[MIR] audit (pulls in libprelude)

As Steve Langasek has previously pointed out[1], the audit source tree includes an embedded copy[2] of libev that is statically links against. If we leave it as-is, we can drop the libev build dependency but that doesn't seem like a clean solution.

1: https://bugs.launchpad.net/ubuntu/+source/cron/+bug/878155/comments/2
2: https://fedorahosted.org/audit/browser/trunk/src/libev?rev=698

After speaking with jdstrand, I'm going to explore the option of disabling the auditd code that listens on the network. Then we may be able to simply support the non-networked auditd and leave all networking capabilities in universe.

Unsubscribing ubuntu-mir and marking the libprelude and libev tasks as invalid while I look into this.

My patches to disable the auditd listener code at build time have been sent to the linux-audit list and the thread is archived here:

https://www.redhat.com/archives/linux-audit/2012-August/msg00007.html

They are pending review.

Worth noting that nscd (from the glibc build) can also take advantage of libaudit if it can link to it at runtime. nscd on its own isn't much of a reason to promote libaudit, but it would be lovely if someone pokes me to re-enable the build-dep if/when libaudit is deemed uncrackful enough to promote.

Here's a debdiff which backports the upstream patches that disable the auditd network listener and splits up the auditd package into auditd-common, auditd, and auditd-light. I've tested the resulting packages and everything looks good except for these dpkg warnings when doing a dist-upgrade to the new auditd package:

...
Preparing to replace auditd 1.7.18-1ubuntu1 (using .../auditd_1.7.18-1ubuntu2_amd64.deb) ...
Unpacking replacement auditd ...
dpkg: warning: unable to delete old directory '/etc/audit': Directory not empty
dpkg: warning: unable to delete old directory '/etc/audisp/plugins.d': Directory not empty
dpkg: warning: unable to delete old directory '/etc/audisp': Directory not empty
dpkg: warning: unable to delete old directory '/var/log/audit': Directory not empty
...

Those directories were moved from the auditd package to the auditd-common package. This is the first time that I've done a package split, so I'm not sure how serious those warnings are or how to fix them.

The attachment "audit_1.7.18-1ubuntu2.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

I would suggest you to consider updating to 2.2 branch before doing the MIR

2.2 (from debian) has added some new packages and libaudit got a soname bump

Unsubscribing ubuntu-sponsors for now, since debdiff should get rebased on 2.2 branch.

FYI I've just uploaded 1:2.2.2-1 in debian experimental

linux-tools perf depends on libaudit-dev. I've disabled building perf until such time as libaudit-dev is promoted to main.

After speaking with infinity, mdeslaur, and jdstrand, we've decided to *not* split the audit package into an audit daemon with networking support and another without. Instead, we've decided to disable network listener support in the existing auditd binary package.

If we have a large number of users who depend on the auditd network listener support, then we may try to get the split package layout upstream in Debian and then merge that back into Ubuntu. However, I do not believe that the centralized logging functionality in auditd is widely used.

This approach provides a nice balance of security and maintainability, while not confusing users with multiple auditd binary packages.

Here's the debdiff to disable the network listener and remove libwrap and libev as build dependencies. Please see the changelog for more details. I've successfully tested auditd and some of the auditd tools with this debdiff applied.

ACK on the debdiff. Uploaded, thanks!

Ok, the MIR description has been updated to reflect changes that have occurred since I originally opened this MIR request and I've re-subscribed ubuntu-mir.

This bug was fixed in the package audit - 1:2.2.2-1ubuntu2

---------------
audit (1:2.2.2-1ubuntu2) raring; urgency=low

  * Disable auditd network listener with --disable-listener (LP: #1026852)
    - debian/rules: Reduce the risk of a remote attack on auditd, which
      runs as root, by not building the code that listens for audit messages
      over the network. This will prevent users from using auditd as a
      centralized audit message aggregator, but this feature is rarely used.
  * Don't build against libwrap since only auditd's network listener used it
    - debian/control: Remove libwrap0-dev Build-Dependency
    - debian/rules: Remove --with-libwrap from configure arguments
  * Remove libev-dev Build-Dependency (LP: #1026852)
    - debian/control: The upstream audit sources embed and build against their
      own version of libev. This is not desirable, but there's no reason to
      list libev-dev as a build dependency at this time.
 -- Tyler Hicks <email address hidden> Wed, 06 Feb 2013 13:51:35 -0800

