diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md deleted file mode 100644 index 20ef8bab00..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md +++ /dev/null @@ -1,24 +0,0 @@ -This is a fork of gentoo's `sys-process/audit` package. The main -reasons for having our fork seem to be: - -1. We have our own audit rules (see files in `files/rules.d` - directory). - - - These seem to be mostly similar to what gentoo provides, but split - into several files and they have an additional rule for SELinux - events. - - - We also install it in a different place and place symlinks with - systemd's tmpfiles functionality. - -2. We install a systemd service that loads our rules at startup. - -3. We build and install only a subset of binaries in the project. - Namely, we skip all the daemon stuff that puts the logs in - `/var/log/audit` and some tools that process those logs. Since - audit logs are also written to journal, writing them to disk seems - redundant, thus auditd and the tools seem to be unnecessary. This - also reduces the final image size a bit. - -4. Since we do not install the daemon, we don't do the permissions - lockdown on some auditd files. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild index 8319056101..515bd1b841 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild @@ -3,8 +3,7 @@ EAPI=7 -# Flatcar: Support python 3.6. -PYTHON_COMPAT=( python3_{6..10} ) +PYTHON_COMPAT=( python3_{8..10} ) inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript @@ -14,8 +13,7 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz" LICENSE="GPL-2+ LGPL-2.1+" SLOT="0" -# Flatcar: Build amd64 and arm64 by default. -KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" IUSE="gssapi ldap python static-libs test" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" @@ -41,20 +39,6 @@ src_prepare() { # Disable installing sample rules so they can be installed as docs. echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null - # Flatcar: Do not build daemon stuff. - sed -e '/^SUBDIRS =/s/audisp//' \ - -i Makefile.am || die - # Flatcar: Some legacy stuff is being installed when systemd - # is enabled. Drop all the lines that try doing it. - sed -e '/${DESTDIR}${initdir}/d' \ - -e '/${DESTDIR}${legacydir}/d' \ - -i init.d/Makefile.am || die - # Flatcar: Do not build daemon stuff. - sed -e '/^sbin_PROGRAMS =/s/auditd//' \ - -e '/^sbin_PROGRAMS =/s/aureport//' \ - -e '/^sbin_PROGRAMS =/s/ausearch//' \ - -i src/Makefile.am || die - default eautoreconf } @@ -132,46 +116,30 @@ multilib_src_install_all() { dodoc AUTHORS ChangeLog README* THANKS docinto contrib dodoc contrib/avc_snap - # Flatcar: Do not install any plugin stuff, these are parts of - # auditd that we don't build and install anyway. - # docinto contrib/plugin - # dodoc contrib/plugin/* + docinto contrib/plugin + dodoc contrib/plugin/* docinto rules dodoc rules/*rules - # Flatcar: Do not install stuff auditd stuff. - # newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd - # newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd + newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd + newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd - # Flatcar: We are not installing audisp too. - # [ -f "${ED}"/sbin/audisp-remote ] && \ - # dodir /usr/sbin && \ - # mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die + [ -f "${ED}"/sbin/audisp-remote ] && \ + dodir /usr/sbin && \ + mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die - # Flatcar: Do not install gentoo rules. # Gentoo rules - # insinto /etc/audit - # newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules - # Flatcar: We are installing our own rules. - insinto /usr/share/audit/rules.d - doins "${FILESDIR}"/rules.d/*.rules - # Flatcar: Do not install deamon stuff. - # doins "${FILESDIR}"/audit.rules.stop* + insinto /etc/audit + newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules + doins "${FILESDIR}"/audit.rules.stop* # audit logs go here - # Flatcar: This is where auditd puts its logs. We don't have - # the daemon, so get rid of the unnecessary directory. - # keepdir /var/log/audit + keepdir /var/log/audit find "${ED}" -type f -name '*.la' -delete || die # Security lockdown_perms "${ED}" - - # Flatcar: Our systemd stuff. - systemd_newtmpfilesd "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf - systemd_dounit "${FILESDIR}"/audit-rules.service - systemd_enable_service multi-user.target audit-rules.service } pkg_postinst() { @@ -181,11 +149,8 @@ pkg_postinst() { lockdown_perms() { # Upstream wants these to have restrictive perms. # Should not || die as not all paths may exist. - # Flatcar: No lockdown of permissions - it's probably only - # related to auditd. - # local basedir="${1}" - # chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null - # chmod 0750 "${basedir}"/var/log/audit 2>/dev/null - # chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null - : + local basedir="${1}" + chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null + chmod 0750 "${basedir}"/var/log/audit 2>/dev/null + chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service deleted file mode 100644 index 8c54802fb5..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Load Security Auditing Rules -DefaultDependencies=no -After=local-fs.target systemd-tmpfiles-setup.service -Conflicts=shutdown.target -Before=sysinit.target shutdown.target -ConditionSecurity=audit - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/sbin/augenrules --load -ExecStop=-/sbin/auditctl -D - -[Install] -WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles deleted file mode 100644 index 2c15b63d23..