diff -rupN audit-2.2.3/audit.spec audit-2.2.3_burn1/audit.spec --- audit-2.2.3/audit.spec 2013-03-20 07:31:20.000000000 +1100 +++ audit-2.2.3_burn1/audit.spec 2013-04-07 20:52:51.663230537 +1000 @@ -10,7 +10,7 @@ Summary: User space tools for 2.6 kernel auditing Name: audit Version: 2.2.3 -Release: 1 +Release: 2 License: GPLv2+ Group: System Environment/Daemons URL: http://people.redhat.com/sgrubb/audit/ @@ -218,6 +218,7 @@ fi %attr(644,root,root) %{_mandir}/man8/aulast.8.gz %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz +%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz %attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz @@ -229,6 +230,7 @@ fi %attr(755,root,root) /sbin/aureport %attr(750,root,root) /sbin/autrace %attr(750,root,root) /sbin/audispd +%attr(750,root,root) /sbin/augenrules %attr(755,root,root) %{_bindir}/aulast %attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/ausyscall @@ -241,10 +243,11 @@ fi %endif %attr(750,root,root) %dir %{_var}/log/audit %attr(750,root,root) %dir /etc/audit +%attr(750,root,root) %dir /etc/audit/rules.d %attr(750,root,root) %dir /etc/audisp %attr(750,root,root) %dir /etc/audisp/plugins.d %config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf -%config(noreplace) %attr(640,root,root) /etc/audit/audit.rules +%config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules %config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf diff -rupN audit-2.2.3/docs/augenrules.8 audit-2.2.3_burn1/docs/augenrules.8 --- audit-2.2.3/docs/augenrules.8 1970-01-01 10:00:00.000000000 +1000 +++ audit-2.2.3_burn1/docs/augenrules.8 2013-04-07 19:15:26.692978885 +1000 @@ -0,0 +1,36 @@ +.TH AUGENRULES: "8" "Apr 2013" "Red Hat" "System Administration Utilities" +.SH NAME +augenrules \- a script that merges component audit rule files +.SH SYNOPSIS +.B augenrules +.RI [ options ] +.SH DESCRIPTION +\fBaugenrules\fP is a script that merges all component audit rules files, +found in the audit rules directory, \fI/etc/audit/rules.d\fP, placing the +merged file in \fI/etc/audit/audit.rules\fP. Component audit rule files, must +end in \fI.rules\fP in order to be processed. All other files in +\fI/etc/audit/rules.d\fP are ignored. +.P +The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and striped of empty and comment (#) lines. +.P +The last processed -\fID\fP directive without an option, if present, is always +emitted as the first line in the resultant file. Those with an option are +replicated in place. +The last processed -\fIb\fP directive, if present, is always +emitted as the second line in the resultant file. +The last processed -\fIf\fP directive, if present, is always +emitted as the third line in the resultant file. +The last processed -\fIe\fP directive, if present, is always +emitted as the last line in the resultant file. +.P +The generated file is only copied to \fI/etc/audit/rules.d\fP, if it differs. +.SH OPTIONS +.TP +.BR none + +.SH FILES +/etc/audit/rules.d/ +/etc/audit/audit.rules +.SH "SEE ALSO" +.BR audit.rules (8), +.BR auditd (8). diff -rupN audit-2.2.3/docs/Makefile.am audit-2.2.3_burn1/docs/Makefile.am --- audit-2.2.3/docs/Makefile.am 2013-03-20 07:31:12.000000000 +1100 +++ audit-2.2.3_burn1/docs/Makefile.am 2013-04-07 16:35:36.040595035 +1000 @@ -54,5 +54,6 @@ ausearch_clear.3 \ ausearch_next_event.3 ausearch_set_stop.3 \ autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \ audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \ +augenrules.8 \ zos-remote.conf.5 diff -rupN audit-2.2.3/docs/Makefile.in audit-2.2.3_burn1/docs/Makefile.in --- audit-2.2.3/docs/Makefile.in 2013-03-20 07:32:00.000000000 +1100 +++ audit-2.2.3_burn1/docs/Makefile.in 2013-04-07 20:53:56.678501579 +1000 @@ -290,6 +290,7 @@ ausearch_clear.3 \ ausearch_next_event.3 ausearch_set_stop.3 \ autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \ audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \ +augenrules.8 \ zos-remote.conf.5 all: all-am diff -rupN audit-2.2.3/init.d/auditd.init audit-2.2.3_burn1/init.d/auditd.init --- audit-2.2.3/init.d/auditd.init 2013-03-20 07:30:07.000000000 +1100 +++ audit-2.2.3_burn1/init.d/auditd.init 2013-04-07 16:39:44.654719851 +1000 @@ -71,6 +71,8 @@ start(){ echo if test $RETVAL = 0 ; then touch /var/lock/subsys/auditd + # Prepare the default rules + test -d /etc/audit/rules.d && /sbin/augenrules # Load the default rules test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null fi @@ -102,6 +104,8 @@ stop(){ reload(){ test -f /etc/audit/auditd.conf || exit 6 echo -n $"Reloading configuration: " + # Prepare the default rules + test -d /etc/audit/rules.d && /sbin/augenrules killproc $prog -HUP RETVAL=$? echo diff -rupN audit-2.2.3/init.d/auditd.service audit-2.2.3_burn1/init.d/auditd.service --- audit-2.2.3/init.d/auditd.service 2013-03-20 07:30:07.000000000 +1100 +++ audit-2.2.3_burn1/init.d/auditd.service 2013-04-07 16:40:17.919162224 +1000 @@ -7,6 +7,7 @@ Before=sysinit.target shutdown.target [Service] ExecStart=/sbin/auditd -n +ExecStartPost=/sbin/augenrules ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules [Install] diff -rupN audit-2.2.3/init.d/augenrules audit-2.2.3_burn1/init.d/augenrules --- audit-2.2.3/init.d/augenrules 1970-01-01 10:00:00.000000000 +1000 +++ audit-2.2.3_burn1/init.d/augenrules 2013-04-07 20:51:35.027485205 +1000 @@ -0,0 +1,96 @@ +#!/bin/bash + +# Script to concatenate rules files found in a base audit rules directory +# to form a single /etc/audit/audit.rules file suitable for loading into +# the Linux audit system + +# When forming the interim rules file, both empty lines and comment +# lines (starting with # or #) are stripped as the source files +# are processed. +# +# Having formed the interim rules file, the script checks if the file is empty +# or is identical to the existing /etc/audit/audit.rules and if either of +# these cases are true, it does not replace the existing file +# + +# Variables +# +# DestinationFile: +# Destination rules file +# SourceRulesDir: +# Directory location to find component rule files +# TmpRules: +# Temporary interim rules file +# ASuffix: +# Suffix for previous audit.rules file if this script replaces it. +# The file is left in the destination directory with suffix with $ASuffix + +DestinationFile=/etc/audit/audit.rules +SourceRulesDir=/etc/audit/rules.d +TmpRules=/tmp/rules.$$ +ASuffix="prev" + + +# Delete the interim file on faults +trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15 + +# Check environment +if [ ! -d ${SourceRulesDir} ]; then + echo "$0: No rules directory - ${SourceRulesDir}" + exit 1 +fi + +# Create the interim rules file ensuring its access modes protect it +# from normal users and strip empty lines and comment lines. We also ensure +# - the last processed -D directive without an option is emitted as the first +# line. -D directives with options are left in place +# - the last processed -b directory is emitted as the second line +# - the last processed -f directory is emitted as the third line +# - the last processed -e directive is emitted as the last line +umask 0137 +for rules in $(/bin/ls -1v ${SourceRulesDir} | grep ".rules$") ; do + cat ${SourceRulesDir}/${rules} +done | awk '\ +BEGIN { + minus_e = ""; + minus_D = ""; + minus_f = ""; + minus_b = ""; + rest = 0; +} { + if (length($0) < 1) { next; } + if (match($0, "^\\s*#")) { next; } + if (match($0, "^\\s*-e")) { minus_e = $0; next; } + if (match($0, "^\\s*-D\\s*$")) { minus_D = $0; next; } + if (match($0, "^\\s*-f")) { minus_f = $0; next; } + if (match($0, "^\\s*-b")) { minus_b = $0; next; } + rules[rest++] = $0; +} +END { + printf "%s\n%s\n%s\n", minus_D, minus_b, minus_f; + for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; } + printf "%s\n", minus_e; +}' > ${TmpRules} + +# If empty then quit +if [ ! -s ${TmpRules} ]; then + echo "$0: No rules" + rm -f ${TmpRules} + exit 0 +fi + +# If the same then quit +cmp -s ${TmpRules} ${DestinationFile} > /dev/null 2>&1 +if [ $? -eq 0 ]; then + echo "$0: No change" + rm -f ${TmpRules} + exit 0 +fi + +# Otherwise we install the new file +if [ -f ${DestinationFile} ]; then + cp ${DestinationFile} ${DestinationFile}.prev +fi +mv ${TmpRules} ${DestinationFile} + +exit 0 diff -rupN audit-2.2.3/init.d/Makefile.am audit-2.2.3_burn1/init.d/Makefile.am --- audit-2.2.3/init.d/Makefile.am 2013-03-20 07:30:07.000000000 +1100 +++ audit-2.2.3_burn1/init.d/Makefile.am 2013-04-07 20:28:07.196119948 +1000 @@ -22,7 +22,7 @@ CONFIG_CLEAN_FILES = *.rej *.orig EXTRA_DIST = auditd.init auditd.service auditd.sysconfig auditd.conf \ - audit.rules auditd.cron libaudit.conf audispd.conf + audit.rules auditd.cron libaudit.conf audispd.conf augenrules libconfig = libaudit.conf dispconfig = audispd.conf dispconfigdir = $(sysconfdir)/audisp @@ -34,7 +34,10 @@ sysconfigdir = $(sysconfdir)/sysconfig endif auditdir = $(sysconfdir)/audit -dist_audit_DATA = auditd.conf audit.rules +auditrdir = $(auditdir)/rules.d +dist_audit_DATA = auditd.conf +dist_auditr_DATA = audit.rules +sbin_SCRIPTS = augenrules install-data-hook: $(INSTALL_DATA) -D -m 640 ${srcdir}/${dispconfig} ${DESTDIR}${dispconfigdir} @@ -51,6 +54,8 @@ if ENABLE_SYSTEMD else $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd endif + chmod 0750 $(DESTDIR)$(sbindir)/augenrules + uninstall-hook: rm ${DESTDIR}${dispconfigdir}/${dispconfig} diff -rupN audit-2.2.3/init.d/Makefile.in audit-2.2.3_burn1/init.d/Makefile.in --- audit-2.2.3/init.d/Makefile.in 2013-03-20 07:32:00.000000000 +1100 +++ audit-2.2.3_burn1/init.d/Makefile.in 2013-04-07 20:53:56.772513541 +1000 @@ -36,6 +36,7 @@ # Steve Grubb # + VPATH = @srcdir@ am__make_dryrun = \ { \ @@ -74,8 +75,8 @@ build_triplet = @build@ host_triplet = @host@ target_triplet = @target@ subdir = init.d -DIST_COMMON = $(dist_audit_DATA) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in +DIST_COMMON = $(dist_audit_DATA) $(dist_auditr_DATA) \ + $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/src/libev/libev.m4 \ $(top_srcdir)/configure.ac @@ -84,13 +85,6 @@ am__configure_deps = $(am__aclocal_m4_de mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_VPATH_FILES = -SOURCES = -DIST_SOURCES = -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -118,8 +112,17 @@ am__uninstall_files_from_dir = { \ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ $(am__cd) "$$dir" && rm -f $$files; }; \ } -am__installdirs = "$(DESTDIR)$(auditdir)" -DATA = $(dist_audit_DATA) +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(auditdir)" \ + "$(DESTDIR)$(auditrdir)" +SCRIPTS = $(sbin_SCRIPTS) +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +DATA = $(dist_audit_DATA) $(dist_auditr_DATA) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -256,7 +259,7 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CONFIG_CLEAN_FILES = *.rej *.orig EXTRA_DIST = auditd.init auditd.service auditd.sysconfig auditd.conf \ - audit.rules auditd.cron libaudit.conf audispd.conf + audit.rules auditd.cron libaudit.conf audispd.conf augenrules libconfig = libaudit.conf dispconfig = audispd.conf @@ -265,7 +268,10 @@ dispconfigdir = $(sysconfdir)/audisp @ENABLE_SYSTEMD_TRUE@initdir = /usr/lib/systemd/system @ENABLE_SYSTEMD_FALSE@sysconfigdir = $(sysconfdir)/sysconfig auditdir = $(sysconfdir)/audit -dist_audit_DATA = auditd.conf audit.rules +auditrdir = $(auditdir)/rules.d +dist_audit_DATA = auditd.conf +dist_auditr_DATA = audit.rules +sbin_SCRIPTS = augenrules all: all-am .SUFFIXES: @@ -299,6 +305,41 @@ $(top_srcdir)/configure: $(am__configur $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +install-sbinSCRIPTS: $(sbin_SCRIPTS) + @$(NORMAL_INSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n' \ + -e 'h;s|.