From 17daba0bd76262ee31eab176e42317cc330cf7f0 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 17 Aug 2020 19:21:25 +0200 Subject: [PATCH] sys-process/audit: Add README.md Try to list the reasons behind this fork of the gentoo package. --- .../sys-process/audit/README.md | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md new file mode 100644 index 0000000000..c6005dfb96 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md @@ -0,0 +1,27 @@ +This is a fork of gentoo's `sys-process/audit` package. The main +reasons for having our fork seem to be: + +1. We have our own audit rules (see files in `files/rules.d` + directory). + + - These seem to be mostly similar to what gentoo provides, but split + into several files and they have an additional rule for SELinux + events. + + - We also install it in a different place and place symlinks with + systemd's tmpfiles functionality. + +2. We install a systemd service that loads our rules at startup. + +3. We add a `daemon` use flag that gates a build of `auditd` binary + and some more tools. This flag seems to be unused, which results in + the daemon and tools not being built. The role of auditd is to + write audit records to disk, and both ausearch and aureport utilize + those written logs. Since audit logs are also written to journal, + writing them to disk seems redundant, thus auditd and the tools + seem to be unnecessary. This also reduces the final image size a + bit. + +4. We don't do the permissions lockdown on some auditd files for some + reason. It's either related that we don't build auditd in practice + or it's about our own audit rules.
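Review bot: Item 4 of the new README ("We don't do the permissions lockdown on some auditd files for some reason") records a guess rather than a reason, and the two candidate explanations it offers contradict each other in practice: if the lockdown was dropped only because `auditd` is never built, it should still be applied to the rule files under `files/rules.d` that this package does install, since those define what the kernel audits and should not be world-readable or writable by anyone but root. Before merging, please diff the fork's ebuild against gentoo's `sys-process/audit` ebuild, state which files the lockdown covered and why it was removed, or restore it for the files that are still installed. The same hedging weakens items 1 and 3 ("seem to be mostly similar", "seems to be unused", "seems redundant"): for item 3 in particular, the claim that audit records reach the journal holds only when `systemd-journald` is collecting them (via `systemd-journald-audit.socket`) and `auditd` is not running, so name that mechanism in the README so a reader can verify that dropping `auditd`, `ausearch` and `aureport` does not lose records.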