overlay coreos-base/misc-files: Install audit files

We will move sys-process/audit to portage-stable. In order to do that,
we need to move the customizations out of its ebuild.
This commit is contained in:
Krzesimir Nowak 2024-02-26 15:13:42 +01:00
parent 39bf99b420
commit 5cb7639e7c
5 changed files with 56 additions and 4 deletions


@ -0,0 +1,3 @@
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D


@ -0,0 +1,4 @@
# Enable all SELinux related events
# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
-a exclude,never -F msgtype>=1400 -F msgtype<=1499
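Review bot: The `exclude,never` rule on the last line may not keep SELinux events as the first-line comment intends: as far as I can tell the kernel's exclude list (`audit_filter()` in kernel/audit.c) drops an event on any matching rule in that list regardless of the never/always action, which is why the `never,exclude -F msgtype=...` idiom is normally used to suppress record types rather than retain them. If that holds, this rule and the `-a exclude,never -F msgtype=CONFIG_CHANGE` line in the 99-default file (file names inferred from the ebuild hunk) silently discard exactly the events meant to be kept, and the catch-all `-a exclude,always -F msgtype>0` drops everything else. Please verify on a target kernel by provoking an AVC denial after `augenrules --load` and checking that the record still reaches the kernel log / ausearch; if it is dropped, the keep-list has to be written as always-exclude rules over the complementary ranges, e.g. `-a exclude,always -F msgtype<1305`, `-a exclude,always -F msgtype>1305 -F msgtype<1400` and `-a exclude,always -F msgtype>1499` (1305 being CONFIG_CHANGE), replacing the three current rules. Either way, a comment stating that the exclude list is first-match and that the augenrules merge order is load-bearing would help the next reader.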


@ -0,0 +1,5 @@
# Always report changes to the audit subsystem itself.
-a exclude,never -F msgtype=CONFIG_CHANGE
# Ignore everything else.
-a exclude,always -F msgtype>0
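Review bot: The catch-all on the last line only leaves the earlier keep-rules any chance of effect because augenrules merges rules.d files in natural sort order and the kernel evaluates the exclude list first-match, yet nothing in the file says so; a later-sorting drop-in (constructed example: a local `99-site.rules`) that tries to retain an event type would be silently ineffective. I would replace `# Ignore everything else.` with `# Ignore everything else. The exclude list is first-match, so any rule meant to keep an event type must live in a file that sorts before this one (augenrules merges rules.d in natural sort order).` The 99- prefix is presumably chosen for exactly that reason, and stating it makes the constraint reviewable.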


@ -0,0 +1,16 @@
[Unit]
Description=Load Security Auditing Rules
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionSecurity=audit
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/augenrules --load
ExecStop=-/sbin/auditctl -D
[Install]
WantedBy=multi-user.target
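Review bot: The unit has no `ConditionKernelCommandLine=!audit=0` / `!audit=off` guard, so on a machine booted with auditing disabled on the kernel command line `augenrules --load` still runs, and as far as I can tell `ConditionSecurity=audit` only tests that the kernel offers the audit netlink family, not that auditing is enabled. Upstream's audit-rules.service carries those two conditions if I recall correctly; adding `ConditionKernelCommandLine=!audit=0` and `ConditionKernelCommandLine=!audit=off` after `ConditionSecurity=audit` would keep this copy in step and avoid loading rules into a subsystem the operator turned off. A `Documentation=man:augenrules(8)` line would also help, since the unit now lives outside the audit package and a reader cannot tell where it came from.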


@ -12,7 +12,7 @@ HOMEPAGE='https://www.flatcar.org/'
LICENSE='Apache-2.0' LICENSE='Apache-2.0'
SLOT='0' SLOT='0'
KEYWORDS='amd64 arm64' KEYWORDS='amd64 arm64'
IUSE="openssh ntp policycoreutils" IUSE="audit ntp openssh policycoreutils"
# No source directory. # No source directory.
S="${WORKDIR}" S="${WORKDIR}"
@ -33,6 +33,7 @@ RDEPEND="
>=app-shells/bash-5.2_p15-r2 >=app-shells/bash-5.2_p15-r2
ntp? ( >=net-misc/ntp-4.2.8_p17 ) ntp? ( >=net-misc/ntp-4.2.8_p17 )
policycoreutils? ( >=sys-apps/policycoreutils-3.6 ) policycoreutils? ( >=sys-apps/policycoreutils-3.6 )
audit? ( >=sys-process/audit-3.1.1 )
" "
declare -A CORE_BASH_SYMLINKS declare -A CORE_BASH_SYMLINKS
@ -99,10 +100,12 @@ src_install() {
['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs' ['/usr/lib/selinux/mcs']='/usr/share/flatcar/etc/selinux/mcs'
['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf' ['/usr/lib/selinux/semanage.conf']='/usr/share/flatcar/etc/selinux/semanage.conf'
) )
if use openssh; then if use audit; then
compat_symlinks+=( compat_symlinks+=(
['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf' ['/usr/share/audit/rules.d/00-clear.rules']='/usr/share/flatcar/etc/audit/rules.d/00-clear.rules'
['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf' ['/usr/share/audit/rules.d/80-selinux.rules']='/usr/share/flatcar/etc/audit/rules.d/80-selinux.rules'
['/usr/share/audit/rules.d/99-default.rules']='/usr/share/flatcar/etc/audit/rules.d/99-default.rules'
['/usr/share/auditd/auditd.conf']='/usr/share/flatcar/etc/audit/auditd.conf'
) )
fi fi
if use ntp; then if use ntp; then
@ -110,6 +113,12 @@ src_install() {
['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf' ['/usr/share/ntp/ntp.conf']='/usr/share/flatcar/etc/ntp.conf'
) )
fi fi
if use openssh; then
compat_symlinks+=(
['/usr/share/ssh/ssh_config']='/usr/share/flatcar/etc/ssh/ssh_config.d/50-flatcar-ssh.conf'
['/usr/share/ssh/sshd_config']='/usr/share/flatcar/etc/ssh/sshd_config.d/50-flatcar-sshd.conf'
)
fi
local link target local link target
for link in "${!compat_symlinks[@]}"; do for link in "${!compat_symlinks[@]}"; do
@ -149,6 +158,21 @@ src_install() {
fowners --no-dereference 500:500 "${link}" fowners --no-dereference 500:500 "${link}"
done done
if use audit; then
# Install our rules.
insinto /etc/audit/rules.d
for name in 00-clear.rules 80-selinux.rules 99-default.rules; do
doins "${FILESDIR}/audit/${name}"
# Upstream wants these to have restrictive perms.
fperms 0640 "/etc/audit/rules.d/${name}"
done
# Install a service that loads the rules (it's possibly
# something that a deamon does, but in our case the daemon is
# disabled by default).
systemd_dounit "${FILESDIR}/audit/audit-rules.service"
systemd_enable_service multi-user.target audit-rules.service
fi
if use ntp; then if use ntp; then
insinto /etc insinto /etc
doins "${FILESDIR}/ntp/ntp.conf" doins "${FILESDIR}/ntp/ntp.conf"