packages/audit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!29 【Mainline】backport some patches

Browse Source 
From: @yixiangzhike
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2021-11-17 01:07:20 +00:00 committed by Gitee
commit f44ef3de62
18 changed files with 976 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
audit.spec
View File

@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing
Name: audit Name: audit
Epoch: 1 Epoch: 1
Version: 3.0 Version: 3.0
Release: 3 Release: 4
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: https://people.redhat.com/sgrubb/audit/ URL: https://people.redhat.com/sgrubb/audit/
Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -16,6 +16,23 @@ Patch4: backport-Add-missing-call-to-free_interpretation_list.patch
Patch5: backport-fix-2-more-issues-found-by-fuzzing.patch Patch5: backport-fix-2-more-issues-found-by-fuzzing.patch
Patch6: backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch Patch6: backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch
Patch7: backport-Fix-double-free-with-corrupted-logs.patch Patch7: backport-Fix-double-free-with-corrupted-logs.patch
Patch8: backport-Turn-libaucommon-into-a-libtool-convenience-library-.patch
Patch9: backport-Fix-the-closing-timing-of-audit_fd-166.patch
Patch10: backport-Fix-some-string-length-issues.patch
Patch11: backport-Move-the-free_config-to-success-path.patch
Patch12: backport-Check-for-fuzzer-induced-invalid-value.patch
Patch13: backport-error-out-if-log-is-mangled.patch
Patch14: backport-Dont-run-off-the-end-with-corrupt-logs.patch
Patch15: backport-Another-hardening-measure-for-corrupted-logs.patch
Patch16: backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch
Patch17: backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch
Patch18: backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
Patch19: backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch
Patch20: backport-Check-ctime-return-code.patch
Patch21: backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch
Patch22: backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch
Patch23: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch
Patch24: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch
BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
BuildRequires: openldap-devel krb5-devel libcap-ng-devel BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@ -346,6 +363,25 @@ fi
%attr(644,root,root) %{_mandir}/man8/*.8.gz %attr(644,root,root) %{_mandir}/man8/*.8.gz
%changelog %changelog
* Tue Nov 16 2021 yixiangzhike <yixiangzhike007@163.com> - 3.0-4
- backport some patches
Turn libaucommon into a libtool convenience library
Fix the closing timing of audit_fd
Fix some string length issues
Move the free_config to success path
Check for fuzzer induced invalid value
error out if log is mangled
Dont run off the end with corrupt logs
Another hardening measure for corrupted logs
Fix busy loop in normalizer when logs are corrupt
Better fix for busy loop in normalizer when logs are corrupt
flush uid gid caches when user group added deleted modified
In auditd check if log_file is valid before closing handle
Check ctime return code
When interpreting if val is NULL return an empty string
auditd.service Restart on failure ignoring some exit
In auditd close the logging file descriptor when logging is suspended
* Wed Sep 1 2021 steven.ygui <steven_ygui@163.com> - 3.0-3 * Wed Sep 1 2021 steven.ygui <steven_ygui@163.com> - 3.0-3
- backport some patches to fix memory leak and double free issues - backport some patches to fix memory leak and double free issues

32
backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch Normal file
View File

@ -0,0 +1,32 @@
From d62c38a55520e58220d8e42497c4ab343185106f Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 28 Oct 2021 13:22:24 -0400
Subject: [PATCH 2237/2246] In auditd, close the logging file descriptor when
logging is suspended
---
src/auditd-event.c | 8 ++++++++
1 files changed, 8 insertions(+)
diff --git a/src/auditd-event.c b/src/auditd-event.c
index f886b67..4dee990 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -723,6 +723,14 @@ static void check_log_file_size(void)
case SZ_SUSPEND:
audit_msg(LOG_ERR,
"Audit daemon is suspending logging due to logfile size.");
+ // We need to close the file so that manual
+ // intervention can move or delete the file.
+ // We don't want to keep logging to a deleted
+ // file.
+ if (log_file)
+ fclose(log_file);
+ log_file = NULL;
+ log_fd = -1;
logging_suspended = 1;
break;
case SZ_ROTATE:
--
1.8.3.1

