* audit 1.6.4 released
From: Steve Grubb @ 2007-12-29 15:44 UTC (permalink / raw)
To: Linux Audit
Hi,

I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:

- fchmod of log file was on wrong variable
- Allow use of errno strings for exit codes in audit rules

This release fixes a major bug that got introduced in the last release. The
code that fixes a permission problem was using the wrong variable. It happens
that the result was applied to /dev/null instead of the audit log. If you had
selinux in enforcing mode - nothing happened, for everyone else.../dev/null
probably got messed up. Oopsie.

This release also lets you express audit rules with slightly more readable
exit codes. This means you can now do things like:

auditctl -a always,exit -S open -F exit=-EPERM

Please let me know if you run across any problems with this release.

-Steve
* Re: audit 1.6.4 released
From: Eric Paris @ 2007-12-30 16:24 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux Audit
On Sat, 2007-12-29 at 10:44 -0500, Steve Grubb wrote:
> Hi,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit It will also be in rawhide
> soon. The Changelog is:
>
> - fchmod of log file was on wrong variable
> - Allow use of errno strings for exit codes in audit rules
>
> This release fixes a major bug that got introduced in the last release. The
> code that fixes a permission problem was using the wrong variable. It happens
> that the result was applied to /dev/null instead of the audit log. If you had
> selinux in enforcing mode - nothing happened, for everyone else.../dev/null
> probably got messed up. Oopsie.
close, so close.

Now auditd is fchmoding /var/log/audit/audit.log to 600 and everything
works fine. But run 'service auditd restart' or just reboot and audit
will refuse to start!

Dec 30 11:53:43 dhcp231-146 auditd: /var/log/audit/audit.log permissions should be 0640

But at least this time it isn't breaking the whole system :)
-Eric
* Re: audit 1.6.4 released
From: Steve Grubb @ 2007-12-31 14:39 UTC (permalink / raw)
To: Eric Paris; +Cc: Linux Audit
On Sunday 30 December 2007 11:24:41 am Eric Paris wrote:
> On Sat, 2007-12-29 at 10:44 -0500, Steve Grubb wrote:
> > This release fixes a major bug that got introduced in the last release.
> > The code that fixes a permission problem was using the wrong variable. It
> > happens that the result was applied to /dev/null instead of the audit
> > log. If you had selinux in enforcing mode - nothing happened, for
> > everyone else.../dev/null probably got messed up. Oopsie.
>
> close, so close.
>
> Now auditd is fchmoding /var/log/audit/audit.log to 600 and everything
> works fine. But run 'service auditd restart' or just reboot and audit
> will refuse to start!
I forgot to change the parser to allow this config. The following patch was
applied to Fedora rawhide. It will be in the 1.6.5 release sometime soon. I
want to fix a couple more things before releasing 1.6.5.
-Steve
diff -urp audit-1.6.5.orig/src/auditd-config.c audit-1.6.5/src/auditd-config.c
--- audit-1.6.5.orig/src/auditd-config.c 2007-12-30 17:01:29.000000000 -0500
+++ audit-1.6.5/src/auditd-config.c 2007-12-30 17:07:45.000000000 -0500
@@ -505,9 +505,9 @@ static int log_file_parser(struct nv_pai
audit_msg(LOG_ERR, "%s is not owned by root", nv->value);
return 1;
}
- if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
- (S_IRUSR|S_IWUSR|S_IRGRP)) {
- audit_msg(LOG_ERR, "%s permissions should be 0640", nv->value);
+ if ( (buf.st_mode & (S_IXUSR|S_IWGRP|S_IXGRP|S_IRWXO)) ) {
+ audit_msg(LOG_ERR, "%s permissions should be 0600 or 0640",
+ nv->value);
return 1;
}
free((void *)config->log_file);
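
Review bot: The new condition on buf.st_mode only rejects forbidden bits (S_IXUSR, S_IWGRP, S_IXGRP, S_IRWXO), so it accepts more than the error text says: a log file at 0400, 0200, 0440 or 0000 passes even though the message names "0600 or 0640". If only those two modes are meant to be valid, compare the masked mode against both values explicitly; if anything no more permissive than 0640 is acceptable, reword the message to say so. The doubled parentheses and inner padding in "if ( (buf.st_mode & ...) )" can also be dropped to match the "if ((" style of the lines being replaced.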
* Re: audit 1.6.4 released
From: Klaus Heinrich Kiwi @ 2008-01-04 19:09 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux Audit
On Sat, 2007-12-29 at 10:44 -0500, Steve Grubb wrote:
> Hi,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit It will also be in rawhide
> soon. The Changelog is:
I'm trying to build the rpm but the process fails at:

...
Processing files: audit-libs-python-1.6.4-1
error: File not found by glob: /var/tmp/audit-1.6.4-root/usr/lib64/python?.?/site-packages/auparse-*.egg-info
Processing files: audispd-plugins-1.6.4-1
Provides: config(audispd-plugins) = 1.6.4-1
...
RPM build errors:
File not found by glob: /var/tmp/audit-1.6.4-root/usr/lib64/python?.?/site-packages/auparse-*.egg-info
[root@lepton ~]#

This happens in both fedora8 and RHEL5.1
Is there something that is supposed to generate this file? I don't see
other errors in the prep/build stage (If something is missing in my
config, maybe the spec file could use a little tweaking to point it out)
Klaus
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
* Re: audit 1.6.4 released
From: Steve Grubb @ 2008-01-04 19:37 UTC (permalink / raw)
To: Klaus Heinrich Kiwi; +Cc: Linux Audit
On Friday 04 January 2008 14:09:17 Klaus Heinrich Kiwi wrote:
> This happens in both fedora8 and RHEL5.1
You have to delete the line in the specfile that packages it up on F8 and
RHEL5. The specfile is aimed only at rawhide since that is where the
development work is done. I will be packaging 1.6.5 up for F8 next week.
> Is there something that is supposed to generate this file?
Python in rawhide.
-Steve
* Re: audit 1.6.4 released
From: Eric Paris @ 2008-01-04 21:17 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux Audit
shouldn't the spec file then require whatever version of python is
actually required?
-Eric
On Fri, 2008-01-04 at 14:37 -0500, Steve Grubb wrote:
> On Friday 04 January 2008 14:09:17 Klaus Heinrich Kiwi wrote:
> > This happens in both fedora8 and RHEL5.1
>
> You have to delete the line in the specfile that packages it up on F8 and
> RHEL5. The specfile is aimed only at rawhide since that is where the
> development work is done. I will be packaging 1.6.5 up for F8 next week.
>
> > Is there something that is supposed to generate this file?
>
> Python in rawhide.
>
> -Steve
* Re: audit 1.6.4 released
From: Steve Grubb @ 2008-01-04 23:08 UTC (permalink / raw)
To: Eric Paris; +Cc: Linux Audit
On Friday 04 January 2008 16:17:06 Eric Paris wrote:
> shouldn't the spec file then require whatever version of python is
> actually required?
If you tie things too tightly to versions, you also create problems. Besides,
this one has nothing to do with a specific version of python. It's something
recently turned on for Fedora 9.
http://fedoraproject.org/wiki/Packaging/Python/Eggs
-Steve