MIR review for libprelude:
 * Builds fine with only main enabled
 * Has a test suite and it is enabled in the build
 * No Ubuntu delta
 * dh_makeshlibs is used, but not dh_makeshlibs -V (would be nice to have this in Debian)
 * Has debian/watch file
 * Update history is slow, but there isn't really much to do
 * The current release is not packaged. 1.0.1 is avilable but this only has 2 bug fixes
 * Will entering main make it harder for the people currently keeping it up to date? no-- should be able to just sync
 * Lintian warnings (lintian ../source/*dsc ../binary/*.deb)
 * Is debian/rules a mess? it's fine
 * there are warnings during the build, but they shouldn't be a problem (in the testsuite, setting variables but not using them, unused functions, etc)
 * Incautious use of malloc/sprintf: spot checked various places and it seems fine-- returns code are checked, string operations are ok
 * Uses of sudo (see audit-packaging.sh) or LD_LIBRARY_PATH (see audit-code.sh)
 * Important bugs (crashers, etc) in Debian or Ubuntu: no
 * Does the package have a CVE history? no
 * binaries are compiled with PIE
 * No initscripts/upstart jobs, dbus services, setuid/fscaps, sudo, cron jobs
 * use of chown() suggests privileged operations, but this seems under the control of the admin (ie, no network services processes untrusted input)

Nothing in this review suggests it needs a security audit. ACK

Audit MIR:

 * Builds fine pulling in only libprelude from universe
 * Has a test suire and it is enabled
 * Uses dh_python2 but not reverse depends on python-audit that are on the CD
 * There is an Ubuntu delta, but Tyler is pushing this to Debian. A small delta may remain to disable the network code, but this is manageable
 * uses a symbols file
 * has a debian/watch file
 * update history is fine
 * current release is packaged
 * Entering main will likely make it harder to maintain, but it is something that is needed
 * Lintian is fine
 * debian/rules is ok
 * Errors/warnings during the build: there are quite a few warnings particularly due to -Wunused-result (especially surrounding asprintf)
 * No important bugs in Debian or Ubuntu
 * There is a CVE history. Patch was simple and easy to fix.
 * Binaries compiled with PIE.
 * Lintian clean
 * one daemon, runs as root, does not process network traffic with new build options
 * no dbus services, setuid/fscaps, sudo/gksu/pkexec or cron jobs

Conditional ACK provided the compiler warnings are fixed or shown to not be a problem for any binaries going to main.

Alright, based on the above comments by Jamie, and the knowledge that Tyler will have packages fixing the warnings for me this weekend, I'm going to pre-promote the lot so nscd can build against it.

If we want auditd in main, someone will have to decide where it should be seeded, for now, this will just pull in libaudit-dev and libaudit1, as build-deps of glibc, linux, etc.

Here's the (large) debdiff that fixes the important compiler warnings. I've submitted all three patches upstream:

https://www.redhat.com/archives/linux-audit/2013-February/msg00003.html

There are still remaining compiler warnings, but I consider them to be ok:

../../../../src/libev/ev.c:1254:31: warning: 'ev_default_loop_ptr' initialized and declared 'extern' [enabled by default]
../../../../src/libev/ev.c: In function 'pipecb':
../../../../src/libev/ev.c:1900:16: warning: ignoring return value of 'read', declared with attribute warn_unused_result [-Wunused-result]
../../../../src/libev/ev.c:1907:16: warning: ignoring return value of 'read', declared with attribute warn_unused_result [-Wunused-result]

The ev_default_loop_ptr issue is intentional considering this comment on the line triggering the warning:

/* needs to be initialised to make it a definition despite extern */

The ignored return value of 'read' is ok because the function is just slurping a few bytes off of a signal pipe into a dummy buffer, which is ignored. There is no error handling or logging to be done in this situation, even if read() failed.

There are still a number of compiler warnings in the zos-remote audispd plugin. Most of them are harmless warnings, but the main reason why I feel they can be ignored is because the audisp-plugins package is remaining in universe.

This bug was fixed in the package audit - 1:2.2.2-1ubuntu3

---------------
audit (1:2.2.2-1ubuntu3) raring; urgency=low

  * Fix important build warnings (LP: #1026852)
    - debian/patches/fix-asprintf-warnings.patch: Linux asprintf()
      implementations do not provide guarantees around the strp variable upon
      error so its return code must be checked.
    - debian/patches/fix-unused-result-warnings.patch: Be sure to check the
      return code of various important functions and create an appropriate
      error path.
    - debian/patches/fix-discards-const-qualifier-warnings.patch: Fix some
      areas where the const qualifier was not being respected.
 -- Tyler Hicks <email address hidden> Fri, 08 Feb 2013 18:36:06 -0800

Thanks Tyler :) I added auditd as an on-demand supported install.

> Thanks Tyler :) I added auditd as an on-demand supported install.

(to the raring supported seed)

Override component to main
auditd 1:2.2.2-1ubuntu3 in raring amd64: universe/admin/extra -> main
auditd 1:2.2.2-1ubuntu3 in raring armhf: universe/admin/extra -> main
auditd 1:2.2.2-1ubuntu3 in raring i386: universe/admin/extra -> main
auditd 1:2.2.2-1ubuntu3 in raring powerpc: universe/admin/extra -> main
Override [y|N]? y
4 publications overridden.