59
backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch Normal file
View File

@ -0,0 +1,59 @@
From 770e4f538103f8a055f46c04a9e2514f88f175c3 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 1 Nov 2021 08:29:56 -0400
Subject: [PATCH 2244/2246] In auditd, close the logging file descriptor when
logging is suspended
---
src/auditd-event.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/src/auditd-event.c b/src/auditd-event.c
index 4a0a351..e88ef6e 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -861,6 +861,13 @@ static void do_space_left_action(int admin)
case FA_SUSPEND:
audit_msg(LOG_ALERT,
"Audit daemon is suspending logging due to low disk space.");
+ // We need to close the file so that manual
+ // intervention can move or delete the file. We
+ // don't want to keep logging to a deleted file.
+ if (log_file)
+ fclose(log_file);
+ log_file = NULL;
+ log_fd = -1;
logging_suspended = 1;
break;
case FA_SINGLE:
@@ -909,6 +916,13 @@ static void do_disk_full_action(void)
case FA_SUSPEND:
audit_msg(LOG_ALERT,
"Audit daemon is suspending logging due to no space left on logging partition.");
+ // We need to close the file so that manual
+ // intervention can move or delete the file. We
+ // don't want to keep logging to a deleted file.
+ if (log_file)
+ fclose(log_file);
+ log_file = NULL;
+ log_fd = -1;
logging_suspended = 1;
break;
case FA_SINGLE:
@@ -957,6 +971,13 @@ static void do_disk_error_action(const char *func, int err)
case FA_SUSPEND:
audit_msg(LOG_ALERT,
"Audit daemon is suspending logging due to previously mentioned write error");
+ // We need to close the file so that manual
+ // intervention can move or delete the file. We
+ // don't want to keep logging to a deleted file.
+ if (log_file)
+ fclose(log_file);
+ log_file = NULL;
+ log_fd = -1;
logging_suspended = 1;
break;
case FA_SINGLE:
--
1.8.3.1

85
backport-Another-hardening-measure-for-corrupted-logs.patch Normal file
View File

@ -0,0 +1,85 @@
From ab8f522953a56c860cac2cca2a7d7874419111d5 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 7 Aug 2021 13:13:19 -0400
Subject: [PATCH 2198/2246] Another hardening measure for corrupted logs
---
src/ausearch-lookup.c | 3 +++
src/ausearch-parse.c | 25 +++++++++++++++----------
2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/src/ausearch-lookup.c b/src/ausearch-lookup.c
index e27c784..dd58c36 100644
--- a/src/ausearch-lookup.c
+++ b/src/ausearch-lookup.c
@@ -300,6 +300,9 @@ char *unescape(const char *buf)
while (isxdigit(*ptr))
ptr++;
}
+ if ((ptr - buf) == 0)
+ return NULL;
+
str = strndup(buf, ptr - buf);
if (*buf == '(')
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index d051137..78dc44c 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1658,12 +1658,21 @@ static int parse_sockaddr(const lnode *n, search_items *s)
if (event_hostname || event_filename) {
str = strstr(n->message, "saddr=");
if (str) {
- int len;
+ unsigned int len = 0;
struct sockaddr *saddr;
char name[NI_MAXHOST];
str += 6;
- len = strlen(str)/2;
+ const char *ptr = str;
+ if (*ptr == '(') {
+ const char *ptr2 = strchr(ptr, ')');
+ if (ptr2)
+ len = (ptr2 - ptr) + 1;
+ } else {
+ while (isxdigit(ptr[len]))
+ len++;
+ len /= 2;
+ }
s->hostname = unescape(str);
if (s->hostname == NULL)
return 4;
@@ -1683,17 +1692,13 @@ static int parse_sockaddr(const lnode *n, search_items *s)
}
len = sizeof(struct sockaddr_in6);
} else if (saddr->sa_family == AF_UNIX) {
- struct sockaddr_un *un =
- (struct sockaddr_un *)saddr;
- if (un->sun_path[0])
- len = strlen(un->sun_path);
- else // abstract name
- len = strlen(&un->sun_path[1]);
- if (len == 0) {
+ if (len < 4) {
fprintf(stderr,
"sun_path len too short\n");
return 3;
}
+ struct sockaddr_un *un =
+ (struct sockaddr_un *)saddr;
if (event_filename) {
if (!s->filename) {
//create
@@ -1736,7 +1741,7 @@ static int parse_sockaddr(const lnode *n, search_items *s)
s->hostname = NULL;
return 0;
}
- if (getnameinfo(saddr, len, name, NI_MAXHOST,
+ if (getnameinfo(saddr, len, name, NI_MAXHOST,
NULL, 0, NI_NUMERICHOST) ) {
free(s->hostname);
s->hostname = NULL;
--
1.8.3.1

