclude ", and " filesystem ". Their meaning was explained earlier. Next in the rule would normally be the .B \-S 
@@ -113,7 +113,7 @@ This will give an ordered listing of the keys associated with rules that have been triggering. If, for example, you had a syscall audit rule that triggered on the failure to open files with EPERM that had a key field of access like this: .nf -\-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EPERM \-k access +\-a always,exit \-F arch=b64 \-S open \-S openat \-S openat2 \-F exit=\-EPERM \-k access .fi Then you can isolate these failures with ausearch and pipe the results to aureport for display. Suppose your investigation noticed a lot of the access denied events. If you wanted to see the files that unauthorized access has been attempted, you could run the following command: @@ -166,10 +166,10 @@ The following rule shows how to audit failed access to files due to permission problems. Note that it takes two rules for each arch ABI to audit this since file access can fail with two different failure codes indicating permission problems. .nf -.B \-a always,exit \-F arch=b32 \-S open \-S openat \-F exit=\-EACCES \-k access -.B \-a always,exit \-F arch=b32 \-S open \-S openat \-F exit=\-EPERM \-k access -.B \-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EACCES \-k access -.B \-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EPERM \-k access +.B \-a always,exit \-F arch=b32 \-S open \-S openat \-S openat2 \-F exit=\-EACCES \-k access +.B \-a always,exit \-F arch=b32 \-S open \-S openat \-S openat2 \-F exit=\-EPERM \-k access +.B \-a always,exit \-F arch=b64 \-S open \-S openat \-S openat2 \-F exit=\-EACCES \-k access +.B \-a always,exit \-F arch=b64 \-S open \-S openat \-S openat2 \-F exit=\-EPERM \-k access .fi .SH HARD WIRED EVENTS
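Review bot: The @@ -43,7 and @@ -71,7 hunks add filesystem to the list of filters, and the second still ends with "Their meaning was explained earlier", but the description visible here only covers the task and exit lists. Check that the page has a paragraph saying what the filesystem list matches, or reword that sentence. The openat2 additions are applied consistently to all five example rules.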
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_add_rule_data.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_add_rule_data.3
Changed
@@ -4,11 +4,11 @@ .SH "SYNOPSIS" .B #include <libaudit.h> .sp -int audit_add_rule_data (int fd, struct audit_rule_data *rule, int flags, int action); +int audit_add_rule_data(int fd, struct audit_rule_data *rule, int flags, int action); .SH "DESCRIPTION" -audit_add_rule adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are: +audit_add_rule_data adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are: .TP 3 \(bu @@ -45,7 +45,7 @@ .SH "SEE ALSO" -.BR audit_rule_fieldpair_data(3), +.BR audit_rule_fieldpair_data (3), .BR audit_delete_rule_data (3), .BR auditctl (8).
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_close.3
Added
@@ -0,0 +1,27 @@ +.TH "AUDIT_CLOSE" "3" "Apr 2021" "Red Hat" "Linux Audit API" +.SH NAME +audit_close \- Close the audit netlink socket connection +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "void audit_close(int " fd ); +.fi +.SH "DESCRIPTION" +.BR audit_close () +closes the NETLINK_AUDIT socket that communicates with the kernel part of the Linux Audit Subsystem. +.I fd +must have been returned by +.BR audit_open (3). + +.SH "RETURN VALUE" + +None. + +.SH "SEE ALSO" + +.BR audit_open (3), +.BR netlink (7). + +.SH AUTHOR +Steve Grubb
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_delete_rule_data.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_delete_rule_data.3
Changed
@@ -4,7 +4,7 @@ .SH "SYNOPSIS" .B #include <libaudit.h> .sp -int audit_delete_rule_data (int fd, struct audit_rule_data *rule, int flags, int action); +int audit_delete_rule_data(int fd, struct audit_rule_data *rule, int flags, int action); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_detect_machine.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_detect_machine.3
Changed
@@ -4,7 +4,7 @@ .SH "SYNOPSIS" .B #include <libaudit.h> .sp -int audit_detect_machine (void); +int audit_detect_machine(void); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_encode_nv_string.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_encode_nv_string.3
Changed
@@ -9,7 +9,7 @@ .SH DESCRIPTION This function is used to encode a name/value pair. This should be used on any field being logged that potentially contains a space, a double-quote, or a control character. Any value containing those have to be specially encoded for the auparse library to correctly handle the value. The encoding method is designed to prevent log injection attacks where malicious values could cause parsing errors. -To use this function, pass the name string and value strings on their respective arguments. If the value is likely to have a NUL value embedded within it, you will need to pass a value length that tells in bytes how big the value is. Otherwise, you can pass a 0 for vlen and the function will simply use strlen against the value pointer. Also be aware that the name of the field will cause auparse to do certain things when interpretting the value. If the name is uid, a user id value in decimal is expected. Make sure that well known names are used for their intended purpose or that there is no chance of name collision with something new. +To use this function, pass the name string and value strings on their respective arguments. If the value is likely to have a NUL value embedded within it, you will need to pass a value length that tells in bytes how big the value is. Otherwise, you can pass a 0 for vlen and the function will simply use strlen against the value pointer. Also be aware that the name of the field will cause auparse to do certain things when interpreting the value. If the name is uid, a user id value in decimal is expected. Make sure that well known names are used for their intended purpose or that there is no chance of name collision with something new. .SH "RETURN VALUE"
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_encode_value.3
Added
@@ -0,0 +1,36 @@ +.TH "AUDIT_ENCODE_VALUE" "3" "May 2021" "Red Hat" "Linux Audit API" +.SH NAME +audit_encode_value \- encode input string to ASCII code string +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "char *audit_encode_value(char *" final ", const char *" buf ", unsigned int " size "); +.fi +.SH "DESCRIPTION" +.BR audit_encode_value () +encodes a string given by +.I buf +to a ASCII code string. +.I final +is the hexadecimal string encoded to ASCII code. +.I size +is the length of the string given by +.IR buf . + +e.g.: "foo bar" is encoded as "666F6F20626172". "\\1\\2\\3\\4" is encoded as "01020304". + +.SH "RETURN VALUE" + +Returns a encoded string same as +.I final +or, NULL on error. + +.SH "SEE ALSO" + +.BR audit_encode_nv_string (3), +.BR audit_value_needs_encoding (3). + +.SH AUTHOR +Steve Grubb +
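Review bot: The DESCRIPTION never states how large the caller's `final` buffer must be. The examples show the output is two hex characters per input byte ("foo bar", 7 bytes, becomes the 14-character "666F6F20626172"), so `final` has to hold at least 2 * size + 1 bytes, and a caller who passes a buffer of `size` bytes will overflow it. Add that requirement explicitly. Wording nits: "a ASCII code string" and "a encoded string" should use "an", and "is the hexadecimal string encoded to ASCII code" would be clearer as "is the buffer that receives the hexadecimal encoding".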
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_flag_to_name.3
Added
@@ -0,0 +1,25 @@ +.TH "AUDIT_FLAG_TO_NAME" "3" "Mar 2022" "Red Hat" "Linux Audit API" +.SH NAME +audit_flag_to_name \- Convert the numeric rule-matching filter value to the rule-matching filter name +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "const char *audit_flag_to_name(int " flag ); +.fi +.SH "DESCRIPTION" +.BR audit_flag_to_name () +converts the numeric rule-matching filter value (AUDIT_FILTER_TASK, AUDIT_FILTER_EXIT, AUDIT_FILTER_USER, AUDIT_FILTER_EXCLUDE, AUDIT_FILTER_FS) to the rule-matching filter name ("task", "exit", "user", "exclude", "filesystem"). +.I flag +is the numeric rule-matching filter value. + +.SH "RETURN VALUE" + +Returns NULL if an error occurs; otherwise, the return value is the rule-matching filter name. + +.SH "SEE ALSO" + +.BR audit_name_to_flag (3), + +.SH AUTHOR +Steve Grubb
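Review bot: The SEE ALSO list ends with `.BR audit_name_to_flag (3),` so the rendered page finishes on a dangling comma. End the last entry with a period, as audit_close.3 does with `.BR netlink (7).`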
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_fstype_to_name.3
Added
@@ -0,0 +1,25 @@ +.TH "AUDIT_FSTYPE_TO_NAME" "3" "Mar 2022" "Red Hat" "Linux Audit API" +.SH NAME +audit_fstype_to_name \- Convert the numeric fstype value to the fstype name +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "const char *audit_fstype_to_name(int " fstype ); +.fi +.SH "DESCRIPTION" +.BR audit_fstype_to_name () +converts the numeric fstype value (0x64626720 or 0x74726163) to the fstype name ("debugfs" or "tracefs"). +.I fstype +is the numeric fstype value. + +.SH "RETURN VALUE" + +Returns NULL if an error occurs; otherwise, the return value is the fstype name. + +.SH "SEE ALSO" + +.BR audit_name_to_fstype (3), + +.SH AUTHOR +Steve Grubb
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_get_reply.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_get_reply.3
Changed
@@ -11,7 +11,7 @@ .SH "RETURN VALUE" -This function returns \-1 on error, 0 if error response received, and positive value on success. +This function returns \-errno on error, 0 if error response received, and positive value on success. .SH "SEE ALSO"
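Review bot: Changing the documented error return from \-1 to \-errno alters the contract callers code against: anything that tests `== -1` will now miss most failures. The page should tell callers to test for a negative value, and the release notes should flag the change so existing users of audit_get_reply() get audited. It would also help to say how "0 if error response received" differs from the negative case.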
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_is_enabled.3
Added
@@ -0,0 +1,27 @@ +.TH "AUDIT_IS_ENABLED" "3" "May 2021" "Red Hat" "Linux Audit API" +.SH NAME +audit_is_enabled \- judge whether auditing is enabled or not +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "int audit_is_enabled(int " fd "); +.fi +.SH "DESCRIPTION" +.BR audit_is_enabled () +judges whether auditing is enabled or not. +.I fd +must have been returned by +.BR audit_open (3). + +.SH "RETURN VALUE" + +This function will return 0 if auditing is NOT enabled and 1 if enabled, and -1 on error. + +.SH "SEE ALSO" + +.BR audit_set_enabled (3). + +.SH AUTHOR +Steve Grubb +
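Review bot: RETURN VALUE describes a three-way result (0, 1, and -1 on error), which is easy to misuse as a boolean: `if (audit_is_enabled(fd))` treats the error case as "enabled". Add a sentence telling callers to compare against 1 or to check for -1 first. Style: the other pages in this change write the value as `\-1` in man source, and "judges whether auditing is enabled" would read better as "checks whether auditing is enabled".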
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_log_semanage_message.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_log_semanage_message.3
Changed
@@ -13,7 +13,7 @@ .SH DESCRIPTION This function will log a message to the audit system using a predefined -message format. It should be used for all SE linux user and role +message format. It should be used for all SE Linux user and role manipulation operations. The function parameters are as follows: .nf
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_log_user_avc_message.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_log_user_avc_message.3
Changed
@@ -33,7 +33,7 @@ .BR audit_log_user_message (3), .BR audit_log_acct_message (3), -.BR audit_log_user_avc_message (3), +.BR audit_log_user_comm_message (3), .BR audit_log_semanage_message (3). .SH AUTHOR
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_name_to_action.3
Added
@@ -0,0 +1,32 @@ +.TH "AUDIT_NAME_TO_ACTION" "3" "Mar 2022" "Red Hat" "Linux Audit API" +.SH NAME +audit_name_to_action, audit_action_to_name \- Convert the action name to the numeric action value to each other +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "int audit_name_to_action(const char " *action ); +.PP +.BI "const char *audit_action_to_name(int " action ); +.fi +.SH "DESCRIPTION" +.BR audit_name_to_action () +converts the action name ("never", "possible", "always") to the numeric action value (AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS). +.I action +is the action name. +.PP +.BR audit_action_to_name () +converts the numeric action value (AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS) to the action name ("never", "possible", "always"). +.I action +is the numeric action value + +.SH "RETURN VALUE" + +.BR audit_name_to_action () +returns -1 if an error occurs; otherwise, the return value is the numeric action value. +.PP +.BR audit_action_to_name () +returns NULL if an error occurs; otherwise, the return value is the action name. + +.SH AUTHOR +Steve Grubb
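Review bot: The NAME line "Convert the action name to the numeric action value to each other" is garbled; match the sibling page and write "Convert the action name and the numeric action value to each other". The last DESCRIPTION sentence, "is the numeric action value", is missing its period, and unlike the other new pages this one has no SEE ALSO section.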
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_name_to_errno.3
Added
@@ -0,0 +1,32 @@ +.TH "AUDIT_NAME_TO_ERRNO" "3" "Mar 2022" "Red Hat" "Linux Audit API" +.SH NAME +audit_name_to_errno, audit_errno_to_name \- Convert the errno name and the numeric errno value to each other +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "int audit_name_to_errno(const char " *error ); +.PP +.BI "const char *audit_errno_to_name(int " error ); +.fi +.SH "DESCRIPTION" +.BR audit_name_to_errno () +converts the errno name ("EPERM", "ENOENT", "ESRCH", etc.) to the numeric errno value (EPERM, ENOENT, ESRCH, etc.). +.I error +is the errno name. +.PP +.BR audit_errno_to_name () +converts the numeric errno value (EPERM, ENOENT, ESRCH, etc.) to the errno name ("EPERM", "ENOENT", "ESRCH", etc.). +.I error +is the numeric errno value. + +.SH "RETURN VALUE" + +.BR audit_name_to_errno () +returns 0 if an error occurs; otherwise, the return value is the numeric errno value. +.PP +.BR audit_errno_to_name () +returns NULL if an error occurs; otherwise, the return value is the errno name. + +.SH AUTHOR +Steve Grubb
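Review bot: RETURN VALUE says audit_name_to_errno() returns 0 on error, while the other name-to-number pages added in this revision (action, flag, fstype, syscall) all document -1. If 0 is the real behaviour, call the difference out explicitly so that callers do not rely on a '< 0' check that can never fire; otherwise correct the value.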
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_name_to_flag.3
Added
@@ -0,0 +1,25 @@ +.TH "AUDIT_NAME_TO_FLAG" "3" "Mar 2022" "Red Hat" "Linux Audit API" +.SH NAME +audit_name_to_flag \- Convert the rule-matching filter name to the numeric rule-matching filter value +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "int audit_name_to_flag(const char " *flag ); +.fi +.SH "DESCRIPTION" +.BR audit_name_to_flag () +converts the rule-matching filter name ("task", "exit", "user", "exclude", "filesystem") to the numeric rule-matching filter value (AUDIT_FILTER_TASK, AUDIT_FILTER_EXIT, AUDIT_FILTER_USER, AUDIT_FILTER_EXCLUDE, AUDIT_FILTER_FS). +.I flag +is the rule-matching filter name. + +.SH "RETURN VALUE" + +Returns -1 if an error occurs; otherwise, the return value is the numeric rule-matching filter value. + +.SH "SEE ALSO" + +.BR audit_flag_to_name (3), + +.SH AUTHOR +Steve Grubb
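Review bot: The SEE ALSO list ends with a comma ('.BR audit_flag_to_name (3),'); as the only and last entry it should end with a period, as the final entry in audit_name_to_syscall.3 does.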
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_name_to_fstype.3
Added
@@ -0,0 +1,25 @@ +.TH "AUDIT_NAME_TO_FSTYPE" "3" "Mar 2022" "Red Hat" "Linux Audit API" +.SH NAME +audit_name_to_fstype \- Convert the fstype name to the numeric fstype value +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "int audit_name_to_fstype(const char " *name ); +.fi +.SH "DESCRIPTION" +.BR audit_name_to_fstype () +converts the fstype name ("debugfs" or "tracefs") to the numeric fstype value (0x64626720 or 0x74726163). +.I name +is the fstype name. + +.SH "RETURN VALUE" + +Returns -1 if an name occurs; otherwise, the return value is the numeric fstype value. + +.SH "SEE ALSO" + +.BR audit_fstype_to_name (3), + +.SH AUTHOR +Steve Grubb
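Review bot: RETURN VALUE reads 'Returns -1 if an name occurs', which looks like a search-and-replace slip for 'if an error occurs'. The single SEE ALSO entry also ends with a comma instead of a period.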
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_name_to_syscall.3
Added
@@ -0,0 +1,31 @@ +.TH "AUDIT_NAME_TO_SYSCALL" "3" "Nov 2021" "Red Hat" "Linux Audit API" +.SH NAME +audit_name_to_syscall \- Convert the syscall name to the numeric syscall value +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "int audit_name_to_syscall(const char " *sc ", int " machine ); +.fi +.SH "DESCRIPTION" +.BR audit_name_to_syscall () +converts the syscall name to the numeric syscall value. +.I sc +is the syscall name. +.I machine +is the enum value of the machine type defined in machine_t. +.I machine +can be obtained by calling +.BR audit_detect_machine (3). + +.SH "RETURN VALUE" + +Returns -1 if an error occurs; otherwise, the return value is the numeric syscall value. + +.SH "SEE ALSO" + +.BR audit_syscall_to_name (3), +.BR audit_detect_machine (3). + +.SH AUTHOR +Steve Grubb
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_open.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_open.3
Changed
@@ -4,7 +4,7 @@ .SH "SYNOPSIS" .B #include <libaudit.h> .sp -int audit_open (void); +int audit_open(void); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_request_rules_list_data.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_request_rules_list_data.3
Changed
@@ -1,10 +1,10 @@ -.TH "AUDIT_REQUEST_LIST_DATA" "3" "Oct 2006" "Red Hat" "Linux Audit API" +.TH "AUDIT_REQUEST_RULES_LIST_DATA" "3" "Oct 2006" "Red Hat" "Linux Audit API" .SH NAME audit_request_rules_list_data \- Request list of current audit rules .SH "SYNOPSIS" .B #include <libaudit.h> .sp -int audit_request_rules_list_data (int fd); +int audit_request_rules_list_data(int fd); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_request_signal_info.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_request_signal_info.3
Changed
@@ -1,4 +1,4 @@ -.TH "AUDIT_" "3" "Feb 2007" "Red Hat" "Linux Audit API" +.TH "AUDIT_REQUEST_SIGNAL_INFO" "3" "Feb 2007" "Red Hat" "Linux Audit API" .SH NAME audit_request_signal_info \- Request signal info for the audit system .SH "SYNOPSIS"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_request_status.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_request_status.3
Changed
@@ -5,7 +5,7 @@ .B #include <libaudit.h> .sp -int audit_request_status (int fd); +int audit_request_status(int fd); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_set_backlog_limit.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_set_backlog_limit.3
Changed
@@ -5,7 +5,7 @@ .B #include <libaudit.h> .sp -int audit_set_backlog_limit (int fd, int limit); +int audit_set_backlog_limit(int fd, uint32_t limit); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_set_backlog_wait_time.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_set_backlog_wait_time.3
Changed
@@ -5,7 +5,7 @@ .B #include <libaudit.h> .sp -int audit_set_backlog_wait_time (int fd, int wait_time); +int audit_set_backlog_wait_time(int fd, uint32_t bwt); .SH "DESCRIPTION"
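Review bot: DESCRIPTION is not touched alongside the SYNOPSIS change, which renames the second parameter from wait_time to bwt and makes it uint32_t; check that the body no longer refers to wait_time. auditctl.8 in this revision still documents the option as '--backlog_wait_time wait_time' and gives the accepted range (greater than or equal to zero and less than 10 times the default value), which is worth repeating here now that the type is unsigned.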
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_set_enabled.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_set_enabled.3
Changed
@@ -5,7 +5,7 @@ .B #include <libaudit.h> .sp -int audit_set_enabled (int fd, int enabled); +int audit_set_enabled(int fd, uint32_t enabled); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_set_failure.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_set_failure.3
Changed
@@ -5,7 +5,7 @@ .B #include <libaudit.h> .sp -int audit_set_failure(int fd, int failure); +int audit_set_failure(int fd, uint32_t failure); .SH "DESCRIPTION" @@ -29,7 +29,7 @@ .SH "SEE ALSO" -.BR audit_set_backlog (3), +.BR audit_set_backlog_limit (3), .BR audit_open (3), .BR auditd (8), .BR auditctl (8).
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_set_pid.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_set_pid.3
Changed
@@ -5,7 +5,7 @@ .B #include <libaudit.h> .sp -int audit_set_pid (int fd, int pid, rep_wait_t wmode); +int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_set_rate_limit.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_set_rate_limit.3
Changed
@@ -5,7 +5,7 @@ .B #include <libaudit.h> .sp -int audit_set_rate_limit (int fd, int limit); +int audit_set_rate_limit(int fd, uint32_t limit); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/audit_setloginuid.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/audit_setloginuid.3
Changed
@@ -10,7 +10,7 @@ This function sets the task attribute loginuid with the value of uid. The loginuid value may only be set by programs with the CAP_AUDIT_CONTROL capability. This normally means the root account. .sp -The loginuid value is part of the task structure and is inheritted by child processes. It is used to track what account a user gained system access with. All system entry point programs should set this value right before changing to the uid of the user granted access so that audit events are properly attributed to the that user. +The loginuid value is part of the task structure and is inherited by child processes. It is used to track what account a user gained system access with. All system entry point programs should set this value right before changing to the uid of the user granted access so that audit events are properly attributed to the that user. .SH "RETURN VALUE"
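Review bot: The corrected paragraph still ends with 'attributed to the that user'; drop the extra 'the' while this line is being changed.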
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_syscall_to_name.3
Added
@@ -0,0 +1,31 @@ +.TH "AUDIT_SYSCALL_TO_NAME" "3" "Nov 2021" "Red Hat" "Linux Audit API" +.SH NAME +audit_syscall_to_name \- Convert the numeric syscall value to the syscall name +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "const char *audit_syscall_to_name(int " sc ", int " machine ); +.fi +.SH "DESCRIPTION" +.BR audit_syscall_to_name () +converts the numeric syscall value to the syscall name. +.I sc +is the numeric syscall value. +.I machine +is the enum value of the machine type defined in machine_t. +.I machine +can be obtained by calling +.BR audit_detect_machine (3). + +.SH "RETURN VALUE" + +Returns NULL if an error occurs; otherwise, the return value is the syscall name. + +.SH "SEE ALSO" + +.BR audit_name_to_syscall (3), +.BR audit_detect_machine (3). + +.SH AUTHOR +Steve Grubb
View file
_service:tar_scm:audit-3.0.9.tar.gz/docs/audit_value_needs_encoding.3
Added
@@ -0,0 +1,27 @@ +.TH "AUDIT_VALUE_NEEDS_ENCODING" "3" "Apr 2021" "Red Hat" "Linux Audit API" +.SH NAME +audit_value_needs_encoding \- check a string to see if it needs encoding +.SH "SYNOPSIS" +.nf +.B #include <libaudit.h> +.PP +.BI "int audit_value_needs_encoding(const char *" str ", unsigned int " size "); +.fi +.SH "DESCRIPTION" +.BR audit_value_needs_encoding () +checks a string to see if it needs encoding. Specifically, this function checks if the string contains a space, a double-quote, or a control character. +.I str +is the string to check if encoding is needed. +.I size +is the length of str. + +.SH "RETURN VALUE" + +The return value if encoding is needed is 1. If not needed is 0. + +.SH "SEE ALSO" + +.BR audit_encode_nv_string (3). + +.SH AUTHOR +Steve Grubb
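Review bot: RETURN VALUE ('The return value if encoding is needed is 1. If not needed is 0.') is hard to parse; 'Returns 1 if the string needs encoding and 0 if it does not' says the same thing plainly. DESCRIPTION should also state whether size counts a terminating NUL, because callers use this result to decide whether a value may be logged without audit_encode_nv_string (3). The SYNOPSIS line ends with an unclosed quote ('size ");').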
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auditctl.8 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auditctl.8
Changed
@@ -1,4 +1,4 @@ -.TH AUDITCTL: "8" "Aug 2018" "Red Hat" "System Administration Utilities" +.TH AUDITCTL "8" "July 2021" "Red Hat" "System Administration Utilities" .SH NAME auditctl \- a utility to assist controlling the kernel's audit system .SH SYNOPSIS @@ -11,7 +11,7 @@ Set max number (limit) of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action. .TP .BI \-\-backlog_wait_time \ \fIwait_time\fP -Set the time for the kernel to wait (Kernel Default 60*HZ) when the backlog limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less that 10 times the default value. +Set the time for the kernel to wait (Kernel Default 60*HZ) when the backlog limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less than 10 times the default value. .TP .BI \-\-reset_backlog_wait_time_actual Reset the actual backlog wait time counter shown by the status command. @@ -52,7 +52,7 @@ .BI \-R\ file Read rules from a \fIfile\fP. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since auditctl is reading the file instead of bash. .TP -.BI \-\-signal signal +.BI \-\-signal\ signal Send a signal to the audit daemon. You must have privileges to do this. Supported signals are .I TERM, HUP, USR1, USR2, CONT. .TP 
@@ -261,7 +261,7 @@ Any \fIsyscall name\fP or \fInumber\fP may be used. The word '\fBall\fP' may also be used. If the given syscall is made by a program, then start an audit record. If a field rule is given and no syscall is specified, it will default to all syscalls. You may also specify multiple syscalls in the same rule by using multiple \-S options in the same rule. Doing so improves performance since fewer rules need to be evaluated. Alternatively, you may pass a comma separated list of syscall names. If you are on a bi-arch system, like x86_64, you should be aware that auditctl simply takes the text, looks it up for the native arch (in this case b64) and sends that rule to the kernel. If there are no additional arch directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have undesirable effects since there is no guarantee that any syscall has the same number on both 32 and 64 bit interfaces. You will likely want to control this and write 2 rules, one with arch equal to b32 and one with b64 to make sure the kernel finds the events that you intend. See the arch field discussion for more info. .TP .BI \-w\ path -Insert a watch for the file system object at \fIpath\fP. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. If you place a watch on a file, its the same as using the \-F path option on a syscall rule. If you place a watch on a directory, its the same as using the \-F dir option on a syscall rule. The \-w form of writing watches is for backwards compatibility and the syscall based form is more expressive. Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel. The only valid options when using a watch are the \-p and \-k. 
If you need to anything fancy like audit a specific user accessing a file, then use the syscall auditing form with the path or dir fields. See the EXAMPLES section for an example of converting one form to another. +Insert a watch for the file system object at \fIpath\fP. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. If you place a watch on a file, its the same as using the \-F path option on a syscall rule. If you place a watch on a directory, its the same as using the \-F dir option on a syscall rule. The \-w form of writing watches is for backwards compatibility and the syscall based form is more expressive. Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel. The only valid options when using a watch are the \-p and \-k. If you need to do anything fancy like audit a specific user accessing a file, then use the syscall auditing form with the path or dir fields. See the EXAMPLES section for an example of converting one form to another. .TP .BI \-W\ path Remove a watch for the file system object at \fIpath\fP. The rule must match exactly. See \fB-d\fP discussion for more info. @@ -292,7 +292,10 @@ To see all syscalls made by a specific program: .nf +# By pid: .B auditctl \-a always,exit \-S all \-F pid=1005 +# By executable path +.B auditctl \-a always,exit \-S all \-F exe=/usr/bin/ls .fi To see files opened by a specific user: 
@@ -327,12 +330,22 @@ .B auditctl \-a always,exit \-F dir=/home/ \-F uid=0 \-C auid!=obj_uid .fi +.SH DISABLED BY DEFAULT + +On many systems auditd is configured to install an +.B -a never,task +rule by default. This rule causes every new process to skip all audit rule processing. This is usually done to avoid a small performance overhead imposed by syscall auditing. If you want to use auditd, you need to remove that rule by deleting 10-no-audit.rules and adding 10-base-config.rules to the audit rules directory. + +If you have defined audit rules that are not matching when they should, check auditctl -l to make sure there is no never,task rule there. + .SH FILES .TP .I /etc/audit/audit.rules /etc/audit/audit-stop.rules .SH "SEE ALSO" .BR audit.rules (7), +.BR ausearch(8), +.BR aureport(8), .BR auditd (8). .SH AUTHOR
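Review bot: In the SEE ALSO additions of the @@ -327 hunk, '.BR ausearch(8),' and '.BR aureport(8),' have no space before the section number, so the whole token is set in bold; the neighbouring entries use the 'name (N)' form, and the auparse_get_type.3 hunk in this same revision fixes exactly this spacing. The new DISABLED BY DEFAULT text also uses unescaped hyphens ('.B -a never,task', 'auditctl -l') where the rest of the page writes '\-', and it tells the reader to swap 10-no-audit.rules for 10-base-config.rules without giving the path of the audit rules directory.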
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auditd-plugins.5 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auditd-plugins.5
Changed
@@ -1,6 +1,6 @@ -.TH AUDIT-PLUGINS: "5" "Aug 2018" "Red Hat" "System Administration Utilities" +.TH AUDITD-PLUGINS "5" "Aug 2022" "Red Hat" "System Administration Utilities" .SH NAME -audit-plugins \- realtime event receivers +auditd-plugins \- realtime event receivers .SH DESCRIPTION \fBauditd\fP can multiplex audit events in realtime. It takes audit events and distributes them to child programs that want to analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to its child processes so that can reload the configuration or terminate. @@ -8,7 +8,7 @@ .B plugin_dir if the admin wished to locate plugins somewhere else. But auditd will install its plugins in the default location. -The plugin directory will be scanned and every pluging that is active will be started. If the plugin has a problem and exits, it will be started a maximum of +The plugin directory will be scanned and every plugin that is active will be started. If the plugin has a problem and exits, it will be started a maximum of .B max_restarts times as found in auditd.conf. 
@@ -55,6 +55,17 @@ .IR string option tells the dispatcher to completely change the event into a string suitable for parsing with the audit parsing library. The default value is .IR string. + +.SH NOTE +auditd has an internal queue to hold events for plugins. (See the \fIq_depth\fP setting in \fIauditd.conf\fP.) Plugins have to watch for and dequeue events as fast as possible and queue them internally if they can't be immediately processed. If the plugin is not able to dequeue records, the auditd internal queue will get filled. At any time, as root, you can run the following to check auditd's metrics: + +auditctl --signal cont ; sleep 1 ; cat /var/run/auditd.state + +If auditd's internal queue fills, it cannot dequeue any events from the kernel backlog. If the kernel's backlog fills, it looks at the value of backlog_wait_time to delay all processes that generate an event to see if there is eventually room to add the event. This will likely be noticed as slowing down various processes on the machine. The kernel's audit subsystem can be checked by running: + +auditctl -s + +When tuning the audit system's performance, you'd want to check both kernel and auditd metrics and adjust accordingly. .SH FILES /etc/auditd/auditd.conf
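Review bot: The two commands in the new NOTE section are set as ordinary paragraph text with unescaped '--signal' and '-s'; auditctl.8 writes the same option as '\-\-signal', and putting each command on its own '.B' line or inside '.nf'/'.fi' would keep it from being reflowed into the surrounding text. Since the note explains what happens when auditd's internal queue fills, it should mention overflow_action from auditd.conf.5 next to q_depth. The FILES context line still reads /etc/auditd/auditd.conf, whereas auditd.8 lists /etc/audit/auditd.conf.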
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auditd.8 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auditd.8
Changed
@@ -1,4 +1,4 @@ -.TH "AUDITD" "8" "Sept 2013" "Red Hat" "System Administration Utilities" +.TH "AUDITD" "8" "Sept 2021" "Red Hat" "System Administration Utilities" .SH NAME auditd \- The Linux Audit daemon .SH SYNOPSIS @@ -35,24 +35,41 @@ be passed to the dispatcher. (default: /etc/audit/) .SH SIGNALS .TP -SIGHUP +.B SIGHUP causes auditd to reconfigure. This means that auditd re-reads the configuration file. If there are no syntax errors, it will proceed to implement the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the logs. If not successful, error handling is controlled by space_left_action, admin_space_left_action, disk_full_action, and disk_error_action parameters in auditd.conf. .TP -SIGTERM +.B SIGTERM caused auditd to discontinue processing audit events, write a shutdown audit event, and exit. .TP -SIGUSR1 +.B SIGUSR1 causes auditd to immediately rotate the logs. It will consult the max_log_file_action to see if it should keep the logs or not. .TP -SIGUSR2 +.B SIGUSR2 causes auditd to attempt to resume logging and passing events to plugins. This is usually needed after logging has been suspended or the internal queue is overflowed. Either of these conditions depends on the applicable configuration settings. .TP -SIGCONT +.B SIGCONT causes auditd to dump a report of internal state to /var/run/auditd.state. +.SH EXIT CODES +.TP +.B 1 +Cannot adjust priority, daemonize, open audit netlink, write the pid file, start up plugins, resolve the machine name, set audit pid, or other initialization tasks. + +.TP +.B 2 +Invalid or excessive command line arguments + +.TP +.B 4 +The audit daemon doesn't have sufficient privilege + +.TP +.B 6 +There is an error in the configuration file + .SH FILES .B /etc/audit/auditd.conf - configuration file for audit daemon 
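Review bot: In the new EXIT CODES section of the @@ -35 hunk, the entries for 2, 4 and 6 have no terminating period while the entry for 1 does, and the blank line before each '.TP' is not used in the SIGNALS list directly above. The SIGTERM entry in the same hunk still says 'caused auditd' where every other signal says 'causes auditd'.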
@@ -66,6 +83,9 @@ .B /etc/audit/plugins.d/ - directory holding individual plugin configuration files. .P +.B /etc/audit/audit-stop +- These rules are loaded when the audit daemon stops. +.P .B /var/run/auditd.state - report about internal state.
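Review bot: The new FILES entry names /etc/audit/audit-stop, but auditctl.8 in this revision lists the file as /etc/audit/audit-stop.rules; use one name in both pages. The entry text is also a capitalised full sentence ('These rules are loaded when the audit daemon stops.') while the neighbouring entries are lower-case fragments.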
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auditd.conf.5 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auditd.conf.5
Changed
@@ -1,4 +1,4 @@ -.TH AUDITD.CONF: "5" "August 2018" "Red Hat" "System Administration Utilities" +.TH AUDITD.CONF "5" "August 2018" "Red Hat" "System Administration Utilities" .SH NAME auditd.conf \- audit daemon configuration file .SH DESCRIPTION @@ -148,7 +148,7 @@ .IR space_left is set to 25%, then the audit daemon sets .IR space_left -to approxiatemly 500 megabytes. Note that this calculation is performed when the audit daemon starts, so if you resize the filesystem containing +to approximately 500 megabytes. Note that this calculation is performed when the audit daemon starts, so if you resize the filesystem containing .IR log_file while the audit daemon is running, you should send the audit daemon SIGHUP to re-read the configuration file and recalculate the correct percentage. .TP @@ -207,8 +207,7 @@ .I single option will cause the audit daemon to put the computer system in single user mode. The .I halt -option will cause the audit daemon to shutdown the computer system. Except for r -otate, it will perform this action just one time. +option will cause the audit daemon to shutdown the computer system. Except for rotate, it will perform this action just one time. .TP .I disk_full_action This parameter tells the system what action to take when the system has @@ -286,7 +285,7 @@ by a dash (no spaces allowed). It indicates which client ports are allowed for incoming connections. If not specified, any port is allowed. Allowed values are 1..65535. For example, to require the -client use a priviledged port, specify +client use a privileged port, specify .I 1\-1023 for this parameter. You will also need to set the local_port option in the audisp-remote.conf file. Making sure that clients send from a privileged port is a security feature to prevent log injection attacks by untrusted users. .TP 
@@ -328,7 +327,7 @@ dispatcher for processing. The default is "no". .TP .I q_depth -This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 400. +This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 2000. .TP .I overflow_action This option determines how the daemon should react to overflowing its internal queue. When this happens, it means that more events are being received than it can pass along to child processes. This error means that it is going to lose the current event that it's trying to dispatch. This option has the following choices:
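Review bot: The .TH date in the first hunk stays at 'August 2018' even though the @@ -328 hunk changes the documented q_depth default from 400 to 2000; other pages touched in this revision bump their dates. The q_depth paragraph could also point to the /var/run/auditd.state check described in the new auditd-plugins.5 NOTE, since that is where this revision tells admins to look at auditd's queue metrics.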
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/augenrules.8 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/augenrules.8
Changed
@@ -1,4 +1,4 @@ -.TH AUGENRULES: "8" "Apr 2013" "Red Hat" "System Administration Utilities" +.TH AUGENRULES "8" "Apr 2013" "Red Hat" "System Administration Utilities" .SH NAME augenrules \- a script that merges component audit rule files .SH SYNOPSIS
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_add_callback.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_add_callback.3
Changed
@@ -58,7 +58,7 @@ . .SH "RETURN VALUE" -Returns the previous callback pointer. +None. .SH "SEE ALSO"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_destroy.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_destroy.3
Changed
@@ -4,9 +4,9 @@ .SH "SYNOPSIS" .B #include <auparse.h> .sp -.B void auparse_destroy (auparse_state_t *au); +.B void auparse_destroy(auparse_state_t *au); -.B void auparse_destroy_ext (auparse_state_t *au, auparse_destroy_what_t what); +.B void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_find_field.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_find_field.3
Changed
@@ -1,4 +1,4 @@ -.TH "AUPARSE_FIND_FIELD" "3" "Feb 2007" "Red Hat" "Linux Audit API" +.TH "AUPARSE_FIND_FIELD" "3" "June 2021" "Red Hat" "Linux Audit API" .SH NAME auparse_find_field \- search for field name .SH "SYNOPSIS" @@ -10,6 +10,8 @@ auparse_find_field will scan all records in an event to find the first occurrence of the field name passed to it. Searching begins from the cursor's current position. The field name is stored for subsequent searching. +NOTE: auparse creates 2 psuedo fields that do not exist in the natural record for SELinux AVC and USER_AVC decision and permissions. The field names are seresult and seperms respectively. + .SH "RETURN VALUE" Returns NULL field not found. If an error occurs errno will be set. Otherwise, it returns a pointer to the text value associated with the field.
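Review bot: The added NOTE misspells 'pseudo' as 'psuedo'. It would also be clearer if it said which field carries which value (seresult for the decision, seperms for the permissions) rather than relying on 'respectively'. The RETURN VALUE context line, 'Returns NULL field not found', is missing 'if'.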
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_get_field_type.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_get_field_type.3
Changed
@@ -12,7 +12,7 @@ .SH "RETURN VALUE" -Returns AUPARSE_TYPE_UNCLASSIFIED if the field's data type has no known description or is an integer. Otherwise it returns another enum. Fields with the type AUPARSE_TYPE_ESCAPED must be interpretted to access their value since those field's raw value is encoded. +Returns AUPARSE_TYPE_UNCLASSIFIED if the field's data type has no known description or is an integer. Otherwise it returns another enum. Fields with the type AUPARSE_TYPE_ESCAPED must be interpreted to access their value since those field's raw value is encoded. .SH "SEE ALSO"
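Review bot: The corrected sentence still has 'those field's raw value is encoded'; with a plural subject this should be 'those fields' raw values are encoded'.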
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_get_milli.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_get_milli.3
Changed
@@ -18,7 +18,6 @@ .BR auparse_get_timestamp (3), .BR auparse_get_time (3). -.BR auparse_get_milli (3). .BR auparse_get_node (3). .SH AUTHOR
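Review bot: With the self-reference removed, the SEE ALSO list still has '.BR auparse_get_time (3).' ending in a period in the middle of the list; change it to a comma so that only the final auparse_get_node (3) entry closes the sentence.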
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_get_type.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_get_type.3
Changed
@@ -16,7 +16,7 @@ .SH "SEE ALSO" -.BR auparse_get_type_name(3), auparse_next_record (3). +.BR auparse_get_type_name (3), auparse_next_record (3). .SH AUTHOR Steve Grubb
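Review bot: The second reference is still on the same '.BR' line, and '.BR' joins its arguments without spaces, so the line renders as 'auparse_get_type_name(3),auparse_next_record(3).'; give auparse_next_record (3) its own '.BR' line, as the other pages in this revision do. The matching line in auparse_get_type_name.3 has the same problem.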
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_get_type_name.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_get_type_name.3
Changed
@@ -16,7 +16,7 @@ .SH "SEE ALSO" -.BR auparse_get_type(3), auparse_next_record(3). +.BR auparse_get_type (3), auparse_next_record (3). .SH AUTHOR Steve Grubb
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_set_eoe_timeout.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_set_eoe_timeout.3
Changed
@@ -8,7 +8,7 @@ .SH "DESCRIPTION" -auparse_set_eoe_timeout is used to set the end of event timeout value (seconds). The value should be a positive integer. If this function is called, it overides any setting in /etc/auditd.conf. +auparse_set_eoe_timeout is used to set the end of event timeout value (seconds). The value should be a positive integer. If this function is called, it overrides any setting in /etc/auditd.conf. The function should be called after the \fIauparse_init()\fP function call. For details on the timeout, see the \fBend_of_event_timeout\fP configuration item description in \fIauditd.conf(5)\fP.
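Review bot: The changed line gives the configuration file as /etc/auditd.conf, while aureport.8 and ausearch.8 in this revision say /etc/auditd/auditd.conf and auditd.8 lists /etc/audit/auditd.conf. Pick the path the daemon actually reads and use it in all four pages.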
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/auparse_set_escape_mode.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/auparse_set_escape_mode.3
Changed
@@ -8,7 +8,7 @@ .SH "DESCRIPTION" -auparse_set_escape_mode is used to set the escaping method that will be used to output interpretted text. The choices for the mode variable are: +auparse_set_escape_mode is used to set the escaping method that will be used to output interpreted text. The choices for the mode variable are: .RS .TP
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/aureport.8 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/aureport.8
Changed
@@ -1,4 +1,4 @@ -.TH AUREPORT: "8" "March 2017" "Red Hat" "System Administration Utilities" +.TH AUREPORT "8" "March 2017" "Red Hat" "System Administration Utilities" .SH NAME aureport \- a tool that produces summary reports of audit daemon logs .SH SYNOPSIS @@ -24,8 +24,11 @@ .BR \-cr ,\ \-\-crypto Report about crypto events .TP +.BR \-\-debug +Write malformed events that are skipped to stderr. +.TP .BR \-\-eoe\-timeout \ \fIseconds\fP -Set the end of event parsing timeout. See \fBend_of_event_timeout\fP in \fIauditd.conf(5)\fP for details. Note that setting this value will overide any configured value found in /etc/auditd/auditd.conf. +Set the end of event parsing timeout. See \fBend_of_event_timeout\fP in \fIauditd.conf(5)\fP for details. Note that setting this value will override any configured value found in /etc/auditd/auditd.conf. .TP .BR \-e ,\ \-\-event Report about events @@ -49,7 +52,7 @@ Interpret numeric entities into text. For example, uid is converted to account name. The conversion is done using the current resources of the machine where the search is being run. If you have renamed the accounts, or don't have the same accounts on your machine, you could get misleading results. .TP .BR \-if ,\ \-\-input \ \fIfile\fP\ |\ \fIdirectory\fP -Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved. +Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved. The path length is limited to 4064 bytes. .TP .B \-\-input\-logs Use the log file location from auditd.conf as input for analysis. This is needed if you are using aureport from a cron job.
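Review bot: The new sentence 'The path length is limited to 4064 bytes' does not say what happens to a longer path; state whether the tool rejects it with an error or truncates it, because a silently truncated path would point the analysis at the wrong input. The same sentence is added to ausearch.8 and needs the same clarification.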
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/ausearch.8 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/ausearch.8
Changed
@@ -1,4 +1,4 @@ -.TH AUSEARCH: "8" "March 2017" "Red Hat" "System Administration Utilities" +.TH AUSEARCH "8" "April 2021" "Red Hat" "System Administration Utilities" .SH NAME ausearch \- a tool to query audit daemon logs .SH SYNOPSIS @@ -50,7 +50,7 @@ .TP .BR \-\-eoe\-timeout \ \fIseconds\fP -Set the end of event parsing timeout. See \fBend_of_event_timeout\fP in \fIauditd.conf(5)\fP for details. Note that setting this value will overide any configured value found in /etc/auditd/auditd.conf. +Set the end of event parsing timeout. See \fBend_of_event_timeout\fP in \fIauditd.conf(5)\fP for details. Note that setting this value will override any configured value found in /etc/auditd/auditd.conf. .TP .BR \-e,\ \-\-exit \ \fIexit-code-or-errno\fP Search for an event based on the given syscall \fIexit code or errno\fP. @@ -95,7 +95,7 @@ Interpret numeric entities into text. For example, uid is converted to account name. If the audit logs are unenriched, the conversion is done using the current resources of the machine where the search is being run. If you have renamed the accounts, or don't have the same accounts on your machine, you could get misleading results. If the logs are enriched, it uses the supplemental data to do the conversion. This allows accurate log reporting even when run on a different machine than the original logs came from. .TP .BR \-if ,\ \-\-input \ \fIfile-name\fP\ |\ \fIdirectory\fP -Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved. +Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved. The path length is limited to 4064 bytes. .TP .BR \-\-input\-logs Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job. 
@@ -195,7 +195,7 @@ Search for an event with the given \fIuser ID\fP. .TP .BR \-ul ,\ \-\-loginuid \ \fIlogin-id\fP -Search for an event with the given \fIlogin user ID\fP. All entry point programs that are pamified need to be configured with pam_loginuid required for the session for searching on loginuid (auid) to be accurate. +Search for an event with the given \fIlogin user ID\fP. All entry point programs that are PAMified need to be configured with pam_loginuid required for the session for searching on loginuid (auid) to be accurate. .TP .BR \-uu ,\ \-\-uuid \ \fIguest-uuid\fP Search for an event with the given \fIguest UUID\fP. @@ -218,7 +218,7 @@ if OK, .TP 1 -if nothing found, or argument errors or minor file acces/read errors, +if nothing found, or argument errors or minor file access/read errors, .TP 10 invalid checkpoint data found in checkpoint file, @@ -236,4 +236,5 @@ .SH "SEE ALSO" .BR auditd (8), .BR auditd.conf (5), +.BR aureport (8), .BR pam_loginuid (8).
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/ausearch_add_expression.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/ausearch_add_expression.3
Changed
@@ -1,4 +1,4 @@ -.TH "AUSEARCH_ADD_expression" "3" "Feb 2008" "Red Hat" "Linux Audit API" +.TH "AUSEARCH_ADD_EXPRESSION" "3" "Feb 2008" "Red Hat" "Linux Audit API" .SH NAME ausearch_add_expression \- build up search expression .SH "SYNOPSIS"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/ausearch_add_regex.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/ausearch_add_regex.3
Changed
@@ -4,7 +4,7 @@ .SH "SYNOPSIS" .B #include <auparse.h> .sp -int ausearch_add_regex(auparse_state_t *au, const char *expr); +int ausearch_add_regex(auparse_state_t *au, const char *regexp); .SH "DESCRIPTION"
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/autrace.8 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/autrace.8
Changed
@@ -1,4 +1,4 @@ -.TH AUTRACE: "8" "Jan 2007" "Red Hat" "System Administration Utilities" +.TH AUTRACE "8" "Jan 2007" "Red Hat" "System Administration Utilities" .SH NAME autrace \- a program similar to strace .SH SYNOPSIS
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/get_auditfail_action.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/get_auditfail_action.3
Changed
@@ -29,7 +29,7 @@ #include <libaudit.h> .sp .HP 19 -int\ \fBget_auditfail_action\fR\ (int *\fIfailmode\fR); +int\ \fBget_auditfail_action\fR(auditfail_t *\fIfailmode\fR); .ad .hy
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/libaudit.conf.5 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/libaudit.conf.5
Changed
@@ -1,10 +1,10 @@ -.TH LIBAUDIT.CONF: "5" "Oct 2009" "Red Hat" "System Administration Utilities" +.TH LIBAUDIT.CONF "5" "Oct 2009" "Red Hat" "System Administration Utilities" .SH NAME libaudit.conf \- libaudit configuration file .SH DESCRIPTION The file .I /etc/libaudit.conf -contains configuration information for user space applications that link to libaudit. The applications are responsible for querrying the settings in this file and obeying the admin's preferences. This file contains one configuration keyword per line, an equal sign, and then followed by appropriate configuration information. The keywords recognized are: +contains configuration information for user space applications that link to libaudit. The applications are responsible for querying the settings in this file and obeying the admin's preferences. This file contains one configuration keyword per line, an equal sign, and then followed by appropriate configuration information. The keywords recognized are: .IR failure_action ". These keywords are described below.
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/set_aumessage_mode.3 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/set_aumessage_mode.3
Changed
@@ -19,9 +19,9 @@ .el .ne 3 .IP "\\$1" \\$2 .. -.TH "SET_MESSAGE_MODE" 3 "2004-12-01" "Linux 2.6" "Linux Programmer's Manual" +.TH "SET_AUMESSAGE_MODE" 3 "2004-12-01" "Linux 2.6" "Linux Programmer's Manual" .SH NAME -set_message_mode \- Sets the message mode +set_aumessage_mode \- Sets the message mode .SH "SYNOPSIS" .ad l .hy 0 @@ -29,24 +29,32 @@ #include <libaudit.h> .sp .HP 23 -void\ \fBset_message_mode\fR\ (message_t\ \fImode\fR); +void\ \fBset_aumessage_mode\fR(message_t\ \fImode\fR, debug_message_t\ \fIdebug\fR); .ad .hy .SH "DESCRIPTION" .PP -\fBset_message_mode\fR sets the location where informational messages are sent. If \fImode\fR=0 (default), then informational messages are sent to stderr. If \fImode\fR=1, then informational messages are sent to syslog. +\fBset_aumessage_mode\fR sets the location where messages are sent and the output of the debug messages. + +If \fImode\fR=MSG_STDERR, then messages are sent to stderr. If \fImode\fR=MSG_SYSLOG, then messages are sent to syslog. If \fImode\fR=MSG_QUIET (default), then messages are not sent. + +If \fIdebug\fR=DBG_YES, then debug messages are output. If \fIdebug\fR=DBG_NO (default), then debug messages are not output. .SH "EXAMPLE" .nf /* Sample code */ -set_message_mode(MSG_SYSLOG) +set_aumessage_mode(MSG_SYSLOG, DBG_YES) .fi +.SH "RETURN VALUE" + +None. + .SH "SEE ALSO" .BR auditd (8),
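Review bot: The EXAMPLE section's `set_aumessage_mode(MSG_SYSLOG, DBG_YES)` is missing its terminating semicolon, so the sample does not compile when pasted. The DESCRIPTION also changes the documented default from stderr (`mode=0`) to `MSG_QUIET`. Callers that relied on seeing libaudit messages on stderr without calling this function deserve an explicit note about that change, not only a rewritten paragraph.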
View file
_service:tar_scm:audit-3.0.1.tar.gz/docs/zos-remote.conf.5 -> _service:tar_scm:audit-3.0.9.tar.gz/docs/zos-remote.conf.5
Changed
@@ -26,7 +26,7 @@ controls the configuration for the .BR audispd\-zos\-remote (8) Audit dispatcher plugin. The default location for this file is -.IR /etc/audisp/zos\-remote.conf , +.IR /etc/audit/zos\-remote.conf , however, a different file can be specified as the first argument to the .B audispd\-zos\-remote plugin. See @@ -56,7 +56,7 @@ .I q_depth The .B audispd\-zos\-remote -plugin will queue inputed events to the maximum of +plugin will queue inputted events to the maximum of .I q_depth events while trying to submit those remotely. This can handle burst of events or in case of a slow network connection. However, the .B audispd\-zos\-remote
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -25,7 +26,7 @@ auditd.cron libaudit.conf auditd.condrestart \ auditd.reload auditd.restart auditd.resume \ auditd.rotate auditd.state auditd.stop \ - audit-stop.rules augenrules + audit-stop.rules augenrules audit-functions libconfig = libaudit.conf if ENABLE_SYSTEMD initdir = /usr/lib/systemd/system @@ -51,6 +52,7 @@ if ENABLE_SYSTEMD mkdir -p ${DESTDIR}${initdir} mkdir -p ${DESTDIR}${legacydir} + mkdir -p ${DESTDIR}${libexecdir} $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir} $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume @@ -59,6 +61,7 @@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.stop ${DESTDIR}${legacydir}/stop $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.restart ${DESTDIR}${legacydir}/restart $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.condrestart ${DESTDIR}${legacydir}/condrestart + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/audit-functions ${DESTDIR}${libexecdir} else $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd endif
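Review bot: The new install line puts `audit-functions` in `${DESTDIR}${libexecdir}`, but the legacy scripts in this revision source the literal path `/usr/libexec/audit-functions`, and the file's own header comment says `/usr/libexec/audit/audit-functions`. A build configured with a different libexecdir installs the file where the scripts will not find it. Either substitute the configured path into the scripts at build time or make the three locations agree. The file is only sourced, never executed, so `-m 750` grants an execute bit it does not need.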
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -198,6 +199,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -209,8 +212,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -266,6 +271,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -319,6 +325,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -337,7 +344,7 @@ auditd.cron libaudit.conf auditd.condrestart \ auditd.reload auditd.restart auditd.resume \ auditd.rotate auditd.state auditd.stop \ - audit-stop.rules augenrules + audit-stop.rules augenrules audit-functions libconfig = libaudit.conf @ENABLE_SYSTEMD_FALSE@initdir = $(sysconfdir)/rc.d/init.d 
@@ -448,7 +455,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am @@ -616,6 +622,7 @@ install-exec-hook: @ENABLE_SYSTEMD_TRUE@ mkdir -p ${DESTDIR}${initdir} @ENABLE_SYSTEMD_TRUE@ mkdir -p ${DESTDIR}${legacydir} +@ENABLE_SYSTEMD_TRUE@ mkdir -p ${DESTDIR}${libexecdir} @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir} @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume @@ -624,6 +631,7 @@ @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.stop ${DESTDIR}${legacydir}/stop @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.restart ${DESTDIR}${legacydir}/restart @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.condrestart ${DESTDIR}${legacydir}/condrestart +@ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/audit-functions ${DESTDIR}${libexecdir} @ENABLE_SYSTEMD_FALSE@ $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd chmod 0750 $(DESTDIR)$(sbindir)/augenrules
View file
_service:tar_scm:audit-3.0.9.tar.gz/init.d/audit-functions
Added
@@ -0,0 +1,52 @@ +# -*-Shell-script-*- + +# Make sure umask is sane +umask 022 + +#/usr/libexec/audit/audit-functions + +# killproc {program} -signal +killproc () +{ + local daemon="$1" + local sig= + -n "${2:-}" && sig=$2 + + # This matches src/auditd.c + local pid_file="/var/run/auditd.pid" + local pid_dir=$(dirname $pid_file) + + if ! -d "$pid_dir" ; then + return 4 + fi + + local pid= + if -f "$pid_file" ; then + # pid file exists, use it + while : ; do + read line + -z "$line" && break + for p in $line ; do + # pid is numeric and corresponds to a process + if -z "${p//0-9/}" && -d "/proc/$p" ; then + d=$(cat "/proc/$p/comm") + if "$d" = "$daemon" ; then + pid="$p" + break + fi + fi + done + done < "$pid_file" + else + # need to search /proc + p=$(pidof "$daemon") + if -n "$p" ; then + pid="$p" + fi + fi + + # At this point we should have a pid or the process is dead + if -n "$pid" && -n "$sig" ; then + kill "$sig" "$pid" >/dev/null 2>&1 + fi +}
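Review bot: In the fallback branch of `killproc`, `p=$(pidof "$daemon")` can return several space-separated PIDs, and the final `kill "$sig" "$pid"` passes them as one quoted argument, so the signal is not delivered. Because output is sent to `/dev/null`, the failure is silent. Take the first PID, or iterate over the list, and let the caller see a non-zero status when no signal was sent. `local pid_dir=$(dirname $pid_file)` should quote `$pid_file`. The header comment path `/usr/libexec/audit/audit-functions` also does not match the `/usr/libexec/audit-functions` path the calling scripts source.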
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/auditd.conf -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/auditd.conf
Changed
@@ -33,7 +33,8 @@ krb5_principal = auditd ##krb5_key_file = /etc/audit/audit.key distribute_network = no -q_depth = 400 +q_depth = 2000 overflow_action = SYSLOG max_restarts = 10 plugin_dir = /etc/audit/plugins.d +end_of_event_timeout = 2
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/auditd.cron -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/auditd.cron
Changed
@@ -1,14 +1,14 @@ #!/bin/sh ########## -# This script can be installed to get a daily log rotation -# based on a cron job. +# This script can be installed to the cron system to get log rotation +# based on time instead of log size. ########## -/sbin/service auditd rotate +/sbin/auditctl --signal usr1 EXITVALUE=$? if $EXITVALUE != 0 ; then - /usr/bin/logger -t auditd "ALERT exited abnormally with $EXITVALUE" + /usr/bin/logger -t auditd "ALERT auditctl exited abnormally with $EXITVALUE while rotating the logs" fi exit 0
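Review bot: The script still ends with an unconditional `exit 0`, so a failed `/sbin/auditctl --signal usr1` is invisible to cron and the only trace is the `logger` line. Now that rotation depends on auditctl rather than the service wrapper, consider exiting with `$EXITVALUE` so a missed rotation surfaces through cron's own reporting, or document in the header comment that failures are reported only through syslog under the `auditd` tag.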
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/auditd.reload -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/auditd.reload
Changed
@@ -7,7 +7,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -. /etc/rc.d/init.d/functions +. /usr/libexec/audit-functions printf "Reconfiguring: " /sbin/augenrules --load
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/auditd.resume -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/auditd.resume
Changed
@@ -7,7 +7,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -. /etc/rc.d/init.d/functions +. /usr/libexec/audit-functions printf "Resuming logging: " killproc $prog -USR2
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/auditd.rotate -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/auditd.rotate
Changed
@@ -7,7 +7,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -. /etc/rc.d/init.d/functions +. /usr/libexec/audit-functions printf "Rotating logs: " killproc $prog -USR1
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/auditd.service -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/auditd.service
Changed
@@ -13,6 +13,8 @@ Conflicts=shutdown.target RefuseManualStop=yes ConditionKernelCommandLine=!audit=0 +ConditionKernelCommandLine=!audit=off + Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation Service @@ -27,12 +29,16 @@ # By default we don't clear the rules on exit. To enable this, uncomment # the next line after copying the file to /etc/systemd/system/auditd.service #ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules +Restart=on-failure +# Do not restart for intentional exits. See EXIT CODES section in auditd(8). +RestartPreventExitStatus=2 4 6 ### Security Settings ### MemoryDenyWriteExecute=true LockPersonality=true ProtectControlGroups=true ProtectKernelModules=true +RestrictRealtime=true Install WantedBy=multi-user.target
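Review bot: `RestartPreventExitStatus=2 4 6` is opaque to someone reading the unit file, and the comment only points to auditd(8). State inline what each of the three codes means so an administrator can tell which exits are treated as intentional without opening the man page. `Restart=on-failure` is added without a `RestartSec=` or start-limit setting, so a daemon that fails immediately on start is retried at systemd's default pace. State whether that is the intended behaviour for an audit daemon.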
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/auditd.state -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/auditd.state
Changed
@@ -8,7 +8,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" state_file="/var/run/auditd.state" -. /etc/rc.d/init.d/functions +. /usr/libexec/audit-functions printf "Getting auditd internal state: " killproc $prog -CONT
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/auditd.stop -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/auditd.stop
Changed
@@ -7,8 +7,12 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin prog="auditd" -. /etc/rc.d/init.d/functions -pid="$(__pids_pidof "$prog")" +. /usr/libexec/audit-functions +pid= +p=$(pidof "$prog") +if -n "$p" ; then + pid="$p" +fi printf "Stopping logging: " killproc $prog -TERM
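Review bot: The replacement for `__pids_pidof` uses a temporary `p` and an `if` only to copy a non-empty value into `pid`, which was already initialised empty. `pid=$(pidof "$prog")` gives the same result in one line. `pidof` may also return more than one PID, so whatever consumes `$pid` later in the script needs to cope with a space-separated list.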
View file
_service:tar_scm:audit-3.0.1.tar.gz/init.d/augenrules -> _service:tar_scm:audit-3.0.9.tar.gz/init.d/augenrules
Changed
@@ -27,7 +27,7 @@ DestinationFile=/etc/audit/audit.rules SourceRulesDir=/etc/audit/rules.d -TmpRules=`mktemp /tmp/aurules.XXXXXXXX` +TmpRules=$(mktemp /tmp/aurules.XXXXXXXX) ASuffix="prev" OnlyCheck=0 LoadRules=0
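Review bot: The switch to `$(mktemp /tmp/aurules.XXXXXXXX)` keeps the assignment unchecked. In the lines shown nothing tests whether `mktemp` succeeded, so an empty `TmpRules` would flow into the rest of the script. Add a check directly after the assignment that aborts when `$TmpRules` is empty, and consider honouring `TMPDIR` instead of hard-coding `/tmp`.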
View file
_service:tar_scm:audit-3.0.1.tar.gz/install-sh -> _service:tar_scm:audit-3.0.9.tar.gz/install-sh
Changed
@@ -1,7 +1,7 @@ #!/bin/sh # install - install a program, script, or datafile -scriptversion=2018-03-11.20; # UTC +scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the @@ -69,6 +69,11 @@ # Desired mode of installed file. mode=0755 +# Create dirs (including intermediate dirs) using mode 755. +# This is like GNU 'install' as of coreutils 8.32 (2020). +mkdir_umask=22 + +backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= @@ -99,18 +104,28 @@ --version display version info and exit. -c (ignored) - -C install only if different (preserve the last data modification time) + -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. + -p pass -p to $cpprog. -s $stripprog installed files. + -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG + +By default, rm is invoked with -f; when overridden with RMPROG, +it's up to you to specify -f if you want it. + +If -S is not specified, no backups are attempted. + +Email bug reports to bug-automake@gnu.org. +Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do @@ -137,8 +152,13 @@ -o) chowncmd="$chownprog $2" shift;; + -p) cpprog="$cpprog -p";; + -s) stripcmd=$stripprog;; + -S) backupsuffix="$2" + shift;; + -t) is_target_a_directory=always dst_arg=$2 
@@ -255,6 +275,10 @@ dstdir=$dst test -d "$dstdir" dstdir_status=$? + # Don't chown directories that already exist. + if test $dstdir_status = 0; then + chowncmd="" + fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command @@ -301,22 +325,6 @@ if test $dstdir_status != 0; then case $posix_mkdir in '') - # Create intermediate dirs using mode 755 as modified by the umask. - # This is like FreeBSD 'install' as of 1997-10-28. - umask=`umask` - case $stripcmd.$umask in - # Optimize common cases. - *23672367) mkdir_umask=$umask;; - .*00202 | .0202 | .02) mkdir_umask=22;; - - *0-7) - mkdir_umask=`expr $umask + 22 \ - - $umask % 100 % 40 + $umask % 20 \ - - $umask % 10 % 4 + $umask % 2 - `;; - *) mkdir_umask=$umask,go-w;; - esac - # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then 
@@ -326,52 +334,49 @@ fi posix_mkdir=false - case $umask in - *1235670-70-7) - # POSIX mkdir -p sets u+wx bits regardless of umask, which - # is incompatible with FreeBSD 'install' when (umask & 300) != 0. - ;; - *) - # Note that $RANDOM variable is not portable (e.g. dash); Use it - # here however when possible just to lower collision chance. - tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ - - trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0 - - # Because "mkdir -p" follows existing symlinks and we likely work - # directly in world-writeable /tmp, make sure that the '$tmpdir' - # directory is successfully created first before we actually test - # 'mkdir -p' feature. - if (umask $mkdir_umask && - $mkdirprog $mkdir_mode "$tmpdir" && - exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 - then - if test -z "$dir_arg" || { - # Check for POSIX incompatibilities with -m. - # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or - # other-writable bit of parent directory when it shouldn't. - # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. - test_tmpdir="$tmpdir/a" - ls_ld_tmpdir=`ls -ld "$test_tmpdir"` - case $ls_ld_tmpdir in - d????-?r-*) different_mode=700;; - d????-?--*) different_mode=755;; - *) false;; - esac && - $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { - ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` - test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" - } - } - then posix_mkdir=: - fi - rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" - else - # Remove any dirs left behind by ancient mkdir implementations. - rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null - fi - trap '' 0;; - esac;; + # The $RANDOM variable is not portable (e.g., dash). Use it + # here however when possible just to lower collision chance. + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + + trap ' + ret=$? 
+ rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null + exit $ret + ' 0 + + # Because "mkdir -p" follows existing symlinks and we likely work + # directly in world-writeable /tmp, make sure that the '$tmpdir' + # directory is successfully created first before we actually test + # 'mkdir -p'. + if (umask $mkdir_umask && + $mkdirprog $mkdir_mode "$tmpdir" && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + test_tmpdir="$tmpdir/a" + ls_ld_tmpdir=`ls -ld "$test_tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. + rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null + fi + trap '' 0;; esac if @@ -382,7 +387,7 @@ then : else - # The umask is ridiculous, or mkdir does not conform to POSIX,
View file
_service:tar_scm:audit-3.0.1.tar.gz/lib/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/lib/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -25,7 +26,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = syscall-update.txt VERSION_INFO = 1:0 -AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE +AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE ${WFLAGS} AM_CPPFLAGS = -I. -I${top_srcdir} -I${top_srcdir}/auparse -I${top_srcdir}/common pkgconfigdir = $(libdir)/pkgconfig
View file
_service:tar_scm:audit-3.0.1.tar.gz/lib/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/lib/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -420,8 +421,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/audit.pc.in \ $(top_srcdir)/depcomp @@ -471,6 +470,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -482,8 +483,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -539,6 +542,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -592,6 +596,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -610,7 +615,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = syscall-update.txt VERSION_INFO = 1:0 -AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE +AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE ${WFLAGS} AM_CPPFLAGS = -I. -I${top_srcdir} -I${top_srcdir}/auparse -I${top_srcdir}/common pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = audit.pc @@ -1235,7 +1240,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am @@ -1305,7 +1309,8 @@ done install: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) install-recursive -install-exec: install-exec-recursive +install-exec: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive @@ -1452,7 +1457,7 @@ uninstall-pkgconfigDATA .MAKE: $(am__recursive_targets) all check install install-am \ - install-strip + install-exec install-strip .PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am \ am--depfiles check check-am clean clean-generic \
View file
_service:tar_scm:audit-3.0.1.tar.gz/lib/aarch64_table.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/aarch64_table.h
Changed
@@ -317,3 +317,13 @@ _S(439, "faccessat2") _S(440, "process_madvise") _S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(447, "memfd_secret") +_S(448, "process_mrelease") +_S(449, "futex_waitv") +_S(450, "set_mempolicy_home_node") +
View file
_service:tar_scm:audit-3.0.1.tar.gz/lib/arm_table.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/arm_table.h
Changed
@@ -423,3 +423,12 @@ _S(439, "faccessat2") _S(440, "process_madvise") _S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(448, "process_mrelease") +_S(449, "futex_waitv") +_S(450, "set_mempolicy_home_node") +
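Review bot: The arm table jumps from `_S(446, "landlock_restrict_self")` to `_S(448, "process_mrelease")`, while the aarch64 and i386 tables in this same revision both add `_S(447, "memfd_secret")`. If the gap is intentional because the syscall is not wired up on 32-bit ARM, add a short comment at that position so the next table update does not fill it in by mistake. If it is an omission, add the entry.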
View file
_service:tar_scm:audit-3.0.1.tar.gz/lib/i386_table.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/i386_table.h
Changed
@@ -453,4 +453,13 @@ _S(439, "faccessat2") _S(440, "process_madvise") _S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(447, "memfd_secret") +_S(448, "process_mrelease") +_S(449, "futex_waitv") +_S(450, "set_mempolicy_home_node")
View file
_service:tar_scm:audit-3.0.1.tar.gz/lib/libaudit.c -> _service:tar_scm:audit-3.0.9.tar.gz/lib/libaudit.c
Changed
@@ -38,7 +38,6 @@ #include <sys/stat.h> #include <fcntl.h> /* O_NOFOLLOW needs gnu defined */ #include <limits.h> /* for PATH_MAX */ -#include <sys/stat.h> #include <sys/types.h> #include <sys/socket.h> /* AF_MAX */ #ifdef HAVE_LIBCAP_NG @@ -560,7 +559,7 @@ int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock) { -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 int rc; struct audit_features f; @@ -584,7 +583,7 @@ int audit_request_features(int fd) { -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 int rc; struct audit_features f; @@ -603,7 +602,7 @@ extern int audit_set_loginuid_immutable(int fd) { -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 return audit_set_feature(fd, AUDIT_FEATURE_LOGINUID_IMMUTABLE, 1, 1); #else errno = EINVAL; 
@@ -694,12 +693,40 @@ char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res) { + struct stat sb; + char path32, ses16; + int rlen; + snprintf(path, sizeof(path), "/proc/%u", rep->signal_info->pid); + int fd = open(path, O_RDONLY); + if (fd >= 0) { + if (fstat(fd, &sb) < 0) + sb.st_uid = -1; + close(fd); + } else + sb.st_uid = -1; + snprintf(path, sizeof(path), "/proc/%u/sessionid", + rep->signal_info->pid); + fd = open(path, O_RDONLY, rep->signal_info->pid); + if (fd < 0) + strcpy(ses, "4294967295"); + else { + do { + rlen = read(fd, ses, sizeof(ses)); + } while (rlen < 0 && errno == EINTR); + close(fd); + if (rlen < 0 || rlen >= sizeof(ses)) + strcpy(ses, "4294967295"); + else + sesrlen = 0; + } if (rep->len == 24) - snprintf(buf, len, "op=%s auid=%u pid=%d res=%s", op, - rep->signal_info->uid, rep->signal_info->pid, res); + snprintf(buf, len, "op=%s auid=%u uid=%u ses=%s pid=%d res=%s", + op, rep->signal_info->uid, sb.st_uid, ses, + rep->signal_info->pid, res); else - snprintf(buf, len, "op=%s auid=%u pid=%d subj=%s res=%s", - op, rep->signal_info->uid, rep->signal_info->pid, + snprintf(buf, len, "op=%s auid=%u uid=%u ses=%s pid=%d subj=%s res=%s", + op,rep->signal_info->uid, sb.st_uid, ses, + rep->signal_info->pid, rep->signal_info->ctx, res); return buf; } @@ -743,11 +770,6 @@ return audit_add_watch_dir(AUDIT_WATCH, rulep, path); } -int audit_add_dir(struct audit_rule_data **rulep, const char *path) -{ - return audit_add_watch_dir(AUDIT_DIR, rulep, path); -} - int audit_add_watch_dir(int type, struct audit_rule_data **rulep, const char *path) { 
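Review bot: In `audit_format_signal_info`, the second `open(path, O_RDONLY, rep->signal_info->pid)` passes the PID as the mode argument, which is meaningless without `O_CREAT` and looks like a leftover from the `snprintf` above it. Drop the third argument. The new `uid=` and `ses=` fields are read from `/proc/<pid>` when the record is formatted, not when the signal was sent, so a sender that has already exited yields the fallbacks (`sb.st_uid = -1` printed through `%u`, and `4294967295`), and a reused PID yields another process's values. A comment saying these fields are best effort would stop readers of the resulting log record from treating them as authoritative.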
@@ -1836,9 +1858,17 @@ { struct passwd *pw; + errno = 0; pw = getpwnam(name); - if (pw == NULL) + if (pw == NULL) { + /* getpwnam() might return ECONNREFUSED in some very + * specific cases when using LDAP. + * Manually set it to ENOENT so callers don't get confused + * with netlink's ECONNREFUSED */ + if (errno == ECONNREFUSED) + errno = ENOENT; return 1; + } memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd)); *uid = pw->pw_uid; @@ -1849,9 +1879,14 @@ { struct group *gr; + errno = 0; gr = getgrnam(name); - if (gr == NULL) + if (gr == NULL) { + /* See above for explanation. */ + if (errno == ECONNREFUSED) + errno = ENOENT; return 1; + } *gid = gr->gr_gid; return 0;
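Review bot: In both the `getpwnam()` and `getgrnam()` hunks, only `ECONNREFUSED` is remapped to `ENOENT`. Every other lookup failure still returns 1 with whatever errno the name service left behind, and a plain "not found" may return 1 with errno 0 now that it is cleared first. If callers are expected to inspect errno after a return of 1, say so in the function comment and list the values they can rely on. The second hunk's "See above for explanation" comment also breaks if the two functions are ever moved apart, so repeat the one-line reason there.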
View file
_service:tar_scm:audit-3.0.1.tar.gz/lib/libaudit.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/libaudit.h
Changed
@@ -1,5 +1,5 @@ -/* libaudit.h -- - * Copyright 2004-2018 Red Hat Inc., Durham, North Carolina. +/* libaudit.h -- + * Copyright 2004-2018,2021-22 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -15,7 +15,7 @@ * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * + * * Authors: * Steve Grubb <sgrubb@redhat.com> * Rickard E. (Rik) Faith <faith@redhat.com> @@ -23,11 +23,6 @@ #ifndef _LIBAUDIT_H_ #define _LIBAUDIT_H_ -#ifdef __cplusplus -extern "C" { -#endif - - #include <asm/types.h> #include <stdint.h> #include <sys/socket.h> @@ -35,6 +30,17 @@ #include <linux/audit.h> #include <stdarg.h> #include <syslog.h> +#ifndef __attr_access +# define __attr_access(x) +#endif +#ifndef __attr_dealloc +# define __attr_dealloc(dealloc, argno) +# define __attr_dealloc_free +#endif + +#ifdef __cplusplus +extern "C" { +#endif /* Audit message types as of 2.6.29 kernel: @@ -124,6 +130,7 @@ #define AUDIT_APPARMOR_HINT 1504 #define AUDIT_APPARMOR_STATUS 1505 #define AUDIT_APPARMOR_ERROR 1506 +#define AUDIT_APPARMOR_KILL 1507 #endif #define AUDIT_FIRST_KERN_CRYPTO_MSG 1600 @@ -136,7 +143,7 @@ #define AUDIT_INTEGRITY_LAST_MSG 1899 #ifndef AUDIT_INTEGRITY_DATA #define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */ -#define AUDIT_INTEGRITY_METADATA 1801 // Metadata integrity verification +#define AUDIT_INTEGRITY_METADATA 1801 // Metadata integrity verification #define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */ #define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */ #define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */ 
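Review bot: In the new fallback block, `__attr_dealloc_free` is defined only inside `#ifndef __attr_dealloc`, so a C library that provides `__attr_dealloc` but not `__attr_dealloc_free` leaves the latter undefined. Give it its own `#ifndef` guard. These three names are in the implementation-reserved namespace, and because this is an installed public header the empty fallbacks leak into every consumer. A project-prefixed wrapper macro would avoid that. The license notice a few lines up still carries the 59 Temple Place address that the Makefiles in this revision replaced.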
@@ -145,6 +152,9 @@ #ifndef AUDIT_INTEGRITY_EVM_XATTR #define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */ #endif +#ifndef AUDIT_INTEGRITY_POLICY_RULE +#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* Integrity Policy rule */ +#endif #define AUDIT_FIRST_ANOM_MSG 2100 #define AUDIT_LAST_ANOM_MSG 2199 @@ -167,6 +177,9 @@ #define AUDIT_ANOM_MOD_ACCT 2116 // Changing an acct #define AUDIT_ANOM_ROOT_TRANS 2117 // User became root #define AUDIT_ANOM_LOGIN_SERVICE 2118 // Service acct attempted login +#define AUDIT_ANOM_LOGIN_ROOT 2119 // Root login attempted +#define AUDIT_ANOM_ORIGIN_FAILURES 2120 // Origin has too many failed login +#define AUDIT_ANOM_SESSION 2121 // The user session is bad #define AUDIT_FIRST_ANOM_RESP 2200 #define AUDIT_LAST_ANOM_RESP 2299 @@ -185,6 +198,7 @@ #define AUDIT_RESP_HALT 2212 /* take the system down */ #define AUDIT_RESP_ORIGIN_BLOCK 2213 /* Address blocked by iptables */ #define AUDIT_RESP_ORIGIN_BLOCK_TIMED 2214 /* Address blocked for time */ +#define AUDIT_RESP_ORIGIN_UNBLOCK_TIMED 2215 /* Address unblocked from timed */ #define AUDIT_FIRST_USER_LSPP_MSG 2300 #define AUDIT_LAST_USER_LSPP_MSG 2399 @@ -296,7 +310,15 @@ #endif #ifndef AUDIT_EVENT_LISTENER -#define AUDIT_EVENT_LISTENER 1335 /* audit mcast sock join/part */ +#define AUDIT_EVENT_LISTENER 1335 /* audit mcast sock join/part */ +#endif + +#ifndef AUDIT_URINGOP +#define AUDIT_URINGOP 1336 /* io_uring operations */ +#endif + +#ifndef AUDIT_OPENAT2 +#define AUDIT_OPENAT2 1337 /* openat2 open_how flags */ #endif #ifndef AUDIT_MAC_CALIPSO_ADD 
@@ -582,14 +604,16 @@ typedef enum { GET_REPLY_BLOCKING=0, GET_REPLY_NONBLOCKING } reply_t; extern int audit_open(void); extern void audit_close(int fd); -extern int audit_get_reply(int fd, struct audit_reply *rep, reply_t block, +extern int audit_get_reply(int fd, struct audit_reply *rep, reply_t block, int peek); extern uid_t audit_getloginuid(void); extern int audit_setloginuid(uid_t uid); extern uint32_t audit_get_session(void); extern int audit_detect_machine(void); extern int audit_determine_machine(const char *arch); -extern char *audit_format_signal_info(char *buf, int len, char *op, struct audit_reply *rep, char *res); +extern char *audit_format_signal_info(char *buf, int len, char *op, + struct audit_reply *rep, char *res) + __attr_access ((__write_only__, 1, 2)); /* Translation functions */ extern int audit_name_to_field(const char *field); @@ -610,9 +634,9 @@ extern int audit_name_to_errno(const char *error); extern const char *audit_errno_to_name(int error); extern int audit_name_to_ftype(const char *name); -extern const char *audit_ftype_to_name(int ftype); +extern const char *audit_ftype_to_name(int ftype); extern int audit_name_to_fstype(const char *name); -extern const char *audit_fstype_to_name(int fstype); +extern const char *audit_fstype_to_name(int fstype); extern void audit_number_to_errmsg(int errnumber, const char *opt); /* AUDIT_GET */ @@ -632,7 +656,8 @@ int audit_set_backlog_wait_time(int fd, uint32_t bwt); int audit_reset_lost(int fd); int audit_reset_backlog_wait_time_actual(int fd); -extern int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock); +extern int audit_set_feature(int fd, unsigned feature, unsigned value, + unsigned lock); extern int audit_set_loginuid_immutable(int fd); /* AUDIT_LIST_RULES */ 
@@ -644,7 +669,6 @@ /* AUDIT_WATCH */ extern int audit_update_watch_perms(struct audit_rule_data *rule, int perms); extern int audit_add_watch(struct audit_rule_data **rulep, const char *path); -extern int audit_add_dir(struct audit_rule_data **rulep, const char *path); extern int audit_add_watch_dir(int type, struct audit_rule_data **rulep, const char *path); extern int audit_trim_subtrees(int fd); @@ -660,10 +684,15 @@ int flags, int action); /* The following are for standard formatting of messages */ -extern int audit_value_needs_encoding(const char *str, unsigned int len); -extern char *audit_encode_value(char *final,const char *buf,unsigned int size); +extern int audit_value_needs_encoding(const char *str, unsigned int size) + __attr_access ((__read_only__, 1, 2)); +extern char *audit_encode_value(char *final,const char *buf,unsigned int size) + __attr_access ((__write_only__, 1)) + __attr_access ((__read_only__, 2, 3)); extern char *audit_encode_nv_string(const char *name, const char *value, - unsigned int vlen); + unsigned int vlen) + __attr_access ((__read_only__, 2, 3)) + __attr_dealloc_free; extern int audit_log_user_message(int audit_fd, int type, const char *message, const char *hostname, const char *addr, const char *tty, int result); extern int audit_log_user_comm_message(int audit_fd, int type, @@ -672,8 +701,8 @@ extern int audit_log_acct_message(int audit_fd, int type, const char *pgname, const char *op, const char *name, unsigned int id, const char *host, const char *addr, const char *tty, int result); -extern int audit_log_user_avc_message(int audit_fd, int type, - const char *message, const char *hostname, const char *addr, +extern int audit_log_user_avc_message(int audit_fd, int type, + const char *message, const char *hostname, const char *addr, const char *tty, uid_t uid); extern int audit_log_semanage_message(int audit_fd, int type, const char *pgname, const char *op, const char *name, unsigned int id, 
@@ -689,7 +718,6 @@ extern struct audit_rule_data *audit_rule_create_data(void); /* Initializes an existing audit_rule_data struct */ extern void audit_rule_init_data(struct audit_rule_data *rule); -extern int audit_rule_syscall_data(struct audit_rule_data *rule, int scall); extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule, const char *scall); /* Note that the following function takes a **, where audit_rule_fieldpair()
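Review bot: the -644 and -689 hunks delete the declarations of audit_add_dir() and audit_rule_syscall_data() from this installed header without leaving a deprecation marker or a comment naming what to use instead. Any package that still calls them will stop compiling against 3.0.9, or will build with an implicit declaration where the compiler allows it. audit_add_watch_dir() and audit_rule_syscallbyname_data() remain declared on the neighbouring lines; if those are the intended replacements, say so in the header or the package changelog, and check the reverse dependencies of this package for callers before the update lands. Separately, the fallback `# define __attr_access(x)` block near the top puts names with a reserved double-underscore prefix into every consumer's namespace; the #ifndef guards limit the damage, but a short comment on where the real definitions are expected to come from would help.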
_service:tar_scm:audit-3.0.1.tar.gz/lib/machinetab.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/machinetab.h
Changed
@@ -40,4 +40,5 @@ #endif #ifdef WITH_AARCH64 _S(MACH_AARCH64, "aarch64" ) +_S(MACH_AARCH64, "armv8l") #endif
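Review bot: the added `_S(MACH_AARCH64, "armv8l")` gives MACH_AARCH64 two names in the same table, with no comment on why "armv8l" belongs to it. Name-to-machine lookup is unaffected, but any machine-to-name lookup built from this table now has two candidates for one value, so it is worth confirming that "aarch64" is still the string returned. Please add a one-line comment explaining when "armv8l" is seen, and match the spacing of the existing entry (`"aarch64" )`) so the table stays uniform.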
_service:tar_scm:audit-3.0.1.tar.gz/lib/msg_typetab.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/msg_typetab.h
Changed
@@ -1,5 +1,5 @@ /* msg_typetab.h -- - * Copyright 2005-07,2009-18 Red Hat Inc., Durham, North Carolina. + * Copyright 2005-07,2009-18,21 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -127,6 +127,8 @@ _S(AUDIT_TIME_ADJNTPVAL, "TIME_ADJNTPVAL" ) _S(AUDIT_BPF, "BPF" ) _S(AUDIT_EVENT_LISTENER, "EVENT_LISTENER" ) +_S(AUDIT_URINGOP, "URINGOP" ) +_S(AUDIT_OPENAT2, "OPENAT2" ) _S(AUDIT_AVC, "AVC" ) _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" ) _S(AUDIT_AVC_PATH, "AVC_PATH" ) @@ -158,6 +160,7 @@ _S(AUDIT_INTEGRITY_PCR, "INTEGRITY_PCR" ) _S(AUDIT_INTEGRITY_RULE, "INTEGRITY_RULE" ) _S(AUDIT_INTEGRITY_EVM_XATTR, "INTEGRITY_EVM_XATTR" ) +_S(AUDIT_INTEGRITY_POLICY_RULE, "INTEGRITY_POLICY_RULE" ) #ifdef WITH_APPARMOR _S(AUDIT_AA, "APPARMOR" ) @@ -167,6 +170,7 @@ _S(AUDIT_APPARMOR_HINT, "APPARMOR_HINT" ) _S(AUDIT_APPARMOR_STATUS, "APPARMOR_STATUS" ) _S(AUDIT_APPARMOR_ERROR, "APPARMOR_ERROR" ) +_S(AUDIT_APPARMOR_KILL, "APPARMOR_KILL" ) #endif _S(AUDIT_KERNEL, "KERNEL" ) _S(AUDIT_ANOM_LOGIN_FAILURES, "ANOM_LOGIN_FAILURES" ) @@ -188,6 +192,9 @@ _S(AUDIT_ANOM_MOD_ACCT, "ANOM_MOD_ACCT" ) _S(AUDIT_ANOM_ROOT_TRANS, "ANOM_ROOT_TRANS" ) _S(AUDIT_ANOM_LOGIN_SERVICE, "ANOM_LOGIN_SERVICE" ) +_S(AUDIT_ANOM_LOGIN_ROOT, "ANOM_LOGIN_ROOT" ) +_S(AUDIT_ANOM_ORIGIN_FAILURES, "ANOM_ORIGIN_FAILURES" ) +_S(AUDIT_ANOM_SESSION, "ANOM_SESSION" ) _S(AUDIT_RESP_ANOMALY, "RESP_ANOMALY" ) _S(AUDIT_RESP_ALERT, "RESP_ALERT" ) _S(AUDIT_RESP_KILL_PROC, "RESP_KILL_PROC" ) @@ -203,6 +210,7 @@ _S(AUDIT_RESP_HALT, "RESP_HALT" ) _S(AUDIT_RESP_ORIGIN_BLOCK, "RESP_ORIGIN_BLOCK" ) _S(AUDIT_RESP_ORIGIN_BLOCK_TIMED, "RESP_ORIGIN_BLOCK_TIMED" ) +_S(AUDIT_RESP_ORIGIN_UNBLOCK_TIMED, "RESP_ORIGIN_UNBLOCK_TIMED" ) _S(AUDIT_USER_ROLE_CHANGE, "USER_ROLE_CHANGE" ) _S(AUDIT_ROLE_ASSIGN, "ROLE_ASSIGN" ) _S(AUDIT_ROLE_REMOVE, "ROLE_REMOVE" )
_service:tar_scm:audit-3.0.1.tar.gz/lib/netlink.c -> _service:tar_scm:audit-3.0.9.tar.gz/lib/netlink.c
Changed
@@ -64,10 +64,10 @@ } if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { saved_errno = errno; - close(fd); audit_msg(LOG_ERR, "Error setting audit netlink socket CLOEXEC flag (%s)", strerror(errno)); + close(fd); errno = saved_errno; return -1; } @@ -147,7 +147,7 @@ rep->error = NULL; rep->signal_info = NULL; rep->conf = NULL; -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 rep->features = NULL; #endif if (!NLMSG_OK(rep->nlh, (unsigned int)len)) { @@ -172,7 +172,7 @@ case AUDIT_GET: rep->status = NLMSG_DATA(rep->nlh); break; -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 case AUDIT_GET_FEATURE: rep->features = NLMSG_DATA(rep->nlh); break;
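Review bot: in the first hunk the error message is still built with strerror(errno) although the value was captured in saved_errno on the line above. Moving close(fd) below audit_msg() stops close() from clobbering errno before the message is formatted, but the message would not depend on statement order at all if it used strerror(saved_errno). In the two HAVE_DECL_AUDIT_FEATURE_VERSION hunks, the switch from defined() to `== 1` deserves a short comment saying why defined() was the wrong test, since the reason is not visible at the call site.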
_service:tar_scm:audit-3.0.1.tar.gz/lib/ppc_table.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/ppc_table.h
Changed
@@ -388,4 +388,62 @@ _S(385, "pkey_free") _S(386, "pkey_mprotect") _S(387, "rseq") +_S(388, "io_pgetevents") +_S(392, "semtimedop") +_S(393, "semget") +_S(394, "semctl") +_S(395, "shmget") +_S(396, "shmctl") +_S(397, "shmat") +_S(398, "shmdt") +_S(399, "msgget") +_S(400, "msgsnd") +_S(401, "msgrcv") +_S(402, "msgctl") +_S(403, "clock_gettime64") +_S(404, "clock_settime64") +_S(405, "clock_adjtime64") +_S(406, "clock_getres_time64") +_S(407, "clock_nanosleep_time64") +_S(408, "timer_gettime64") +_S(409, "timer_settime64") +_S(410, "timerfd_gettime64") +_S(411, "timerfd_settime64") +_S(412, "utimensat_time64") +_S(413, "pselect6_time64") +_S(414, "ppoll_time64") +_S(416, "io_pgetevents_time64") +_S(417, "recvmmsg_time64") +_S(418, "mq_timedsend_time64") +_S(419, "mq_timedreceive_time64") +_S(420, "semtimedop_time64") +_S(421, "rt_sigtimedwait_time64") +_S(422, "futex_time64") +_S(423, "sched_rr_get_interval_time64") +_S(424, "pidfd_send_signal") +_S(425, "io_uring_setup") +_S(426, "io_uring_enter") +_S(427, "io_uring_register") +_S(428, "open_tree") +_S(429, "move_mount") +_S(430, "fsopen") +_S(431, "fsconfig") +_S(432, "fsmount") +_S(433, "fspick") +_S(434, "pidfd_open") +_S(435, "clone3") +_S(436, "close_range") +_S(437, "openat2") +_S(438, "pidfd_getfd") +_S(439, "faccessat2") +_S(440, "process_madvise") +_S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(448, "process_mrelease") +_S(449, "futex_waitv") +_S(450, "set_mempolicy_home_node")
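Review bot: the added entries jump from 388 to 392, from 414 to 416 and from 446 to 448, and nothing in the table says whether 389 to 391, 415 and 447 are deliberately left out. The x86_64 table in this same revision does add `_S(447, "memfd_secret")`, while the s390 and s390x hunks skip 447 as this one does, so a reader cannot tell an unassigned number from an omission. Add a comment at each gap, or record the kernel syscall.tbl revision the numbers were taken from (lib/syscall-update.txt already lists the source file). Rules and searches written against syscall names depend on this table being complete for the architecture.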
_service:tar_scm:audit-3.0.1.tar.gz/lib/s390_table.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/s390_table.h
Changed
@@ -401,4 +401,12 @@ _S(439, "faccessat2") _S(440, "process_madvise") _S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(448, "process_mrelease") +_S(449, "futex_waitv") +_S(450, "set_mempolicy_home_node")
_service:tar_scm:audit-3.0.1.tar.gz/lib/s390x_table.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/s390x_table.h
Changed
@@ -365,4 +365,12 @@ _S(439, "faccessat2") _S(440, "process_madvise") _S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(448, "process_mrelease") +_S(449, "futex_waitv") +_S(450, "set_mempolicy_home_node")
_service:tar_scm:audit-3.0.1.tar.gz/lib/syscall-update.txt -> _service:tar_scm:audit-3.0.9.tar.gz/lib/syscall-update.txt
Changed
@@ -2,11 +2,11 @@ arch/arm/tools/syscall.tbl arch/arm/include/uapi/asm/unistd.h -arch/powerpc/include/uapi/asm/unistd.h +include/uapi/asm-generic/unistd.h (aarch64) +arch/powerpc/kernel/syscalls/syscall.tbl arch/s390/kernel/syscalls/syscall.tbl arch/x86/entry/syscalls/syscall_32.tbl arch/x86/entry/syscalls/syscall_64.tbl -include/uapi/asm-generic/unistd.h (aarch64) For src/ausearch-lookup.c: Inspect include/linux/net.h for socketcall updates
_service:tar_scm:audit-3.0.1.tar.gz/lib/test/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/lib/test/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -190,8 +190,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__tty_colors_dummy = \ mgn= red= grn= lgn= blu= brg= std=; \ am__color_tests=no @@ -374,6 +372,7 @@ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -419,6 +418,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -430,8 +431,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -487,6 +490,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -540,6 +544,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -802,7 +807,7 @@ test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -857,7 +862,6 @@ @am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
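Review bot: this file identifies itself in its first line as "generated by automake 1.16.5 from Makefile.am", so hunks such as the ETAGS and CTAGS assignments becoming @ETAGS@ and @CTAGS@ substitutions are generator output, not authored changes, and reading them line by line gives little assurance. For a tarball bump like this one, the stronger check is to regenerate the file from the Makefile.am and configure inputs shipped in the 3.0.9 tarball with the stated automake version and confirm the result matches what is being imported. The same applies to m4/Makefile.in, ltmain.sh and the m4/*.m4 files later in this revision.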
_service:tar_scm:audit-3.0.1.tar.gz/lib/x86_64_table.h -> _service:tar_scm:audit-3.0.9.tar.gz/lib/x86_64_table.h
Changed
@@ -373,3 +373,13 @@ _S(439, "faccessat2") _S(440, "process_madvise") _S(441, "epoll_pwait2") +_S(442, "mount_setattr") +_S(443, "quotactl_fd") +_S(444, "landlock_create_ruleset") +_S(445, "landlock_add_rule") +_S(446, "landlock_restrict_self") +_S(447, "memfd_secret") +_S(448, "process_mrelease") +_S(449, "futex_waitv") +_S(450, "set_mempolicy_home_node") +
_service:tar_scm:audit-3.0.1.tar.gz/ltmain.sh -> _service:tar_scm:audit-3.0.9.tar.gz/ltmain.sh
Changed
@@ -1,12 +1,12 @@ -#! /bin/sh +#! /usr/bin/env sh ## DO NOT EDIT - This file generated from ./build-aux/ltmain.in -## by inline-source v2014-01-03.01 +## by inline-source v2019-02-19.15 -# libtool (GNU libtool) 2.4.6 +# libtool (GNU libtool) 2.4.7 # Provide generalized library-building support services. # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996 -# Copyright (C) 1996-2015 Free Software Foundation, Inc. +# Copyright (C) 1996-2019, 2021-2022 Free Software Foundation, Inc. # This is free software; see the source for copying conditions. There is NO # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. @@ -31,8 +31,8 @@ PROGRAM=libtool PACKAGE=libtool -VERSION=2.4.6 -package_revision=2.4.6 +VERSION=2.4.7 +package_revision=2.4.7 ## ------ ## 
@@ -64,34 +64,25 @@ # libraries, which are installed to $pkgauxdir. # Set a version string for this script. -scriptversion=2015-01-20.17; # UTC +scriptversion=2019-02-19.15; # UTC # General shell script boiler plate, and helper functions. # Written by Gary V. Vaughan, 2004 -# Copyright (C) 2004-2015 Free Software Foundation, Inc. -# This is free software; see the source for copying conditions. There is NO -# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or -# (at your option) any later version. - -# As a special exception to the GNU General Public License, if you distribute -# this file as part of a program or library that is built using GNU Libtool, -# you may include this file under the same distribution terms that you use -# for the rest of that program. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNES FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# This is free software. There is NO warranty; not even for +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Copyright (C) 2004-2019, 2021 Bootstrap Authors +# +# This file is dual licensed under the terms of the MIT license +# <https://opensource.org/license/MIT>, and GPL version 2 or later +# <http://www.gnu.org/licenses/gpl-2.0.html>. You must apply one of +# these licenses when using or redistributing this software or any of +# the files within it. See the URLs above, or the file `LICENSE` +# included in the Bootstrap distribution for the full license texts. 
-# Please report bugs or propose patches to gary@gnu.org. +# Please report bugs or propose patches to: +# <https://github.com/gnulib-modules/bootstrap/issues> ## ------ ## @@ -139,9 +130,12 @@ _G_safe_locale=\"$_G_var=C; \$_G_safe_locale\" fi" done - -# CDPATH. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH +# These NLS vars are set unconditionally (bootstrap issue #24). Unset those +# in case the environment reset is needed later and the $save_* variant is not +# defined (see the code above). +LC_ALL=C +LANGUAGE=C +export LANGUAGE LC_ALL # Make sure IFS has a sensible default sp=' ' @@ -159,6 +153,26 @@ fi +# func_unset VAR +# -------------- +# Portably unset VAR. +# In some shells, an 'unset VAR' statement leaves a non-zero return +# status if VAR is already unset, which might be problematic if the +# statement is used at the end of a function (thus poisoning its return +# value) or when 'set -e' is active (causing even a spurious abort of +# the script in this case). +func_unset () +{ + { eval $1=; (eval unset $1) >/dev/null 2>&1 && eval unset $1 || : ; } +} + + +# Make sure CDPATH doesn't cause `cd` commands to output the target dir. +func_unset CDPATH + +# Make sure ${,E,F}GREP behave sanely. +func_unset GREP_OPTIONS + ## ------------------------- ## ## Locate command utilities. ## @@ -259,7 +273,7 @@ rm -f conftest.in conftest.tmp conftest.nl conftest.out } - func_path_progs "sed gsed" func_check_prog_sed $PATH:/usr/xpg4/bin + func_path_progs "sed gsed" func_check_prog_sed "$PATH:/usr/xpg4/bin" rm -f conftest.sed SED=$func_path_progs_result } @@ -295,7 +309,7 @@ rm -f conftest.in conftest.tmp conftest.nl conftest.out } - func_path_progs "grep ggrep" func_check_prog_grep $PATH:/usr/xpg4/bin + func_path_progs "grep ggrep" func_check_prog_grep "$PATH:/usr/xpg4/bin" GREP=$func_path_progs_result } 
@@ -360,6 +374,35 @@ s/\\(^$_G_bs\\)$_G_bs2$_G_dollar/\\1$_G_bs2$_G_bs$_G_dollar/g s/\n//g" +# require_check_ifs_backslash +# --------------------------- +# Check if we can use backslash as IFS='\' separator, and set +# $check_ifs_backshlash_broken to ':' or 'false'. +require_check_ifs_backslash=func_require_check_ifs_backslash +func_require_check_ifs_backslash () +{ + _G_save_IFS=$IFS + IFS='\' + _G_check_ifs_backshlash='a\\b' + for _G_i in $_G_check_ifs_backshlash + do + case $_G_i in + a) + check_ifs_backshlash_broken=false + ;; + '') + break + ;; + *) + check_ifs_backshlash_broken=: + break + ;; + esac + done + IFS=$_G_save_IFS + require_check_ifs_backslash=: +} + ## ----------------- ## ## Global variables. ## @@ -580,16 +623,16 @@ { $debug_cmd - func_quote_for_eval "$2" - eval "$1+=\\ \$func_quote_for_eval_result" + func_quote_arg pretty "$2" + eval "$1+=\\ \$func_quote_arg_result" }' else func_append_quoted () { $debug_cmd - func_quote_for_eval "$2" - eval "$1=\$$1\\ \$func_quote_for_eval_result" + func_quote_arg pretty "$2" + eval "$1=\$$1\\ \$func_quote_arg_result" } fi @@ -1091,85 +1134,203 @@ } -# func_quote_for_eval ARG...
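Review bot: the first hunk changes the interpreter line from `#! /bin/sh` to `#! /usr/bin/env sh`, so the shell that runs this build script is now whichever `sh` comes first in PATH instead of a fixed path. That is upstream libtool 2.4.7 behaviour, not a local edit, but it makes the build depend on PATH being controlled; confirm the package build sets PATH explicitly before this script is invoked. Two smaller points in the later hunks: LC_ALL and LANGUAGE are now exported as C unconditionally, which changes the locale seen by every tool the script launches, and the new variable is spelled check_ifs_backshlash_broken throughout, so any outside reference must use that same spelling.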
_service:tar_scm:audit-3.0.1.tar.gz/m4/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/m4/Makefile.am
Changed
@@ -13,8 +13,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
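Review bot: the replacement licence notice gives the FSF address as "Boston, MA 02110-1335, USA", but the postal code for 51 Franklin Street, Fifth Floor is 02110-1301, so this looks like a typo carried in with the new text. The wording also changes from "this library" to "this program" while the notice above it still refers to the GNU Lesser General Public License, and it points at a file named COPYING.lib, so check that a file with exactly that name ships in the tarball. m4/Makefile.in carries the same text because it is generated from this file, so a fix belongs here.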
_service:tar_scm:audit-3.0.1.tar.gz/m4/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/m4/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# License along with this program; see the file COPYING.lib. If not, write to +# the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -196,6 +197,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -207,8 +210,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -264,6 +269,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -317,6 +323,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -398,7 +405,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
_service:tar_scm:audit-3.0.1.tar.gz/m4/libtool.m4 -> _service:tar_scm:audit-3.0.9.tar.gz/m4/libtool.m4
Changed
@@ -1,6 +1,7 @@ # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*- # -# Copyright (C) 1996-2001, 2003-2015 Free Software Foundation, Inc. +# Copyright (C) 1996-2001, 2003-2019, 2021-2022 Free Software +# Foundation, Inc. # Written by Gordon Matzigkeit, 1996 # # This file is free software; the Free Software Foundation gives @@ -31,7 +32,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. ) -# serial 58 LT_INIT +# serial 59 LT_INIT # LT_PREREQ(VERSION) @@ -181,6 +182,7 @@ m4_require(_LT_CHECK_SHELL_FEATURES)dnl m4_require(_LT_PATH_CONVERSION_FUNCTIONS)dnl m4_require(_LT_CMD_RELOAD)dnl +m4_require(_LT_DECL_FILECMD)dnl m4_require(_LT_CHECK_MAGIC_METHOD)dnl m4_require(_LT_CHECK_SHAREDLIB_FROM_LINKLIB)dnl m4_require(_LT_CMD_OLD_ARCHIVE)dnl @@ -219,8 +221,8 @@ ofile=libtool can_build_shared=yes -# All known linkers require a '.a' archive for static linking (except MSVC, -# which needs '.lib'). +# All known linkers require a '.a' archive for static linking (except MSVC and +# ICC, which need '.lib'). libext=a with_gnu_ld=$lt_cv_prog_gnu_ld @@ -778,7 +780,7 @@ # if finds mixed CR/LF and LF-only lines. Since sed operates in # text mode, it properly converts lines to CR/LF. This bash problem # is reportedly fixed, but why not run on old versions too? - sed '$q' "$ltmain" >> "$cfgfile" \ + $SED '$q' "$ltmain" >> "$cfgfile" \ || (rm -f "$cfgfile"; exit 1) mv -f "$cfgfile" "$ofile" || @@ -1042,8 +1044,8 @@ _LT_EOF echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD - echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD - $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$AR $AR_FLAGS libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR $AR_FLAGS libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD cat > conftest.c << _LT_EOF 
@@ -1067,17 +1069,12 @@ _lt_dar_allow_undefined='$wl-undefined ${wl}suppress' ;; darwin1.*) _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - darwin*) # darwin 5.x on - # if running on 10.5 or later, the deployment target defaults - # to the OS version, if on x86, and 10.4, the deployment - # target defaults to 10.4. Don't you love it? - case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in - 10.0,*86*-darwin8*|10.0,*-darwin91*) - _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; - 10.012,.*) - _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; - 10.*) - _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; + darwin*) + case $MACOSX_DEPLOYMENT_TARGET,$host in + 10.012,*|,*powerpc*-darwin5-8*) + _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; + *) + _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; esac ;; esac 
@@ -1126,12 +1123,12 @@ output_verbose_link_cmd=func_echo_all _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dsymutil" _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dsymutil" - _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dar_export_syms$_lt_dsymutil" - _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dar_export_syms$_lt_dsymutil" + _LT_TAGVAR(archive_expsym_cmds, $1)="$SED 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dar_export_syms$_lt_dsymutil" + _LT_TAGVAR(module_expsym_cmds, $1)="$SED -e 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dar_export_syms$_lt_dsymutil" m4_if($1, CXX, if test yes != "$lt_cv_apple_cc_single_mod"; then _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dsymutil" - _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o 
\$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dar_export_syms$_lt_dsymutil" + _LT_TAGVAR(archive_expsym_cmds, $1)="$SED 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dar_export_syms$_lt_dsymutil" fi ,) else @@ -1245,7 +1242,8 @@ # _LT_WITH_SYSROOT # ---------------- AC_DEFUN(_LT_WITH_SYSROOT, -AC_MSG_CHECKING(for sysroot) +m4_require(_LT_DECL_SED)dnl +AC_MSG_CHECKING(for sysroot) AC_ARG_WITH(sysroot, AS_HELP_STRING(--with-sysroot@<:@=DIR@:>@, Search for dependent libraries within DIR (or the compiler's sysroot @@ -1262,7 +1260,7 @@ fi ;; #( /*) - lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"` + lt_sysroot=`echo "$with_sysroot" | $SED -e "$sed_quote_subst"` ;; #( no|'') ;; #( @@ -1292,7 +1290,7 @@ # options accordingly. echo 'int i;' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then - case `/usr/bin/file conftest.$ac_objext` in + case `$FILECMD conftest.$ac_objext` in *ELF-32*) HPUX_IA64_MODE=32 ;; @@ -1309,7 +1307,7 @@ echo '#line '$LINENO' "configure"' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then if test yes = "$lt_cv_prog_gnu_ld"; then - case `/usr/bin/file conftest.$ac_objext` in + case `$FILECMD conftest.$ac_objext` in *32-bit*) LD="${LD-ld} -melf32bsmip" ;; @@ -1321,7 +1319,7 @@ ;; esac else - case `/usr/bin/file conftest.$ac_objext` in + case `$FILECMD conftest.$ac_objext` in *32-bit*) LD="${LD-ld} -32" ;; @@ -1343,7 +1341,7 @@ echo '#line '$LINENO' "configure"' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then emul=elf - case `/usr/bin/file conftest.$ac_objext` in + case `$FILECMD conftest.$ac_objext` in *32-bit*) emul="${emul}32" ;; 
@@ -1351,7 +1349,7 @@ emul="${emul}64" ;; esac - case `/usr/bin/file conftest.$ac_objext` in + case `$FILECMD conftest.$ac_objext` in *MSB*) emul="${emul}btsmip" ;; @@ -1359,7 +1357,7 @@ emul="${emul}ltsmip" ;; esac - case `/usr/bin/file conftest.$ac_objext` in + case `$FILECMD conftest.$ac_objext` in *N32*) emul="${emul}n32" ;; @@ -1379,14 +1377,14 @@ # not appear in the list. echo 'int i;' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then - case `/usr/bin/file conftest.o` in + case `$FILECMD conftest.o` in *32-bit*) case $host in x86_64-*kfreebsd*-gnu) LD="${LD-ld} -m elf_i386_fbsd" ;; x86_64-*linux*) - case `/usr/bin/file conftest.o` in + case `$FILECMD conftest.o` in *x86-64*) LD="${LD-ld} -m elf32_x86_64" ;; @@ -1454,7 +1452,7 @@ # options accordingly. echo 'int i;' > conftest.$ac_ext if AC_TRY_EVAL(ac_compile); then - case `/usr/bin/file conftest.o` in + case `$FILECMD conftest.o` in *64-bit*) case $lt_cv_prog_gnu_ld in yes*) @@ -1493,9 +1491,22 @@ m4_defun(_LT_PROG_AR, AC_CHECK_TOOLS(AR, ar, false) : ${AR=ar}
_service:tar_scm:audit-3.0.1.tar.gz/m4/ltoptions.m4 -> _service:tar_scm:audit-3.0.9.tar.gz/m4/ltoptions.m4
Changed
@@ -1,7 +1,7 @@ # Helper functions for option handling. -*- Autoconf -*- # -# Copyright (C) 2004-2005, 2007-2009, 2011-2015 Free Software -# Foundation, Inc. +# Copyright (C) 2004-2005, 2007-2009, 2011-2019, 2021-2022 Free +# Software Foundation, Inc. # Written by Gary V. Vaughan, 2004 # # This file is free software; the Free Software Foundation gives
_service:tar_scm:audit-3.0.1.tar.gz/m4/ltsugar.m4 -> _service:tar_scm:audit-3.0.9.tar.gz/m4/ltsugar.m4
Changed
@@ -1,6 +1,6 @@ # ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*- # -# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software +# Copyright (C) 2004-2005, 2007-2008, 2011-2019, 2021-2022 Free Software # Foundation, Inc. # Written by Gary V. Vaughan, 2004 #
View file
_service:tar_scm:audit-3.0.1.tar.gz/m4/ltversion.m4 -> _service:tar_scm:audit-3.0.9.tar.gz/m4/ltversion.m4
Changed
@@ -1,6 +1,7 @@ # ltversion.m4 -- version numbers -*- Autoconf -*- # -# Copyright (C) 2004, 2011-2015 Free Software Foundation, Inc. +# Copyright (C) 2004, 2011-2019, 2021-2022 Free Software Foundation, +# Inc. # Written by Scott James Remnant, 2004 # # This file is free software; the Free Software Foundation gives @@ -9,15 +10,15 @@ # @configure_input@ -# serial 4179 ltversion.m4 +# serial 4245 ltversion.m4 # This file is part of GNU Libtool -m4_define(LT_PACKAGE_VERSION, 2.4.6) -m4_define(LT_PACKAGE_REVISION, 2.4.6) +m4_define(LT_PACKAGE_VERSION, 2.4.7) +m4_define(LT_PACKAGE_REVISION, 2.4.7) AC_DEFUN(LTVERSION_VERSION, -macro_version='2.4.6' -macro_revision='2.4.6' +macro_version='2.4.7' +macro_revision='2.4.7' _LT_DECL(, macro_version, 0, Which release of libtool.m4 was used?) _LT_DECL(, macro_revision, 0) )
View file
_service:tar_scm:audit-3.0.1.tar.gz/m4/lt~obsolete.m4 -> _service:tar_scm:audit-3.0.9.tar.gz/m4/lt~obsolete.m4
Changed
@@ -1,7 +1,7 @@ # lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*- # -# Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software -# Foundation, Inc. +# Copyright (C) 2004-2005, 2007, 2009, 2011-2019, 2021-2022 Free +# Software Foundation, Inc. # Written by Scott James Remnant, 2004. # # This file is free software; the Free Software Foundation gives
View file
_service:tar_scm:audit-3.0.1.tar.gz/missing -> _service:tar_scm:audit-3.0.9.tar.gz/missing
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2020 Free Software Foundation, Inc. +# Copyright (C) 1996-2021 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <pinard@iro.umontreal.ca>, 1996. # This program is free software; you can redistribute it and/or modify
View file
_service:tar_scm:audit-3.0.1.tar.gz/py-compile -> _service:tar_scm:audit-3.0.9.tar.gz/py-compile
Changed
@@ -1,9 +1,9 @@ #!/bin/sh # py-compile - Compile a Python program -scriptversion=2020-02-19.23; # UTC +scriptversion=2021-02-27.01; # UTC -# Copyright (C) 2000-2020 Free Software Foundation, Inc. +# Copyright (C) 2000-2021 Free Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -27,7 +27,7 @@ # bugs to <bug-automake@gnu.org> or send patches to # <automake-patches@gnu.org>. -if -z "$PYTHON" ; then +if test -z "$PYTHON"; then PYTHON=python fi @@ -96,26 +96,26 @@ files=$* if test -z "$files"; then - usage_error "no files given" + usage_error "no files given" fi # if basedir was given, then it should be prepended to filenames before # byte compilation. -if -z "$basedir" ; then - pathtrans="path = file" +if test -z "$basedir"; then + pathtrans="path = file" else - pathtrans="path = os.path.join('$basedir', file)" + pathtrans="path = os.path.join('$basedir', file)" fi # if destdir was given, then it needs to be prepended to the filename to # byte compile but not go into the compiled file. -if -z "$destdir" ; then - filetrans="filepath = path" +if test -z "$destdir"; then + filetrans="filepath = path" else - filetrans="filepath = os.path.normpath('$destdir' + os.sep + path)" + filetrans="filepath = os.path.normpath('$destdir' + os.sep + path)" fi -python_major=$($PYTHON -V 2>&1 | sed -e 's/.* //;s/\..*$//;1q') +python_major=`$PYTHON -V 2>&1 | sed -e 's/.* //;s/\..*$//;1q'` if test -z "$python_major"; then echo "$me: could not determine $PYTHON major version, guessing 3" >&2 python_major=3 @@ -176,7 +176,7 @@ py_compile.compile(filepath, $import_call(filepath$import_arg2), path) else: py_compile.compile(filepath, filepath + 'o', path) -sys.stdout.write('\n')" 2>/dev/null || : +sys.stdout.write('\n')" 2>/dev/null || exit $? # Local Variables: # mode: shell-script
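Review bot: In the last hunk "|| :" becomes "|| exit $?" while the "2>/dev/null" in front of it stays, so a byte-compilation failure now stops the install with a non-zero status but prints nothing about the cause. Drop the stderr redirect or emit a "$me: ..." message before exiting. Separately, $basedir and $destdir are still pasted into the generated Python source between single quotes, as in "os.path.join('$basedir', file)", so a path containing a quote changes the program that runs; passing both values through the environment or sys.argv would avoid that.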
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/23-ignore-filesystems.rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/23-ignore-filesystems.rules
Changed
@@ -1,4 +1,4 @@ -# This rule supresses events that originate on the below file systems. +# This rule suppresses events that originate on the below file systems. # Typically you would use this in conjunction with rules to monitor # kernel modules. The filesystem listed are known to cause hundreds of # path records during kernel module load. As an aside, if you do see the
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/30-nispom.rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/30-nispom.rules
Changed
@@ -1,4 +1,4 @@ -## This file contains the a sample audit configuration intended to +## This file contains a sample audit configuration intended to ## meet the NISPOM Chapter 8 rules. This rule depends on having ## 10-base-config.rules & 99-finalize.rules installed. @@ -47,10 +47,10 @@ -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=creation ## unsuccessful open --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F key=open --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F key=open +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F key=open +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F key=open +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F key=open +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F key=open ## unsuccessful close -a always,exit -F arch=b32 -S close -F exit=-EIO -F key=close
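Review bot: The four "unsuccessful open" rules now name openat2 on the arch=b32 lines as well as the arch=b64 lines, and a rule is rejected at load time when a listed syscall name cannot be resolved for its arch. Check that the syscall tables shipped with this version resolve openat2 for every arch these samples are installed on, 32-bit included, and add a comment line saying that openat2 has to be removed where the kernel or the tables lack it.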
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/30-ospp-v42-3-access-failed.rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/30-ospp-v42-3-access-failed.rules
Changed
@@ -1,5 +1,5 @@ ## Unsuccessful file access (any other opens) This has to go last. --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/30-ospp-v42-3-access-success.rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/30-ospp-v42-3-access-success.rules
Changed
@@ -1,4 +1,4 @@ ## Successful file access (any other opens) This has to go last. ## These next two are likely to result in a whole lot of events --a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access --a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access +-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/30-ospp-v42.rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/30-ospp-v42.rules
Changed
@@ -54,6 +54,7 @@ -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ## Privilege escalation via su or sudo. This is entirely handled by pam.
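Review bot: The added watch on /usr/sbin/grub2-set-bootflag joins the special-config-changes group next to passwd, crontab and at, but nothing in the file says why this binary belongs there. A one-line comment above it, stating what the tool changes and why execution by auid>=1000 is worth recording, would help whoever ports these rules to a distribution that ships the tool under another path or not at all.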
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/30-pci-dss-v31.rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/30-pci-dss-v31.rules
Changed
@@ -8,7 +8,7 @@ ## 3) It is also assumed that 1000 represents the first usable user account. To ## be sure, look at UID_MIN in /etc/login.defs. ## 4) If these rules generate too much spurious data for your tastes, limit the -## the syscall file rules with a directory, like -F dir=/etc +## syscall file rules with a directory, like -F dir=/etc ## 5) You can search for the results on the key fields in the rules ## @@ -92,7 +92,7 @@ ## logs off the system to assure that there is an unaltered copy. ## 10.5.1 Limit viewing of audit trails to those with a job-related need. -## The audit daemon by default limits viewing of the auit trail to root. +## The audit daemon by default limits viewing of the audit trail to root. ## If someone that is not an admin has a job related need to see logs, then ## create a unique group for people with this need and set the log_group ## configuration item in auditd.conf
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/30-stig.rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/30-stig.rules
Changed
@@ -8,7 +8,7 @@ ## 3) It is also assumed that 1000 represents the first usable user account. To ## be sure, look at UID_MIN in /etc/login.defs. ## 4) If these rules generate too much spurious data for your tastes, limit the -## the syscall file rules with a directory, like -F dir=/etc +## syscall file rules with a directory, like -F dir=/etc ## 5) You can search for the results on the key fields in the rules ## ## @@ -100,10 +100,10 @@ -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod ##- Unauthorized access attempts to files (unsuccessful) --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access --a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access +-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access ##- Use of print command (unsuccessful and successful)
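Review bot: The arch=b32 rules list "open,creat,truncate,ftruncate,openat,openat2,open_by_handle_at" while the arch=b64 rules list "open,truncate,ftruncate,creat,openat,openat2,open_by_handle_at". The sets are the same, but the differing order makes it easy to miss a syscall the next time these lists are edited. Use one order for both arches while these four lines are being touched anyway.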
View file
_service:tar_scm:audit-3.0.9.tar.gz/rules/44-installers.rules
Added
@@ -0,0 +1,9 @@ +# These rules watch for invocation of things known to install software + +-a always,exit -F perm=x -F path=/usr/bin/dnf-3 -F key=software-installer +-a always,exit -F perm=x -F path=/usr/bin/yum -F key=software-installer +-a always,exit -F perm=x -F path=/usr/bin/pip -F key=software-installer +-a always,exit -F perm=x -F path=/usr/bin/npm -F key=software-installer +-a always,exit -F perm=x -F path=/usr/bin/cpan -F key=software-installer +-a always,exit -F perm=x -F path=/usr/bin/gem -F key=software-installer +-a always,exit -F perm=x -F path=/usr/bin/luarocks -F key=software-installer
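Review bot: Each rule matches one hard-coded executable path (/usr/bin/dnf-3, /usr/bin/yum, /usr/bin/pip and so on), so the software-installer key only fires for those exact files, and the header comment should say that the list must be adjusted per distribution. Versioned names such as pip3, and rpm itself, are not listed. Unlike the ospp rules changed in this revision there is also no "-F auid>=1000 -F auid!=unset" filter, so runs started by root or by daemons are recorded too; state in the comment whether that is intended.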
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/71-networking.rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/71-networking.rules
Changed
@@ -1,3 +1,3 @@ -## This is to check if the system is making or recieving connections +## This is to check if the system is making or receiving connections ## externally -a always,exit -F arch=b64 -S accept,connect -F key=external-access
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/rules/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -37,6 +38,7 @@ 30-ospp-v42-6-owner-change-success.rules \ 31-privileged.rules 32-power-abuse.rules \ 40-local.rules 41-containers.rules 42-injection.rules 43-module-load.rules \ +44-installers.rules \ 70-einval.rules 71-networking.rules \ 99-finalize.rules README-rules
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/rules/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -196,6 +197,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -207,8 +210,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -264,6 +269,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -317,6 +323,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -346,6 +353,7 @@ 30-ospp-v42-6-owner-change-success.rules \ 31-privileged.rules 32-power-abuse.rules \ 40-local.rules 41-containers.rules 42-injection.rules 43-module-load.rules \ +44-installers.rules \ 70-einval.rules 71-networking.rules \ 99-finalize.rules README-rules 
@@ -416,7 +424,6 @@ cscope cscopelist: - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/rules/README-rules -> _service:tar_scm:audit-3.0.9.tar.gz/rules/README-rules
Changed
@@ -20,7 +20,10 @@ that should be thought out and individual files copied to /etc/audit/rules.d/ For example, if you wanted to set a system up in the STIG configuration, copy rules 10-base-config, 30-stig, 31-privileged, and 99-finalize. You can add -more if you like. +more if you like. Also, not all arches have the same syscalls. It is expected +that the rules be fine tuned for the arch they are deployed on. For example, +aarch64 does not have the open syscall. It should just be deleted from the +rules. Once you have the rules in the rules.d directory, you can load them by running augenrules --load
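Review bot: The new paragraph tells the deployer to delete open on aarch64 but does not say what happens if the rule is left as shipped, and the sample rules changed in this same revision still list open on their arch=b64 lines. Add a sentence on what auditctl does with a syscall name the arch lacks, and name the rule files that need the edit, so the tuning step is not discovered only when the rules fail to load.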
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/src/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> 
@@ -24,31 +25,30 @@ SUBDIRS = test AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src/libev -I${top_srcdir}/auparse -I${top_srcdir}/audisp -I${top_srcdir}/common sbin_PROGRAMS = auditd auditctl aureport ausearch autrace -AM_CFLAGS = -D_GNU_SOURCE -Wno-pointer-sign +AM_CFLAGS = -D_GNU_SOURCE -Wno-pointer-sign ${WFLAGS} noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h auditctl-listing.h ausearch-checkpt.h auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c if ENABLE_LISTENER auditd_SOURCES += auditd-listen.c endif -auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread -Wno-pointer-sign +auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread -Wno-pointer-sign ${WFLAGS} auditd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -auditd_DEPENDENCIES = libev/libev.a ${top_builddir}/audisp/libdisp.a -auditd_LDADD = @LIBWRAP_LIBS@ -Llibev -lev -L${top_builddir}/audisp -ldisp -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -lpthread -lrt -lm $(gss_libs) -L${top_builddir}/common -laucommon +auditd_LDADD = @LIBWRAP_LIBS@ ${top_builddir}/src/libev/libev.la ${top_builddir}/audisp/libdisp.la ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la -lpthread -lm $(gss_libs) ${top_builddir}/common/libaucommon.la auditctl_SOURCES = auditctl.c auditctl-llist.c delete_all.c auditctl-listing.c -auditctl_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE +auditctl_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE ${WFLAGS} auditctl_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -auditctl_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common 
-laucommon +auditctl_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la aureport_SOURCES = aureport.c auditd-config.c ausearch-llist.c aureport-options.c ausearch-string.c ausearch-parse.c aureport-scan.c aureport-output.c ausearch-lookup.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-avc.c ausearch-lol.c -aureport_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +aureport_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la ausearch_SOURCES = ausearch.c auditd-config.c ausearch-llist.c ausearch-options.c ausearch-report.c ausearch-match.c ausearch-string.c ausearch-parse.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-lookup.c ausearch-avc.c ausearch-lol.c ausearch-checkpt.c -ausearch_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +ausearch_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la autrace_SOURCES = autrace.c delete_all.c auditctl-llist.c -autrace_LDADD = -L${top_builddir}/lib -laudit +autrace_LDADD = ${top_builddir}/lib/libaudit.la libev/libev.a: make -C libev
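Review bot: auditd now links ${top_builddir}/src/libev/libev.la and the auditd_DEPENDENCIES line is removed, yet the "libev/libev.a: make -C libev" rule is still present as context at the end of the hunk; if nothing references libev.a any more, remove the rule with it. The new auditd_LDADD also drops -lrt without a mention, so confirm nothing in auditd still needs it on the oldest supported C library. Separately, only auditd and auditctl carry "-fPIE ... -pie -Wl,-z,relro -Wl,-z,now" in the lines shown; aureport, ausearch and autrace, which parse log input, get none of these here.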
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/src/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -29,8 +29,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -136,7 +137,9 @@ auditctl-delete_all.$(OBJEXT) \ auditctl-auditctl-listing.$(OBJEXT) auditctl_OBJECTS = $(am_auditctl_OBJECTS) -auditctl_DEPENDENCIES = +auditctl_DEPENDENCIES = ${top_builddir}/lib/libaudit.la \ + ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/common/libaucommon.la AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -155,6 +158,11 @@ auditd-auditd-dispatch.$(OBJEXT) $(am__objects_1) auditd_OBJECTS = $(am_auditd_OBJECTS) am__DEPENDENCIES_1 = +auditd_DEPENDENCIES = ${top_builddir}/src/libev/libev.la \ + ${top_builddir}/audisp/libdisp.la \ + ${top_builddir}/lib/libaudit.la \ + ${top_builddir}/auparse/libauparse.la $(am__DEPENDENCIES_1) \ + ${top_builddir}/common/libaucommon.la auditd_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(auditd_CFLAGS) $(CFLAGS) \ $(auditd_LDFLAGS) $(LDFLAGS) -o $@ 
@@ -166,7 +174,9 @@ ausearch-time.$(OBJEXT) ausearch-nvpair.$(OBJEXT) \ ausearch-avc.$(OBJEXT) ausearch-lol.$(OBJEXT) aureport_OBJECTS = $(am_aureport_OBJECTS) -aureport_DEPENDENCIES = +aureport_DEPENDENCIES = ${top_builddir}/lib/libaudit.la \ + ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/common/libaucommon.la am_ausearch_OBJECTS = ausearch.$(OBJEXT) auditd-config.$(OBJEXT) \ ausearch-llist.$(OBJEXT) ausearch-options.$(OBJEXT) \ ausearch-report.$(OBJEXT) ausearch-match.$(OBJEXT) \ @@ -176,11 +186,13 @@ ausearch-avc.$(OBJEXT) ausearch-lol.$(OBJEXT) \ ausearch-checkpt.$(OBJEXT) ausearch_OBJECTS = $(am_ausearch_OBJECTS) -ausearch_DEPENDENCIES = +ausearch_DEPENDENCIES = ${top_builddir}/lib/libaudit.la \ + ${top_builddir}/auparse/libauparse.la \ + ${top_builddir}/common/libaucommon.la am_autrace_OBJECTS = autrace.$(OBJEXT) delete_all.$(OBJEXT) \ auditctl-llist.$(OBJEXT) autrace_OBJECTS = $(am_autrace_OBJECTS) -autrace_DEPENDENCIES = +autrace_DEPENDENCIES = ${top_builddir}/lib/libaudit.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -280,8 +292,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -330,6 +340,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -341,8 +353,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ 
@@ -398,6 +412,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -451,6 +466,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -467,25 +483,24 @@ CONFIG_CLEAN_FILES = *.rej *.orig SUBDIRS = test AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src/libev -I${top_srcdir}/auparse -I${top_srcdir}/audisp -I${top_srcdir}/common -AM_CFLAGS = -D_GNU_SOURCE -Wno-pointer-sign +AM_CFLAGS = -D_GNU_SOURCE -Wno-pointer-sign ${WFLAGS} noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h auditctl-listing.h ausearch-checkpt.h auditd_SOURCES = auditd.c auditd-event.c auditd-config.c \ auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c \ $(am__append_1) -auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread -Wno-pointer-sign +auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pthread -Wno-pointer-sign ${WFLAGS} auditd_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -auditd_DEPENDENCIES = libev/libev.a ${top_builddir}/audisp/libdisp.a -auditd_LDADD = @LIBWRAP_LIBS@ -Llibev -lev -L${top_builddir}/audisp -ldisp -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -lpthread -lrt -lm $(gss_libs) -L${top_builddir}/common -laucommon +auditd_LDADD = @LIBWRAP_LIBS@ ${top_builddir}/src/libev/libev.la ${top_builddir}/audisp/libdisp.la ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la -lpthread -lm $(gss_libs) ${top_builddir}/common/libaucommon.la auditctl_SOURCES = auditctl.c auditctl-llist.c delete_all.c auditctl-listing.c -auditctl_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE +auditctl_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE ${WFLAGS} auditctl_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now -auditctl_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +auditctl_LDADD = ${top_builddir}/lib/libaudit.la 
${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la aureport_SOURCES = aureport.c auditd-config.c ausearch-llist.c aureport-options.c ausearch-string.c ausearch-parse.c aureport-scan.c aureport-output.c ausearch-lookup.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-avc.c ausearch-lol.c -aureport_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +aureport_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la ausearch_SOURCES = ausearch.c auditd-config.c ausearch-llist.c ausearch-options.c ausearch-report.c ausearch-match.c ausearch-string.c ausearch-parse.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-lookup.c ausearch-avc.c ausearch-lol.c ausearch-checkpt.c -ausearch_LDADD = -L${top_builddir}/lib -laudit -L${top_builddir}/auparse -lauparse -L${top_builddir}/common -laucommon +ausearch_LDADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/auparse/libauparse.la ${top_builddir}/common/libaucommon.la autrace_SOURCES = autrace.c delete_all.c auditctl-llist.c -autrace_LDADD = -L${top_builddir}/lib -laudit +autrace_LDADD = ${top_builddir}/lib/libaudit.la all: all-recursive .SUFFIXES: @@ -914,7 +929,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/auditctl-listing.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/auditctl-listing.c
Changed
@@ -1,20 +1,20 @@ -/* auditctl-listing.c -- - * Copyright 2014,16 Red Hat Inc., Durham, North Carolina. +/* auditctl-listing.c -- + * Copyright 2014,16,2021 Red Hat Inc. * All Rights Reserved. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, + * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, write to the Free Software + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor * Boston, MA 02110-1335, USA. * * Authors: @@ -122,7 +122,7 @@ else printf(" -F arch%sb32", audit_operator_to_symbol(op)); - } else { + } else { const char *ptr = audit_machine_to_name(machine); printf(" -F arch%s%s", audit_operator_to_symbol(op), ptr); 
@@ -398,7 +398,7 @@ printf(" -F perm=%s", perms); } else if (field == AUDIT_INODE) { // This is unsigned - printf(" -F %s%s%u", name, + printf(" -F %s%s%u", name, audit_operator_to_symbol(op), r->valuesi); } else if (field == AUDIT_FIELD_COMPARE) { @@ -411,7 +411,7 @@ // Show these as hex if (count > 1 || interpret == 0) - printf(" -F %s%s0x%X", name, + printf(" -F %s%s0x%X", name, audit_operator_to_symbol(op), r->valuesi); else { // Use ignore to mean interpret @@ -460,14 +460,23 @@ audit_operator_to_symbol(op), audit_fstype_to_name( r->valuesi)); + } else if (field == AUDIT_LOGINUID || + field == AUDIT_SESSIONID) { + if (r->valuesi == -1 && interpret) + printf(" -F %s%sunset", name, + audit_operator_to_symbol(op)); + else + printf(" -F %s%s%d", name, + audit_operator_to_symbol(op), + r->valuesi); } else { // The default is signed decimal - printf(" -F %s%s%d", name, + printf(" -F %s%s%d", name, audit_operator_to_symbol(op), r->valuesi); } } else { - // The field name is unknown + // The field name is unknown printf(" f%d%s%d", r->fieldsi, audit_operator_to_symbol(op), r->valuesi); @@ -576,7 +585,7 @@ #endif printed = 1; break; -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 case AUDIT_GET_FEATURE: { uint32_t mask = AUDIT_FEATURE_TO_MASK( @@ -599,7 +608,7 @@ printed = 1; return 1; default: - printf("Unknown: type=%d, len=%d\n", rep->type, + printf("Unknown: type=%d, len=%d\n", rep->type, rep->nlh->nlmsg_len); printed = 1; break;
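Review bot: The header rewrite switches this file from the GNU General Public License text to the Lesser GPL wording ("This library is free software") although it is a source file of the auditctl program, and the new paragraph still reads "write to the Free Software * Free Software Foundation, Inc." with the words doubled. Confirm the relicensing is intended and fix the duplicated line. In the new AUDIT_LOGINUID / AUDIT_SESSIONID branch, "unset" is printed only when interpret is set; the other path prints the value with %d, so an unset id is listed as -1, and a short comment saying why signed output is wanted there would help.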
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/auditctl.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/auditctl.c
Changed
@@ -110,7 +110,7 @@ " -C f=f Compare collected fields if available:\n" " Field name, operator(=,!=), field name\n" " -d <l,a> Delete rule from <l>ist with <a>ction\n" - " l=task,exit,user,exclude\n" + " l=task,exit,user,exclude,filesystem\n" " a=never,always\n" " -D Delete all rules and watches\n" " -e 0..2 Set enabled flag\n" @@ -130,12 +130,12 @@ " -R <file> read rules from file\n" " -s Report status\n" " -S syscall Build rule: syscall name or number\n" - " --signal <signal> Send the specified signal to the daemon" + " --signal <signal> Send the specified signal to the daemon\n" " -t Trim directory watches\n" " -v Version\n" " -w <path> Insert watch at <path>\n" " -W <path> Remove watch at <path>\n" -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 " --loginuid-immutable Make loginuids unchangeable once set\n" #endif #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \ @@ -153,30 +153,30 @@ static int lookup_filter(const char *str, int *filter) { - if (strcmp(str, "task") == 0) - *filter = AUDIT_FILTER_TASK; - else if (strcmp(str, "exit") == 0) + if (strcmp(str, "exit") == 0) *filter = AUDIT_FILTER_EXIT; + else if (strcmp(str, "task") == 0) + *filter = AUDIT_FILTER_TASK; else if (strcmp(str, "user") == 0) *filter = AUDIT_FILTER_USER; - else if (strcmp(str, "filesystem") == 0) - *filter = AUDIT_FILTER_FS; else if (strcmp(str, "exclude") == 0) { *filter = AUDIT_FILTER_EXCLUDE; exclude = 1; - } else + } else if (strcmp(str, "filesystem") == 0) + *filter = AUDIT_FILTER_FS; + else return 2; return 0; } static int lookup_action(const char *str, int *act) { - if (strcmp(str, "never") == 0) + if (strcmp(str, "always") == 0) + *act = AUDIT_ALWAYS; + else if (strcmp(str, "never") == 0) *act = AUDIT_NEVER; else if (strcmp(str, "possible") == 0) return 1; - else if (strcmp(str, "always") == 0) - *act = AUDIT_ALWAYS; else return 2; return 0; 
@@ -200,8 +200,8 @@ *p = 0; /* Try opt both ways */ - if (lookup_filter(opt, filter) == 2) { - rc = lookup_action(opt, act); + if (lookup_action(opt, act) == 2) { + rc = lookup_filter(opt, filter); if (rc != 0) { *p = ','; return rc; @@ -368,7 +368,7 @@ return 0; } -static void check_rule_mismatch(int lineno, const char *option) +static int check_rule_mismatch(int lineno, const char *option) { struct audit_rule_data tmprule; unsigned int old_audit_elf = _audit_elf; @@ -386,17 +386,28 @@ _audit_elf = AUDIT_ARCH_S390; break; } + + char *ptr, *saved, *tmp = strdup(option); + if (tmp == NULL) + return -1; + ptr = strtok_r(tmp, ",", &saved); memset(&tmprule, 0, sizeof(struct audit_rule_data)); - audit_rule_syscallbyname_data(&tmprule, option); + while (ptr) { + audit_rule_syscallbyname_data(&tmprule, ptr); + ptr = strtok_r(NULL, ",", &saved); + } if (memcmp(tmprule.mask, rule_new->mask, AUDIT_BITMASK_SIZE)) rc = 1; + free(tmp); + _audit_elf = old_audit_elf; - if (rc) { + if (rc) { if (lineno) audit_msg(LOG_WARNING, "WARNING - 32/64 bit syscall mismatch in line %d, you should specify an arch", lineno); else audit_msg(LOG_WARNING, "WARNING - 32/64 bit syscall mismatch, you should specify an arch"); } + return 0; } @@ -532,7 +543,7 @@ static struct option long_opts = { -#if defined(HAVE_DECL_AUDIT_FEATURE_VERSION) +#if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 {"loginuid-immutable", 0, NULL, 1}, #endif #if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \ @@ -824,7 +835,8 @@ case 0: _audit_syscalladded = 1; if (unknown_arch && add != AUDIT_FILTER_UNSET) - check_rule_mismatch(lineno, optarg); + if (check_rule_mismatch(lineno, optarg) == -1) + retval = -1; break; case -1: audit_msg(LOG_ERR, "Syscall name unknown: %s", @@ -1008,7 +1020,7 @@ } break; case 'p': - if (!add && !del) { + if (add == AUDIT_FILTER_UNSET && del == AUDIT_FILTER_UNSET) { audit_msg(LOG_ERR, "permission option needs a watch given prior to it"); retval = -1;
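Review bot: in check_rule_mismatch(), the new early exit `if (tmp == NULL) return -1;` sits after the switch that overwrites `_audit_elf` but before `_audit_elf = old_audit_elf;`, so a failed strdup() leaves the global arch set to the temporary value for the rest of rule parsing. Restore `_audit_elf` before returning, or do the strdup() ahead of the switch. In the caller, the nested `if (unknown_arch && add != AUDIT_FILTER_UNSET)` followed by `if (check_rule_mismatch(lineno, optarg) == -1)` would be safer with braces or as one combined condition.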
_service:tar_scm:audit-3.0.1.tar.gz/src/auditd-config.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/auditd-config.c
Changed
@@ -1,5 +1,5 @@ /* auditd-config.c -- - * Copyright 2004-2011,2013-14,2016,2018 Red Hat Inc., Durham, North Carolina. + * Copyright 2004-2011,2013-14,2016,2018,2020-21 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -18,7 +18,7 @@ * * Authors: * Steve Grubb <sgrubb@redhat.com> - * + * */ #include "config.h" @@ -347,7 +347,7 @@ config->krb5_principal = NULL; config->krb5_key_file = NULL; config->distribute_network_events = 0; - config->q_depth = 400; + config->q_depth = 2000; config->overflow_action = O_SYSLOG; config->max_restarts = 10; config->plugin_dir = strdup("/etc/audit/plugins.d"); @@ -1768,7 +1768,9 @@ if (i > 99999) { audit_msg(LOG_ERR, "q_depth must be 99999 or less"); return 1; - } + } else if (i < 512) + audit_msg(LOG_WARNING, + "q_depth should be larger than 512 for safety margin"); config->q_depth = i; return 0; } @@ -1948,6 +1950,21 @@ "Error - incremental flushing chosen, but 0 selected for freq"); return 1; } + if (config->log_group != 0) { + int rc = 0; + char *path = strdup(config->log_file); + const char *dir = dirname(path); + if (dir && strcmp(dir, "/var/log") == 0) { + audit_msg(LOG_ERR, + "Error - log_file is directly in %s and chgrp" + " will alter a system directory's permissions. Use" + " another directory.", dir); + rc = 1; + } + free(path); + if (rc) + return rc; + } /* Warnings */ if (config->flush > FT_INCREMENTAL_ASYNC && config->freq != 0) { audit_msg(LOG_WARNING, @@ -2016,8 +2033,13 @@ audit_msg(LOG_ERR, "Unable to get machine name"); rc = -1; - } else + } else { + // Remove any spaces + char *p; + while ((p = strchr(tmp_name, ' '))) + *p = '_'; config->node_name = strdup(tmp_name); + } break; case N_USER: if (config->node_name == NULL) {
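Review bot: the new log_group check compares `dirname(path)` to the literal "/var/log" with strcmp(), so a log_file written with a doubled slash inside the directory part, or one that reaches the same directory through a symlink, is not recognised and the group change would still be applied to the system directory. Resolving the directory (for example with realpath()) before comparing would make the check match what it is meant to protect. The `strdup(config->log_file)` result is also passed to dirname() without a NULL check, so an allocation failure silently skips the test instead of reporting an error.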
_service:tar_scm:audit-3.0.1.tar.gz/src/auditd-event.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/auditd-event.c
Changed
@@ -1,5 +1,5 @@ -/* auditd-event.c -- - * Copyright 2004-08,2011,2013,2015-16,2018 Red Hat Inc.,Durham, North Carolina. +/* auditd-event.c -- + * Copyright 2004-08,2011,2013,2015-16,2018,2021 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -42,6 +42,7 @@ #include "libaudit.h" #include "private.h" #include "auparse.h" +#include "auparse-idata.h" /* This is defined in auditd.c */ extern volatile int stop; @@ -56,7 +57,7 @@ static void do_disk_full_action(void); static void do_disk_error_action(const char *func, int err); static void fix_disk_permissions(void); -static void check_excess_logs(void); +static void check_excess_logs(void); static void rotate_logs_now(void); static void rotate_logs(unsigned int num_logs, unsigned int keep_logs); static void shift_logs(void); @@ -70,7 +71,7 @@ /* Local Data */ static struct daemon_conf *config; static volatile int log_fd; -static FILE *log_file; +static FILE *log_file = NULL; static unsigned int disk_err_warning = 0; static int fs_space_warning = 0; static int fs_admin_space_warning = 0; @@ -117,7 +118,7 @@ config->space_left); fprintf(f, "admin_space_left setting %lu MB\n", config->admin_space_left); - } + } fprintf(f, "logging suspended = %s\n", logging_suspended ? "yes" : "no"); fprintf(f, "file system space action performed = %s\n", @@ -131,17 +132,14 @@ void shutdown_events(void) { - /* Give it 5 seconds to clear the queue */ - alarm(5); - - // Nudge the flush thread - pthread_cond_signal(&do_flush); - pthread_join(flush_thread, NULL); - + // We are no longer processing events, sync the disk and close up. + pthread_cancel(flush_thread); free((void *)format_buf); + auparse_destroy_ext(au, AUPARSE_DESTROY_ALL); + if (log_fd >= 0) + fsync(log_fd); if (log_file) fclose(log_file); - auparse_destroy_ext(au, AUPARSE_DESTROY_ALL); } int init_event(struct daemon_conf *conf) 
@@ -160,8 +158,8 @@ log_fd = 1; // stdout log_file = fdopen(log_fd, "a"); if (log_file == NULL) { - audit_msg(LOG_ERR, - "Error setting up stdout descriptor (%s)", + audit_msg(LOG_ERR, + "Error setting up stdout descriptor (%s)", strerror(errno)); return 1; } @@ -177,7 +175,8 @@ format_buf = (char *)malloc(FORMAT_BUF_LEN); if (format_buf == NULL) { audit_msg(LOG_ERR, "No memory for formatting, exiting"); - fclose(log_file); + if (log_file) + fclose(log_file); log_file = NULL; return 1; } @@ -193,11 +192,12 @@ /* This is a worker thread. Don't handle signals. */ sigemptyset(&sigs); - sigaddset(&sigs, SIGALRM); sigaddset(&sigs, SIGTERM); sigaddset(&sigs, SIGHUP); sigaddset(&sigs, SIGUSR1); sigaddset(&sigs, SIGUSR2); + sigaddset(&sigs, SIGCHLD); + sigaddset(&sigs, SIGCONT); pthread_sigmask(SIG_SETMASK, &sigs, NULL); while (!stop) { @@ -208,13 +208,16 @@ // into a loop of fsyncs. while (flush == 0) { pthread_cond_wait(&do_flush, &flush_lock); - if (stop) + if (stop) { + pthread_mutex_unlock(&flush_lock); return NULL; + } } flush = 0; pthread_mutex_unlock(&flush_lock); - fsync(log_fd); + if (log_fd >= 0) + fsync(log_fd); } return NULL; } @@ -227,6 +230,7 @@ pthread_cond_init(&do_flush, NULL); flush = 0; pthread_create(&flush_thread, NULL, flush_thread_main, NULL); + pthread_detach(flush_thread); } static void replace_event_msg(struct auditd_event *e, const char *buf) @@ -238,7 +242,8 @@ e->reply.message = strdup(buf); else { // If too big, we must truncate the event due to API - e->reply.message = strndup(buf, MAX_AUDIT_MESSAGE_LENGTH-1); + e->reply.message = strndup(buf, + MAX_AUDIT_MESSAGE_LENGTH-1); len = MAX_AUDIT_MESSAGE_LENGTH; } // For network originating events, len should be used @@ -263,7 +268,7 @@ "node=%s type=DAEMON_ERR op=format-raw msg=NULL res=failed", config->node_name); else - snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, + snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, "type=DAEMON_ERR op=format-raw msg=NULL res=failed"); } else { int len, nlen; 
@@ -271,7 +276,7 @@ char unknown32; type = audit_msg_type_to_name(rep->type); if (type == NULL) { - snprintf(unknown, sizeof(unknown), + snprintf(unknown, sizeof(unknown), "UNKNOWN%d", rep->type); type = unknown; } @@ -283,7 +288,7 @@ len = rep->len; } - // Note: This can truncate messages if + // Note: This can truncate messages if // MAX_AUDIT_MESSAGE_LENGTH is too small if (config->node_name_format != N_NONE) nlen = snprintf(format_buf, FORMAT_BUF_LEN - 32, @@ -295,9 +300,9 @@ "type=%s msg=%.*s", type, len, message); /* Replace \n with space so it looks nicer. */ - ptr = format_buf; + ptr = format_buf; while ((ptr = strchr(ptr, 0x0A)) != NULL) - *ptr = ' '; + *ptr = ' '; /* Trim trailing space off since it wastes space */ if (format_bufnlen-1 == ' ') @@ -339,7 +344,7 @@ } field_namei = 0; nlen = i; - + // get the translated value value = auparse_interpret_field(au); if (value == NULL) @@ -393,10 +398,10 @@ "node=%s type=DAEMON_ERR op=format-enriched msg=NULL res=failed", config->node_name); else - snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, + snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH, "type=DAEMON_ERR op=format-enriched msg=NULL res=failed"); } else { - int rc; + int rc, rtype; size_t mlen, len; char *message; // Do raw format to get event started @@ -429,6 +434,17 @@
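Review bot: in shutdown_events(), `pthread_cancel(flush_thread)` is not followed by a join, and the thread is now detached in the hunk that creates it, so nothing guarantees the flush thread has stopped before `fclose(log_file)` runs; it can still be inside `fsync(log_fd)` while the descriptor is being closed. A thread cancelled inside `pthread_cond_wait()` also exits holding `flush_lock`, because no cleanup handler is pushed. Either keep the thread joinable and join it after the cancel, or add a comment explaining why this ordering is acceptable at shutdown.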
_service:tar_scm:audit-3.0.1.tar.gz/src/auditd-listen.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/auditd-listen.c
Changed
@@ -119,9 +119,9 @@ static char *sockaddr_to_addr(struct sockaddr_storage *addr) { - static char buf40; + static char buf64; - snprintf(buf, sizeof(buf), "%s:%u", + snprintf(buf, sizeof(buf), "%52s:%u", sockaddr_to_string(addr), sockaddr_to_port(addr)); return buf; @@ -321,14 +321,16 @@ gss_failure_2(msg, minor_status, GSS_C_MECH_CODE); } -#define KCHECK(x,f) if (x) { \ +#define KCHECK(x,f, k) if (x) { \ const char *kstr = krb5_get_error_message(kcontext, x); \ audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ krb5_free_error_message(kcontext, kstr); \ + krb5_free_context(k); k = NULL; \ return -1; } /* These are our private credentials, which come from a key file on our server. They are aquired once, at program start. */ +static krb5_context kcontext = NULL; static int server_acquire_creds(const char *service_name, gss_cred_id_t *lserver_creds) { @@ -336,7 +338,6 @@ gss_name_t server_name; OM_uint32 major_status, minor_status; - krb5_context kcontext = NULL; int krberr; my_service_name = strdup(service_name); @@ -363,9 +364,9 @@ (void) gss_release_name(&minor_status, &server_name); krberr = krb5_init_context(&kcontext); - KCHECK (krberr, "krb5_init_context"); + KCHECK (krberr, "krb5_init_context", kcontext); krberr = krb5_get_default_realm(kcontext, &my_gss_realm); - KCHECK (krberr, "krb5_get_default_realm"); + KCHECK (krberr, "krb5_get_default_realm", kcontext); audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name); @@ -413,10 +414,9 @@ GSS_C_NO_CHANNEL_BINDINGS, &client, NULL, &send_tok, &sess_flags, NULL, NULL); - if (recv_tok.value) { - free(recv_tok.value); - recv_tok.value = NULL; - } + if (recv_tok.value) + gss_release_buffer(&min_stat, &recv_tok); + if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED) { gss_release_buffer(&min_stat, &send_tok); 
@@ -440,6 +440,7 @@ if (*context != GSS_C_NO_CONTEXT) gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); + gss_release_name(&min_stat, &client); return -1; } gss_release_buffer(&min_stat, &send_tok); @@ -454,14 +455,22 @@ return -1; } - audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", - (char *)recv_tok.value); - io->remote_name = strdup(recv_tok.value); - io->remote_name_len = strlen(recv_tok.value); + if (asprintf(&io->remote_name, "%.*s", (int)recv_tok.length, + (char *)recv_tok.value) < 0) { + io->remote_name = strdup("?"); + io->remote_name_len = 1; + } else + io->remote_name_len = recv_tok.length; + + audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s", + io->remote_name); gss_release_buffer(&min_stat, &recv_tok); - slashptr = strchr(io->remote_name, '/'); - atptr = strchr(io->remote_name, '@'); + if (io->remote_name) { + slashptr = strchr(io->remote_name, '/'); + atptr = strchr(io->remote_name, '@'); + } else + slashptr = NULL; if (!slashptr || !atptr) { audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s", @@ -875,7 +884,7 @@ /* Make the client data structure */ client = (struct ev_tcp *)malloc (sizeof (struct ev_tcp)); if (client == NULL) { - audit_msg(LOG_CRIT, "Unable to allocate TCP client data"); + audit_msg(LOG_CRIT, "Unable to allocate TCP client data"); snprintf(emsg, sizeof(emsg), "op=alloc addr=%s port=%u res=no", sockaddr_to_string(&aaddr), @@ -970,7 +979,7 @@ hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; hints.ai_socktype = SOCK_STREAM; hints.ai_family = AF_UNSPEC; - snprintf(local, sizeof(local), "%lu", config->tcp_listen_port); + snprintf(local, sizeof(local), "%u", (unsigned)config->tcp_listen_port); rc = getaddrinfo(NULL, local, &hints, &ai); if (rc) { 
@@ -1003,11 +1012,11 @@ // we only need one. if (runp->ai_family == AF_INET && prefer_ipv6) goto next_try; - + listen_socketnlsocks = socket(runp->ai_family, runp->ai_socktype, runp->ai_protocol); if (listen_socketnlsocks < 0) { - audit_msg(LOG_ERR, "Cannot create %s listener socket", + audit_msg(LOG_ERR, "Cannot create %s listener socket", runp->ai_family == AF_INET ? "IPv4" : "IPv6"); goto next_try; } @@ -1027,7 +1036,7 @@ if (bind(listen_socketnlsocks, runp->ai_addr, runp->ai_addrlen)) { if (errno != EADDRINUSE) - audit_msg(LOG_ERR, + audit_msg(LOG_ERR, "Cannot bind listener socket to port %ld (%s)", config->tcp_listen_port, strerror(errno)); close(listen_socketnlsocks); @@ -1036,7 +1045,7 @@ } if (listen(listen_socketnlsocks, config->tcp_listen_queue)) { - audit_msg(LOG_ERR, "Unable to listen on %ld (%s)", + audit_msg(LOG_ERR, "Unable to listen on %ld (%s)", config->tcp_listen_port, strerror(errno)); close(listen_socketnlsocks); @@ -1138,6 +1147,8 @@ #ifdef USE_GSSAPI if (USE_GSS) { gss_release_cred(&status, &server_creds); + krb5_free_context(kcontext); + kcontext = NULL; free(my_service_name); my_service_name = NULL; }
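Review bot: in sockaddr_to_addr(), `"%52s:%u"` sets a minimum field width, so short addresses are left-padded with spaces to 52 characters and long ones are not shortened; if the intent was to cap the address so the port always fits in the enlarged buffer, the format needs a precision, `"%.52s:%u"`. Separately, the getaddrinfo() hunk now prints `config->tcp_listen_port` with `"%u"` and a cast, while the bind() and listen() error messages in the same function still use `%ld` for the same field; the specifiers should agree with the field's declared type.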
_service:tar_scm:audit-3.0.1.tar.gz/src/auditd-reconfig.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/auditd-reconfig.c
Changed
@@ -1,5 +1,5 @@ /* auditd-reconfig.c -- - * Copyright 2005 Red Hat Inc., Durham, North Carolina. + * Copyright 2005,2021 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -50,7 +50,7 @@ int start_config_manager(struct auditd_event *e) { int retval, rc = 0; - + retval = pthread_mutex_trylock(&config_lock); if (retval == 0) { pthread_attr_t detached; @@ -60,19 +60,19 @@ PTHREAD_CREATE_DETACHED); if (pthread_create(&config_thread, &detached, - config_thread_main, e) < 0) { - audit_msg(LOG_ERR, + config_thread_main, e) < 0) { + audit_msg(LOG_ERR, "Couldn't create config thread, no config changes"); free(e); pthread_mutex_unlock(&config_lock); - rc = 1; + rc = 1; } pthread_attr_destroy(&detached); } else { - audit_msg(LOG_ERR, + audit_msg(LOG_ERR, "Config thread already running, no config changes"); free(e); - rc = 1; + rc = 1; } return rc; } @@ -91,11 +91,11 @@ /* This is a worker thread. Don't handle signals. */ sigemptyset(&sigs); - sigaddset(&sigs, SIGALRM); sigaddset(&sigs, SIGTERM); sigaddset(&sigs, SIGHUP); sigaddset(&sigs, SIGUSR1); sigaddset(&sigs, SIGUSR2); + sigaddset(&sigs, SIGCHLD); sigaddset(&sigs, SIGCONT); pthread_sigmask(SIG_SETMASK, &sigs, NULL); @@ -104,10 +104,10 @@ new_config.sender_uid = e->reply.signal_info->uid; new_config.sender_pid = e->reply.signal_info->pid; if (e->reply.len > 24) - new_config.sender_ctx = + new_config.sender_ctx = strdup(e->reply.signal_info->ctx); else - new_config.sender_ctx = strdup("?"); + new_config.sender_ctx = strdup("?"); memcpy(e->reply.msg.data, &new_config, sizeof(new_config)); e->reply.conf = (struct daemon_conf *)e->reply.msg.data; e->reply.type = AUDIT_DAEMON_RECONFIG; @@ -125,6 +125,6 @@ } pthread_mutex_unlock(&config_lock); - return NULL; + return NULL; }
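Review bot: the re-indented `config_thread_main, e) < 0) {` line in start_config_manager() keeps a test that cannot fire. pthread_create() returns 0 on success and a positive error number on failure, never a negative value, so the branch that logs the error, frees `e` and unlocks `config_lock` is dead code and a failed thread creation leaves the lock held. Since the line is being touched anyway, change the comparison to `!= 0`.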
_service:tar_scm:audit-3.0.1.tar.gz/src/auditd.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/auditd.c
Changed
@@ -1,5 +1,5 @@ /* auditd.c -- - * Copyright 2004-09,2011,2013,2016-18 Red Hat Inc., Durham, North Carolina. + * Copyright 2004-09,2011,2013,2016-18,2021 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify @@ -79,7 +79,6 @@ /* Local function prototypes */ int send_audit_event(int type, const char *str); -static void close_down(void); static void clean_exit(void); static int get_reply(int fd, struct audit_reply *rep, int seq); static char *getsubj(char *subj); @@ -113,16 +112,9 @@ EV_STOP (); } -/* - * Used with sigalrm to force exit - */ -static void thread_killer( int sig ) -{ - exit(0); -} /* - * Used with sigalrm to force exit + * Used to reconfigure the daemon */ static void hup_handler( struct ev_loop *loop, struct ev_signal *sig, int revents ) { @@ -200,6 +192,7 @@ if (f == NULL) return; + fprintf(f, "audit version = %s\n", VERSION); time_t now = time(0); strftime(buf, sizeof(buf), "%x %X", localtime(&now)); fprintf(f, "current time = %s\n", buf); @@ -311,8 +304,9 @@ e->reply.type = type; if (seq_num == 0) { - srand(time(NULL)); - seq_num = rand()%10000; + // seq_num does not have to cryptographically secure + srandom(time(NULL)); + seq_num = random()%10000; } else seq_num++; // Write event into netlink area like normal events @@ -456,8 +450,10 @@ return -1; /* Success - die a happy death */ - if (status == SUCCESS) + if (status == SUCCESS) { + free_config(&config); _exit(0); + } return -1; } 
@@ -478,88 +474,97 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io, int revents) { - if (cur_event == NULL) { - if ((cur_event = malloc(sizeof(*cur_event))) == NULL) { - char emsgDEFAULT_BUF_SZ; - if (*subj) - snprintf(emsg, sizeof(emsg), + int rc = 1, cnt = 0; + + // Try to get all the events that are waiting but yield after 5 to + // let other handlers run. Five should cover PATH events. + // FIXME: backing down to 3 until IPC is faster + while (rc > 0 && cnt < 3) { + if (cur_event == NULL) { + if ((cur_event = malloc(sizeof(*cur_event))) == NULL) { + char emsgDEFAULT_BUF_SZ; + if (*subj) + snprintf(emsg, sizeof(emsg), "op=error-halt auid=%u pid=%d subj=%s res=failed", - audit_getloginuid(), getpid(), subj); - else - snprintf(emsg, sizeof(emsg), + audit_getloginuid(), + getpid(), subj); + else + snprintf(emsg, sizeof(emsg), "op=error-halt auid=%u pid=%d res=failed", - audit_getloginuid(), getpid()); - EV_STOP (); - send_audit_event(AUDIT_DAEMON_ABORT, emsg); - audit_msg(LOG_ERR, + audit_getloginuid(), + getpid()); + EV_STOP (); + send_audit_event(AUDIT_DAEMON_ABORT, emsg); + audit_msg(LOG_ERR, "Cannot allocate audit reply, exiting"); - close_down(); - if (pidfile) - unlink(pidfile); - shutdown_dispatcher(); - return; + shutdown_events(); + if (pidfile) + unlink(pidfile); + shutdown_dispatcher(); + return; + } + cur_event->ack_func = NULL; } - cur_event->ack_func = NULL; - } - if (audit_get_reply(fd, &cur_event->reply, - GET_REPLY_NONBLOCKING, 0) > 0) { - switch (cur_event->reply.type) - { /* Don't process these */ - case NLMSG_NOOP: - case NLMSG_DONE: - case NLMSG_ERROR: - case AUDIT_GET: /* Or these */ - case AUDIT_WATCH_INS...AUDIT_WATCH_LIST: - case AUDIT_ADD_RULE...AUDIT_GET_FEATURE: - case AUDIT_FIRST_DAEMON...AUDIT_LAST_DAEMON: - case AUDIT_REPLACE: - break; - case AUDIT_SIGNAL_INFO: - if (hup_info_requested) { - char hupMAX_AUDIT_MESSAGE_LENGTH; - audit_msg(LOG_DEBUG, + + rc = audit_get_reply(fd, &cur_event->reply, + 
GET_REPLY_NONBLOCKING, 0); + if (rc > 0) { + switch (cur_event->reply.type) + { /* Don't process these */ + case NLMSG_NOOP: + case NLMSG_DONE: + case NLMSG_ERROR: + case AUDIT_GET: /* Or these */ + case AUDIT_WATCH_INS...AUDIT_WATCH_LIST: + case AUDIT_ADD_RULE...AUDIT_GET_FEATURE: + case AUDIT_FIRST_DAEMON...AUDIT_LAST_DAEMON: + case AUDIT_REPLACE: + break; + case AUDIT_SIGNAL_INFO: + if (hup_info_requested) { + char hupMAX_AUDIT_MESSAGE_LENGTH; + audit_msg(LOG_DEBUG, "HUP detected, starting config manager"); - reconfig_ev = cur_event; - if (start_config_manager(cur_event)) { - audit_format_signal_info(hup, + reconfig_ev = cur_event; + if (start_config_manager(cur_event)) { + audit_format_signal_info(hup, sizeof(hup), "reconfigure state=no-change", &cur_event->reply, "failed"); send_audit_event(AUDIT_DAEMON_CONFIG, hup); - } - cur_event = NULL; - hup_info_requested = 0; - } else if (usr1_info_requested) { - char usr1MAX_AUDIT_MESSAGE_LENGTH; + } + cur_event = NULL; + hup_info_requested = 0; + } else if (usr1_info_requested) { + char usr1MAX_AUDIT_MESSAGE_LENGTH; audit_format_signal_info(usr1, sizeof(usr1), "rotate-logs", &cur_event->reply, "success"); send_audit_event(AUDIT_DAEMON_ROTATE, usr1); - usr1_info_requested = 0; - } else if (usr2_info_requested) { - char usr2MAX_AUDIT_MESSAGE_LENGTH; + usr1_info_requested = 0; + } else if (usr2_info_requested) { + char usr2MAX_AUDIT_MESSAGE_LENGTH; audit_format_signal_info(usr2, sizeof(usr2), "resume-logging", &cur_event->reply, "success"); - resume_logging(); - libdisp_resume(); - send_audit_event(AUDIT_DAEMON_RESUME, usr2); - usr2_info_requested = 0; + resume_logging(); + libdisp_resume(); + send_audit_event(AUDIT_DAEMON_RESUME,
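Review bot: in netlink_handler(), the new comment says the loop yields "after 5" events while the condition is `cnt < 3`, with only the FIXME explaining the difference. Put the limit in a named constant and make the comment describe the value actually used, so the next change to the bound does not leave the comment stale again. The comment added in the seq_num hunk is also missing a word: "does not have to be cryptographically secure".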
_service:tar_scm:audit-3.0.1.tar.gz/src/aureport-options.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/aureport-options.c
Changed
@@ -177,8 +177,10 @@ "\t--comm\t\t\t\tCommands run report\n" "\t-c,--config\t\t\tConfig change report\n" "\t-cr,--crypto\t\t\tCrypto report\n" + "\t--debug\t\t\t\tWrite malformed events that are skipped to stderr\n" "\t--eoe-timeout secs\t\tEnd of Event Timeout\n" "\t-e,--event\t\t\tEvent report\n" + "\t--escape option\t\t\tEscape output\n" "\t-f,--file\t\t\tFile name report\n" "\t--failed\t\t\tonly failed events in report\n" "\t-h,--host\t\t\tRemote Host name report\n" @@ -187,8 +189,8 @@ "\t-if,--input <Input File name>\tuse this file as input\n" "\t--input-logs\t\t\tUse the logs even if stdin is a pipe\n" "\t--integrity\t\t\tIntegrity event report\n" - "\t-l,--login\t\t\tLogin report\n" "\t-k,--key\t\t\tKey report\n" + "\t-l,--login\t\t\tLogin report\n" "\t-m,--mods\t\t\tModification to accounts report\n" "\t-ma,--mac\t\t\tMandatory Access Control (MAC) report\n" "\t-n,--anomaly\t\t\taNomaly report\n" @@ -264,8 +266,8 @@ varsc); retval = -1; } else { - if (strlen(optarg) >= PATH_MAX) { - fprintf(stderr, + if (strlen(optarg) >= PATH_MAX-32) { + fprintf(stderr, "File name is too long %s\n", optarg); retval = -1;
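Review bot: the tightened length check `strlen(optarg) >= PATH_MAX-32` introduces an unexplained 32-byte margin. Give the margin a named constant with a comment saying what it reserves room for, and use the same constant wherever the resulting path is built, so the check and the buffer arithmetic cannot drift apart. The new `--escape option` help line would also benefit from listing the accepted option values.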
_service:tar_scm:audit-3.0.1.tar.gz/src/aureport.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/aureport.c
Changed
@@ -109,7 +109,7 @@ lol_set_eoe_timeout((time_t)config.end_of_event_timeout); /* - * If an override was specified on the command line, overide the config + * If an override was specified on the command line, override the config */ if (arg_eoe_timeout != 0) lol_set_eoe_timeout((time_t)arg_eoe_timeout); @@ -168,10 +168,10 @@ int num = 0; if (user_file && userfile_is_dir) { - char dirnameMAXPATHLEN; + char dirnameMAXPATHLEN+1; clear_config (&config); - strcpy(dirname, user_file); + strncpy(dirname, user_file, MAXPATHLEN-32); if (dirnamestrlen(dirname)-1 != '/') strcat(dirname, "/"); strcat (dirname, "audit.log");
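Review bot: `strncpy(dirname, user_file, MAXPATHLEN-32)` does not write a terminating NUL when `user_file` is that long or longer, and `dirname` is an uninitialized stack array, so the `strlen(dirname)` and `strcat()` calls that follow stay in bounds only if an earlier length check already rejected such input. Terminate the buffer explicitly after the copy, or build the whole path with snprintf() and check its return value. An empty `user_file` also makes `strlen(dirname)-1` index before the start of the array.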
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-llist.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-llist.c
Changed
@@ -136,11 +136,11 @@ int list_find_item(llist *l, unsigned int i) { register lnode* node; - + if (l->cur && (l->cur->item <= i)) node = l->cur; /* Try to use where we are */ else - node = l->head; /* Can't, start over */ + node = l->head; /* Can't, start over */ while (node) { if (node->item == i) { @@ -167,12 +167,12 @@ l->head = NULL; l->cur = NULL; l->cnt = 0; - l->e.milli = 0L; - l->e.sec = 0L; - l->e.serial = 0L; + l->e.milli = 0L; + l->e.sec = 0L; + l->e.serial = 0L; free((char *)l->e.node); l->e.node = NULL; - l->e.type = 0; + l->e.type = 0; l->s.gid = -1; l->s.egid = -1; l->s.ppid = -1; @@ -239,8 +239,8 @@ lnode *list_find_msg(llist *l, int i) { register lnode* node; - - node = l->head; /* start at the beginning */ + + node = l->head; /* start at the beginning */ while (node) { if (node->type == i) { l->cur = node; @@ -258,7 +258,7 @@ if (high <= low) return NULL; - node = l->head; /* Start at the beginning */ + node = l->head; /* Start at the beginning */ while (node) { if (node->type >= low && node->type <= high) { l->cur = node;
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-llist.h -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-llist.h
Changed
@@ -69,9 +69,9 @@ char *acct; // account used when uid is invalid char *uuid; // virtual machine unique universal identifier char *vmname; // virtual machine name - const char *tuid; // interpretted uid - const char *teuid; // interpretted euid - const char *tauid; // interpretted auid + const char *tuid; // interpreted uid + const char *teuid; // interpreted euid + const char *tauid; // interpreted auid } search_items; /* This is the node of the linked list. Any data elements that are per
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-lol.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-lol.c
Changed
@@ -27,6 +27,7 @@ #include <errno.h> #include <string.h> #include <stdio.h> +#include <limits.h> #include "ausearch-common.h" #include "auditd-config.h" #include "common.h" @@ -99,13 +100,13 @@ errno = 0; e->sec = strtoul(s, NULL, 10); - if (errno) + if (errno || e->sec > (LONG_MAX - eoe_timeout -1)) return -1; ptr = strchr(s, '.'); if (ptr) { ptr++; e->milli = strtoul(ptr, NULL, 10); - if (errno) + if (errno || e->milli > 999) return -1; s = ptr; } else @@ -192,7 +193,8 @@ // Now should be pointing to msg= ptr = audit_strsplit(NULL); - if (ptr) { + // strlen is for fuzzers that make invalid lines + if (ptr && strnlen(ptr, 20) > 18) { if (*(ptr+9) == '(') ptr+=9; else
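Review bot: both new range checks test `e->sec` and `e->milli` after the strtoul() result has already been stored in them, so whether an oversized or negative input is caught depends on the width and signedness of those fields. Parse into an `unsigned long` local, pass an end pointer instead of NULL so a string with no digits is rejected, and assign to the event only after the checks pass. The `strnlen(ptr, 20) > 18` guard ahead of `*(ptr+9)` would be easier to audit if the comment explained where 9, 18 and 20 come from.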
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-lookup.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-lookup.c
Changed
@@ -300,6 +300,9 @@ while (isxdigit(*ptr)) ptr++; } + if ((ptr - buf) == 0) + return NULL; + str = strndup(buf, ptr - buf); if (*buf == '(')
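Review bot: the new `return NULL` when `ptr - buf` is zero gives this function a failure return for input with no leading hex digits. Confirm that every caller checks the result before dereferencing or printing it, and document the NULL return in the function's header comment.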
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-lookup.h -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-lookup.h
Changed
@@ -1,6 +1,6 @@ /* * ausearch-lookup.h - Header file for ausearch-lookup.c -* Copyright (c) 2005-06,2014,2017 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2005-06,2014,2017,2022 Red Hat Inc. * All Rights Reserved. * * This software may be freely redistributed and/or modified under the @@ -15,7 +15,7 @@ * * You should have received a copy of the GNU General Public License * along with this program; see the file COPYING. If not, write to the -* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor * Boston, MA 02110-1335, USA. * * Authors: @@ -34,13 +34,16 @@ const char *aulookup_result(avc_t result); const char *aulookup_success(int s); -const char *aulookup_syscall(llist *l, char *buf, size_t size); -const char *aulookup_uid(uid_t uid, char *buf, size_t size); +const char *aulookup_syscall(llist *l, char *buf, size_t size) + __attr_access ((__write_only__, 2, 3)); +const char *aulookup_uid(uid_t uid, char *buf, size_t size) + __attr_access ((__write_only__, 2, 3)); void aulookup_destroy_uid_list(void); char *unescape(const char *buf); int is_hex_string(const char *str); void print_tty_data(const char *val); -void safe_print_string_n(const char *s, unsigned int len, int ret); +void safe_print_string_n(const char *s, unsigned int len, int ret) + __attr_access ((__read_only__, 1, 2)); void safe_print_string(const char *s, int ret); #endif
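Review bot: `__attr_access` is applied to three prototypes, but nothing in the visible hunks defines it or includes a header that does. The macro comes from glibc's <sys/cdefs.h> in newer releases, so with an older glibc or a different C library these declarations will not compile. Add a guarded fallback (`#ifndef __attr_access`, `#define __attr_access(x)`, `#endif`) in a header included before this one, or confirm that one already exists.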
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-match.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-match.c
Changed
@@ -79,7 +79,7 @@ slist *sptr = event_node_list; if (l->e.node == NULL) - return 0; + return 0; slist_first(sptr); sn=slist_get_cur(sptr); @@ -97,17 +97,17 @@ return 0; if (group_match(l) == 0) return 0; - if ((event_ppid != -1) && + if ((event_ppid != -1) && (event_ppid != l->s.ppid)) return 0; - if ((event_pid != -1) && + if ((event_pid != -1) && (event_pid != l->s.pid)) return 0; - if (event_machine != -1 && + if (event_machine != -1 && (event_machine != audit_elf_to_machine(l->s.arch))) return 0; - if ((event_syscall != -1) && + if ((event_syscall != -1) && (event_syscall != l->s.syscall)) return 0; if ((event_session_id != -2) && @@ -139,7 +139,7 @@ found = 1; break; } - } while((in = + } while((in = ilist_next(event_type))); if (found) break; @@ -148,7 +148,7 @@ return 0; } - // Done all the easy compares, now do the + // Done all the easy compares, now do the // string searches. if (event_filename) { int found = 0; @@ -184,31 +184,31 @@ if (event_hostname) { if (l->s.hostname == NULL) return 0; - if (strmatch(event_hostname, + if (strmatch(event_hostname, l->s.hostname) == 0) - return 0; + return 0; } if (event_terminal) { if (l->s.terminal == NULL) return 0; - if (strmatch(event_terminal, + if (strmatch(event_terminal, l->s.terminal) == 0) - return 0; + return 0; } if (event_exe) { if (l->s.exe == NULL) return 0; - if (strmatch(event_exe, + if (strmatch(event_exe, l->s.exe) == 0) - return 0; - } + return 0; + } if (event_comm) { if (l->s.comm == NULL) return 0; - if (strmatch(event_comm, + if (strmatch(event_comm, l->s.comm) == 0) - return 0; - } + return 0; + } if (event_key) { if (l->s.key == NULL) return 0; @@ -232,7 +232,7 @@ if (!found) return 0; } - } + } if (event_vmname) { if (l->s.vmname == NULL) return 0; 
@@ -258,23 +258,23 @@ /* * This function compares strings. It returns a 0 if no match and a 1 if - * there is a match + * there is a match */ static int strmatch(const char *needle, const char *haystack) { if (event_exact_match) { if (strcmp(haystack, needle) != 0) - return 0; + return 0; } else { if (strstr(haystack, needle) == NULL) - return 0; + return 0; } return 1; } /* * This function compares user id's. - * It returns a 0 if no match and a 1 if there is a match + * It returns a 0 if no match and a 1 if there is a match */ static int user_match(llist *l) { @@ -335,7 +335,7 @@ /* * This function compares group id's. It returns a 0 if no match and a 1 if - * there is a match + * there is a match */ static int group_match(llist *l) { @@ -358,7 +358,7 @@ /* * This function compares contexts. It returns a 0 if no match and a 1 if - * there is a match + * there is a match */ static int context_match(llist *l) { @@ -366,21 +366,21 @@ if (event_subject) { if (l->s.avc && alist_find_subj(l->s.avc)) { do { - if (strmatch(event_subject, + if (strmatch(event_subject, l->s.avc->cur->scontext)) return 1; } while(alist_next_subj(l->s.avc)); } - } + } if (event_object) { if (l->s.avc) { alist_first(l->s.avc); if (alist_find_obj(l->s.avc)) { do { - if (strmatch(event_object, + if (strmatch(event_object, l->s.avc->cur->tcontext)) return 1; - } while(alist_next_obj(l->s.avc)); + } while(alist_next_obj(l->s.avc)); } } } @@ -391,19 +391,19 @@ return 0; if (alist_find_subj(l->s.avc)) { do { - if (strmatch(event_subject, + if (strmatch(event_subject, l->s.avc->cur->scontext)) return 1; } while(alist_next_subj(l->s.avc)); } return 0; - } + } if (event_object) { if (l->s.avc == NULL) return 0; if (alist_find_obj(l->s.avc)) { do { - if (strmatch(event_object, + if (strmatch(event_object, l->s.avc->cur->tcontext)) return 1; } while(alist_next_obj(l->s.avc));
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-options.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-options.c
Changed
@@ -202,7 +202,12 @@ "\t--checkpoint <checkpoint file>\tsearch from last complete event\n" "\t--debug\t\t\tWrite malformed events that are skipped to stderr\n" "\t-e,--exit <Exit code or errno>\tsearch based on syscall exit code\n" + "\t-escape <option>\t\tescape output\n" "\t--eoe-timeout secs\t\tEnd of Event timeout\n" + "\t--extra-keys\t\t\tadd a final column with key information\n" + "\t--extra-labels\t\t\tadd columns of information about subject and object labels\n" + "\t--extra-obj2\t\t\tadd columns of information about a second object\n" + "\t--extra-time\t\t\tadd columns of information about broken down time\n" "\t-f,--file <File name>\t\tsearch based on file name\n" "\t--format raw|default|interpret|csv|text results format options\n" "\t-ga,--gid-all <all Group id>\tsearch based on All group ids\n" @@ -252,14 +257,14 @@ errno = 0; tmp = strtoul(optarg, NULL, 10); if (errno) { - fprintf(stderr, + fprintf(stderr, "Numeric message type conversion error (%s) for %s\n", strerror(errno), optarg); retval = -1; } } else { tmp = audit_name_to_msg_type(optarg); - if (tmp < 0) + if (tmp < 0) retval = -1; } if (retval == 0) { @@ -324,7 +329,7 @@ switch (audit_lookup_option(varsc)) { case S_EVENT: if (!optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is required for %s\n", varsc); retval = -1; @@ -340,7 +345,7 @@ } c++; } else { - fprintf(stderr, + fprintf(stderr, "Audit event id must be a numeric value, was %s\n", optarg); retval = -1; 
@@ -369,56 +374,56 @@ case S_EXTRA_KEYS: extra_keys = 1; if (optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is NOT required for %s\n", varsc); - retval = -1; + retval = -1; } break; case S_EXTRA_LABELS: extra_labels = 1; if (optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is NOT required for %s\n", varsc); - retval = -1; + retval = -1; } break; case S_EXTRA_OBJ2: extra_obj2 = 1; if (optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is NOT required for %s\n", varsc); - retval = -1; + retval = -1; } break; case S_EXTRA_TIME: extra_time = 1; if (optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is NOT required for %s\n", varsc); - retval = -1; + retval = -1; } break; case S_COMM: if (!optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is required for %s\n", varsc); retval = -1; break; } else { event_comm = strdup(optarg); - if (event_comm == NULL) - retval = -1; + if (event_comm == NULL) + retval = -1; c++; } break; case S_FILENAME: if (!optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is required for %s\n", varsc); retval = -1; 
@@ -432,120 +437,120 @@ break; } event_filename = strdup(optarg); - if (event_filename == NULL) - retval = -1; + if (event_filename == NULL) + retval = -1; c++; } break; case S_KEY: if (!optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is required for %s\n", varsc); retval = -1; } else { event_key = strdup(optarg); - if (event_key == NULL) - retval = -1; + if (event_key == NULL) + retval = -1; c++; } break; case S_ALL_GID: if (!optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is required for %s\n", varsc); retval = -1; break; } - if (isdigit(optarg0)) { + if (isdigit(optarg0)) { errno = 0; - event_gid = strtoul(optarg,NULL,10); + event_gid = strtoul(optarg,NULL,10); if (errno) { - fprintf(stderr, + fprintf(stderr, "Numeric group ID conversion error (%s) for %s\n", strerror(errno), optarg); - retval = -1; + retval = -1; } - } else { + } else { struct group *gr ; gr = getgrnam(optarg) ; if (gr == NULL) { - fprintf(stderr, + fprintf(stderr, "Group ID is non-numeric and unknown (%s)\n", optarg); retval = -1; break; } event_gid = gr->gr_gid; - } + } event_egid = event_gid; event_ga = 1; c++; break; case S_EFF_GID: if (!optarg) { - fprintf(stderr, + fprintf(stderr, "Argument is required for %s\n", varsc); retval = -1; break; } - if (isdigit(optarg0)) { + if (isdigit(optarg0)) { errno = 0; - event_egid = strtoul(optarg,NULL,10); + event_egid = strtoul(optarg,NULL,10);
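Review bot: In the usage-text hunk (@@ -202,7 +202,12 @@) the new help line prints `-escape <option>` with a single dash, while the long options around it are printed with two (`--eoe-timeout`, `--extra-keys`). If the parser accepts `--escape`, the help text should say so, and it should list the values accepted for `<option>` the way the `--format raw|default|interpret|csv|text` line does.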
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-parse.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-parse.c
Changed
@@ -1,6 +1,6 @@ /* * ausearch-parse.c - Extract interesting fields and check for match -* Copyright (c) 2005-08,2011,2013-14,2018-20 Red Hat +* Copyright (c) 2005-08,2011,2013-14,2018-21 Red Hat * Copyright (c) 2011 IBM Corp. * All Rights Reserved. * @@ -175,6 +175,7 @@ case AUDIT_MMAP: case AUDIT_PROCTITLE: case AUDIT_REPLACE...AUDIT_BPF: + case AUDIT_OPENAT2: // Nothing to parse break; case AUDIT_NETFILTER_CFG: @@ -420,8 +421,10 @@ str = strstr(term, "comm="); if (str) { /* Make the syscall one override */ - if (s->comm) + if (s->comm) { free(s->comm); + s->comm = NULL; + } str += 5; if (*str == '"') { str++; @@ -431,7 +434,7 @@ *term = 0; s->comm = strdup(str); *term = '"'; - } else + } else s->comm = unescape(str); } else return 38; @@ -1029,7 +1032,7 @@ if (str) { str += 5; term = str; - while (*term != ' ' && *term != ':') + while (*term != ' ' && *term != ':' && *term) term++; if (term == str) return 24; @@ -1130,7 +1133,7 @@ } } skip: - mptr = term + 1; + mptr = term; if (event_comm) { // dont do this search unless needed @@ -1184,7 +1187,7 @@ } } } - mptr = term + 1; + mptr = term; // get hostname if (event_hostname) { @@ -1242,7 +1245,7 @@ char *end = str; int legacy = 0; - while (*end != ' ') { + while (*end != ' ' && *end) { if (!isxdigit(*end)) { legacy = 1; } @@ -1293,7 +1296,7 @@ char *end = str; int legacy = 0; - while (*end != ' ') { + while (*end != ' ' && *end) { if (!isxdigit(*end)) { legacy = 1; } @@ -1656,12 +1659,21 @@ if (event_hostname || event_filename) { str = strstr(n->message, "saddr="); if (str) { - int len; + unsigned int len = 0; struct sockaddr *saddr; char nameNI_MAXHOST; str += 6; - len = strlen(str)/2; + const char *ptr = str; + if (*ptr == '(') { + const char *ptr2 = strchr(ptr, ')'); + if (ptr2) + len = (ptr2 - ptr) + 1; + } else { + while (isxdigit(ptrlen)) + len++; + len /= 2; + } s->hostname = unescape(str); if (s->hostname == NULL) return 4; 
@@ -1681,17 +1693,13 @@ } len = sizeof(struct sockaddr_in6); } else if (saddr->sa_family == AF_UNIX) { - struct sockaddr_un *un = - (struct sockaddr_un *)saddr; - if (un->sun_path0) - len = strlen(un->sun_path); - else // abstract name - len = strlen(&un->sun_path1); - if (len == 0) { + if (len < 4) { fprintf(stderr, "sun_path len too short\n"); return 3; } + struct sockaddr_un *un = + (struct sockaddr_un *)saddr; if (event_filename) { if (!s->filename) { //create @@ -1734,7 +1742,7 @@ s->hostname = NULL; return 0; } - if (getnameinfo(saddr, len, name, NI_MAXHOST, + if (getnameinfo(saddr, len, name, NI_MAXHOST, NULL, 0, NI_NUMERICHOST) ) { free(s->hostname); s->hostname = NULL; @@ -1993,6 +2001,10 @@ *term = '"'; } else { s->comm = unescape(str); + if (s->comm == NULL) { + rc = 11; + goto err; + } term = str + 6; } } @@ -2261,6 +2273,23 @@ *term = ' '; } + // optionally get res + if (event_success != S_UNSET) { + str = strstr(term, "res="); + if (str != NULL) { + ptr = str + 4; + term = strchr(ptr, ' '); + if (term) + *term = 0; + errno = 0; + s->success = strtoul(ptr, NULL, 10); + if (errno) + return 68; + if (term) + *term = ' '; + } + } + return 0; } @@ -2630,7 +2659,7 @@ return 58; *term = ' '; } else - s->loginuid = (unsigned long)-1; + s->loginuid = (uid_t)-1; if (s->tauid) free((void *)s->tauid); s->tauid = lookup_uid("auid", s->loginuid); } @@ -2666,7 +2695,7 @@ return 61; *term = ' '; } else - s->session_id = (unsigned long)-1; + s->session_id = (uint32_t)-1; } // get subject if not already filled if (!s->avc && event_subject) { @@ -2696,8 +2725,10 @@ str = strstr(term, "comm="); if (str) { /* Make the syscall one override */ - if (s->comm) + if (s->comm) { free(s->comm); + s->comm = NULL; + } str += 5; if (*str == '"') {
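Review bot: In the saddr hunk (@@ -1656,12 +1659,21 @@) `len` stays 0 when the value opens with `(` but has no closing `)`, and also when no hex digits follow `saddr=`, yet the code continues to `unescape(str)` and the following hunk reads `saddr->sa_family` in the `else if` condition before `if (len < 4)` is evaluated. Reject the record right after the length computation when `len` is too small to hold the family field, so the bound is checked before the first dereference. In the `(` case `len` counts text characters while the hex case counts decoded bytes, so the later `len < 4` test compares two different units; a comment or a separate variable would make that explicit.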
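Review bot: The NULL check added after `s->comm = unescape(str)` at @@ -1993,6 +2001,10 @@ is missing at the equivalent site in @@ -431,7 +434,7 @@, where `} else s->comm = unescape(str);` is only re-indented and the `strdup(str)` result just above it is not checked either. Apply the same check there and return an error code, so a failed allocation or a failed unescape is not treated as a parsed `comm` value.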
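Review bot: In the new `res=` block (@@ -2261,6 +2273,23 @@) `strtoul(ptr, NULL, 10)` followed by `if (errno)` only catches range errors; a value with no leading digits converts to 0 without setting errno, so `s->success` silently becomes 0. Pass an end pointer and return 68 when it equals `ptr` or does not stop at the terminator. The early `return 68` also leaves `*term` set to 0, unlike the success path, which restores the space.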
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch-report.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch-report.c
Changed
@@ -450,7 +450,7 @@ rc = auparse_normalize(au, extra_labels ? NORM_OPT_ALL : NORM_OPT_NO_ATTRS); - //DATE + // DATE if (tv) { strftime(tmp, sizeof(tmp), "%x", tv); printf("%s", tmp); @@ -602,7 +602,13 @@ if (auparse_get_field_type(au) == AUPARSE_TYPE_ESCAPED_FILE) val = auparse_interpret_realpath(au); - else + else if (auparse_get_type(au) == AUDIT_CONFIG_CHANGE) { + if (action && ((strcmp(action, "set") == 0) || + (strcmp(action, "seccomp-logging") == 0))) + val = auparse_get_field_name(au); + else + val = auparse_interpret_field(au); + } else val = auparse_interpret_field(au); printf("%s", val); } @@ -706,7 +712,8 @@ rc = auparse_normalize_subject_secondary(au); if (rc == 1) { int uid = auparse_get_field_int(au); - if (uid != id && id != -2) + // if they are different, id exists, and uid is not unset + if (uid != id && id != -2 && uid != -1) printf(", acting as %s,", auparse_interpret_field(au)); } @@ -750,6 +757,13 @@ val = auparse_interpret_sock_address(au); if (val == NULL) val = auparse_interpret_sock_family(au); + } else if (type == AUDIT_CONFIG_CHANGE) { + if (action && + ((strcmp(action, "set") == 0) || + strcmp(action, "seccomp-logging") == 0)) + val = auparse_get_field_name(au); + else + val = auparse_interpret_field(au); } if (val == NULL)
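Review bot: The AUDIT_CONFIG_CHANGE special case is written out twice, at @@ -602,7 +602,13 @@ and @@ -750,6 +757,13 @@, with the same two `strcmp(action, ...)` tests but different parenthesisation. Move it into one static helper that takes `au` and `action`, so the two report paths cannot drift apart, and add a comment saying why the field name rather than the interpreted value is printed for `set` and `seccomp-logging`.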
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/ausearch.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/ausearch.c
Changed
@@ -14,8 +14,9 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * along with this program; see the file COPYING. If not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. * * Authors: * Steve Grubb <sgrubb@redhat.com> @@ -116,7 +117,7 @@ lol_set_eoe_timeout((time_t)config.end_of_event_timeout); /* - * If an override was specified on the command line, overide the config + * If an override was specified on the command line, override the config */ if (arg_eoe_timeout != 0) lol_set_eoe_timeout((time_t)arg_eoe_timeout); @@ -164,6 +165,7 @@ /* we deal with failures via * checkpt_failure later */ (void)set_ChkPtFileDetails(user_file); + free_config(&config); break; } } else if (force_logs) @@ -227,10 +229,10 @@ int ret; if (user_file && userfile_is_dir) { - char dirnameMAXPATHLEN; + char dirnameMAXPATHLEN+1; clear_config (&config); - strcpy(dirname, user_file); + strncpy(dirname, user_file, MAXPATHLEN-32); if (dirnamestrlen(dirname)-1 != '/') strcat(dirname, "/"); strcat (dirname, "audit.log"); @@ -515,11 +517,15 @@ static int process_stdin(void) { + struct sigaction sa; log_fd = stdin; - input_is_pipe=1; + input_is_pipe = 1; + + sa.sa_flags = 0; + sigemptyset(&sa.sa_mask); + sa.sa_handler = alarm_handler; - if (signal(SIGALRM, alarm_handler) == SIG_ERR || - siginterrupt(SIGALRM, 1) == -1) + if (sigaction(SIGALRM, &sa, NULL) < 0) return -1; return process_log_fd();
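Review bot: In @@ -227,10 +229,10 @@, `strncpy(dirname, user_file, MAXPATHLEN-32)` writes no terminating NUL when `user_file` is MAXPATHLEN-32 bytes or longer, and `dirname` is declared without an initialiser, so the `strlen(dirname)` and `strcat` calls that follow then run on an unterminated buffer. Set the terminator explicitly after the copy, or build the path with `snprintf` and check its return value, and fail with an error for an over-long path instead of truncating it silently. The `strlen(dirname)-1` index also lands before the buffer when `user_file` is an empty string.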
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/autrace.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/autrace.c
Changed
@@ -89,6 +89,7 @@ rc |= audit_rule_syscallbyname_data(rule, "readlinkat"); rc |= audit_rule_syscallbyname_data(rule, "execve"); rc |= audit_rule_syscallbyname_data(rule, "name_to_handle_at"); + rc |= audit_rule_syscallbyname_data(rule, "openat2"); if (machine != MACH_X86 && machine != MACH_S390X && machine != MACH_S390) {
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/libev/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/src/libev/Makefile.am
Changed
@@ -13,8 +13,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -24,6 +25,7 @@ AM_CFLAGS = -fPIC -DPIC -g -fno-strict-aliasing ${DEBUG} noinst_HEADERS = ev.h ev_vars.h ev_wrap.h event.h -noinst_LIBRARIES = libev.a +noinst_LTLIBRARIES = libev.la -libev_a_SOURCES = ev.c event.c +libev_la_SOURCES = ev.c event.c +libev_la_LDFLAGS = -no-undefined -static
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/libev/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/src/libev/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -105,16 +105,17 @@ CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -LIBRARIES = $(noinst_LIBRARIES) -ARFLAGS = cru -AM_V_AR = $(am__v_AR_@AM_V@) -am__v_AR_ = $(am__v_AR_@AM_DEFAULT_V@) -am__v_AR_0 = @echo " AR " $@; -am__v_AR_1 = -libev_a_AR = $(AR) $(ARFLAGS) -libev_a_LIBADD = -am_libev_a_OBJECTS = ev.$(OBJEXT) event.$(OBJEXT) -libev_a_OBJECTS = $(am_libev_a_OBJECTS) +LTLIBRARIES = $(noinst_LTLIBRARIES) +libev_la_LIBADD = +am_libev_la_OBJECTS = ev.lo event.lo +libev_la_OBJECTS = $(am_libev_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +libev_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libev_la_LDFLAGS) $(LDFLAGS) -o $@ AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -130,14 +131,10 @@ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/ev.Po ./$(DEPDIR)/event.Po +am__depfiles_remade = ./$(DEPDIR)/ev.Plo ./$(DEPDIR)/event.Plo am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -AM_V_lt = $(am__v_lt_@AM_V@) -am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) -am__v_lt_0 = --silent -am__v_lt_1 = LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ 
@@ -154,8 +151,8 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = -SOURCES = $(libev_a_SOURCES) -DIST_SOURCES = $(libev_a_SOURCES) +SOURCES = $(libev_la_SOURCES) +DIST_SOURCES = $(libev_la_SOURCES) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -179,8 +176,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp README DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -203,6 +198,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -214,8 +211,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -271,6 +270,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -324,6 +324,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -353,8 +354,9 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> 
@@ -363,8 +365,9 @@ EXTRA_DIST = README ev_epoll.c ev_poll.c ev_select.c ev_iouring.c ev_linuxaio.c libev.m4 AM_CFLAGS = -fPIC -DPIC -g -fno-strict-aliasing ${DEBUG} noinst_HEADERS = ev.h ev_vars.h ev_wrap.h event.h -noinst_LIBRARIES = libev.a -libev_a_SOURCES = ev.c event.c +noinst_LTLIBRARIES = libev.la +libev_la_SOURCES = ev.c event.c +libev_la_LDFLAGS = -no-undefined -static all: all-am .SUFFIXES: @@ -399,13 +402,19 @@ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): -clean-noinstLIBRARIES: - -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^^/*$$|.|; s|/^/*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } -libev.a: $(libev_a_OBJECTS) $(libev_a_DEPENDENCIES) $(EXTRA_libev_a_DEPENDENCIES) - $(AM_V_at)-rm -f libev.a - $(AM_V_AR)$(libev_a_AR) libev.a $(libev_a_OBJECTS) $(libev_a_LIBADD) - $(AM_V_at)$(RANLIB) libev.a +libev.la: $(libev_la_OBJECTS) $(libev_la_DEPENDENCIES) $(EXTRA_libev_la_DEPENDENCIES) + $(AM_V_CCLD)$(libev_la_LINK) $(libev_la_OBJECTS) $(libev_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -413,8 +422,8 @@ distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ev.Po@am__quote@ # am--include-marker -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ev.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/event.Plo@am__quote@ # am--include-marker $(am__depfiles_remade): @$(MKDIR_P) $(@D) @@ -500,7 +509,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am 
@@ -536,7 +544,7 @@ done check-am: all-am check: check-am -all-am: Makefile $(LIBRARIES) $(HEADERS) +all-am: Makefile $(LTLIBRARIES) $(HEADERS) installdirs: install: install-am install-exec: install-exec-am @@ -570,12 +578,12 @@ @echo "it deletes files that may require special tools to rebuild." clean: clean-am -clean-am: clean-generic clean-libtool clean-noinstLIBRARIES \ +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ mostlyclean-am distclean: distclean-am - -rm -f ./$(DEPDIR)/ev.Po - -rm -f ./$(DEPDIR)/event.Po + -rm -f ./$(DEPDIR)/ev.Plo
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/libev/ev.c -> _service:tar_scm:audit-3.0.9.tar.gz/src/libev/ev.c
Changed
@@ -4872,6 +4872,8 @@ char buf EV_INOTIFY_BUFSIZE; int ofs; int len = read (fs_fd, buf, sizeof (buf)); + if (len < 0) + return; for (ofs = 0; ofs < len; ) {
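Review bot: At @@ -4872,6 +4872,8 @@ the new `if (len < 0) return;` sits directly in front of a loop whose condition `ofs < len` already skips the body for a negative `len`, so the hunk should carry a comment saying what the early return protects and which `read` errors are expected on `fs_fd`. `read` returns `ssize_t`; declaring `len` with that type would match the call.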
View file
_service:tar_scm:audit-3.0.1.tar.gz/src/test/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/src/test/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -194,8 +194,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__tty_colors_dummy = \ mgn= red= grn= lgn= blu= brg= std=; \ am__color_tests=no @@ -378,6 +376,7 @@ bases='$(TEST_LOGS)'; \ bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ bases=`echo $$bases` +AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING)' RECHECK_LOGS = $(TEST_LOGS) AM_RECURSIVE_TARGETS = check recheck TEST_SUITE_LOG = test-suite.log @@ -423,6 +422,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -434,8 +435,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -491,6 +494,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -544,6 +548,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ 
@@ -813,7 +818,7 @@ test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ fi; \ echo "$${col}$$br$${std}"; \ - echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}Testsuite summary"$(AM_TESTSUITE_SUMMARY_HEADER)"$${std}"; \ echo "$${col}$$br$${std}"; \ create_testsuite_report --maybe-color; \ echo "$$col$$br$$std"; \ @@ -875,7 +880,6 @@ @am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/test-driver -> _service:tar_scm:audit-3.0.9.tar.gz/test-driver
Changed
@@ -3,7 +3,7 @@ scriptversion=2018-03-07.03; # UTC -# Copyright (C) 2011-2020 Free Software Foundation, Inc. +# Copyright (C) 2011-2021 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -42,11 +42,13 @@ { cat <<END Usage: - test-driver --test-name=NAME --log-file=PATH --trs-file=PATH - --expect-failure={yes|no} --color-tests={yes|no} - --enable-hard-errors={yes|no} -- + test-driver --test-name NAME --log-file PATH --trs-file PATH + --expect-failure {yes|no} --color-tests {yes|no} + --enable-hard-errors {yes|no} -- TEST-SCRIPT TEST-SCRIPT-ARGUMENTS + The '--test-name', '--log-file' and '--trs-file' options are mandatory. +See the GNU Automake documentation for information. END } @@ -103,8 +105,11 @@ trap "st=141; $do_exit" 13 trap "st=143; $do_exit" 15 -# Test script is run here. -"$@" >$log_file 2>&1 +# Test script is run here. We create the file first, then append to it, +# to ameliorate tests themselves also writing to the log file. Our tests +# don't, but others can (automake bug#35762). +: >"$log_file" +"$@" >>"$log_file" 2>&1 estatus=$? if test $enable_hard_errors = no && test $estatus -eq 99; then @@ -126,7 +131,7 @@ # know whether the test passed or failed simply by looking at the '.log' # file, without the need of also peaking into the corresponding '.trs' # file (automake bug#11814). -echo "$res $test_name (exit status: $estatus)" >>$log_file +echo "$res $test_name (exit status: $estatus)" >>"$log_file" # Report outcome to console. echo "${col}${res}${std}: $test_name"
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/tools/Makefile.am
Changed
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com>
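Review bot: The rewritten notice now mixes two licences: the unchanged context line still reads `See the GNU Lesser General Public License for more details`, while the replaced lines say `GNU General Public License` and `this program`. Decide which licence applies to tools/ and make the whole header consistent; the same mismatch appears in the aulast and aulastlog Makefile.am hunks, and the generated Makefile.in files will follow once the .am headers are fixed.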
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/tools/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -175,8 +176,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -225,6 +224,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -236,8 +237,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -293,6 +296,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ 
@@ -346,6 +350,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -498,7 +503,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/aulast/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/tools/aulast/Makefile.am
Changed
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -23,8 +24,8 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = $(man_MANS) AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse -LIBS = -L${top_builddir}/auparse -lauparse -AM_CFLAGS = -D_GNU_SOURCE +LIBS = ${top_builddir}/auparse/libauparse.la +AM_CFLAGS = -D_GNU_SOURCE ${WFLAGS} bin_PROGRAMS = aulast noinst_HEADERS = aulast-llist.h man_MANS = aulast.8
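Review bot: In @@ -23,8 +24,8 @@ the line `LIBS = ${top_builddir}/auparse/libauparse.la` keeps overriding `LIBS`, which automake leaves for configure and the user to set. An in-tree libtool library is normally listed in `aulast_LDADD`, which keeps a `LIBS=` passed at configure time effective and lets automake track the dependency on libauparse.la; the same applies to the aulastlog Makefile.am.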
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/aulast/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/tools/aulast/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -227,8 +228,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -251,6 +250,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -262,8 +263,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ 
@@ -276,7 +279,7 @@ LDFLAGS = @LDFLAGS@ LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ LIBOBJS = @LIBOBJS@ -LIBS = -L${top_builddir}/auparse -lauparse +LIBS = ${top_builddir}/auparse/libauparse.la LIBTOOL = @LIBTOOL@ LIBTOOL_DEPS = @LIBTOOL_DEPS@ LIBWRAP_LIBS = @LIBWRAP_LIBS@ @@ -319,6 +322,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -372,6 +376,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -388,7 +393,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = $(man_MANS) AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse -AM_CFLAGS = -D_GNU_SOURCE +AM_CFLAGS = -D_GNU_SOURCE ${WFLAGS} noinst_HEADERS = aulast-llist.h man_MANS = aulast.8 aulast_SOURCES = aulast.c aulast-llist.c @@ -615,7 +620,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/aulast/aulast.8 -> _service:tar_scm:audit-3.0.9.tar.gz/tools/aulast/aulast.8
Changed
@@ -1,4 +1,4 @@ -.TH AULAST: "8" "June 2016" "Red Hat" "System Administration Utilities" +.TH AULAST "8" "June 2016" "Red Hat" "System Administration Utilities" .SH NAME aulast \- a program similar to last .SH SYNOPSIS @@ -17,11 +17,15 @@ Report on the bad logins. .TP +.B \-\-debug +Print debug messages to stderr. + +.TP .B \-\-extract Write raw audit records used to create the displayed report into a file aulast.log in the current working directory. .TP -.BI \-f file +.BI \-f\ file Use the file instead of the audit logs for input. .TP @@ -33,11 +37,11 @@ Take audit records from stdin. The audit events must be in the raw format. .TP -.BI \-\-tty +.BI \-\-tty\ tty Limit the report to a specific tty's activity. The names of ttys can be abbreviated. For example, 0 is the same as tty0. .TP -.BI \-\-user name +.BI \-\-user\ name Limit the report to a specific user. .SH "EXAMPLES"
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/aulast/aulast.c -> _service:tar_scm:audit-3.0.9.tar.gz/tools/aulast/aulast.c
Changed
@@ -45,7 +45,8 @@ void usage(void) { fprintf(stderr, - "usage: aulast --stdin --proof --extract -f file --user name --tty tty\n"); + "usage: aulast --bad --debug --stdin --proof --extract -f file " + "--user name --tty tty\n"); } /* This outputs a line of text reporting the login/out times */ @@ -95,8 +96,11 @@ int mins, hours, days; if (notime) printf("- %-7.5s", " "); - else - printf("- %-7.5s", ctime(&cur->end) + 11); + else { + char *ttime = ctime(&cur->end); + printf("- %-7.5s", ttime ? ttime + 11 : + "bad value"); + } secs = cur->end - cur->start; mins = (secs / 60) % 60; hours = (secs / 3600) % 24; @@ -127,10 +131,13 @@ strftime(start, sizeof(start), "%x %T", btm); if (cur->end != 0) { btm = localtime(&cur->end); - strftime(end, sizeof(end), "%x %T", btm); - printf(" ausearch --start %s --end %s", - start, end); + if (btm) { + strftime(end, sizeof(end), "%x %T", btm); + printf(" ausearch --start %s --end %s", + start, end); + } else goto no_end; } else { +no_end: printf(" ausearch --start %s", start); } if (cur->name == NULL) @@ -401,7 +408,7 @@ static void process_bootup(auparse_state_t *au) { lnode *cur; - int start; + time_t start; // See if we have unclosed boot up and make into CRASH record list_first(&l);
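Review bot: In @@ -127,10 +131,13 @@, `} else goto no_end;` jumps into the body of the sibling `else` branch through the `no_end:` label, which is hard to follow and easy to break in a later edit. Compute a single flag that is true when `cur->end != 0` and `localtime` succeeded, then branch on it once. The `btm` passed to `strftime(start, ...)` in the context line above deserves the same NULL check as the one added for the end time.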
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/aulastlog/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/tools/aulastlog/Makefile.am
Changed
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -23,8 +24,8 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = $(man_MANS) AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/auparse -LIBS = -L${top_builddir}/auparse -lauparse -AM_CFLAGS = -D_GNU_SOURCE +LIBS = ${top_builddir}/auparse/libauparse.la +AM_CFLAGS = -D_GNU_SOURCE ${WFLAGS} bin_PROGRAMS = aulastlog noinst_HEADERS = aulastlog-llist.h man_MANS = aulastlog.8
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/aulastlog/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/tools/aulastlog/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -227,8 +228,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -251,6 +250,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -262,8 +263,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ 
@@ -276,7 +279,7 @@ LDFLAGS = @LDFLAGS@ LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ LIBOBJS = @LIBOBJS@ -LIBS = -L${top_builddir}/auparse -lauparse +LIBS = ${top_builddir}/auparse/libauparse.la LIBTOOL = @LIBTOOL@ LIBTOOL_DEPS = @LIBTOOL_DEPS@ LIBWRAP_LIBS = @LIBWRAP_LIBS@ @@ -319,6 +322,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -372,6 +376,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -388,7 +393,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = $(man_MANS) AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/auparse -AM_CFLAGS = -D_GNU_SOURCE +AM_CFLAGS = -D_GNU_SOURCE ${WFLAGS} noinst_HEADERS = aulastlog-llist.h man_MANS = aulastlog.8 aulastlog_SOURCES = aulastlog.c aulastlog-llist.c @@ -615,7 +620,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/aulastlog/aulastlog.8 -> _service:tar_scm:audit-3.0.9.tar.gz/tools/aulastlog/aulastlog.8
Changed
@@ -1,4 +1,4 @@ -.TH AULASTLOG: "8" "June 2016" "Red Hat" "System Administration Utilities" +.TH AULASTLOG "8" "June 2016" "Red Hat" "System Administration Utilities" .SH NAME aulastlog \- a program similar to lastlog .SH SYNOPSIS
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/ausyscall/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/tools/ausyscall/Makefile.am
Changed
@@ -12,9 +12,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -23,8 +24,8 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = $(man_MANS) AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -LIBS = -L${top_builddir}/lib -laudit -AM_CFLAGS = -D_GNU_SOURCE +LIBS = ${top_builddir}/lib/libaudit.la +AM_CFLAGS = -D_GNU_SOURCE ${WFLAGS} bin_PROGRAMS = ausyscall man_MANS = ausyscall.8
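Review bot: In the `@@ -23,8 +24,8 @@` hunk, `LIBS = ${top_builddir}/lib/libaudit.la` keeps overriding the global `LIBS` variable, which drops whatever configure would substitute for it and gives make no dependency on the in-tree library. The usual automake form is `ausyscall_LDADD = ${top_builddir}/lib/libaudit.la`, which links the same archive and relinks the tool when the library is rebuilt. The aulastlog and auvirt Makefile.am hunks use the same pattern with `libauparse.la`.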
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/ausyscall/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/tools/ausyscall/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -28,9 +28,10 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. # # Authors: # Steve Grubb <sgrubb@redhat.com> @@ -223,8 +224,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -247,6 +246,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -258,8 +259,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ 
@@ -272,7 +275,7 @@ LDFLAGS = @LDFLAGS@ LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ LIBOBJS = @LIBOBJS@ -LIBS = -L${top_builddir}/lib -laudit +LIBS = ${top_builddir}/lib/libaudit.la LIBTOOL = @LIBTOOL@ LIBTOOL_DEPS = @LIBTOOL_DEPS@ LIBWRAP_LIBS = @LIBWRAP_LIBS@ @@ -315,6 +318,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -368,6 +372,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -384,7 +389,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig EXTRA_DIST = $(man_MANS) AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -AM_CFLAGS = -D_GNU_SOURCE +AM_CFLAGS = -D_GNU_SOURCE ${WFLAGS} man_MANS = ausyscall.8 ausyscall_SOURCES = ausyscall.c all: all-am @@ -609,7 +614,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/ausyscall/ausyscall.8 -> _service:tar_scm:audit-3.0.9.tar.gz/tools/ausyscall/ausyscall.8
Changed
@@ -1,16 +1,16 @@ -.TH AUSYSCALL: "8" "Nov 2008" "Red Hat" "System Administration Utilities" +.TH AUSYSCALL "8" "Nov 2008" "Red Hat" "System Administration Utilities" .SH NAME ausyscall \- a program that allows mapping syscall names and numbers .SH SYNOPSIS .B ausyscall arch name | number | \-\-dump | \-\-exact .SH DESCRIPTION -\fBausyscall\fP is a program that prints out the mapping from syscall name to number and reverse for the given arch. The arch can be anything returned by `uname \-m`. If arch is not given, the program will take a guess based on the running image. You may give the syscall name or number and it will find the opposite. You can also dump the whole table with the \-\-dump option. By default a syscall name lookup will be a substring match meaning that it will try to match all occurrences of the given name with syscalls. So giving a name of chown will match both fchown and chown as any other syscall with chown in its name. If this behavior is not desired, pass the \-\-exact flag and it will do an exact string match. +\fBausyscall\fP is a program that prints out the mapping from syscall name to number and reverse for the given arch. The arch can be anything returned by `uname \-m`. If arch is not given, the program will take a guess based on the running image. Or for convenience, you can pass \fBb32\fP or \fBb64\fP to use the current arch but a specific ABI. You may give the syscall name or number and it will find the opposite. You can also dump the whole table with the \-\-dump option. By default a syscall name lookup will be a substring match meaning that it will try to match all occurrences of the given name with syscalls. So giving a name of chown will match both fchown and chown as any other syscall with chown in its name. If this behavior is not desired, pass the \-\-exact flag and it will do an exact string match. This program can be used to verify syscall numbers on a biarch platform for rule optimization. 
For example, suppose you had an auditctl rule: .B \-a always, exit \-S open \-F exit=\-EPERM \-k fail\-open -If you wanted to verify that both 32 and 64 bit programs would be audited, run "ausyscall i386 open" and then "ausyscall x86_64 open". Look at the returned numbers. If they are different, you will have to write two auditctl rules to get complete coverage. +If you wanted to verify that both 32 and 64 bit programs would be audited, run "ausyscall i386 open" and then "ausyscall x86_64 open". (Or use the b32 and b64 option.) Look at the returned numbers. If they are different, you will have to write two auditctl rules to get complete coverage. .nf .B \-a always,exit \-F arch=b32 \-S open \-F exit=\-EPERM \-k fail\-open
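Review bot: The added sentence "(Or use the b32 and b64 option.)" calls `b32` and `b64` an option, but the DESCRIPTION text added in the same patch says they are passed in place of the arch. Wording it as "or pass b32 and then b64 as the arch" would match, and the SYNOPSIS line could name them as accepted arch values so a reader scanning only the synopsis finds them. The `.TH` line still carries the date "Nov 2008" although the page content changed.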
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/ausyscall/ausyscall.c -> _service:tar_scm:audit-3.0.9.tar.gz/tools/ausyscall/ausyscall.c
Changed
@@ -56,7 +56,7 @@ usage(); } syscall_num = strtol(argvi, 0, 10); - } else if ((rc = audit_name_to_machine(argvi)) != -1) { + } else if ((rc = audit_determine_machine(argvi)) >= 0) { if (machine != -1) { fputs("Two machine types not allowed\n",stderr); usage();
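Review bot: The test changes from `!= -1` to `>= 0`, so every negative return from `audit_determine_machine()` now falls through to the following branch without a message. If the function uses distinct negative values for different failures, such as an ABI that is not available on the running platform, a `b32` or `b64` argument would then be silently handled as something other than an arch; the visible lines do not show a branch that reports that case. Consider checking the negative returns explicitly and printing an error before falling through.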
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/auvirt/Makefile.am -> _service:tar_scm:audit-3.0.9.tar.gz/tools/auvirt/Makefile.am
Changed
@@ -29,8 +29,8 @@ -I${top_srcdir}/lib \ -I${top_srcdir}/auparse \ -I${top_srcdir}/src -LIBS = -L${top_builddir}/auparse -lauparse -AM_CFLAGS = -D_GNU_SOURCE +LIBS = ${top_builddir}/auparse/libauparse.la +AM_CFLAGS = -D_GNU_SOURCE ${WFLAGS} bin_PROGRAMS = auvirt noinst_HEADERS = auvirt-list.h man_MANS = auvirt.8
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/auvirt/Makefile.in -> _service:tar_scm:audit-3.0.9.tar.gz/tools/auvirt/Makefile.in
Changed
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.16.2 from Makefile.am. +# Makefile.in generated by automake 1.16.5 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2020 Free Software Foundation, Inc. +# Copyright (C) 1994-2021 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -231,8 +231,6 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -ETAGS = etags -CTAGS = ctags am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ @@ -255,6 +253,8 @@ CPPFLAGS = @CPPFLAGS@ CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ CYGPATH_W = @CYGPATH_W@ DEBUG = @DEBUG@ DEFS = @DEFS@ @@ -266,8 +266,10 @@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ +ETAGS = @ETAGS@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +FILECMD = @FILECMD@ GOLANG = @GOLANG@ GOROOT = @GOROOT@ GREP = @GREP@ @@ -280,7 +282,7 @@ LDFLAGS = @LDFLAGS@ LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ LIBOBJS = @LIBOBJS@ -LIBS = -L${top_builddir}/auparse -lauparse +LIBS = ${top_builddir}/auparse/libauparse.la LIBTOOL = @LIBTOOL@ LIBTOOL_DEPS = @LIBTOOL_DEPS@ LIBWRAP_LIBS = @LIBWRAP_LIBS@ @@ -323,6 +325,7 @@ SHELL = @SHELL@ STRIP = @STRIP@ VERSION = @VERSION@ +WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -376,6 +379,7 @@ pyexecdir = @pyexecdir@ python3dir = @python3dir@ pythondir = @pythondir@ +runstatedir = @runstatedir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ @@ -396,7 +400,7 @@ -I${top_srcdir}/auparse \ -I${top_srcdir}/src -AM_CFLAGS = -D_GNU_SOURCE +AM_CFLAGS = -D_GNU_SOURCE ${WFLAGS} noinst_HEADERS = auvirt-list.h man_MANS = auvirt.8 auvirt_SOURCES = auvirt.c \ 
@@ -641,7 +645,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - distdir: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) distdir-am
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/auvirt/auvirt.8 -> _service:tar_scm:audit-3.0.9.tar.gz/tools/auvirt/auvirt.8
Changed
@@ -35,7 +35,7 @@ Show records for all virtualization related events. .TP \fB--debug\fP -Print debug messages to standard output. +Print debug messages to stderr. .TP \fB-f\fP, \fB--file\fP \fIfile\fP Read records from the given \fIfile\fP instead from the system audit log file.
View file
_service:tar_scm:audit-3.0.1.tar.gz/tools/auvirt/auvirt.c -> _service:tar_scm:audit-3.0.9.tar.gz/tools/auvirt/auvirt.c
Changed
@@ -145,7 +145,7 @@ fprintf(output, "usage: auvirt --stdin --all-events --summary " "--start start-date start-time " "--end end-date end-time --file file-name " - "--show-uuid --proof " + "--show-uuid --proof --debug " "--uuid uuid --vm vm-name\n"); }