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles +++ /dev/null @@ -1,5 +0,0 @@ -d /etc/audit - - - - - -d /etc/audit/rules.d - - - - - -L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules -L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules -L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 new file mode 100644 index 0000000000..25dbedfd1d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 @@ -0,0 +1,25 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# +# This file contains the auditctl rules that are loaded +# whenever the audit daemon is started via the initscripts. +# The rules are simply the parameters that would be passed +# to auditctl. + +# First rule - delete all +# This is to clear out old rules, so we don't append to them. +-D + +# Feel free to add below this line. See auditctl man page + +# The following rule would cause all of the syscalls listed to be ignored in logging. +-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat +-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat + +# The following rule would cause the capture of all systems not caught above. +# -a exit,always -S all + +# Increase the buffers to survive stress events +-b 8192 + +# vim:ft=conf: diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post new file mode 100644 index 0000000000..29ae197f18 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post @@ -0,0 +1,12 @@ +# Copyright 1999-2005 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# +# This file contains the auditctl rules that are loaded immediately after the +# audit deamon is stopped via the initscripts. +# The rules are simply the parameters that would be passed +# to auditctl. + +# Not used for the default Gentoo configuration as of v1.2.3 +# Paranoid security types might wish to reconfigure kauditd here. + +# vim:ft=conf: diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre new file mode 100644 index 0000000000..1f34173369 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre @@ -0,0 +1,15 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# +# This file contains the auditctl rules that are loaded immediately before the +# audit deamon is stopped via the initscripts. +# The rules are simply the parameters that would be passed +# to auditctl. + +# auditd is stopping, don't capture events anymore +-D + +# Disable kernel generating audit events +-e 0 + +# vim:ft=conf: diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 new file mode 100644 index 0000000000..c66be166ce --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 @@ -0,0 +1,22 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +# Configuration options for auditd +# -f for foreground mode +# There are some other options as well, but you'll have to look in the source +# code to find them as they aren't ready for use yet. +EXTRAOPTIONS='' + +# Audit rules file to run after starting auditd +RULEFILE_STARTUP=/etc/audit/audit.rules + +# Audit rules file to run before and after stopping auditd +RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre +RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post + +# If you want to enforce a certain locale for auditd, +# uncomment one of the next lines: +#AUDITD_LANG=none +AUDITD_LANG=C +#AUDITD_LANG=en_US +#AUDITD_LANG=en_US.UTF-8 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 new file mode 100644 index 0000000000..c952554df2 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 @@ -0,0 +1,90 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_started_commands='reload reload_auditd reload_rules' +description='Linux Auditing System' +description_reload='Reload daemon configuration and rules' +description_reload_rules='Reload daemon rules' +description_reload_auditd='Reload daemon configuration' + +name='auditd' +pidfile='/var/run/auditd.pid' +command='/sbin/auditd' + +start_auditd() { + # Env handling taken from the upstream init script + if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then + unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + else + LANG="$AUDITD_LANG" + LC_TIME="$AUDITD_LANG" + LC_ALL="$AUDITD_LANG" + LC_MESSAGES="$AUDITD_LANG" + LC_NUMERIC="$AUDITD_LANG" + LC_MONETARY="$AUDITD_LANG" + LC_COLLATE="$AUDITD_LANG" + export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + fi + unset HOME MAIL USER USERNAME + + ebegin "Starting ${name}" + start-stop-daemon \ + --start --quiet --pidfile ${pidfile} \ + --exec ${command} -- ${EXTRAOPTIONS} + local ret=$? + eend $ret + return $ret +} + +stop_auditd() { + ebegin "Stopping ${name}" + start-stop-daemon --stop --quiet --pidfile ${pidfile} + local ret=$? + eend $ret + return $ret +} + +loadfile() { + local rules="$1" + if [ -n "${rules}" -a -f "${rules}" ]; then + einfo "Loading audit rules from ${rules}" + /sbin/auditctl -R "${rules}" >/dev/null + return $? + else + return 0 + fi +} + +start() { + start_auditd + local ret=$? + if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then + loadfile "${RULEFILE_STARTUP}" + fi + return $ret +} + +reload_rules() { + loadfile "${RULEFILE_STARTUP}" +} + +reload_auditd() { + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${command}" --pidfile "${pidfile}" + eend $? +} + +reload() { + reload_auditd + reload_rules +} + +stop() { + [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}" + stop_auditd + local ret=$? + [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}" + return $ret +} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules deleted file mode 100644 index f43e62771c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules +++ /dev/null @@ -1,3 +0,0 @@ -# First rule - delete all -# This is to clear out old rules, so we don't append to them. --D diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules deleted file mode 100644 index 627b17db3f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules +++ /dev/null @@ -1,4 +0,0 @@ -# Enable all SELinux related events -# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h) - --a exclude,never -F msgtype>=1400 -F msgtype<=1499 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules deleted file mode 100644 index cc373d8406..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules +++ /dev/null @@ -1,5 +0,0 @@ -# Always report changes to the audit subsystem itself. --a exclude,never -F msgtype=CONFIG_CHANGE - -# Ignore everything else. --a exclude,always -F msgtype>0