31
backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch Normal file
View File

@ -0,0 +1,31 @@
From ad62fa01c7a963c56bac75d8f7db6a5c76be4655 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 7 Aug 2021 13:59:40 -0400
Subject: [PATCH 2200/2246] Better fix for busy loop in normalizer when logs
are corrupt
---
auparse/normalize.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/auparse/normalize.c b/auparse/normalize.c
index cd0a7c2..0ccabc5 100644
--- a/auparse/normalize.c
+++ b/auparse/normalize.c
@@ -346,10 +346,11 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall)
if ((strcmp(str, "unset") == 0) && errno == 0) {
// Only move it if its safe to
if (cnt < limit) {
- auparse_next_field(au);
+ if (auparse_next_field(au) == 0)
+ return;
cnt++;
} else
- break;
+ return;
} else
break;
}
--
1.8.3.1

47
backport-Check-ctime-return-code.patch Normal file
View File

@ -0,0 +1,47 @@
From fd76e380ea117000d9d350405e2cfbd070c5c01a Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 21 Aug 2021 10:18:30 -0400
Subject: [PATCH 2213/2246] Check ctime return code
---
tools/aulast/aulast.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c
index c513aac..8a25f3b 100644
--- a/tools/aulast/aulast.c
+++ b/tools/aulast/aulast.c
@@ -96,8 +96,11 @@ static void report_session(lnode* cur)
int mins, hours, days;
if (notime)
printf("- %-7.5s", " ");
- else
- printf("- %-7.5s", ctime(&cur->end) + 11);
+ else {
+ char *ttime = ctime(&cur->end);
+ printf("- %-7.5s", ttime ? ttime + 11 :
+ "bad value");
+ }
secs = cur->end - cur->start;
mins = (secs / 60) % 60;
hours = (secs / 3600) % 24;
@@ -128,10 +131,13 @@ static void report_session(lnode* cur)
strftime(start, sizeof(start), "%x %T", btm);
if (cur->end != 0) {
btm = localtime(&cur->end);
- strftime(end, sizeof(end), "%x %T", btm);
- printf(" ausearch --start %s --end %s",
- start, end);
+ if (btm) {
+ strftime(end, sizeof(end), "%x %T", btm);
+ printf(" ausearch --start %s --end %s",
+ start, end);
+ } else goto no_end;
} else {
+no_end:
printf(" ausearch --start %s", start);
}
if (cur->name == NULL)
--
1.8.3.1

26
backport-Check-for-fuzzer-induced-invalid-value.patch Normal file
View File

@ -0,0 +1,26 @@
From a3db7a4f849f52105b13fa412e64fc76c6b2895b Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 5 Aug 2021 21:51:33 -0400
Subject: [PATCH 2182/2246] Check for fuzzer induced invalid value
---
auparse/ellist.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/auparse/ellist.c b/auparse/ellist.c
index 17384a7..175e44e 100644
--- a/auparse/ellist.c
+++ b/auparse/ellist.c
@@ -151,6 +151,9 @@ static int parse_up_record(rnode* r)
n.val = strdup(val);
// Remove trailing punctuation
len = strlen(n.val);
+ // Check for invalid val
+ if (!len)
+ continue;
if (len && n.val[len-1] == ':') {
n.val[len-1] = 0;
len--;
--
1.8.3.1

