diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.7.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.7.1.ebuild index 09f4af1a44..e80193b988 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.7.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.7.1.ebuild @@ -216,34 +216,13 @@ multilib_src_install_all() { keepdir /var/log/audit/ fi - # Gentoo rules - insinto /etc/audit/ - newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules - - use daemon && doins "${FILESDIR}"/audit.rules.stop* + insinto /usr/share/audit/rules.d + doins "${FILESDIR}"/rules.d/*.rules # Security - lockdown_perms "${ED}" + systemd_newtmpfilesd "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf + systemd_dounit "${FILESDIR}"/audit-rules.service + systemd_enable_service multi-user.target audit-rules.service prune_libtool_files --modules } - -pkg_preinst() { - # Preserve from the audit-1 series - preserve_old_lib /$(get_libdir)/libaudit.so.0 -} - -pkg_postinst() { - lockdown_perms "${EROOT}" - # Preserve from the audit-1 series - preserve_old_lib_notify /$(get_libdir)/libaudit.so.0 -} - -lockdown_perms() { - # Upstream wants these to have restrictive perms. - # Should not || die as not all paths may exist. - local basedir="$1" - chmod 0750 "${basedir}"/sbin/au{ditctl,report,dispd,ditd,search,trace} 2>/dev/null - chmod 0750 "${basedir}"/var/log/audit/ 2>/dev/null - chmod 0640 "${basedir}"/etc/{audit/,}{auditd.conf,audit.rules*} 2>/dev/null -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service new file mode 100644 index 0000000000..8c54802fb5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service @@ -0,0 +1,16 @@ +[Unit] +Description=Load Security Auditing Rules +DefaultDependencies=no +After=local-fs.target systemd-tmpfiles-setup.service +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +ConditionSecurity=audit + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/sbin/augenrules --load +ExecStop=-/sbin/auditctl -D + +[Install] +WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles new file mode 100644 index 0000000000..2c15b63d23 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles @@ -0,0 +1,5 @@ +d /etc/audit - - - - - +d /etc/audit/rules.d - - - - - +L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules +L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules +L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 deleted file mode 100644 index 25dbedfd1d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 +++ /dev/null @@ -1,25 +0,0 @@ -# Copyright 1999-2011 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# -# This file contains the auditctl rules that are loaded -# whenever the audit daemon is started via the initscripts. -# The rules are simply the parameters that would be passed -# to auditctl. - -# First rule - delete all -# This is to clear out old rules, so we don't append to them. --D - -# Feel free to add below this line. See auditctl man page - -# The following rule would cause all of the syscalls listed to be ignored in logging. --a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat --a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat - -# The following rule would cause the capture of all systems not caught above. -# -a exit,always -S all - -# Increase the buffers to survive stress events --b 8192 - -# vim:ft=conf: diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules new file mode 100644 index 0000000000..f43e62771c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules @@ -0,0 +1,3 @@ +# First rule - delete all +# This is to clear out old rules, so we don't append to them. +-D diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules new file mode 100644 index 0000000000..627b17db3f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules @@ -0,0 +1,4 @@ +# Enable all SELinux related events +# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h) + +-a exclude,never -F msgtype>=1400 -F msgtype<=1499 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules new file mode 100644 index 0000000000..cc373d8406 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules @@ -0,0 +1,5 @@ +# Always report changes to the audit subsystem itself. +-a exclude,never -F msgtype=CONFIG_CHANGE + +# Ignore everything else. +-a exclude,always -F msgtype>0