diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md new file mode 100644 index 0000000000..20ef8bab00 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md @@ -0,0 +1,24 @@ +This is a fork of gentoo's `sys-process/audit` package. The main +reasons for having our fork seem to be: + +1. We have our own audit rules (see files in `files/rules.d` + directory). + + - These seem to be mostly similar to what gentoo provides, but split + into several files and they have an additional rule for SELinux + events. + + - We also install it in a different place and place symlinks with + systemd's tmpfiles functionality. + +2. We install a systemd service that loads our rules at startup. + +3. We build and install only a subset of binaries in the project. + Namely, we skip all the daemon stuff that puts the logs in + `/var/log/audit` and some tools that process those logs. Since + audit logs are also written to journal, writing them to disk seems + redundant, thus auditd and the tools seem to be unnecessary. This + also reduces the final image size a bit. + +4. Since we do not install the daemon, we don't do the permissions + lockdown on some auditd files. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild index 515bd1b841..9b96ede524 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild @@ -3,9 +3,11 @@ EAPI=7 -PYTHON_COMPAT=( python3_{8..10} ) +# Flatcar: Support python 3.6. +PYTHON_COMPAT=( python3_{6..10} ) -inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript +TMPFILES_OPTIONAL=1 +inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles DESCRIPTION="Userspace utilities for storing and processing auditing records" HOMEPAGE="https://people.redhat.com/sgrubb/audit/" @@ -13,7 +15,8 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz" LICENSE="GPL-2+ LGPL-2.1+" SLOT="0" -KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +# Flatcar: Build amd64 and arm64 by default. +KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" IUSE="gssapi ldap python static-libs test" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" @@ -39,6 +42,20 @@ src_prepare() { # Disable installing sample rules so they can be installed as docs. echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null + # Flatcar: Do not build daemon stuff. + sed -e '/^SUBDIRS =/s/audisp//' \ + -i Makefile.am || die + # Flatcar: Some legacy stuff is being installed when systemd + # is enabled. Drop all the lines that try doing it. + sed -e '/${DESTDIR}${initdir}/d' \ + -e '/${DESTDIR}${legacydir}/d' \ + -i init.d/Makefile.am || die + # Flatcar: Do not build daemon stuff. + sed -e '/^sbin_PROGRAMS =/s/auditd//' \ + -e '/^sbin_PROGRAMS =/s/aureport//' \ + -e '/^sbin_PROGRAMS =/s/ausearch//' \ + -i src/Makefile.am || die + default eautoreconf } @@ -116,30 +133,46 @@ multilib_src_install_all() { dodoc AUTHORS ChangeLog README* THANKS docinto contrib dodoc contrib/avc_snap - docinto contrib/plugin - dodoc contrib/plugin/* + # Flatcar: Do not install any plugin stuff, these are parts of + # auditd that we don't build and install anyway. + # docinto contrib/plugin + # dodoc contrib/plugin/* docinto rules dodoc rules/*rules - newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd - newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd + # Flatcar: Do not install stuff auditd stuff. + # newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd + # newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd - [ -f "${ED}"/sbin/audisp-remote ] && \ - dodir /usr/sbin && \ - mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die + # Flatcar: We are not installing audisp too. + # [ -f "${ED}"/sbin/audisp-remote ] && \ + # dodir /usr/sbin && \ + # mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die + # Flatcar: Do not install gentoo rules. # Gentoo rules - insinto /etc/audit - newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules - doins "${FILESDIR}"/audit.rules.stop* + # insinto /etc/audit + # newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules + # Flatcar: We are installing our own rules. + insinto /usr/share/audit/rules.d + doins "${FILESDIR}"/rules.d/*.rules + # Flatcar: Do not install deamon stuff. + # doins "${FILESDIR}"/audit.rules.stop* # audit logs go here - keepdir /var/log/audit + # Flatcar: This is where auditd puts its logs. We don't have + # the daemon, so get rid of the unnecessary directory. + # keepdir /var/log/audit find "${ED}" -type f -name '*.la' -delete || die # Security lockdown_perms "${ED}" + + # Flatcar: Our systemd stuff. + newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf + systemd_dounit "${FILESDIR}"/audit-rules.service + systemd_enable_service multi-user.target audit-rules.service } pkg_postinst() { @@ -149,8 +182,11 @@ pkg_postinst() { lockdown_perms() { # Upstream wants these to have restrictive perms. # Should not || die as not all paths may exist. - local basedir="${1}" - chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null - chmod 0750 "${basedir}"/var/log/audit 2>/dev/null - chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null + # Flatcar: No lockdown of permissions - it's probably only + # related to auditd. + # local basedir="${1}" + # chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null + # chmod 0750 "${basedir}"/var/log/audit 2>/dev/null + # chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null + : } diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service new file mode 100644 index 0000000000..8c54802fb5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service @@ -0,0 +1,16 @@ +[Unit] +Description=Load Security Auditing Rules +DefaultDependencies=no +After=local-fs.target systemd-tmpfiles-setup.service +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +ConditionSecurity=audit + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/sbin/augenrules --load +ExecStop=-/sbin/auditctl -D + +[Install] +WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles new file mode 100644 index 0000000000..2c15b63d23 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles @@ -0,0 +1,5 @@ +d /etc/audit - - - - - +d /etc/audit/rules.d - - - - - +L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules +L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules +L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 deleted file mode 100644 index 25dbedfd1d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 +++ /dev/null @@ -1,25 +0,0 @@ -# Copyright 1999-2011 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# -# This file contains the auditctl rules that are loaded -# whenever the audit daemon is started via the initscripts. -# The rules are simply the parameters that would be passed -# to auditctl. - -# First rule - delete all -# This is to clear out old rules, so we don't append to them. --D - -# Feel free to add below this line. See auditctl man page - -# The following rule would cause all of the syscalls listed to be ignored in logging. --a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat --a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat - -# The following rule would cause the capture of all systems not caught above. -# -a exit,always -S all - -# Increase the buffers to survive stress events --b 8192 - -# vim:ft=conf: diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post deleted file mode 100644 index 29ae197f18..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post +++ /dev/null @@ -1,12 +0,0 @@ -# Copyright 1999-2005 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# -# This file contains the auditctl rules that are loaded immediately after the -# audit deamon is stopped via the initscripts. -# The rules are simply the parameters that would be passed -# to auditctl. - -# Not used for the default Gentoo configuration as of v1.2.3 -# Paranoid security types might wish to reconfigure kauditd here. - -# vim:ft=conf: diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre deleted file mode 100644 index 1f34173369..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre +++ /dev/null @@ -1,15 +0,0 @@ -# Copyright 1999-2011 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# -# This file contains the auditctl rules that are loaded immediately before the -# audit deamon is stopped via the initscripts. -# The rules are simply the parameters that would be passed -# to auditctl. - -# auditd is stopping, don't capture events anymore --D - -# Disable kernel generating audit events --e 0 - -# vim:ft=conf: diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 deleted file mode 100644 index c66be166ce..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright 1999-2011 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -# Configuration options for auditd -# -f for foreground mode -# There are some other options as well, but you'll have to look in the source -# code to find them as they aren't ready for use yet. -EXTRAOPTIONS='' - -# Audit rules file to run after starting auditd -RULEFILE_STARTUP=/etc/audit/audit.rules - -# Audit rules file to run before and after stopping auditd -RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre -RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post - -# If you want to enforce a certain locale for auditd, -# uncomment one of the next lines: -#AUDITD_LANG=none -AUDITD_LANG=C -#AUDITD_LANG=en_US -#AUDITD_LANG=en_US.UTF-8 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 deleted file mode 100644 index c952554df2..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 +++ /dev/null @@ -1,90 +0,0 @@ -#!/sbin/openrc-run -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -extra_started_commands='reload reload_auditd reload_rules' -description='Linux Auditing System' -description_reload='Reload daemon configuration and rules' -description_reload_rules='Reload daemon rules' -description_reload_auditd='Reload daemon configuration' - -name='auditd' -pidfile='/var/run/auditd.pid' -command='/sbin/auditd' - -start_auditd() { - # Env handling taken from the upstream init script - if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then - unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE - else - LANG="$AUDITD_LANG" - LC_TIME="$AUDITD_LANG" - LC_ALL="$AUDITD_LANG" - LC_MESSAGES="$AUDITD_LANG" - LC_NUMERIC="$AUDITD_LANG" - LC_MONETARY="$AUDITD_LANG" - LC_COLLATE="$AUDITD_LANG" - export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE - fi - unset HOME MAIL USER USERNAME - - ebegin "Starting ${name}" - start-stop-daemon \ - --start --quiet --pidfile ${pidfile} \ - --exec ${command} -- ${EXTRAOPTIONS} - local ret=$? - eend $ret - return $ret -} - -stop_auditd() { - ebegin "Stopping ${name}" - start-stop-daemon --stop --quiet --pidfile ${pidfile} - local ret=$? - eend $ret - return $ret -} - -loadfile() { - local rules="$1" - if [ -n "${rules}" -a -f "${rules}" ]; then - einfo "Loading audit rules from ${rules}" - /sbin/auditctl -R "${rules}" >/dev/null - return $? - else - return 0 - fi -} - -start() { - start_auditd - local ret=$? - if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then - loadfile "${RULEFILE_STARTUP}" - fi - return $ret -} - -reload_rules() { - loadfile "${RULEFILE_STARTUP}" -} - -reload_auditd() { - ebegin "Reloading ${SVCNAME}" - start-stop-daemon --signal HUP \ - --exec "${command}" --pidfile "${pidfile}" - eend $? -} - -reload() { - reload_auditd - reload_rules -} - -stop() { - [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}" - stop_auditd - local ret=$? - [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}" - return $ret -} diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules new file mode 100644 index 0000000000..f43e62771c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules @@ -0,0 +1,3 @@ +# First rule - delete all +# This is to clear out old rules, so we don't append to them. +-D diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules new file mode 100644 index 0000000000..627b17db3f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules @@ -0,0 +1,4 @@ +# Enable all SELinux related events +# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h) + +-a exclude,never -F msgtype>=1400 -F msgtype<=1499 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules new file mode 100644 index 0000000000..cc373d8406 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules @@ -0,0 +1,5 @@ +# Always report changes to the audit subsystem itself. +-a exclude,never -F msgtype=CONFIG_CHANGE + +# Ignore everything else. +-a exclude,always -F msgtype>0