43
backport-Dont-run-off-the-end-with-corrupt-logs.patch Normal file
View File

@ -0,0 +1,43 @@
From 50c65ae25e64b7bd4489ce22a4c7789fa9a81f2f Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 7 Aug 2021 11:33:20 -0400
Subject: [PATCH 2197/2246] Dont run off the end with corrupt logs
---
src/ausearch-parse.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 81ef319..d051137 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1031,7 +1031,7 @@ static int parse_user(const lnode *n, search_items *s, anode *avc)
if (str) {
str += 5;
term = str;
- while (*term != ' ' && *term != ':')
+ while (*term != ' ' && *term != ':' && *term)
term++;
if (term == str)
return 24;
@@ -1244,7 +1244,7 @@ skip:
char *end = str;
int legacy = 0;
- while (*end != ' ') {
+ while (*end != ' ' && *end) {
if (!isxdigit(*end)) {
legacy = 1;
}
@@ -1295,7 +1295,7 @@ skip:
char *end = str;
int legacy = 0;
- while (*end != ' ') {
+ while (*end != ' ' && *end) {
if (!isxdigit(*end)) {
legacy = 1;
}
--
1.8.3.1

26
backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch Normal file
View File

@ -0,0 +1,26 @@
From 2b34fea50a9f6a65dd51a2b7abf67e6f19c8d1f5 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 7 Aug 2021 13:51:30 -0400
Subject: [PATCH 2199/2246] Fix busy loop in normalizer when logs are corrupt
---
auparse/normalize.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/auparse/normalize.c b/auparse/normalize.c
index 99f9803..cd0a7c2 100644
--- a/auparse/normalize.c
+++ b/auparse/normalize.c
@@ -348,7 +348,8 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall)
if (cnt < limit) {
auparse_next_field(au);
cnt++;
- }
+ } else
+ break;
} else
break;
}
--
1.8.3.1

64
backport-Fix-some-string-length-issues.patch Normal file
View File

@ -0,0 +1,64 @@
From 39f868fef95f95786358bc3690a327d4f11d2d43 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 3 Jun 2021 16:18:36 -0400
Subject: [PATCH 2084/2246] Fix some string length issues
In interpret, fix the size so that we need to size it again later if new
strings get added. The ausearch/report issues have the size information
available, so FORTIFY_SOURCE should keep things in check.
---
auparse/interpret.c | 2 +-
src/aureport.c | 4 ++--
src/ausearch.c | 4 ++--
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/auparse/interpret.c b/auparse/interpret.c
index e22cae7..5d6f31a 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -1242,7 +1242,7 @@ static const char *print_flags(const char *val)
{
int flags, cnt = 0;
size_t i;
- char *out, buf[80];
+ char *out, buf[sizeof(flag_strings)];
errno = 0;
flags = strtoul(val, NULL, 16);
diff --git a/src/aureport.c b/src/aureport.c
index d0251a4..22618f0 100644
--- a/src/aureport.c
+++ b/src/aureport.c
@@ -168,10 +168,10 @@ static int process_logs(void)
int num = 0;
if (user_file && userfile_is_dir) {
- char dirname[MAXPATHLEN];
+ char dirname[MAXPATHLEN+1];
clear_config (&config);
- strcpy(dirname, user_file);
+ strncpy(dirname, user_file, MAXPATHLEN-32);
if (dirname[strlen(dirname)-1] != '/')
strcat(dirname, "/");
strcat (dirname, "audit.log");
diff --git a/src/ausearch.c b/src/ausearch.c
index 97f89bf..768807e 100644
--- a/src/ausearch.c
+++ b/src/ausearch.c
@@ -228,10 +228,10 @@ static int process_logs(void)
int ret;
if (user_file && userfile_is_dir) {
- char dirname[MAXPATHLEN];
+ char dirname[MAXPATHLEN+1];
clear_config (&config);
- strcpy(dirname, user_file);
+ strncpy(dirname, user_file, MAXPATHLEN-32);
if (dirname[strlen(dirname)-1] != '/')
strcat(dirname, "/");
strcat (dirname, "audit.log");
--
1.8.3.1

