From 22ba3fdb41503bd9b496bf950ce82e779320b9fc Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 17 Aug 2020 22:14:50 +0200
Subject: [PATCH] sys-process/audit: Install Flatcar rules

For some reason, locking down is disabled in the same commit, but no clear explanation exist.
---
 .../sys-process/audit/audit-2.8.5-r1.ebuild | 36 +++++--------------
 .../audit/files/audit-rules.service | 16 +++++++++
 .../audit/files/audit-rules.tmpfiles | 5 +++
 .../sys-process/audit/files/audit.rules | 24 -------------
 .../sys-process/audit/files/audit.rules-2.1.3 | 25 -------------
 .../audit/files/audit.rules.stop.post | 12 -------
 .../audit/files/audit.rules.stop.pre | 15 --------
 .../audit/files/rules.d/00-clear.rules | 3 ++
 .../audit/files/rules.d/80-selinux.rules | 4 +++
 .../audit/files/rules.d/99-default.rules | 5 +++
 10 files changed, 42 insertions(+), 103 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.8.5-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.8.5-r1.ebuild
index 342d22d7d9..e4da39e5b0 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.8.5-r1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.8.5-r1.ebuild
@@ -9,7 +9,8 @@
 EAPI="6"
 PYTHON_COMPAT=( python{3_6,3_7} )
 
-inherit autotools multilib multilib-minimal toolchain-funcs preserve-libs python-r1 linux-info systemd usr-ldscript
+# Flatcar: We don't use preserve-libs.
+inherit autotools multilib multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
 
 DESCRIPTION="Userspace utilities for storing and processing auditing records"
 HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
@@ -201,36 +202,17 @@ multilib_src_install_all() {
  mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
  fi
 
- # Gentoo rules
- insinto /etc/audit/
- newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
- use daemon && doins "${FILESDIR}"/audit.rules.stop*
+ # Flatcar: We install our own rules.
+ insinto /usr/share/audit/rules.d
+ doins "${FILESDIR}"/rules.d/*.rules
 
  # audit logs go here
  use daemon && keepdir /var/log/audit/
 
  find "${D}" -name '*.la' -delete || die
 
- # Security
- lockdown_perms "${ED}"
-}
-
-pkg_preinst() {
- # Preserve from the audit-1 series
- preserve_old_lib /$(get_libdir)/libaudit.so.0
-}
-
-pkg_postinst() {
- lockdown_perms "${EROOT}"
- # Preserve from the audit-1 series
- preserve_old_lib_notify /$(get_libdir)/libaudit.so.0
-}
-
-lockdown_perms() {
- # Upstream wants these to have restrictive perms.
- # Should not || die as not all paths may exist.
- local basedir="$1"
- chmod 0750 "${basedir}"/sbin/au{ditctl,report,dispd,ditd,search,trace} 2>/dev/null
- chmod 0750 "${basedir}"/var/log/audit/ 2>/dev/null
- chmod 0640 "${basedir}"/etc/{audit/,}{auditd.conf,audit.rules*} 2>/dev/null
+ # Flatcar: Our systemd stuff.
+ systemd_newtmpfilesd "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
+ systemd_dounit "${FILESDIR}"/audit-rules.service
+ systemd_enable_service multi-user.target audit-rules.service
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
new file mode 100644
index 0000000000..8c54802fb5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
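Review bot: Dropping lockdown_perms leaves nothing in the ebuild that restricts the audit configuration: `doins "${FILESDIR}"/rules.d/*.rules` installs the rule files with the default 0644, and the `keepdir /var/log/audit/` directory no longer gets 0750, whereas the removed code kept rules at 0640 and the log directory at 0750. If the relaxation is intended on Flatcar, the `# Flatcar: We install our own rules.` comment should say why; otherwise `insopts -m0640` before the `doins` line and `use daemon && fperms 0750 /var/log/audit` after the `keepdir` line restore the upstream modes. The second hunk begins inside multilib_src_install_all(), whose opening is outside this hunk.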
@@ -0,0 +1,16 @@
+[Unit]
+Description=Load Security Auditing Rules
+DefaultDependencies=no
+After=local-fs.target systemd-tmpfiles-setup.service
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=audit
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/augenrules --load
+ExecStop=-/sbin/auditctl -D
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
new file mode 100644
index 0000000000..2c15b63d23
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
@@ -0,0 +1,5 @@
+d /etc/audit - - - - -
+d /etc/audit/rules.d - - - - -
+L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules
+L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules
+L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules
deleted file mode 100644
index ef0e6ee26f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules
+++ /dev/null
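Review bot: `ExecStop=-/sbin/auditctl -D` deletes every loaded rule, and the unit has no `RefuseManualStop=yes`, so a plain `systemctl stop audit-rules.service` clears all auditing without the unit objecting; upstream's auditd.service sets `RefuseManualStop=yes` in [Unit] precisely so that rules cannot be dropped by an interactive stop. Adding that line keeps the shutdown path (`Conflicts=shutdown.target`) working while refusing manual stops. Since `RemainAfterExit=yes` makes the unit report active after a one-shot load, a comment noting that a later edit of rules.d needs `systemctl restart` (or `augenrules --load`) rather than `start` would also help operators.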
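Review bot: `d /etc/audit - - - - -` and `d /etc/audit/rules.d - - - - -` create both directories with the tmpfiles default mode, which is 0755, so the installed rule set is listable and readable by every local user; the Gentoo lockdown_perms step removed in this same commit kept the rule files at 0640 for that reason. Unless world-readable rules are wanted, use `d /etc/audit 0750 - - - -` and `d /etc/audit/rules.d 0750 - - - -`. The `L` entries only create a link when nothing exists at the path, so a locally edited copy survives tmpfiles runs; that looks like the intended override mechanism and deserves a one-line comment at the top of this file.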
@@ -1,24 +0,0 @@
-# Copyright 1999-2005 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded
-# whenever the audit daemon is started via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D
-
-# Feel free to add below this line. See auditctl man page
-
-# The following rule would cause all of the syscalls listed to be ignored in logging.
-# -a entry,never -S read -S write -S open -S fstat -S fstat64 -S mmap -S brk -S munmap -S _llseek -S nanosleep -S fcntl64 -S close -S dup2 -S rt_sigaction -S stat64 -S stat
-
-# The following rule would cause the capture of all systems not caught above.
-# -a entry,always -S all
-
-# Increase the buffers to survive stress events
--b 256
-
-# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
deleted file mode 100644
index 25dbedfd1d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded
-# whenever the audit daemon is started via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D
-
-# Feel free to add below this line. See auditctl man page
-
-# The following rule would cause all of the syscalls listed to be ignored in logging.
--a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
--a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-
-# The following rule would cause the capture of all systems not caught above.
-# -a exit,always -S all
-
-# Increase the buffers to survive stress events
--b 8192
-
-# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
deleted file mode 100644
index 29ae197f18..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
+++ /dev/null
@@ -1,12 +0,0 @@
-# Copyright 1999-2005 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded immediately after the
-# audit deamon is stopped via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# Not used for the default Gentoo configuration as of v1.2.3
-# Paranoid security types might wish to reconfigure kauditd here.
-
-# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
deleted file mode 100644
index 1f34173369..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
+++ /dev/null
@@ -1,15 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded immediately before the
-# audit deamon is stopped via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# auditd is stopping, don't capture events anymore
--D
-
-# Disable kernel generating audit events
--e 0
-
-# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
new file mode 100644
index 0000000000..f43e62771c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
@@ -0,0 +1,3 @@
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
new file mode 100644
index 0000000000..627b17db3f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
@@ -0,0 +1,4 @@
+# Enable all SELinux related events
+# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
+
+-a exclude,never -F msgtype>=1400 -F msgtype<=1499
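Review bot: The `-a exclude,never -F msgtype>=1400 -F msgtype<=1499` entry in 80-selinux.rules only does its job because augenrules concatenates /etc/audit/rules.d in lexical order, so it is consulted ahead of the `exclude,always -F msgtype>0` catch-all in 99-default.rules; neither file records that dependency. Suggest adding `# Must sort before 99-default.rules, which excludes every remaining message type.` to the header. It is also worth confirming on the target kernel that the exclude list distinguishes `never` from `always`; the kernel's exclude filter has historically keyed on the field match alone, and if that holds for Flatcar's kernel this entry suppresses AVC records instead of keeping them, which a triggered AVC plus `ausearch -m AVC` would show.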
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
new file mode 100644
index 0000000000..cc373d8406
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
@@ -0,0 +1,5 @@
+# Always report changes to the audit subsystem itself.
+-a exclude,never -F msgtype=CONFIG_CHANGE
+
+# Ignore everything else.
+-a exclude,always -F msgtype>0
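Review bot: `-a exclude,always -F msgtype>0` is applied to every record type the kernel emits, not just the ones without a syscall rule, so SYSCALL, PATH and CWD records produced by any watch or syscall rule an administrator later drops into /etc/audit/rules.d are discarded too unless that rule is paired with an `exclude,never` entry for those message types in a file sorting before this one. Nothing in the file warns about that, and "Ignore everything else." reads as if it only affected unsolicited events. Suggest replacing that comment with a short block stating that this is a deny-all exclude filter, that locally added rules need a matching `-a exclude,never -F msgtype=...` line in a lower-numbered file, and that the file must keep sorting last.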