mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-10-02 11:01:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

sys-process/audit: Apply Flatcar modifications

Browse Source
This commit is contained in:
Krzesimir Nowak 2021-12-15 21:00:38 +01:00
parent 25b036f454
commit 52c0685d0f
12 changed files with 111 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md vendored Normal file
View File

@ -0,0 +1,24 @@
This is a fork of gentoo's `sys-process/audit` package. The main
reasons for having our fork seem to be:
1. We have our own audit rules (see files in `files/rules.d`
directory).
- These seem to be mostly similar to what gentoo provides, but split
into several files and they have an additional rule for SELinux
events.
- We also install it in a different place and place symlinks with
systemd's tmpfiles functionality.
2. We install a systemd service that loads our rules at startup.
3. We build and install only a subset of binaries in the project.
Namely, we skip all the daemon stuff that puts the logs in
`/var/log/audit` and some tools that process those logs. Since
audit logs are also written to journal, writing them to disk seems
redundant, thus auditd and the tools seem to be unnecessary. This
also reduces the final image size a bit.
4. Since we do not install the daemon, we don't do the permissions
lockdown on some auditd files.

72
sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild vendored
View File

@ -3,9 +3,11 @@
EAPI=7 EAPI=7
PYTHON_COMPAT=( python3_{8..10} ) # Flatcar: Support python 3.6.
PYTHON_COMPAT=( python3_{6..10} )
inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript TMPFILES_OPTIONAL=1
inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles
DESCRIPTION="Userspace utilities for storing and processing auditing records" DESCRIPTION="Userspace utilities for storing and processing auditing records"
HOMEPAGE="https://people.redhat.com/sgrubb/audit/" HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
@ -13,7 +15,8 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
LICENSE="GPL-2+ LGPL-2.1+" LICENSE="GPL-2+ LGPL-2.1+"
SLOT="0" SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" # Flatcar: Build amd64 and arm64 by default.
KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
IUSE="gssapi ldap python static-libs test" IUSE="gssapi ldap python static-libs test"
REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
@ -39,6 +42,20 @@ src_prepare() {
# Disable installing sample rules so they can be installed as docs. # Disable installing sample rules so they can be installed as docs.
echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null
# Flatcar: Do not build daemon stuff.
sed -e '/^SUBDIRS =/s/audisp//' \
-i Makefile.am || die
# Flatcar: Some legacy stuff is being installed when systemd
# is enabled. Drop all the lines that try doing it.
sed -e '/${DESTDIR}${initdir}/d' \
-e '/${DESTDIR}${legacydir}/d' \
-i init.d/Makefile.am || die
# Flatcar: Do not build daemon stuff.
sed -e '/^sbin_PROGRAMS =/s/auditd//' \
-e '/^sbin_PROGRAMS =/s/aureport//' \
-e '/^sbin_PROGRAMS =/s/ausearch//' \
-i src/Makefile.am || die
default default
eautoreconf eautoreconf
} }
@ -116,30 +133,46 @@ multilib_src_install_all() {
dodoc AUTHORS ChangeLog README* THANKS dodoc AUTHORS ChangeLog README* THANKS
docinto contrib docinto contrib
dodoc contrib/avc_snap dodoc contrib/avc_snap
docinto contrib/plugin # Flatcar: Do not install any plugin stuff, these are parts of
dodoc contrib/plugin/* # auditd that we don't build and install anyway.
# docinto contrib/plugin
# dodoc contrib/plugin/*
docinto rules docinto rules
dodoc rules/*rules dodoc rules/*rules
newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd # Flatcar: Do not install stuff auditd stuff.
newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd # newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
# newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
[ -f "${ED}"/sbin/audisp-remote ] && \ # Flatcar: We are not installing audisp too.
dodir /usr/sbin && \ # [ -f "${ED}"/sbin/audisp-remote ] && \
mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die # dodir /usr/sbin && \
# mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
# Flatcar: Do not install gentoo rules.
# Gentoo rules # Gentoo rules
insinto /etc/audit # insinto /etc/audit
newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules # newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
doins "${FILESDIR}"/audit.rules.stop* # Flatcar: We are installing our own rules.
insinto /usr/share/audit/rules.d
doins "${FILESDIR}"/rules.d/*.rules
# Flatcar: Do not install deamon stuff.
# doins "${FILESDIR}"/audit.rules.stop*
# audit logs go here # audit logs go here
keepdir /var/log/audit # Flatcar: This is where auditd puts its logs. We don't have
# the daemon, so get rid of the unnecessary directory.
# keepdir /var/log/audit
find "${ED}" -type f -name '*.la' -delete || die find "${ED}" -type f -name '*.la' -delete || die
# Security # Security
lockdown_perms "${ED}" lockdown_perms "${ED}"
# Flatcar: Our systemd stuff.
newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
systemd_dounit "${FILESDIR}"/audit-rules.service
systemd_enable_service multi-user.target audit-rules.service
} }
pkg_postinst() { pkg_postinst() {
@ -149,8 +182,11 @@ pkg_postinst() {
lockdown_perms() { lockdown_perms() {
# Upstream wants these to have restrictive perms. # Upstream wants these to have restrictive perms.
# Should not || die as not all paths may exist. # Should not || die as not all paths may exist.
local basedir="${1}" # Flatcar: No lockdown of permissions - it's probably only
chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null # related to auditd.
chmod 0750 "${basedir}"/var/log/audit 2>/dev/null # local basedir="${1}"
chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null # chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
# chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
# chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
:
} }