28
backport-Fix-the-closing-timing-of-audit_fd-166.patch Normal file
View File

@ -0,0 +1,28 @@
From 72996b1821b5dbd22f5e08c477660a75a38e4414 Mon Sep 17 00:00:00 2001
From: MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
Date: Wed, 14 Apr 2021 20:08:17 +0900
Subject: [PATCH 2048/2246] Fix the closing timing of audit_fd (#166)
---
lib/netlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/netlink.c b/lib/netlink.c
index 9525b8d..f7cbeb0 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -64,10 +64,10 @@ int audit_open(void)
}
if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
saved_errno = errno;
- close(fd);
audit_msg(LOG_ERR,
"Error setting audit netlink socket CLOEXEC flag (%s)",
strerror(errno));
+ close(fd);
errno = saved_errno;
return -1;
}
--
1.8.3.1

135
backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch Normal file
View File

@ -0,0 +1,135 @@
From 6531c7dfb832ea245d8004662ea7c4e90107c0df Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 11 Aug 2021 15:10:18 -0400
Subject: [PATCH 2207/2246] In auditd, check if log_file is valid before
closing handle
---
src/auditd-event.c | 44 +++++++++++++++++++++++++++++++----------------
1 files changed, 29 insertions(+), 15 deletions(-)
diff --git a/src/auditd-event.c b/src/auditd-event.c
index 3655726..788c44a 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -71,7 +71,7 @@ static void init_flush_thread(void);
/* Local Data */
static struct daemon_conf *config;
static volatile int log_fd;
-static FILE *log_file;
+static FILE *log_file = NULL;
static unsigned int disk_err_warning = 0;
static int fs_space_warning = 0;
static int fs_admin_space_warning = 0;
@@ -174,7 +175,8 @@ int init_event(struct daemon_conf *conf)
format_buf = (char *)malloc(FORMAT_BUF_LEN);
if (format_buf == NULL) {
audit_msg(LOG_ERR, "No memory for formatting, exiting");
- fclose(log_file);
+ if (log_file)
+ fclose(log_file);
log_file = NULL;
return 1;
}
@@ -212,7 +214,8 @@ static void *flush_thread_main(void *arg)
flush = 0;
pthread_mutex_unlock(&flush_lock);
- fsync(log_fd);
+ if (log_fd >= 0)
+ fsync(log_fd);
}
return NULL;
}
@@ -589,7 +592,8 @@ void handle_event(struct auditd_event *e)
if (config->daemonize == D_BACKGROUND) {
if (config->flush == FT_INCREMENTAL) {
/* EIO is only likely failure */
- if (fsync(log_fd) != 0) {
+ if (log_fd >= 0 &&
+ fsync(log_fd) != 0) {
do_disk_error_action(
"fsync",
errno);
@@ -744,6 +748,9 @@ static void check_space_left(void)
int rc;
struct statfs buf;
+ if (log_fd < 0)
+ return;
+
rc = fstatfs(log_fd, &buf);
if (rc == 0) {
if (buf.f_bavail < 5) {
@@ -831,7 +838,8 @@ static void do_space_left_action(int admin)
case FA_EXEC:
// Close the logging file in case the script zips or
// moves the file. We'll reopen in sigusr2 handler
- fclose(log_file);
+ if (log_file)
+ fclose(log_file);
log_file = NULL;
log_fd = -1;
logging_suspended = 1;
@@ -881,7 +889,8 @@ static void do_disk_full_action(void)
case FA_EXEC:
// Close the logging file in case the script zips or
// moves the file. We'll reopen in sigusr2 handler
- fclose(log_file);
+ if (log_file)
+ fclose(log_file);
log_file = NULL;
log_fd = -1;
logging_suspended = 1;
@@ -928,7 +937,8 @@ static void do_disk_error_action(const char *func, int err)
case FA_EXEC:
// Close the logging file in case the script zips or
// moves the file. We'll reopen in sigusr2 handler
- fclose(log_file);
+ if (log_file)
+ fclose(log_file);
log_file = NULL;
log_fd = -1;
logging_suspended = 1;
@@ -1053,17 +1063,21 @@ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs)
/* Close audit file. fchmod and fchown errors are not fatal because we
* already adjusted log file permissions and ownership when opening the
* log file. */
- if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR) < 0){
- audit_msg(LOG_WARNING, "Couldn't change permissions while "
+ if (log_fd >= 0) {
+ if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP :
+ S_IRUSR) < 0){
+ audit_msg(LOG_WARNING, "Couldn't change permissions while "
"rotating log file (%s)", strerror(errno));
- }
- if (fchown(log_fd, 0, config->log_group) < 0) {
- audit_msg(LOG_WARNING, "Couldn't change ownership while "
+ }
+ if (fchown(log_fd, 0, config->log_group) < 0) {
+ audit_msg(LOG_WARNING, "Couldn't change ownership while "
"rotating log file (%s)", strerror(errno));
+ }
}
- fclose(log_file);
+ if (log_file)
+ fclose(log_file);
log_file = NULL;
-
+
/* Rotate */
len = strlen(config->log_file) + 16;
oldname = (char *)malloc(len);
@@ -1470,7 +1484,8 @@ static void reconfigure(struct auditd_event *e)
free((void *)nconf->log_file);
if (need_reopen) {
- fclose(log_file);
+ if (log_file)
+ fclose(log_file);
log_file = NULL;
fix_disk_permissions();
if (open_audit_log()) {
--
1.8.3.1

