sys-process/audit: Install Flatcar rules
For some reason, locking down is disabled in the same commit, but no clear explanation exists.
parent
a1940254ee
commit
22ba3fdb41
@ -9,7 +9,8 @@ EAPI="6"
|
PYTHON_COMPAT=( python{3_6,3_7} )
|
inherit autotools multilib multilib-minimal toolchain-funcs preserve-libs python-r1 linux-info systemd usr-ldscript
# Flatcar: We don't use preserve-libs.
inherit autotools multilib multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
|
DESCRIPTION="Userspace utilities for storing and processing auditing records"
HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
@ -201,36 +202,17 @@ multilib_src_install_all() {
mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
fi
|
# Gentoo rules
insinto /etc/audit/
newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
use daemon && doins "${FILESDIR}"/audit.rules.stop*
# Flatcar: We install our own rules.
insinto /usr/share/audit/rules.d
doins "${FILESDIR}"/rules.d/*.rules
|
# audit logs go here
use daemon && keepdir /var/log/audit/
|
find "${D}" -name '*.la' -delete || die
|
# Security
lockdown_perms "${ED}"
}
|
pkg_preinst() {
# Preserve from the audit-1 series
preserve_old_lib /$(get_libdir)/libaudit.so.0
}
|
pkg_postinst() {
lockdown_perms "${EROOT}"
# Preserve from the audit-1 series
preserve_old_lib_notify /$(get_libdir)/libaudit.so.0
}
|
lockdown_perms() {
# Upstream wants these to have restrictive perms.
# Should not || die as not all paths may exist.
local basedir="$1"
chmod 0750 "${basedir}"/sbin/au{ditctl,report,dispd,ditd,search,trace} 2>/dev/null
chmod 0750 "${basedir}"/var/log/audit/ 2>/dev/null
chmod 0640 "${basedir}"/etc/{audit/,}{auditd.conf,audit.rules*} 2>/dev/null
# Flatcar: Our systemd stuff.
systemd_newtmpfilesd "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
systemd_dounit "${FILESDIR}"/audit-rules.service
systemd_enable_service multi-user.target audit-rules.service
}
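Review bot: Dropping lockdown_perms() together with both of its call sites (the removed `# Security` line in multilib_src_install_all and the call in pkg_postinst) also drops the restrictive modes upstream applied — 0750 on the au* binaries and on /var/log/audit, 0640 on auditd.conf and the rules files — while `use daemon && keepdir /var/log/audit/` survives, so the audit log directory now lands with the default directory mode (the old/new side assignment is inferred from the hunk counts, since the page shows no +/- markers). If the Flatcar build intentionally does not want the lockdown, the `# Flatcar:` comment should say so and why, because the commit message itself leaves the reason open. Otherwise the one-line equivalent for the log directory is `use daemon && fperms 0750 /var/log/audit` placed right after the keepdir, which keeps the tree self-contained without reintroducing the pkg_postinst fix-up on `${EROOT}`.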
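--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Load Security Auditing Rules
+DefaultDependencies=no
+After=local-fs.target systemd-tmpfiles-setup.service
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=audit
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/augenrules --load
+ExecStop=-/sbin/auditctl -D
+
+[Install]
+WantedBy=multi-user.target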
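--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
@@ -0,0 +1,5 @@
+d /etc/audit - - - - -
+d /etc/audit/rules.d - - - - -
+L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules
+L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules
+L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules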
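--- a/<DELETED-FILE-1-PATH-NOT-SHOWN-ON-PAGE>
+++ b/<DELETED-FILE-1-PATH-NOT-SHOWN-ON-PAGE>
@@ -1,24 +0,0 @@
-# Copyright 1999-2005 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded
-# whenever the audit daemon is started via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D
-
-# Feel free to add below this line. See auditctl man page
-
-# The following rule would cause all of the syscalls listed to be ignored in logging.
-# -a entry,never -S read -S write -S open -S fstat -S fstat64 -S mmap -S brk -S munmap -S _llseek -S nanosleep -S fcntl64 -S close -S dup2 -S rt_sigaction -S stat64 -S stat
-
-# The following rule would cause the capture of all systems not caught above.
-# -a entry,always -S all
-
-# Increase the buffers to survive stress events
--b 256
-
-# vim:ft=conf: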
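--- a/<DELETED-FILE-2-PATH-NOT-SHOWN-ON-PAGE>
+++ b/<DELETED-FILE-2-PATH-NOT-SHOWN-ON-PAGE>
@@ -1,25 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded
-# whenever the audit daemon is started via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D
-
-# Feel free to add below this line. See auditctl man page
-
-# The following rule would cause all of the syscalls listed to be ignored in logging.
--a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
--a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-
-# The following rule would cause the capture of all systems not caught above.
-# -a exit,always -S all
-
-# Increase the buffers to survive stress events
--b 8192
-
-# vim:ft=conf: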
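--- a/<DELETED-FILE-3-PATH-NOT-SHOWN-ON-PAGE>
+++ b/<DELETED-FILE-3-PATH-NOT-SHOWN-ON-PAGE>
@@ -1,12 +0,0 @@
-# Copyright 1999-2005 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded immediately after the
-# audit deamon is stopped via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# Not used for the default Gentoo configuration as of v1.2.3
-# Paranoid security types might wish to reconfigure kauditd here.
-
-# vim:ft=conf: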
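--- a/<DELETED-FILE-4-PATH-NOT-SHOWN-ON-PAGE>
+++ b/<DELETED-FILE-4-PATH-NOT-SHOWN-ON-PAGE>
@@ -1,15 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded immediately before the
-# audit deamon is stopped via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# auditd is stopping, don't capture events anymore
--D
-
-# Disable kernel generating audit events
--e 0
-
-# vim:ft=conf: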
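--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
@@ -0,0 +1,3 @@
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D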
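--- a/<NEW-FILE-PATH-NOT-SHOWN-ON-PAGE-A>
+++ b/<NEW-FILE-PATH-NOT-SHOWN-ON-PAGE-A>
@@ -0,0 +1,4 @@
+# Enable all SELinux related events
+# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
+
+-a exclude,never -F msgtype>=1400 -F msgtype<=1499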
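--- a/<NEW-FILE-PATH-NOT-SHOWN-ON-PAGE-B>
+++ b/<NEW-FILE-PATH-NOT-SHOWN-ON-PAGE-B>
@@ -0,0 +1,5 @@
+# Always report changes to the audit subsystem itself.
+-a exclude,never -F msgtype=CONFIG_CHANGE
+
+# Ignore everything else.
+-a exclude,always -F msgtype>0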