overlay coreos-base/misc-files: Install audit files

We will move sys-process/audit to portage-stable. In order to do that, we need to move the customizations out of its ebuild.
2025-09-24 23:21:17 +02:00 · 2024-02-26 15:13:42 +01:00 · 2024-02-26 15:13:42 +01:00 · 5cb7639e7c
commit 5cb7639e7c
parent 39bf99b420
5 changed files with 56 additions and 4 deletions
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/00-clear.rules
@ -0,0 +1,3 @@
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/80-selinux.rules
@ -0,0 +1,4 @@
+# Enable all SELinux related events
+# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
+
+-a exclude,never -F msgtype>=1400 -F msgtype<=1499
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/99-default.rules
@ -0,0 +1,5 @@
+# Always report changes to the audit subsystem itself.
+-a exclude,never -F msgtype=CONFIG_CHANGE
+
+# Ignore everything else.
+-a exclude,always -F msgtype>0
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/files/audit/audit-rules.service
@ -0,0 +1,16 @@
+[Unit]
+Description=Load Security Auditing Rules
+DefaultDependencies=no
+After=local-fs.target systemd-tmpfiles-setup.service
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=audit
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/augenrules --load
+ExecStop=-/sbin/auditctl -D
+
+[Install]
+WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/misc-files/misc-files-0-r4.ebuild
@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
 LICENSE='Apache-2.0'
 SLOT='0'
 KEYWORDS='amd64 arm64'
-IUSE="openssh ntp policycoreutils"
+IUSE="audit ntp openssh policycoreutils"

 # No source directory.
 S="${WORKDIR}"
@ -33,6 +33,7 @@ RDEPEND="
        >=app-shells/bash-5.2_p15-r2
        ntp? ( >=net-misc/ntp-4.2.8_p17 )
        policycoreutils? ( >=sys-apps/policycoreutils-3.6 )
+        audit? ( >=sys-process/audit-3.1.1 )
 "

 declare -A CORE_BASH_SYMLINKS
@ -99,10 +100,12 @@ src_install() {
        ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
        ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
    )
-    if use openssh; then
+    if use audit; then
        compat_symlinks+=(
-            ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
-            ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+            ['/usr/share/audit/rules.d/00-clear.rules']='/usr/share/flatcar/etc/audit/rules.d/00-clear.rules'
+            ['/usr/share/audit/rules.d/80-selinux.rules']='/usr/share/flatcar/etc/audit/rules.d/80-selinux.rules'
+            ['/usr/share/audit/rules.d/99-default.rules']='/usr/share/flatcar/etc/audit/rules.d/99-default.rules'
+            ['/usr/share/auditd/auditd.conf']='/usr/share/flatcar/etc/audit/auditd.conf'
        )
    fi
    if use ntp; then
@ -110,6 +113,12 @@ src_install() {
            ['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf'
        )
    fi
+    if use openssh; then
+        compat_symlinks+=(
+            ['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
+            ['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
+        )
+    fi

    local link target
    for link in "${!compat_symlinks[@]}"; do
@ -149,6 +158,21 @@ src_install() {
        fowners --no-dereference 500:500 "${link}"
    done

+    if use audit; then
+        # Install our rules.
+        insinto /etc/audit/rules.d
+        for name in 00-clear.rules 80-selinux.rules 99-default.rules; do
+            doins "${FILESDIR}/audit/${name}"
+            # Upstream wants these to have restrictive perms.
+            fperms 0640 "/etc/audit/rules.d/${name}"
+        done
+        # Install a service that loads the rules (it's possibly
+        # something that a deamon does, but in our case the daemon is
+        # disabled by default).
+        systemd_dounit "${FILESDIR}/audit/audit-rules.service"
+        systemd_enable_service multi-user.target audit-rules.service
+    fi
+
    if use ntp; then
        insinto /etc
        doins "${FILESDIR}/ntp/ntp.conf"