16
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service vendored Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description=Load Security Auditing Rules
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionSecurity=audit
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/augenrules --load
ExecStop=-/sbin/auditctl -D
[Install]
WantedBy=multi-user.target

5
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles vendored Normal file
View File

@ -0,0 +1,5 @@
d /etc/audit - - - - -
d /etc/audit/rules.d - - - - -
L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules
L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules
L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules

25
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 vendored
View File

@ -1,25 +0,0 @@
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D
# Feel free to add below this line. See auditctl man page
# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
# The following rule would cause the capture of all systems not caught above.
# -a exit,always -S all
# Increase the buffers to survive stress events
-b 8192
# vim:ft=conf:

12
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post vendored
View File

@ -1,12 +0,0 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# This file contains the auditctl rules that are loaded immediately after the
# audit deamon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# Not used for the default Gentoo configuration as of v1.2.3
# Paranoid security types might wish to reconfigure kauditd here.
# vim:ft=conf:

15
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre vendored
View File

@ -1,15 +0,0 @@
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# This file contains the auditctl rules that are loaded immediately before the
# audit deamon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# auditd is stopping, don't capture events anymore
-D
# Disable kernel generating audit events
-e 0
# vim:ft=conf:

22
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3 vendored
View File

@ -1,22 +0,0 @@
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# Configuration options for auditd
# -f for foreground mode
# There are some other options as well, but you'll have to look in the source
# code to find them as they aren't ready for use yet.
EXTRAOPTIONS=''
# Audit rules file to run after starting auditd
RULEFILE_STARTUP=/etc/audit/audit.rules
# Audit rules file to run before and after stopping auditd
RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
# If you want to enforce a certain locale for auditd,
# uncomment one of the next lines:
#AUDITD_LANG=none
AUDITD_LANG=C
#AUDITD_LANG=en_US
#AUDITD_LANG=en_US.UTF-8

90
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3 vendored
View File

@ -1,90 +0,0 @@
#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
extra_started_commands='reload reload_auditd reload_rules'
description='Linux Auditing System'
description_reload='Reload daemon configuration and rules'
description_reload_rules='Reload daemon rules'
description_reload_auditd='Reload daemon configuration'
name='auditd'
pidfile='/var/run/auditd.pid'
command='/sbin/auditd'
start_auditd() {
# Env handling taken from the upstream init script
if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
else
LANG="$AUDITD_LANG"
LC_TIME="$AUDITD_LANG"
LC_ALL="$AUDITD_LANG"
LC_MESSAGES="$AUDITD_LANG"
LC_NUMERIC="$AUDITD_LANG"
LC_MONETARY="$AUDITD_LANG"
LC_COLLATE="$AUDITD_LANG"
export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
fi
unset HOME MAIL USER USERNAME
ebegin "Starting ${name}"
start-stop-daemon \
--start --quiet --pidfile ${pidfile} \
--exec ${command} -- ${EXTRAOPTIONS}
local ret=$?
eend $ret
return $ret
}
stop_auditd() {
ebegin "Stopping ${name}"
start-stop-daemon --stop --quiet --pidfile ${pidfile}
local ret=$?
eend $ret
return $ret
}
loadfile() {
local rules="$1"
if [ -n "${rules}" -a -f "${rules}" ]; then
einfo "Loading audit rules from ${rules}"
/sbin/auditctl -R "${rules}" >/dev/null
return $?
else
return 0
fi
}
start() {
start_auditd
local ret=$?
if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
loadfile "${RULEFILE_STARTUP}"
fi
return $ret
}
reload_rules() {
loadfile "${RULEFILE_STARTUP}"
}
reload_auditd() {
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP \
--exec "${command}" --pidfile "${pidfile}"
eend $?
}
reload() {
reload_auditd
reload_rules
}
stop() {
[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
stop_auditd
local ret=$?
[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
return $ret
}

3
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules vendored Normal file
View File

@ -0,0 +1,3 @@
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D

4
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules vendored Normal file
View File

@ -0,0 +1,4 @@
# Enable all SELinux related events
# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
-a exclude,never -F msgtype>=1400 -F msgtype<=1499

5
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules vendored Normal file
View File

@ -0,0 +1,5 @@
# Always report changes to the audit subsystem itself.
-a exclude,never -F msgtype=CONFIG_CHANGE
# Ignore everything else.
-a exclude,always -F msgtype>0