From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Adam Duskett <adam.duskett@amarulasolutions.com>
Cc: buildroot@buildroot.org,
Marcus Folkesson <marcus.folkesson@gmail.com>,
Antoine Tenart <atenart@kernel.org>,
Marek Belisko <marek.belisko@open-nandra.com>,
Julien Olivain <ju.o@free.fr>,
"Fiona Klute \(WIWA\)" <fiona.klute@gmx.de>
Subject: Re: [Buildroot] [PATCH 13/13] package/audit: bump version to 4.0.2
Date: Sat, 26 Oct 2024 18:18:08 +0200
Message-ID: <20241026181808.4cae0be9@windsurf>
In-Reply-To: <20240916151206.947484-14-adam.duskett@amarulasolutions.com>
Hello Adam,
Cc Julien for runtime test, Cc Fiona for init script.
On Mon, 16 Sep 2024 17:12:06 +0200
Adam Duskett <adam.duskett@amarulasolutions.com> wrote:
> In addition, audit 4.x now provides two service files:
> - audit-rules.service
> - auditd.service, which depends on audit-rules.service
>
> audit-rules.service is a one-shot service that runs augenrules --load.
> To keep audit compatible with sysvinit-based systems, create a new file,
> S02augenrules, and move S02auditd to S03auditd. This change keeps the basic
> format of the systemd provided service files for ease of maintenance.
I don't follow you here. What do you mean by "keep audit compatible
with sysvinit-based systems"?
Are you saying that to keep consistency/symmetry with the systemd unit
files, you introduce two separate init scripts, one for augenrules
--load, and one for starting the daemon itself?
> Other changes:
> - The --without-python option is no longer present.
> - There is no longer a --enable/--disable-systemd option.
> - audit.rules are no longer autogenerated on startup. As such, the RedHat
> rpm .spec logic is copied, and $(@D)/rules/10-base-config.rules is copied
> to $(TARGET_DIR)/etc/audit/rules.d/audit.rules as part of the
> POST_INSTALL_TARGET_HOOKS. If /etc/audit/rules.d/audit.rules does not exit
^^^ exists ?
> on the target, auditd fails to run. This change is also a bonus for
> read-only systems and the audit.rules file is guaranteed to be on the system.
^^^ as ?
> Tested with qemu_x86_64_defconfig and running checking if audit is running
> properly.
Would be nice to have an audit test case in support/testing :-)
> diff --git a/package/audit/S02augenrules b/package/audit/S02augenrules
> new file mode 100644
> index 0000000000..70342a231c
> --- /dev/null
> +++ b/package/audit/S02augenrules
> @@ -0,0 +1,31 @@
> +#!/bin/sh
> +#
> +# audi This starts and stops auditd
audi?
This script doesn't start auditd.
> +#
> +# description: This starts the Linux Auditing System Daemon,
> +# which collects security related events in a dedicated
> +# audit log. If this daemon is turned off, audit events
> +# will be sent to syslog.
Nope, this is not what this script does.
> +#
> +
> +DAEMON="augenrules"
> +
> +start(){
> + printf "Starting %s: " "${DAEMON}"
We're not really starting a daemon here.
> + # Run audit daemon executable
Nope, this is not what is happening.
> + if /usr/sbin/"${DAEMON}" --load > /dev/null 2>&1; then
> + echo "OK"
> + else
> + echo "FAIL"
> + fi
> +}
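Review bot: in `start()` both stdout and stderr of `augenrules --load` are discarded (`> /dev/null 2>&1`), so a rules.d fragment that fails to parse leaves nothing but a bare "FAIL" on the console and the system keeps booting with whatever rules did load; suggest keeping stderr (or redirecting it to the log) and returning a non-zero status from `start()` so the failure is visible in boot logs and to anything that invokes the init script.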
This init script is kind of special, as it doesn't really start a
service, but does a one-shot action. Could you Cc: the next iteration
to Fiona so that she can review the proposal? Or maybe Fiona can even
review this first iteration.
> + mkdir -p $(TARGET_DIR)/etc/audit/rules.d
This mkdir -p is useless if you add -D to the following $(INSTALL)
command.
> + $(INSTALL) -m 0640 $(@D)/rules/10-base-config.rules \
> + $(TARGET_DIR)/etc/audit/rules.d/audit.rules
> +endef
> +AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_INSTALL_RULES
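Review bot: this hook ships only the rules.d fragment (`10-base-config.rules` installed as `/etc/audit/rules.d/audit.rules`) and nothing else under /etc/audit, while the S02augenrules script in the same patch runs `augenrules --load` at boot; since the commit message presents the change as a bonus for read-only systems, it would be worth stating in the commit message, or covering in the runtime test requested above, that `augenrules --load` succeeds when /etc/audit is not writable.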
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
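The commit message states that auditd refuses to run when /etc/audit/rules.d/audit.rules is missing, and that the base rules now land there only through the post-install hook. As an added example (not part of the patch, of Buildroot, or of the audit project), here is a build-time check a maintainer could run against a populated TARGET_DIR to confirm that the installed rules.d tree actually yields a non-empty rule set before the image is booted. The merge step is a simplified stand-in for what `augenrules` does (concatenate `*.rules` fragments in sorted order, drop comments and blank lines); the real tool also reorders `-D`/`-b`/`-f`/`-e` lines, which this approximation ignores. The sample target tree and its rule lines are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check the audit rules installed under a Buildroot
# TARGET_DIR.  Not the patch's code and not augenrules itself; the merge
# below is an approximation (assumption: sufficient for a build-time check).

# merge_audit_rules RULES_DIR OUT_FILE
# Concatenate RULES_DIR/*.rules in lexical order into OUT_FILE, dropping
# comments and blank lines.  Returns 1 when no fragment exists.
merge_audit_rules() {
    rules_dir="$1"
    out="$2"
    found=0
    : > "$out"
    for f in "$rules_dir"/*.rules; do
        [ -f "$f" ] || continue
        found=1
        # strip '#' comments to end of line, then blank lines
        sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$f" >> "$out"
    done
    [ "$found" -eq 1 ]
}

# count_audit_rules FILE
# Print the number of lines that look like audit rules (start with '-').
# Always returns 0 so it is safe under 'set -e' even when the count is 0.
count_audit_rules() {
    grep -c '^[[:space:]]*-' "$1" || true
}

# check_target_audit_rules TARGET_DIR
# Returns 0 when TARGET_DIR/etc/audit/rules.d merges to at least one rule,
# 1 otherwise (the condition the commit message says makes auditd fail).
check_target_audit_rules() {
    target="$1"
    tmp=$(mktemp)
    if ! merge_audit_rules "$target/etc/audit/rules.d" "$tmp"; then
        echo "no *.rules fragments under $target/etc/audit/rules.d" >&2
        rm -f "$tmp"
        return 1
    fi
    n=$(count_audit_rules "$tmp")
    rm -f "$tmp"
    if [ "$n" -eq 0 ]; then
        echo "rules.d under $target merged to an empty rule set" >&2
        return 1
    fi
    echo "$n audit rule(s) found under $target/etc/audit/rules.d"
    return 0
}

# Constructed sample target tree for a stand-alone run (not a real build).
SAMPLE_TARGET=$(mktemp -d)
mkdir -p "$SAMPLE_TARGET/etc/audit/rules.d"
cat > "$SAMPLE_TARGET/etc/audit/rules.d/audit.rules" <<'EOF'
## constructed base config: delete existing rules, size the buffer,
## set the failure mode
-D
-b 8192
--backlog_wait_time 60000
-f 1
EOF
check_target_audit_rules "$SAMPLE_TARGET"
rm -rf "$SAMPLE_TARGET"
```

Run it as `sh check-audit-rules.sh`, or source it and call `check_target_audit_rules "$(pwd)/output/target"` from a post-build script; a non-zero exit then fails the build instead of producing an image whose auditd will not start.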