*|.|' \ + -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) { files[d] = files[d] " " $$1; \ + if (++n[d] == $(am__install_max)) { \ + print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ + else { print "f", d "/" $$4, $$1 } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 's,.*/,,;$(transform)'`; \ + dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir) mostlyclean-libtool: -rm -f *.lo @@ -326,6 +367,27 @@ uninstall-dist_auditDATA: @list='$(dist_audit_DATA)'; test -n "$(auditdir)" || list=; \ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ dir='$(DESTDIR)$(auditdir)'; $(am__uninstall_files_from_dir) +install-dist_auditrDATA: $(dist_auditr_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_auditr_DATA)'; test -n "$(auditrdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(auditrdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(auditrdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(auditrdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(auditrdir)" || exit $$?; \ + done + +uninstall-dist_auditrDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_auditr_DATA)'; test -n "$(auditrdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(auditrdir)'; $(am__uninstall_files_from_dir) tags: TAGS TAGS: @@ -367,9 +429,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(DATA) +all-am: Makefile $(SCRIPTS) $(DATA) installdirs: - for dir in "$(DESTDIR)$(auditdir)"; do \ + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(auditdir)" "$(DESTDIR)$(auditrdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -422,14 +484,14 @@ info: info-am info-am: -install-data-am: install-dist_auditDATA +install-data-am: install-dist_auditDATA install-dist_auditrDATA @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-data-hook install-dvi: install-dvi-am install-dvi-am: -install-exec-am: +install-exec-am: install-sbinSCRIPTS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) install-exec-hook install-html: install-html-am @@ -468,7 +530,8 @@ ps: ps-am ps-am: -uninstall-am: uninstall-dist_auditDATA +uninstall-am: uninstall-dist_auditDATA uninstall-dist_auditrDATA \ + uninstall-sbinSCRIPTS @$(NORMAL_INSTALL) $(MAKE) $(AM_MAKEFLAGS) uninstall-hook .MAKE: install-am install-data-am install-exec-am install-strip \ @@ -478,14 +541,16 @@ uninstall-am: uninstall-dist_auditDATA distclean distclean-generic distclean-libtool distdir dvi \ dvi-am html html-am info info-am install install-am \ install-data install-data-am install-data-hook \ - install-dist_auditDATA install-dvi install-dvi-am install-exec \ - install-exec-am install-exec-hook install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + install-dist_auditDATA install-dist_auditrDATA install-dvi \ + install-dvi-am install-exec install-exec-am install-exec-hook \ + install-html install-html-am install-info install-info-am \ + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-sbinSCRIPTS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-generic \ mostlyclean-libtool pdf pdf-am ps ps-am uninstall uninstall-am \ - uninstall-dist_auditDATA uninstall-hook + uninstall-dist_auditDATA uninstall-dist_auditrDATA \ + uninstall-hook uninstall-sbinSCRIPTS install-data-hook: @@ -497,6 +562,7 @@ install-exec-hook: @ENABLE_SYSTEMD_TRUE@ mkdir -p ${DESTDIR}${initdir} @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 640 ${srcdir}/auditd.service ${DESTDIR}${initdir} @ENABLE_SYSTEMD_FALSE@ $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd + chmod 0750 $(DESTDIR)$(sbindir)/augenrules uninstall-hook: rm ${DESTDIR}${dispconfigdir}/${dispconfig}