28
backport-Move-the-free_config-to-success-path.patch Normal file
View File

@ -0,0 +1,28 @@
From d89e5647d9e090f45146c144d920bd1f686a8230 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 15 Jul 2021 11:36:17 -0400
Subject: [PATCH 2163/2246] Move the free_config to success path
---
src/auditd.c | 4 +++---
1 file changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/auditd.c b/src/auditd.c
index ca69d3b..5478cc4 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -457,8 +457,10 @@ static int become_daemon(void)
return -1;
/* Success - die a happy death */
- if (status == SUCCESS)
+ if (status == SUCCESS) {
+ free_config(&config);
_exit(0);
+ }
return -1;
}
--
1.8.3.1

118
backport-Turn-libaucommon-into-a-libtool-convenience-library-.patch Normal file
View File

@ -0,0 +1,118 @@
From dcbc6c76b10651c1d1b27b95869ab82ee2153afe Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@users.noreply.github.com>
Date: Tue, 5 Jan 2021 19:29:44 +0100
Subject: [PATCH 1988/2246] Turn libaucommon into a libtool convenience library
(#147)
This makes sure that the functions compiled into libaucommon
(audit_strsplit_r,...) end up in the libaudit/libauparse static library
Fixes: #146
---
audisp/plugins/remote/Makefile.am | 2 +-
audisp/plugins/syslog/Makefile.am | 2 +-
auparse/Makefile.am | 4 ++--
auparse/test/Makefile.am | 6 +++---
common/Makefile.am | 6 +++---
lib/Makefile.am | 4 ++--
6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/audisp/plugins/remote/Makefile.am b/audisp/plugins/remote/Makefile.am
index 0066e25..bd3f301 100644
--- a/audisp/plugins/remote/Makefile.am
+++ b/audisp/plugins/remote/Makefile.am
@@ -33,7 +33,7 @@ man_MANS = audisp-remote.8 audisp-remote.conf.5
check_PROGRAMS = test-queue
TESTS = $(check_PROGRAMS)
-audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.a
+audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.la
audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c
audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef
audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
diff --git a/audisp/plugins/syslog/Makefile.am b/audisp/plugins/syslog/Makefile.am
index 55ca77b..353229e 100644
--- a/audisp/plugins/syslog/Makefile.am
+++ b/audisp/plugins/syslog/Makefile.am
@@ -29,7 +29,7 @@ plugin_conf = syslog.conf
sbin_PROGRAMS = audisp-syslog
man_MANS = audisp-syslog.8
-audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.a
+audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.la
audisp_syslog_SOURCES = audisp-syslog.c
audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef
audisp_syslog_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
diff --git a/auparse/Makefile.am b/auparse/Makefile.am
index b853003..d180c34 100644
--- a/auparse/Makefile.am
+++ b/auparse/Makefile.am
@@ -45,8 +45,8 @@ libauparse_la_SOURCES = lru.c interpret.c nvlist.c ellist.c \
normalize_record_map.h normalize_syscall_map.h
nodist_libauparse_la_SOURCES = $(BUILT_SOURCES)
-libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
-libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.a
+libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
+libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.la
libauparse_la_LDFLAGS = -Wl,-z,relro
message.c:
diff --git a/auparse/test/Makefile.am b/auparse/test/Makefile.am
index 89ffcc4..11d10b0 100644
--- a/auparse/test/Makefile.am
+++ b/auparse/test/Makefile.am
@@ -29,17 +29,17 @@ AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
lookup_test_SOURCES = lookup_test.c
lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \
- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
+ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
auparse_test_SOURCES = auparse_test.c
auparse_test_LDFLAGS = -static
auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
+ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
auparselol_test_SOURCES = auparselol_test.c
auparselol_test_LDFLAGS = -static
auparselol_test_LDADD = ${top_builddir}/auparse/libauparse.la \
- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
+ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
drop_srcdir = sed 's,$(srcdir)/test,test,'
diff --git a/common/Makefile.am b/common/Makefile.am
index 9e00cbc..8b9aacb 100644
--- a/common/Makefile.am
+++ b/common/Makefile.am
@@ -24,7 +24,7 @@ CONFIG_CLEAN_FILES = *.rej *.orig
AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib
noinst_HEADERS = common.h
-libaucommon_a_DEPENDENCIES = ../config.h
-libaucommon_a_SOURCES = audit-fgets.c strsplit.c
-noinst_LIBRARIES = libaucommon.a
+libaucommon_la_DEPENDENCIES = ../config.h
+libaucommon_la_SOURCES = audit-fgets.c strsplit.c
+noinst_LTLIBRARIES = libaucommon.la
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 107c444..12e5861 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -38,8 +38,8 @@ include_HEADERS = libaudit.h
libaudit_la_SOURCES = libaudit.c message.c netlink.c \
lookup_table.c audit_logging.c deprecated.c \
dso.h private.h errormsg.h
-libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.a
-libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.a
+libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la
+libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.la
libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO)
nodist_libaudit_la_SOURCES = $(BUILT_SOURCES)
--
1.8.3.1

27
backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch Normal file
View File

@ -0,0 +1,27 @@
From ce58837d44b7d9fcb4e140c23f68e0c94d95ab6e Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 21 Aug 2021 10:20:11 -0400
Subject: [PATCH 2214/2246] When interpreting, if val is NULL return an empty
string
---
auparse/interpret.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/auparse/interpret.c b/auparse/interpret.c
index 177ab82..63829aa 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -840,6 +840,9 @@ static char *print_escaped(const char *val)
{
char *out;
+ if (val == NULL)
+ return strdup(" ");
+
if (*val == '"') {
char *term;
val++;
--
1.8.3.1

35
backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch Normal file
View File

@ -0,0 +1,35 @@
From 30382bfcc0f64f451bc084c9657a546cb34492a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= <travier@redhat.com>
Date: Fri, 1 Oct 2021 16:35:57 +0200
Subject: [PATCH 2228/2246] auditd.service: Restart 'on-failure', ignoring some
exit codes (#217)
Use `Restart=on-failure` to automatically restart `auditd`. Do not
restart for intentional exits. See EXIT CODES section in auditd(8).
See:
- https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=
- https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartPreventExitStatus=
Fixes: https://github.com/linux-audit/audit-userspace/issues/211
---
init.d/auditd.service | 3 +++
1 file changed, 3 insertions(+)
diff --git a/init.d/auditd.service b/init.d/auditd.service
index 67cda58..e801281 100644
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -27,6 +27,9 @@ ExecStartPost=-/sbin/augenrules --load
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+Restart=on-failure
+# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
+RestartPreventExitStatus=2 4 6
### Security Settings ###
MemoryDenyWriteExecute=true
--
1.8.3.1

