diff -Nru audit-1.7.18/debian/auditd-common.auditd.default audit-1.7.18/debian/auditd-common.auditd.default
--- audit-1.7.18/debian/auditd-common.auditd.default 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.auditd.default 2011-07-29 08:42:05.000000000 -0700
@@ -0,0 +1,7 @@
+# Add extra options here
+EXTRAOPTIONS=""
+
+# This option is used to determine if rules & watches should be deleted on
+# shutdown. This is beneficial in most cases so that a watch doesn't linger
+# on a drive that is being unmounted. If set to no, it will NOT be cleaned up.
+AUDITD_CLEAN_STOP="yes"
diff -Nru audit-1.7.18/debian/auditd-common.auditd.init audit-1.7.18/debian/auditd-common.auditd.init
--- audit-1.7.18/debian/auditd-common.auditd.init 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.auditd.init 2012-01-15 11:24:04.000000000 -0800
@@ -0,0 +1,157 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: auditd
+# Required-Start: $local_fs
+# Required-Stop: $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Audit Daemon
+# Description: Collects audit information from Linux 2.6 Kernels.
+### END INIT INFO
+
+# Author: Philipp Matthias Hahn
+# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/bin
+DESC="audit daemon"
+NAME=auditd
+DAEMON=/sbin/auditd
+PIDFILE=/var/run/"$NAME".pid
+SCRIPTNAME=/etc/init.d/"$NAME"
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
+ $EXTRAOPTIONS \
+ || return 2
+ if [ -f /etc/audit/audit.rules ]
+ then
+ /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+ fi
+ # check if we have a rules directory and load the .rules files
+ if [ -d /etc/audit/rules.d ]; then
+ for rulesfile in /etc/audit/rules.d/*.rules
+ do
+ [ -f ${rulesfile} ] && /sbin/auditctl -R ${rulesfile} > /dev/null
+ done
+ fi
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME"
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON"
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f "$PIDFILE"
+ rm -f /var/run/audit_events
+ # Remove watches so shutdown works cleanly
+ case "$AUDITD_CLEAN_STOP" in
+ no|NO) ;;
+ *) /sbin/auditctl -D >/dev/null ;;
+ esac
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload
+ log_end_msg $?
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ rotate)
+ log_daemon_msg "Rotating $DESC logs" "$NAME"
+ start-stop-daemon --stop --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
+ log_end_msg $?
+ ;;
+ status)
+ pidofproc -p "$PIDFILE" "$DAEMON" >/dev/null
+ status=$?
+ if [ $status -eq 0 ]; then
+ log_success_msg "$NAME is running."
+ else
+ log_failure_msg "$NAME is not running."
+ fi
+ exit $status
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
+ exit 3
+ ;;
+esac
+
+:
diff -Nru audit-1.7.18/debian/auditd-common.auditd.logrotate audit-1.7.18/debian/auditd-common.auditd.logrotate
--- audit-1.7.18/debian/auditd-common.auditd.logrotate 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.auditd.logrotate 2011-07-26 09:34:26.000000000 -0700
@@ -0,0 +1,10 @@
+/var/log/audit/audit.log {
+ rotate 4
+ missingok
+ notifempty
+ weekly
+ compress
+ postrotate
+ /etc/init.d/auditd rotate >/dev/null
+ endscript
+}
diff -Nru audit-1.7.18/debian/auditd-common.dirs audit-1.7.18/debian/auditd-common.dirs
--- audit-1.7.18/debian/auditd-common.dirs 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.dirs 2011-07-29 09:56:56.000000000 -0700
@@ -0,0 +1,2 @@
+var/log/audit
+usr/share/pam-configs
diff -Nru audit-1.7.18/debian/auditd-common.docs audit-1.7.18/debian/auditd-common.docs
--- audit-1.7.18/debian/auditd-common.docs 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.docs 2011-07-26 09:34:26.000000000 -0700
@@ -0,0 +1,2 @@
+README
+TODO
diff -Nru audit-1.7.18/debian/auditd-common.examples audit-1.7.18/debian/auditd-common.examples
--- audit-1.7.18/debian/auditd-common.examples 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.examples 2011-07-26 09:34:26.000000000 -0700
@@ -0,0 +1,5 @@
+contrib/capp.rules
+contrib/lspp.rules
+contrib/nispom.rules
+contrib/stig.rules
+init.d/auditd.cron
diff -Nru audit-1.7.18/debian/auditd-common.install audit-1.7.18/debian/auditd-common.install
--- audit-1.7.18/debian/auditd-common.install 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.install 2012-11-16 11:07:17.000000000 -0800
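Review bot: do_start in debian/auditd-common.auditd.init never checks whether the audit rules were loaded and has no final `return`, so its exit status is whatever the last `[ -f ${rulesfile} ] && /sbin/auditctl -R ${rulesfile}` produced. A failed `auditctl -R /etc/audit/audit.rules` is discarded, while an existing but empty /etc/audit/rules.d makes the function return 1, which `start` logs as success and `restart` logs as "Old process is still running". A daemon that is up without its rules is a silent audit gap, so the failure should be surfaced, for example `/sbin/auditctl -R /etc/audit/audit.rules >/dev/null || log_warning_msg "could not load /etc/audit/audit.rules"`, with the loop test quoted as `[ -f "$rulesfile" ]` and an explicit `return 0` as the last line of the function. The script is carried over unchanged from debian/auditd.init, so this predates the package split.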
@@ -0,0 +1,26 @@
+etc/audisp/audispd.conf
+etc/audisp/plugins.d/af_unix.conf
+etc/audisp/plugins.d/syslog.conf
+etc/audit
+sbin/audispd
+sbin/auditctl
+sbin/aureport
+sbin/ausearch
+sbin/autrace
+usr/bin/aulast
+usr/bin/aulastlog
+usr/bin/ausyscall
+usr/share/man/man5/audispd.conf.5
+usr/share/man/man5/auditd.conf.5
+usr/share/man/man5/ausearch-expression.5
+usr/share/man/man7/audit.rules.7
+usr/share/man/man8/audispd.8
+usr/share/man/man8/auditctl.8
+usr/share/man/man8/auditd.8
+usr/share/man/man8/aulast.8
+usr/share/man/man8/aulastlog.8
+usr/share/man/man8/aureport.8
+usr/share/man/man8/ausearch.8
+usr/share/man/man8/ausyscall.8
+usr/share/man/man8/autrace.8
+../../debian/pam-configs/* usr/share/pam-configs/
diff -Nru audit-1.7.18/debian/auditd-common.lintian-overrides audit-1.7.18/debian/auditd-common.lintian-overrides
--- audit-1.7.18/debian/auditd-common.lintian-overrides 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.lintian-overrides 2012-11-19 23:56:02.000000000 -0800
@@ -0,0 +1,20 @@
+## Only to be forked by auditd, which explicitely checks for 750
+#auditd-common: executable-is-not-world-readable sbin/audispd 0750 != 0755
+## Only root can run
+#auditd-common: non-standard-executable-perm sbin/auditctl 0754 != 0755
+#auditd-common: non-standard-executable-perm sbin/auditd 0754 != 0755
+#auditd-common: non-standard-executable-perm sbin/autrace 0754 != 0755
+#auditd-common: non-standard-executable-perm usr/bin/aulastlog 0754 != 0755
+### Only to be forked by auditd, which explicitely checks for 750
+auditd-common: executable-is-not-world-readable sbin/audispd 0750
+## Normal users should not see what is being audited
+auditd-common: non-standard-dir-perm etc/audisp/ 0750 != 0755
+auditd-common: non-standard-file-perm etc/audisp/audispd.conf 0640 != 0644
+auditd-common: non-standard-dir-perm etc/audisp/plugins.d/ 0750 != 0755
+auditd-common: non-standard-file-perm etc/audisp/plugins.d/af_unix.conf 0640 != 0644
+auditd-common: non-standard-file-perm etc/audisp/plugins.d/syslog.conf 0640 != 0644
+auditd-common: non-standard-dir-perm etc/audit/ 0750 != 0755
+auditd-common: non-standard-file-perm etc/audit/auditd.conf 0640 != 0644
+auditd-common: non-standard-file-perm etc/audit/audit.rules 0640 != 0644
+# Contains sensitive information
+auditd-common: non-standard-dir-perm var/log/audit/ 0750 != 0755
diff -Nru audit-1.7.18/debian/auditd-common.postinst audit-1.7.18/debian/auditd-common.postinst
--- audit-1.7.18/debian/auditd-common.postinst 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.postinst 2011-07-29 09:54:34.000000000 -0700
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ configure)
+ # Remove old rc links.
+ if dpkg --compare-versions "$2" lt "1.6.5-0ubuntu2"; then
+ update-rc.d -f auditd remove > /dev/null
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+pam-auth-update --package
+
+#DEBHELPER#
+
+exit 0
diff -Nru audit-1.7.18/debian/auditd-common.postrm audit-1.7.18/debian/auditd-common.postrm
--- audit-1.7.18/debian/auditd-common.postrm 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.postrm 2011-07-26 09:34:26.000000000 -0700
@@ -0,0 +1,37 @@
+#!/bin/sh
+# postrm script for auditd
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear'
+#
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+case "$1" in
+ purge)
+ rm -rf /var/log/audit
+ rm -f /var/run/audit_events
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
diff -Nru audit-1.7.18/debian/auditd-common.prerm audit-1.7.18/debian/auditd-common.prerm
--- audit-1.7.18/debian/auditd-common.prerm 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-common.prerm 2011-07-29 09:50:38.000000000 -0700
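Review bot: The `dpkg --compare-versions "$2" lt "1.6.5-0ubuntu2"` guard in debian/auditd-common.postinst no longer means what it did in auditd.postinst, because `$2` is now the previously configured version of auditd-common, a package that did not exist before this upload. On the first configure `$2` is empty, and dpkg's `lt` treats an empty version as earlier than any version, so `update-rc.d -f auditd remove` runs on every fresh install and on every upgrade from the old auditd package. If the debhelper snippet substituted for `#DEBHELPER#` then recreates the links with defaults, any runlevel change the administrator made for the audit daemon is presumably reset. Consider dropping the block, or replacing it with a comment such as `# rc-link migration from auditd << 1.6.5-0ubuntu2 does not apply to auditd-common`.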
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -e
+
+case "${1}" in
+ remove)
+ pam-auth-update --package --remove auditd
+ ;;
+
+ upgrade|deconfigure|failed-upgrade)
+ ;;
+
+ *)
+ echo "prerm called with unknown argument \`${1}'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff -Nru audit-1.7.18/debian/auditd-light.install audit-1.7.18/debian/auditd-light.install
--- audit-1.7.18/debian/auditd-light.install 1969-12-31 16:00:00.000000000 -0800
+++ audit-1.7.18/debian/auditd-light.install 2012-11-16 11:05:50.000000000 -0800
@@ -0,0 +1 @@
+sbin/auditd
diff -Nru audit-1.7.18/debian/auditd.default audit-1.7.18/debian/auditd.default
--- audit-1.7.18/debian/auditd.default 2011-07-29 08:42:05.000000000 -0700
+++ audit-1.7.18/debian/auditd.default 1969-12-31 16:00:00.000000000 -0800
@@ -1,7 +0,0 @@
-# Add extra options here
-EXTRAOPTIONS=""
-
-# This option is used to determine if rules & watches should be deleted on
-# shutdown. This is beneficial in most cases so that a watch doesn't linger
-# on a drive that is being unmounted. If set to no, it will NOT be cleaned up.
-AUDITD_CLEAN_STOP="yes"
diff -Nru audit-1.7.18/debian/auditd.dirs audit-1.7.18/debian/auditd.dirs
--- audit-1.7.18/debian/auditd.dirs 2011-07-29 09:56:56.000000000 -0700
+++ audit-1.7.18/debian/auditd.dirs 1969-12-31 16:00:00.000000000 -0800
@@ -1,2 +0,0 @@
-var/log/audit
-usr/share/pam-configs
diff -Nru audit-1.7.18/debian/auditd.examples audit-1.7.18/debian/auditd.examples
--- audit-1.7.18/debian/auditd.examples 2011-07-26 09:34:26.000000000 -0700
+++ audit-1.7.18/debian/auditd.examples 1969-12-31 16:00:00.000000000 -0800
@@ -1,5 +0,0 @@
-contrib/capp.rules
-contrib/lspp.rules
-contrib/nispom.rules
-contrib/stig.rules
-init.d/auditd.cron
diff -Nru audit-1.7.18/debian/auditd.init audit-1.7.18/debian/auditd.init
--- audit-1.7.18/debian/auditd.init 2012-01-15 11:24:04.000000000 -0800
+++ audit-1.7.18/debian/auditd.init 1969-12-31 16:00:00.000000000 -0800
@@ -1,157 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: auditd -# Required-Start: $local_fs -# Required-Stop: $local_fs -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Audit Daemon -# Description: Collects audit information from Linux 2.6 Kernels. -### END INIT INFO - -# Author: Philipp Matthias Hahn -# Based on Debians /etc/init.d/skeleton and Auditds init.d/auditd.init - -# PATH should only include /usr/* if it runs after the mountnfs.sh script -PATH=/sbin:/bin -DESC="audit daemon" -NAME=auditd -DAEMON=/sbin/auditd -PIDFILE=/var/run/"$NAME".pid -SCRIPTNAME=/etc/init.d/"$NAME" - -# Exit if the package is not installed -[ -x "$DAEMON" ] || exit 0 - -# Read configuration variable file if it is present -[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME" - -# Load the VERBOSE setting and other rcS variables -. /lib/init/vars.sh - -# Define LSB log_* functions. -. /lib/lsb/init-functions - -# -# Function that starts the daemon/service -# -do_start() -{ - # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \ - || return 1 - start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \ - $EXTRAOPTIONS \ - || return 2 - if [ -f /etc/audit/audit.rules ] - then - /sbin/auditctl -R /etc/audit/audit.rules >/dev/null - fi - # check if we have a rules directory and load the .rules files - if [ -d /etc/audit/rules.d ]; then - for rulesfile in /etc/audit/rules.d/*.rules - do - [ -f ${rulesfile} ] && /sbin/auditctl -R ${rulesfile} > /dev/null - done - fi -} - -# -# Function that stops the daemon/service -# -do_stop() -{ - # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME" - RETVAL="$?" 
- [ "$RETVAL" = 2 ] && return 2 - start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON" - [ "$?" = 2 ] && return 2 - # Many daemons don't delete their pidfiles when they exit. - rm -f "$PIDFILE" - rm -f /var/run/audit_events - # Remove watches so shutdown works cleanly - case "$AUDITD_CLEAN_STOP" in - no|NO) ;; - *) /sbin/auditctl -D >/dev/null ;; - esac - return "$RETVAL" -} - -# -# Function that sends a SIGHUP to the daemon/service -# -do_reload() { - start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --name $NAME - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - reload|force-reload) - log_daemon_msg "Reloading $DESC" "$NAME" - do_reload - log_end_msg $? - ;; - restart) - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; # Old process is still running - *) log_end_msg 1 ;; # Failed to start - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - rotate) - log_daemon_msg "Rotating $DESC logs" "$NAME" - start-stop-daemon --stop --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME" - log_end_msg $? - ;; - status) - pidofproc -p "$PIDFILE" "$DAEMON" >/dev/null - status=$? - if [ $status -eq 0 ]; then - log_success_msg "$NAME is running." - else - log_failure_msg "$NAME is not running." 
- fi - exit $status - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2 - exit 3 - ;; -esac - -: diff -Nru audit-1.7.18/debian/auditd.install audit-1.7.18/debian/auditd.install --- audit-1.7.18/debian/auditd.install 2011-07-29 14:06:06.000000000 -0700 +++ audit-1.7.18/debian/auditd.install 2012-11-16 11:07:22.000000000 -0800 @@ -1,27 +1 @@ -etc/audisp/audispd.conf -etc/audisp/plugins.d/af_unix.conf -etc/audisp/plugins.d/syslog.conf -etc/audit -sbin/audispd -sbin/auditctl sbin/auditd -sbin/aureport -sbin/ausearch -sbin/autrace -usr/bin/aulast -usr/bin/aulastlog -usr/bin/ausyscall -usr/share/man/man5/audispd.conf.5 -usr/share/man/man5/auditd.conf.5 -usr/share/man/man5/ausearch-expression.5 -usr/share/man/man7/audit.rules.7 -usr/share/man/man8/audispd.8 -usr/share/man/man8/auditctl.8 -usr/share/man/man8/auditd.8 -usr/share/man/man8/aulast.8 -usr/share/man/man8/aulastlog.8 -usr/share/man/man8/aureport.8 -usr/share/man/man8/ausearch.8 -usr/share/man/man8/ausyscall.8 -usr/share/man/man8/autrace.8 -../../debian/pam-configs/* usr/share/pam-configs/ diff -Nru audit-1.7.18/debian/auditd.lintian-overrides audit-1.7.18/debian/auditd.lintian-overrides --- audit-1.7.18/debian/auditd.lintian-overrides 2011-07-26 09:34:26.000000000 -0700 +++ audit-1.7.18/debian/auditd.lintian-overrides 1969-12-31 16:00:00.000000000 -0800 
@@ -1,18 +0,0 @@ -## Only to be forked by auditd, which explicitely checks for 750 -#auditd: executable-is-not-world-readable sbin/audispd 0750 != 0755 -## Only root can run -#auditd: non-standard-executable-perm sbin/auditctl 0754 != 0755 -#auditd: non-standard-executable-perm sbin/auditd 0754 != 0755 -#auditd: non-standard-executable-perm sbin/autrace 0754 != 0755 -#auditd: non-standard-executable-perm usr/bin/aulastlog 0754 != 0755 -## Normal users should not see what is being audited -auditd: non-standard-dir-perm etc/audisp/ 0750 != 0755 -auditd: non-standard-file-perm etc/audisp/audispd.conf 0640 != 0644 -auditd: non-standard-dir-perm etc/audisp/plugins.d/ 0750 != 0755 -auditd: non-standard-file-perm etc/audisp/plugins.d/af_unix.conf 0640 != 0644 -auditd: non-standard-file-perm etc/audisp/plugins.d/syslog.conf 0640 != 0644 -auditd: non-standard-dir-perm etc/audit/ 0750 != 0755 -auditd: non-standard-file-perm etc/audit/auditd.conf 0640 != 0644 -auditd: non-standard-file-perm etc/audit/audit.rules 0640 != 0644 -# Contains sensitive information -auditd: non-standard-dir-perm var/log/audit/ 0750 != 0755 diff -Nru audit-1.7.18/debian/auditd.logrotate audit-1.7.18/debian/auditd.logrotate --- audit-1.7.18/debian/auditd.logrotate 2011-07-26 09:34:26.000000000 -0700 +++ audit-1.7.18/debian/auditd.logrotate 1969-12-31 16:00:00.000000000 -0800 @@ -1,10 +0,0 @@ -/var/log/audit/audit.log { - rotate 4 - missingok - notifempty - weekly - compress - postrotate - /etc/init.d/auditd rotate >/dev/null - endscript -} diff -Nru audit-1.7.18/debian/auditd.postinst audit-1.7.18/debian/auditd.postinst --- audit-1.7.18/debian/auditd.postinst 2011-07-29 09:54:34.000000000 -0700 +++ audit-1.7.18/debian/auditd.postinst 1969-12-31 16:00:00.000000000 -0800 
@@ -1,26 +0,0 @@ -#!/bin/sh - -set -e - -case "$1" in - configure) - # Remove old rc links. - if dpkg --compare-versions "$2" lt "1.6.5-0ubuntu2"; then - update-rc.d -f auditd remove > /dev/null - fi - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -pam-auth-update --package - -#DEBHELPER# - -exit 0 diff -Nru audit-1.7.18/debian/auditd.postrm audit-1.7.18/debian/auditd.postrm --- audit-1.7.18/debian/auditd.postrm 2011-07-26 09:34:26.000000000 -0700 +++ audit-1.7.18/debian/auditd.postrm 1969-12-31 16:00:00.000000000 -0800 @@ -1,37 +0,0 @@ -#!/bin/sh -# postrm script for auditd -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * `remove' -# * `purge' -# * `upgrade' -# * `failed-upgrade' -# * `abort-install' -# * `abort-install' -# * `abort-upgrade' -# * `disappear' -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -case "$1" in - purge) - rm -rf /var/log/audit - rm -f /var/run/audit_events - ;; - remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - ;; - *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 0 - ;; -esac diff -Nru audit-1.7.18/debian/auditd.prerm audit-1.7.18/debian/auditd.prerm --- audit-1.7.18/debian/auditd.prerm 2011-07-29 09:50:38.000000000 -0700 +++ audit-1.7.18/debian/auditd.prerm 1969-12-31 16:00:00.000000000 -0800 
@@ -1,21 +0,0 @@ -#!/bin/sh - -set -e - -case "${1}" in - remove) - pam-auth-update --package --remove auditd - ;; - - upgrade|deconfigure|failed-upgrade) - ;; - - *) - echo "prerm called with unknown argument \`${1}'" >&2 - exit 1 - ;; -esac - -#DEBHELPER# - -exit 0 diff -Nru audit-1.7.18/debian/changelog audit-1.7.18/debian/changelog --- audit-1.7.18/debian/changelog 2012-01-15 11:23:54.000000000 -0800 +++ audit-1.7.18/debian/changelog 2012-11-26 12:15:17.000000000 -0800 
@@ -1,3 +1,43 @@ +audit (1.7.18-1ubuntu2) raring; urgency=low + + * Create two audit daemon packages. One with a audit daemon capable of + receiving remote audit messages over the network (auditd) and another + package without that capability (auditd-light). Removing the network + listening code from the runs-as-root auditd reduces the daemon's attack + surface and mitigates administrator misconfiguration errors in auditd.conf + that may inadvertently result in a privileged process listening for + network connections. + - debian/patches/conditionalize-auditd-listener.diff: Allow for building + an auditd binary without network listener support through the + --disable-listener configure option + - debian/rules, debian/control: + + Run autoreconf as part of the build process. This is needed to keep + the conditionalize-auditd-listener.diff patch maintainable, since it + adds a new configure option and auto-generated build files would have + to be patched otherwise. + + Adjust auditd package and introduce auditd-common and auditd-light + packages. auditd-common contains all of the old auditd binary package, + except for the audit daemon itself. auditd and auditd-light will only + contain the auditd binary itself and their docs directory will link to + the auditd-common docs. auditd-light must be built in a new build + directory. + - debian/auditd.*, debian/auditd-common.*, debian/auditd.install, + debian/auditd-light.install: Move install, init, postinst, etc. 
files + from the old audit package to the new auditd-common package and create + new install files for the auditd and auditd-light packages + * Fix auditd warning about excessive permissions on audispd (LP: #683220) + - debian/rules: auditd expects the permissions on the dispatcher binary to + be 0750, so remove other users' rwx permissions to prevent the + "/sbin/audispd permissions should be 0750" warning at auditd startup + - debian/auditd-common.lintian-overrides: Add override for 0750 executable + * debian/patches/{fix-out-of-tree-build,ld-no-add-needed,rpath}.diff: + Makefile.in files are removed by dh_autoreconf_clean. Drop those patch + hunks so that the patches will still apply after debian/rules clean. + * debian/control: Drop the external libdev-dev Build-Dependency since + audit contains its own libev copy + + -- Tyler Hicks Mon, 26 Nov 2012 12:04:35 -0800 + audit (1.7.18-1ubuntu1) precise; urgency=low * debian/auditd.init: apply the intent of Peter Moody's patch to add support diff -Nru audit-1.7.18/debian/control audit-1.7.18/debian/control --- audit-1.7.18/debian/control 2011-07-29 14:22:06.000000000 -0700 +++ audit-1.7.18/debian/control 2012-11-26 11:04:46.000000000 -0800 
@@ -1,29 +1,62 @@ Source: audit Priority: extra -Maintainer: Philipp Matthias Hahn +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Philipp Matthias Hahn Build-Depends: debhelper (>= 8), python-all-dev (>= 2.6.6-3~), swig, - automake1.10, autoconf (>= 2.59), libtool, autotools-dev, - intltool, cvs, libprelude-dev, libldap2-dev, libev-dev, chrpath, - libwrap0-dev, libkrb5-dev + automake1.10, autoconf (>= 2.59), libtool, dh-autoreconf, + intltool, cvs, libprelude-dev, libldap2-dev, chrpath, libwrap0-dev, + libkrb5-dev Build-Conflicts: autoconf2.13, automake1.4 Standards-Version: 3.9.2 Section: libs Homepage: http://people.redhat.com/sgrubb/audit/ -Package: auditd +Package: auditd-common Section: admin Architecture: any Depends: lsb-base (>= 3.0-6), libpam-runtime (>= 1.0.1-6), ${shlibs:Depends}, ${misc:Depends} +Replaces: auditd (<< 1.7.18-1ubuntu2) +Breaks: auditd (<< 1.7.18-1ubuntu2) Suggests: audispd-plugins Description: User space tools for security auditing - The audit package contains the user space utilities for - storing and searching the audit records generated by - the audit subsystem in the Linux 2.6 kernel. + The auditd-common package contains the user space utilities for searching the + audit records generated by the audit subsystem in the Linux kernel. . Also contains the audit dispatcher "audisp". + . + This package does not contain the audit daemon itself; for this you need to + install either auditd or auditd-light. + +Package: auditd +Section: admin +Architecture: any +Depends: auditd-common (= ${binary:Version}), + ${shlibs:Depends}, ${misc:Depends} +Conflicts: auditd-light +Description: User space security auditing daemon with centralized logging + The auditd package contains the user space audit daemon for storing the + audit records generated by the audit subsystem in the Linux kernel. + . + This package contains a fully featured audit daemon. 
It can act as a + centralized audit log gatherer by listening for audit messages sent over the + network by remote dispatcher daemons. + +Package: auditd-light +Section: admin +Architecture: any +Depends: auditd-common (= ${binary:Version}), + ${shlibs:Depends}, ${misc:Depends} +Conflicts: auditd +Description: User space security auditing daemon + The auditd-light package contains the user space audit daemon for storing the + audit records generated by the audit subsystem in the Linux kernel. + . + This package contains a lightweight audit daemon. It does not have the + ability to listen for network connections in order to act as a centralized + audit log gatherer; for this you need to install auditd. Package: libaudit0 Architecture: any @@ -57,7 +90,7 @@ Package: audispd-plugins Section: admin Architecture: any -Depends: auditd, +Depends: auditd | auditd-light, ${shlibs:Depends}, ${misc:Depends} Description: Plugins for the audit event dispatcher The audispd-plugins package provides plugins for the real-time diff -Nru audit-1.7.18/debian/docs audit-1.7.18/debian/docs --- audit-1.7.18/debian/docs 2011-07-26 09:34:26.000000000 -0700 +++ audit-1.7.18/debian/docs 1969-12-31 16:00:00.000000000 -0800 @@ -1,2 +0,0 @@ -README -TODO diff -Nru audit-1.7.18/debian/patches/conditionalize-auditd-listener.diff audit-1.7.18/debian/patches/conditionalize-auditd-listener.diff --- audit-1.7.18/debian/patches/conditionalize-auditd-listener.diff 1969-12-31 16:00:00.000000000 -0800 +++ audit-1.7.18/debian/patches/conditionalize-auditd-listener.diff 2012-11-15 14:55:18.000000000 -0800 
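Review bot: The new auditd-common stanza in debian/control declares no relationship to either daemon package, so it can be installed on its own: the init script, logrotate snippet and PAM configs land on the host, the init script exits 0 at `[ -x "$DAEMON" ] || exit 0`, and nothing is collecting audit records. Adding `Recommends: auditd | auditd-light` to auditd-common would pull in a daemon by default while still allowing a tools-only install. Separately, auditd and auditd-light only declare `Conflicts:` on each other and the service handling appears to live in auditd-common's maintainer scripts, so swapping one daemon package for the other presumably leaves the old binary running until the next restart. If so, a host moved to auditd-light to drop the network listener keeps the listener-capable process until then, which is worth a restart in the daemon packages' postinst or at least a sentence in the auditd-light description.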
@@ -0,0 +1,445 @@ +Description: Build time disabling of auditd network listener + --disable-listener can be used to build an auditd that does not listen for + network connections. This is desireable from a security perspective because + auditd runs as root. +Origin: backport, https://fedorahosted.org/audit/changeset/709/ +Origin: backport, https://fedorahosted.org/audit/changeset/710/ +Origin: backport, https://fedorahosted.org/audit/changeset/711/ +Origin: backport, https://fedorahosted.org/audit/changeset/712/ +Origin: backport, https://fedorahosted.org/audit/changeset/714/ +Forwarded: https://www.redhat.com/archives/linux-audit/2012-August/msg00007.html +Author: Tyler Hicks +Index: audit-1.7.18/configure.ac +=================================================================== +--- audit-1.7.18.orig/configure.ac 2012-10-26 11:38:54.672397260 -0700 ++++ audit-1.7.18/configure.ac 2012-10-26 11:51:47.532381400 -0700 +@@ -78,6 +78,20 @@ + esac + fi + ++#auditd listener ++AC_MSG_CHECKING(whether to include auditd network listener support) ++AC_ARG_ENABLE(listener, ++ [AS_HELP_STRING([--disable-listener], ++ [Disable auditd network listener support])], ++ enable_listener=$enableval, ++ enable_listener=yes) ++if test "x$enable_listener" != "xno"; then ++ AC_DEFINE(USE_LISTENER, 1, ++ [Define if you want to use the auditd network listener.]) ++fi ++AM_CONDITIONAL(ENABLE_LISTENER, test "x$enable_listener" != "xno") ++AC_MSG_RESULT($enable_listener) ++ + #gssapi + AC_ARG_ENABLE(gssapi_krb5, + [AS_HELP_STRING([--enable-gssapi-krb5],[Enable GSSAPI Kerberos 5 support @<:@default=no@:>@])], +Index: audit-1.7.18/src/Makefile.am +=================================================================== +--- audit-1.7.18.orig/src/Makefile.am 2012-10-26 11:38:54.672397260 -0700 ++++ audit-1.7.18/src/Makefile.am 2012-10-26 11:51:47.532381400 -0700 +@@ -30,7 +30,10 @@ + AM_CFLAGS = -D_REENTRANT -D_GNU_SOURCE + noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h 
ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h + +-auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c auditd-listen.c ++auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c ++if ENABLE_LISTENER ++auditd_SOURCES += auditd-listen.c ++endif + auditd_CFLAGS = -pthread -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing + auditd_LDFLAGS = -pthread -pie -Wl,-z,relro + auditd_DEPENDENCIES = mt/libauditmt.a libev/libev.a +Index: audit-1.7.18/src/auditd-config.c +=================================================================== +--- audit-1.7.18.orig/src/auditd-config.c 2012-10-26 11:38:54.672397260 -0700 ++++ audit-1.7.18/src/auditd-config.c 2012-10-26 11:51:47.532381400 -0700 +@@ -1187,6 +1187,12 @@ + audit_msg(LOG_DEBUG, "tcp_listen_port_parser called with: %s", + nv->value); + ++#ifndef USE_LISTENER ++ audit_msg(LOG_DEBUG, ++ "Listener support is not enabled, ignoring value at line %d", ++ line); ++ return 0; ++#else + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { + if (!isdigit(ptr[i])) { +@@ -1221,6 +1227,7 @@ + } + config->tcp_listen_port = (unsigned int)i; + return 0; ++#endif + } + + static int tcp_listen_queue_parser(struct nv_pair *nv, int line, +@@ -1232,6 +1239,12 @@ + audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s", + nv->value); + ++#ifndef USE_LISTENER ++ audit_msg(LOG_DEBUG, ++ "Listener support is not enabled, ignoring value at line %d", ++ line); ++ return 0; ++#else + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { + if (!isdigit(ptr[i])) { +@@ -1268,6 +1281,7 @@ + } + config->tcp_listen_queue = (unsigned int)i; + return 0; ++#endif + } + + +@@ -1280,6 +1294,12 @@ + 
audit_msg(LOG_DEBUG, "tcp_max_per_addr_parser called with: %s", + nv->value); + ++#ifndef USE_LISTENER ++ audit_msg(LOG_DEBUG, ++ "Listener support is not enabled, ignoring value at line %d", ++ line); ++ return 0; ++#else + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { + if (!isdigit(ptr[i])) { +@@ -1316,6 +1336,7 @@ + } + config->tcp_max_per_addr = (unsigned int)i; + return 0; ++#endif + } + + static int use_libwrap_parser(struct nv_pair *nv, int line, +@@ -1346,6 +1367,12 @@ + audit_msg(LOG_DEBUG, "tcp_listen_queue_parser called with: %s", + nv->value); + ++#ifndef USE_LISTENER ++ audit_msg(LOG_DEBUG, ++ "Listener support is not enabled, ignoring value at line %d", ++ line); ++ return 0; ++#else + /* check that all chars are numbers, with an optional inclusive '-'. */ + for (i=0; ptr[i]; i++) { + if (i > 0 && ptr[i] == '-' && ptr[i+1] != '\0') { +@@ -1410,6 +1437,7 @@ + config->tcp_client_min_port = (unsigned int)minv; + config->tcp_client_max_port = (unsigned int)maxv; + return 0; ++#endif + } + + static int tcp_client_max_idle_parser(struct nv_pair *nv, int line, +@@ -1421,6 +1449,12 @@ + audit_msg(LOG_DEBUG, "tcp_client_max_idle_parser called with: %s", + nv->value); + ++#ifndef USE_LISTENER ++ audit_msg(LOG_DEBUG, ++ "Listener support is not enabled, ignoring value at line %d", ++ line); ++ return 0; ++#else + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { + if (!isdigit(ptr[i])) { +@@ -1451,6 +1485,7 @@ + } + config->tcp_client_max_idle = (unsigned int)i; + return 0; ++#endif + } + + static int enable_krb5_parser(struct nv_pair *nv, int line, +Index: audit-1.7.18/src/auditd-config.h +=================================================================== +--- audit-1.7.18.orig/src/auditd-config.h 2012-10-26 11:38:54.672397260 -0700 ++++ audit-1.7.18/src/auditd-config.h 2012-10-26 11:51:47.536381400 -0700 +@@ -96,7 +96,5 @@ + void shutdown_config(void); + void free_config(struct daemon_conf *config); + +-void 
periodic_reconfigure(void); +- + #endif + +Index: audit-1.7.18/src/auditd-event.c +=================================================================== +--- audit-1.7.18.orig/src/auditd-event.c 2012-10-26 11:38:54.672397260 -0700 ++++ audit-1.7.18/src/auditd-event.c 2012-10-26 11:51:47.536381400 -0700 +@@ -1099,27 +1099,8 @@ + } + } + +- /* Look at network things that do not need restarting */ +- if (oconf->tcp_client_min_port != nconf->tcp_client_min_port || +- oconf->tcp_client_max_port != nconf->tcp_client_max_port || +- oconf->tcp_max_per_addr != nconf->tcp_max_per_addr) { +- oconf->tcp_client_min_port = nconf->tcp_client_min_port; +- oconf->tcp_client_max_port = nconf->tcp_client_max_port; +- oconf->tcp_max_per_addr = nconf->tcp_max_per_addr; +- auditd_set_ports(oconf->tcp_client_min_port, +- oconf->tcp_client_max_port, +- oconf->tcp_max_per_addr); +- } +- if (oconf->tcp_client_max_idle != nconf->tcp_client_max_idle) { +- oconf->tcp_client_max_idle = nconf->tcp_client_max_idle; +- periodic_reconfigure(); +- } +- if (oconf->tcp_listen_port != nconf->tcp_listen_port || +- oconf->tcp_listen_queue != nconf->tcp_listen_queue) { +- oconf->tcp_listen_port = nconf->tcp_listen_port; +- oconf->tcp_listen_queue = nconf->tcp_listen_queue; +- // FIXME: need to restart the network stuff +- } ++ // network listener ++ auditd_tcp_listen_reconfigure(nconf, oconf); + + /* At this point we will work on the items that are related to + * a single log file. 
*/ +Index: audit-1.7.18/src/auditd-listen.c +=================================================================== +--- audit-1.7.18.orig/src/auditd-listen.c 2012-10-26 11:38:54.672397260 -0700 ++++ audit-1.7.18/src/auditd-listen.c 2012-10-26 11:51:47.536381400 -0700 +@@ -75,6 +75,7 @@ + + static int listen_socket; + static struct ev_io tcp_listen_watcher; ++static struct ev_periodic periodic_watcher; + static int min_port, max_port, max_per_addr; + static int use_libwrap = 1; + #ifdef USE_GSSAPI +@@ -842,18 +843,48 @@ + send_audit_event(AUDIT_DAEMON_ACCEPT, emsg); + } + +-void auditd_set_ports(int minp, int maxp, int max_p_addr) ++static void auditd_set_ports(int minp, int maxp, int max_p_addr) + { + min_port = minp; + max_port = maxp; + max_per_addr = max_p_addr; + } + ++static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, ++ int revents ) ++{ ++ struct daemon_conf *config = (struct daemon_conf *) per->data; ++ struct ev_tcp *ev; ++ int active; ++ ++ if (!config->tcp_client_max_idle) ++ return; ++ ++ for (ev = client_chain; ev; ev = ev->next) { ++ active = ev->client_active; ++ ev->client_active = 0; ++ if (active) ++ continue; ++ ++ audit_msg(LOG_NOTICE, ++ "client %s idle too long - closing connection\n", ++ sockaddr_to_ip (&(ev->addr))); ++ ev_io_stop (loop, &ev->io); ++ close_client(ev); ++ } ++} ++ + int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ) + { + struct sockaddr_in address; + int one = 1; + ++ ev_periodic_init (&periodic_watcher, periodic_handler, ++ 0, config->tcp_client_max_idle, NULL); ++ periodic_watcher.data = config; ++ if (config->tcp_client_max_idle) ++ ev_periodic_start (loop, &periodic_watcher); ++ + /* If the port is not set, that means we aren't going to + listen for connections. 
*/ + if (config->tcp_listen_port == 0) +@@ -939,7 +970,8 @@ + return 0; + } + +-void auditd_tcp_listen_uninit ( struct ev_loop *loop ) ++void auditd_tcp_listen_uninit ( struct ev_loop *loop, ++ struct daemon_conf *config ) + { + #ifdef USE_GSSAPI + int status; +@@ -963,23 +995,45 @@ + ev_io_stop (loop, &client_chain->io); + close_client (client_chain); + } ++ ++ if (config->tcp_client_max_idle) ++ ev_periodic_stop (loop, &periodic_watcher); + } + +-void auditd_tcp_listen_check_idle (struct ev_loop *loop ) ++static void periodic_reconfigure(struct daemon_conf *config) + { +- struct ev_tcp *ev; +- int active; +- +- for (ev = client_chain; ev; ev = ev->next) { +- active = ev->client_active; +- ev->client_active = 0; +- if (active) +- continue; ++ struct ev_loop *loop = ev_default_loop (EVFLAG_AUTO); ++ if (config->tcp_client_max_idle) { ++ ev_periodic_set (&periodic_watcher, ev_now (loop), ++ config->tcp_client_max_idle, NULL); ++ ev_periodic_start (loop, &periodic_watcher); ++ } else { ++ ev_periodic_stop (loop, &periodic_watcher); ++ } ++} + +- audit_msg(LOG_NOTICE, +- "client %s idle too long - closing connection\n", +- sockaddr_to_ip (&(ev->addr))); +- ev_io_stop (loop, &ev->io); +- close_client(ev); ++void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, ++ struct daemon_conf *oconf ) ++{ ++ /* Look at network things that do not need restarting */ ++ if (oconf->tcp_client_min_port != nconf->tcp_client_min_port || ++ oconf->tcp_client_max_port != nconf->tcp_client_max_port || ++ oconf->tcp_max_per_addr != nconf->tcp_max_per_addr) { ++ oconf->tcp_client_min_port = nconf->tcp_client_min_port; ++ oconf->tcp_client_max_port = nconf->tcp_client_max_port; ++ oconf->tcp_max_per_addr = nconf->tcp_max_per_addr; ++ auditd_set_ports(oconf->tcp_client_min_port, ++ oconf->tcp_client_max_port, ++ oconf->tcp_max_per_addr); ++ } ++ if (oconf->tcp_client_max_idle != nconf->tcp_client_max_idle) { ++ oconf->tcp_client_max_idle = nconf->tcp_client_max_idle; ++ 
periodic_reconfigure(oconf); ++ } ++ if (oconf->tcp_listen_port != nconf->tcp_listen_port || ++ oconf->tcp_listen_queue != nconf->tcp_listen_queue) { ++ oconf->tcp_listen_port = nconf->tcp_listen_port; ++ oconf->tcp_listen_queue = nconf->tcp_listen_queue; ++ // FIXME: need to restart the network stuff + } + } +Index: audit-1.7.18/src/auditd-listen.h +=================================================================== +--- audit-1.7.18.orig/src/auditd-listen.h 2012-10-26 11:38:54.672397260 -0700 ++++ audit-1.7.18/src/auditd-listen.h 2012-10-26 11:51:47.536381400 -0700 +@@ -25,9 +25,31 @@ + #define AUDITD_LISTEN_H + + #include "ev.h" +-void auditd_set_ports(int minp, int maxp, int max_p_addr); ++ ++#ifdef USE_LISTENER + int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config ); +-void auditd_tcp_listen_uninit ( struct ev_loop *loop ); +-void auditd_tcp_listen_check_idle ( struct ev_loop *loop ); ++void auditd_tcp_listen_uninit ( struct ev_loop *loop, ++ struct daemon_conf *config ); ++void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, ++ struct daemon_conf *oconf ); ++#else ++static inline int auditd_tcp_listen_init ( struct ev_loop *loop, ++ struct daemon_conf *config ) ++{ ++ return 0; ++} ++ ++static inline void auditd_tcp_listen_uninit ( struct ev_loop *loop, ++ struct daemon_conf *config ) ++{ ++ return; ++} ++ ++static inline void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf, ++ struct daemon_conf *oconf ) ++{ ++ return; ++} ++#endif /* USE_LISTENER */ + + #endif +Index: audit-1.7.18/src/auditd.c +=================================================================== +--- audit-1.7.18.orig/src/auditd.c 2012-10-26 11:38:54.672397260 -0700 ++++ audit-1.7.18/src/auditd.c 2012-10-26 11:51:47.536381400 -0700 +@@ -68,7 +68,6 @@ + static struct auditd_reply_list *rep = NULL; + static int hup_info_requested = 0, usr1_info_requested = 0; + static char subj[SUBJ_LEN]; +-static struct ev_periodic periodic_watcher; + + /* Local 
function prototypes */ + int send_audit_event(int type, const char *str); +@@ -435,25 +434,6 @@ + } + } + +-static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per, +- int revents ) +-{ +- if (config.tcp_client_max_idle) +- auditd_tcp_listen_check_idle (loop); +-} +- +-void periodic_reconfigure(void) +-{ +- struct ev_loop *loop = ev_default_loop (EVFLAG_AUTO); +- if (config.tcp_client_max_idle) { +- ev_periodic_set (&periodic_watcher, ev_now (loop), +- config.tcp_client_max_idle, NULL); +- ev_periodic_start (loop, &periodic_watcher); +- } else { +- ev_periodic_stop (loop, &periodic_watcher); +- } +-} +- + int main(int argc, char *argv[]) + { + struct sigaction sa; +@@ -720,11 +700,6 @@ + ev_signal_init (&sigchld_watcher, child_handler, SIGCHLD); + ev_signal_start (loop, &sigchld_watcher); + +- ev_periodic_init (&periodic_watcher, periodic_handler, +- 0, config.tcp_client_max_idle, NULL); +- if (config.tcp_client_max_idle) +- ev_periodic_start (loop, &periodic_watcher); +- + if (auditd_tcp_listen_init (loop, &config)) { + tell_parent (FAILURE); + stop = 1; +@@ -733,15 +708,13 @@ + if (!stop) + ev_loop (loop, 0); + +- auditd_tcp_listen_uninit (loop); ++ auditd_tcp_listen_uninit (loop, &config); + + // Tear down IO watchers Part 1 + ev_signal_stop (loop, &sighup_watcher); + ev_signal_stop (loop, &sigusr1_watcher); + ev_signal_stop (loop, &sigusr2_watcher); + ev_signal_stop (loop, &sigterm_watcher); +- if (config.tcp_client_max_idle) +- ev_periodic_stop (loop, &periodic_watcher); + + /* Write message to log that we are going down */ + rc = audit_request_signal_info(fd); diff -Nru audit-1.7.18/debian/patches/fix-out-of-tree-build.diff audit-1.7.18/debian/patches/fix-out-of-tree-build.diff --- audit-1.7.18/debian/patches/fix-out-of-tree-build.diff 2011-07-28 07:22:18.000000000 -0700 +++ audit-1.7.18/debian/patches/fix-out-of-tree-build.diff 2012-11-19 09:46:06.000000000 -0800 
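Review bot: In the new `periodic_handler()` in auditd-listen.c the loop still advances with `ev = ev->next` after `close_client(ev)` has run on that same node. If `close_client()` unlinks and frees the node, the next iteration reads freed memory, in a daemon that the patch description says runs as root; its body is outside this patch, so this needs confirming. The loop was moved unchanged from `auditd_tcp_listen_check_idle()`, so this is a convenient place to fix it: declare `struct ev_tcp *ev, *next;`, iterate with `for (ev = client_chain; ev; ev = next)`, and make `next = ev->next;` the first statement of the loop body. Separately, the `#ifndef USE_LISTENER` branches in auditd-config.c report ignored `tcp_*` settings only at `LOG_DEBUG`; using `LOG_WARNING` there would make it visible when a listener configuration is deployed on a build that cannot honour it.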
@@ -10,14 +10,3 @@ LDADD = -lpthread prog_confdir = $(sysconfdir)/audisp prog_conf = audisp-prelude.conf ---- a/audisp/plugins/prelude/Makefile.in -+++ b/audisp/plugins/prelude/Makefile.in -@@ -140,7 +140,7 @@ LDFLAGS = @LDFLAGS@ - LIBOBJS = @LIBOBJS@ - LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ - LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ --LIBS = -L${top_srcdir}/auparse/.libs -lauparse -lprelude -+LIBS = -L${top_builddir}/auparse/.libs -lauparse -lprelude - LIBTOOL = @LIBTOOL@ - LIBTOOL_DEPS = @LIBTOOL_DEPS@ - LIBWRAP_LIBS = @LIBWRAP_LIBS@ diff -Nru audit-1.7.18/debian/patches/ld-no-add-needed.diff audit-1.7.18/debian/patches/ld-no-add-needed.diff --- audit-1.7.18/debian/patches/ld-no-add-needed.diff 2011-07-26 13:36:43.000000000 -0700 +++ audit-1.7.18/debian/patches/ld-no-add-needed.diff 2012-11-19 09:46:34.000000000 -0800 @@ -1,15 +1,4 @@ Link to Kerberos libraries ---- a/audisp/plugins/remote/Makefile.in -+++ b/audisp/plugins/remote/Makefile.in -@@ -241,7 +241,7 @@ noinst_HEADERS = remote-config.h queue.h - man_MANS = audisp-remote.8 audisp-remote.conf.5 - audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c - audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef --audisp_remote_LDFLAGS = -pie -Wl,-z,relro $(gss_libs) -+audisp_remote_LDFLAGS = -pie -Wl,-z,relro -lkrb5 $(gss_libs) - all: all-am - - .SUFFIXES: --- a/audisp/plugins/remote/Makefile.am +++ b/audisp/plugins/remote/Makefile.am @@ -34,7 +34,7 @@ man_MANS = audisp-remote.8 audisp-remote 
@@ -21,22 +10,6 @@ install-data-hook: mkdir -p -m 0750 ${DESTDIR}${plugin_confdir} ---- a/src/Makefile.in -+++ b/src/Makefile.in -@@ -274,10 +274,10 @@ LDADD = -lpthread - AM_CFLAGS = -D_REENTRANT -D_GNU_SOURCE - noinst_HEADERS = auditd-config.h auditd-event.h auditd-listen.h ausearch-llist.h ausearch-options.h auditctl-llist.h aureport-options.h ausearch-parse.h aureport-scan.h ausearch-lookup.h ausearch-int.h auditd-dispatch.h ausearch-string.h ausearch-nvpair.h ausearch-common.h ausearch-avc.h ausearch-time.h ausearch-lol.h - auditd_SOURCES = auditd.c auditd-event.c auditd-config.c auditd-reconfig.c auditd-sendmail.c auditd-dispatch.c auditd-listen.c --auditd_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing --auditd_LDFLAGS = -pie -Wl,-z,relro -+auditd_CFLAGS = -pthread -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -+auditd_LDFLAGS = -pthread -pie -Wl,-z,relro - auditd_DEPENDENCIES = mt/libauditmt.a libev/libev.a --auditd_LDADD = @LIBWRAP_LIBS@ @libev_LIBS@ -Llibev -lev -lrt -lm $(gss_libs) -+auditd_LDADD = @LIBWRAP_LIBS@ @libev_LIBS@ -Llibev -lev -lrt -lm -lkrb5 $(gss_libs) - auditctl_SOURCES = auditctl.c auditctl-llist.c delete_all.c - auditctl_DEPENDENCIES = mt/libauditmt.a - aureport_SOURCES = aureport.c auditd-config.c ausearch-llist.c aureport-options.c ausearch-string.c ausearch-parse.c aureport-scan.c aureport-output.c ausearch-lookup.c ausearch-int.c ausearch-time.c ausearch-nvpair.c ausearch-avc.c ausearch-lol.c --- a/src/Makefile.am +++ b/src/Makefile.am @@ -31,10 +31,10 @@ AM_CFLAGS = -D_REENTRANT -D_GNU_SOURCE diff -Nru audit-1.7.18/debian/patches/rpath.diff audit-1.7.18/debian/patches/rpath.diff --- audit-1.7.18/debian/patches/rpath.diff 2011-07-26 13:34:35.000000000 -0700 +++ audit-1.7.18/debian/patches/rpath.diff 2012-11-19 09:48:05.000000000 -0800 
@@ -13,33 +13,6 @@ aulast_SOURCES = aulast.c aulast-llist.c - ---- a/tools/aulast/Makefile.in -+++ b/tools/aulast/Makefile.in -@@ -73,6 +73,7 @@ PROGRAMS = $(bin_PROGRAMS) - am_aulast_OBJECTS = aulast.$(OBJEXT) aulast-llist.$(OBJEXT) - aulast_OBJECTS = $(am_aulast_OBJECTS) - aulast_LDADD = $(LDADD) -+aulast_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la - DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) - depcomp = - am__depfiles_maybe = -@@ -132,7 +133,7 @@ LDFLAGS = @LDFLAGS@ - LIBOBJS = @LIBOBJS@ - LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ - LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ --LIBS = -L${top_builddir}/auparse -lauparse -+LIBS = @LIBS@ - LIBTOOL = @LIBTOOL@ - LIBTOOL_DEPS = @LIBTOOL_DEPS@ - LIBWRAP_LIBS = @LIBWRAP_LIBS@ -@@ -226,6 +227,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AUTOMAKE_OPTIONS = no-dependencies - EXTRA_DIST = $(man_MANS) - INCLUDES = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/auparse -+LDADD = ${top_builddir}/auparse/libauparse.la - noinst_HEADERS = aulast-llist.h - man_MANS = aulast.8 - aulast_SOURCES = aulast.c aulast-llist.c --- a/tools/aulastlog/Makefile.am +++ b/tools/aulastlog/Makefile.am @@ -24,10 +24,9 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig 
@@ -54,33 +27,6 @@ aulastlog_SOURCES = aulastlog.c aulastlog-llist.c - ---- a/tools/aulastlog/Makefile.in -+++ b/tools/aulastlog/Makefile.in -@@ -73,6 +73,7 @@ PROGRAMS = $(bin_PROGRAMS) - am_aulastlog_OBJECTS = aulastlog.$(OBJEXT) aulastlog-llist.$(OBJEXT) - aulastlog_OBJECTS = $(am_aulastlog_OBJECTS) - aulastlog_LDADD = $(LDADD) -+aulastlog_DEPENDENCIES = ${top_builddir}/auparse/libauparse.la - DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) - depcomp = - am__depfiles_maybe = -@@ -132,7 +133,7 @@ LDFLAGS = @LDFLAGS@ - LIBOBJS = @LIBOBJS@ - LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ - LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ --LIBS = -L${top_builddir}/auparse -lauparse -+LIBS = @LIBS@ - LIBTOOL = @LIBTOOL@ - LIBTOOL_DEPS = @LIBTOOL_DEPS@ - LIBWRAP_LIBS = @LIBWRAP_LIBS@ -@@ -226,6 +227,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AUTOMAKE_OPTIONS = no-dependencies - EXTRA_DIST = $(man_MANS) - INCLUDES = -I${top_srcdir} -I${top_srcdir}/auparse -+LDADD = ${top_builddir}/auparse/libauparse.la - noinst_HEADERS = aulastlog-llist.h - man_MANS = aulastlog.8 - aulastlog_SOURCES = aulastlog.c aulastlog-llist.c --- a/tools/ausyscall/Makefile.am +++ b/tools/ausyscall/Makefile.am @@ -24,7 +24,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig 
@@ -92,30 +38,3 @@ bin_PROGRAMS = ausyscall man_MANS = ausyscall.8 ---- a/tools/ausyscall/Makefile.in -+++ b/tools/ausyscall/Makefile.in -@@ -71,6 +71,7 @@ PROGRAMS = $(bin_PROGRAMS) - am_ausyscall_OBJECTS = ausyscall-ausyscall.$(OBJEXT) - ausyscall_OBJECTS = $(am_ausyscall_OBJECTS) - ausyscall_LDADD = $(LDADD) -+ausyscall_DEPENDENCIES = ${top_builddir}/lib/libaudit.la - ausyscall_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(ausyscall_CFLAGS) \ - $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ -@@ -132,7 +133,7 @@ LDFLAGS = @LDFLAGS@ - LIBOBJS = @LIBOBJS@ - LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ - LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ --LIBS = -L${top_builddir}/lib -laudit -+LIBS = @LIBS@ - LIBTOOL = @LIBTOOL@ - LIBTOOL_DEPS = @LIBTOOL_DEPS@ - LIBWRAP_LIBS = @LIBWRAP_LIBS@ -@@ -226,6 +227,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig - AUTOMAKE_OPTIONS = no-dependencies - EXTRA_DIST = $(man_MANS) - INCLUDES = -I${top_srcdir} -I${top_srcdir}/lib -+LDADD = ${top_builddir}/lib/libaudit.la - man_MANS = ausyscall.8 - ausyscall_SOURCES = ausyscall.c - ausyscall_CFLAGS = -g -D_GNU_SOURCE diff -Nru audit-1.7.18/debian/patches/series audit-1.7.18/debian/patches/series --- audit-1.7.18/debian/patches/series 2011-07-29 07:36:26.000000000 -0700 +++ audit-1.7.18/debian/patches/series 2012-11-15 16:34:02.000000000 -0800 @@ -9,3 +9,4 @@ fix-desktopinfo.diff fix-spelling.diff manpage-dash.diff +conditionalize-auditd-listener.diff diff -Nru audit-1.7.18/debian/rules audit-1.7.18/debian/rules --- audit-1.7.18/debian/rules 2011-07-29 14:06:09.000000000 -0700 +++ audit-1.7.18/debian/rules 2012-11-26 09:50:38.000000000 -0800 
@@ -6,23 +6,26 @@ PYVERS := $(shell pyversions --requested --version debian/control) PYVERS := $(filter-out $(PYDEFAULTVER), $(PYVERS)) # $(PYDEFAULTVER) +COMMON_CONFIGURE_OPTS = --sysconfdir=/etc \ + --sbindir=/sbin \ + --libdir='$${exec_prefix}'/lib \ + --libexecdir=/lib \ + --enable-shared=audit \ + --with-apparmor \ + --with-prelude \ + --with-libwrap + %: - dh $@ --builddirectory=debian/build --buildsystem=autoconf --with autotools_dev --with python2 + dh $@ --builddirectory=debian/build --buildsystem=autoconf --with autoreconf --with python2 + +override_dh_autoreconf: + dh_autoreconf autoreconf -- override_dh_auto_configure: debian/config-python-stamp $(PYVERS:%=debian/config-python%-stamp) + dh_auto_configure -Bdebian/build-auditd-light -- ${COMMON_CONFIGURE_OPTS} --disable-listener --disable-gssapi-krb5 debian/config-python-stamp: dh_testdir - #autoreconf -fv --install - dh_auto_configure -- \ - --sysconfdir=/etc \ - --sbindir=/sbin \ - --libdir='$${exec_prefix}'/lib \ - --libexecdir=/lib \ - --enable-shared=audit \ - --enable-gssapi-krb5 \ - --with-apparmor \ - --with-prelude \ - --with-libwrap + dh_auto_configure -- ${COMMON_CONFIGURE_OPTS} --enable-listener --enable-gssapi-krb5 touch $@ debian/config-python%-stamp: debian/config-python-stamp cp -lpr debian/build/swig debian/build/swig.$* @@ -31,9 +34,15 @@ override_dh_auto_clean: $(RM) debian/*-stamp - dh_auto_clean + dh_auto_clean -pauditd-light -Bdebian/build-auditd-light + dh_auto_clean --remaining-packages + +override_dh_clean: + dh_clean -pauditd-light -Pdebian/tmp-auditd-light + dh_clean --remaining-packages override_dh_auto_build: debian/build-python-stamp $(PYVERS:%=debian/build-python%-stamp) + dh_auto_build -Bdebian/build-auditd-light -- LDFLAGS=-Wl,--as-needed debian/build-python-stamp: debian/config-python-stamp dh_testdir dh_auto_build -- LDFLAGS=-Wl,--as-needed 
@@ -52,6 +61,8 @@ PYTHON=/usr/bin/python$* $(MAKE) -C debian/build/bindings/python.$* pyexecdir=$(call py_libdir_sh, $*) DESTDIR=$(CURDIR)/debian/tmp install touch $@ override_dh_auto_install: debian/install-python-stamp $(PYVERS:%=debian/install-python%-stamp) + dh_auto_install -Bdebian/build-auditd-light --destdir=debian/tmp-auditd-light + # Remove some RedHat specific files $(RM) debian/tmp/etc/rc.d/init.d/auditd $(RM) debian/tmp/etc/sysconfig/auditd 
@@ -71,30 +82,33 @@ $(RM) debian/tmp/usr/share/system-config-audit/*.py[co] override_dh_install: - dh_install --sourcedir=debian/tmp --list-missing + dh_install -pauditd-light --sourcedir=debian/tmp-auditd-light + dh_install --remaining-packages --sourcedir=debian/tmp --list-missing override_dh_installlogrotate: # auditd has a equivalent built-in feature override_dh_installinit: - dh_installinit -- start 37 2 3 4 5 . stop 39 0 1 6 . + dh_installinit --name=auditd -- start 37 2 3 4 5 . stop 39 0 1 6 . + +override_dh_installdocs: + dh_installdocs -pauditd -pauditd-light --link-doc=auditd-common + dh_installdocs --remaining-packages override_dh_fixperms: dh_fixperms - #chmod o-wx debian/auditd/usr/bin/aulastlog - #chmod o-wx debian/auditd/sbin/auditctl - #chmod o-wx debian/auditd/sbin/auditd - #chmod o-wx debian/auditd/sbin/autrace - #chmod 750 debian/auditd/sbin/audispd - chmod -R o-rwx debian/auditd/var/log/audit - chmod -R o-rwx debian/auditd/etc/audit debian/auditd/etc/audisp debian/auditd/etc/audisp/plugins.d + chmod -R o-rwx debian/auditd-common/var/log/audit \ + debian/auditd-common/etc/audit \ + debian/auditd-common/etc/audisp \ + debian/auditd-common/etc/audisp/plugins.d \ + debian/auditd-common/sbin/audispd override_dh_makeshlibs: chrpath -d debian/audispd-plugins/sbin/audispd-zos-remote chrpath -d debian/audispd-plugins/sbin/audisp-prelude - chrpath -d debian/auditd/usr/bin/aulast - chrpath -d debian/auditd/usr/bin/aulastlog - chrpath -d debian/auditd/usr/bin/ausyscall + chrpath -d debian/auditd-common/usr/bin/aulast + chrpath -d debian/auditd-common/usr/bin/aulastlog + chrpath -d debian/auditd-common/usr/bin/ausyscall chrpath -d debian/libaudit0/lib/libauparse.so.0.0.0 chrpath -d debian/python-audit/usr/lib/python*/*-packages/_audit.so chrpath -d debian/python-audit/usr/lib/python*/*-packages/auparse.so
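Review bot: The rewritten `override_dh_fixperms` recipe deletes the old commented-out `chmod` lines but leaves no comment saying why these five `debian/auditd-common` paths lose all access for "other". I would add a line above the `chmod` such as `# audit logs, rules, dispatcher config and audispd itself are not for unprivileged users`, so that a later package split keeps the restriction with the files. The `-R` flag is unnecessary for the single file `sbin/audispd`, though harmless there.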