27
backport-error-out-if-log-is-mangled.patch Normal file
View File

@ -0,0 +1,27 @@
From fc97c70fdba18280985747198a6ce836d39cce9e Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Sat, 7 Aug 2021 10:29:07 -0400
Subject: [PATCH 2196/2246] error out if log is mangled
---
src/ausearch-parse.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index b0c8b2a..81ef319 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1995,6 +1995,10 @@ other_avc:
*term = '"';
} else {
s->comm = unescape(str);
+ if (s->comm == NULL) {
+ rc = 11;
+ goto err;
+ }
term = str + 6;
}
}
--
1.8.3.1

128
backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch Normal file
View File

@ -0,0 +1,128 @@
From 8662f61108f8b9365f96ef49ca8ca331a7880f24 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 10 Aug 2021 11:27:16 -0400
Subject: [PATCH 2205/2246] flush uid/gid caches when user/group
added/deleted/modified
It was reported in issue #209 that in the enriched format that auditd
is creating the wrong account associations. This is due to caching
previous lookups. The fix is to monitor for account lifecycle changes
and flush the LRUs if any are seen.
---
auparse/auparse-idata.h | 3 ++-
auparse/interpret.c | 12 ++++++++++++
src/auditd-event.c | 27 +++++++++++++++++++++++++--
3 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h
index 660901a..eaca86a 100644
--- a/auparse/auparse-idata.h
+++ b/auparse/auparse-idata.h
@@ -1,6 +1,6 @@
/*
* idata.h - Header file for ausearch-lookup.c
-* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id,
void _auparse_load_interpretations(const char *buf);
void _auparse_free_interpretations(void);
const char *_auparse_lookup_interpretation(const char *name);
+void _auparse_flush_caches(void);
#endif
diff --git a/auparse/interpret.c b/auparse/interpret.c
index 046867b..eef377a 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void)
gid_cache_created = 0;
}
+void _auparse_flush_caches(void)
+{
+ if (uid_cache_created) {
+ destroy_lru(uid_cache);
+ uid_cache_created = 0;
+ }
+ if (gid_cache_created) {
+ destroy_lru(gid_cache);
+ gid_cache_created = 0;
+ }
+}
+
static const char *print_uid(const char *val, unsigned int base)
{
int uid;
diff --git a/src/auditd-event.c b/src/auditd-event.c
index cb29fee..3655726 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -42,6 +42,7 @@
#include "libaudit.h"
#include "private.h"
#include "auparse.h"
+#include "auparse-idata.h"
/* This is defined in auditd.c */
extern volatile int stop;
@@ -56,7 +57,7 @@ static void do_space_left_action(int admin);
static void do_disk_full_action(void);
static void do_disk_error_action(const char *func, int err);
static void fix_disk_permissions(void);
-static void check_excess_logs(void);
+static void check_excess_logs(void);
static void rotate_logs_now(void);
static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
static void shift_logs(void);
@@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep)
snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH,
"type=DAEMON_ERR op=format-enriched msg=NULL res=failed");
} else {
- int rc;
+ int rc, rtype;
size_t mlen, len;
auparse_state_t *au;
char *message;
@@ -427,6 +428,17 @@ static const char *format_enrich(const struct audit_reply *rep)
// Loop over all fields while possible to add field
rc = auparse_first_record(au);
+ rtype = auparse_get_type(au);
+ switch (rtype)
+ { // Flush before adding to pickup new associations
+ case AUDIT_ADD_USER:
+ case AUDIT_ADD_GROUP:
+ _auparse_flush_caches();
+ break;
+ default:
+ break;
+ }
+
while (rc > 0 && len > MIN_SPACE_LEFT) {
// See what kind of field we have
size_t vlen;
@@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep)
rc = auparse_next_field(au);
}
+ switch(rtype)
+ { // Flush after modification to remove stale entries
+ case AUDIT_USER_MGMT:
+ case AUDIT_DEL_USER:
+ case AUDIT_DEL_GROUP:
+ case AUDIT_GRP_MGMT:
+ _auparse_flush_caches();
+ break;
+ default:
+ break;
+ }
auparse_destroy_ext(au, AUPARSE_DESTROY_COMMON);
free(message);
}
--
1.8.3.1