debian/auditd.NEWS

audit (1:2.3-1) experimental; urgency=low

  This new version provides an executable (augenrules(8)) that can be used
  to generate the audit.rules file by using snippets installed inside the
  /etc/audit/rules.d/ directory.

  The audit.rules file can be automatically regenerated on each startup. To
  enable this feature, see: /usr/share/doc/auditd/README.Debian.

 -- Laurent Bigonville Mon, 06 May 2013 20:19:18 +0200

debian/auditd.README.Debian

Generating audit.rules from rules located under /etc/audit/rules.d
------------------------------------------------------------------

The /etc/audit/audit.rules file can be generated using the augenrules(8)
executable. This action can be performed automatically on each startup, but
is disabled by default to preserve existing rules.

To enable it on a SysVinit system, go into /etc/default/auditd and look for
the USE_AUGENRULES variable and set it to "yes". Then copy existing rules
into /etc/audit/rules.d and restart the audit daemon.

For systemd based systems, copy /lib/systemd/system/auditd.service to
/etc/systemd/system/auditd.service. Then look for a commented out
ExecStartPost variable and uncomment it. Then delete/comment out the
auditctl line. The --load option to augenrules will call auditctl for you.
Also copy any existing rules into /etc/audit/rules.d so they don't get lost.
Then restart auditd.

debian/changelog

audit (1:2.3.2-2ubuntu1) trusty; urgency=low

  * Migrate from the Ubuntu-specific way of providing a rules directory
    (/etc/audit/rules.d/) to the new, upstream rules directory feature based
    on /sbin/augenrules. If USE_AUGENRULES is set to "yes" in
    /etc/default/auditd, then the auditd init script will use
    /etc/audit/rules.d/*.rules files to generate /etc/audit/audit.rules.
    Instead of generating the /etc/audit/audit.rules file, the old
    Ubuntu-specific way of handling a rules directory parsed
    /etc/audit/audit.rules, in addition to the /etc/audit/rules.d/*.rules
    files.
    - debian/auditd.preinst, debian/auditd.postinst, debian/auditd.postrm:
      When upgrading from a version without augenrules, check for a
      pre-existing rules directory (/etc/audit/rules.d/). If it exists and is
      populated with rules files, move /etc/audit/audit.rules to
      /etc/audit/rules.d/audit.rules and set USE_AUGENRULES to "yes". This
      migration logic should be dropped after the 14.04 release.
  * Merge from Debian testing (LP: #1251795). Remaining changes:
    - debian/rules: Disable auditd network listener, with --disable-listener,
      to reduce the risk of a remote attack on auditd, which runs as root
    - debian/control, debian/rules: Remove libwrap0-dev Build-Dependency and
      --with-libwrap configure argument since libwrap is only used by the
      auditd network listener
  * Dropped changes:
    - debian/auditd.init: apply the intent of Peter Moody's patch to add
      support for rules.d directory for splitting out audit.d rules
      + The new augenrules tool, called from the init script, replaces this
    - debian/control: The upstream audit sources embed and build against
      their own version of libev. This is not desirable, but there's no
      reason to list libev-dev as a build dependency at this time.
      + Debian commented out the libev Build-Dependency
    - debian/patches/FTBFS-python-multiarch.diff: No longer needed
    - debian/patches/fix-asprintf-warnings.patch,
      debian/patches/fix-unused-result-warnings.patch
      debian/patches/fix-discards-const-qualifier-warnings.patch: Present in
      upstream release
  * debian/auditd.init: The start command now requires $remote_fs to be
    started because it may call /bin/augenrules, which depends on
    /usr/bin/awk. $PATH must also be updated so that augenrules can find awk.

 -- Tyler Hicks Fri, 15 Nov 2013 17:24:58 -0800

audit (1:2.3.2-2) unstable; urgency=low

  * QA upload.
  * Upload to unstable.

 -- Laurent Bigonville Thu, 29 Aug 2013 10:38:17 +0200

audit (1:2.3.2-1) experimental; urgency=low

  * QA upload.
  * New upstream release
  * debian/control, debian/rules: Add support for dh-systemd
  * debian/rules: Call dh_installinit with --restart-after-upgrade to
    minimize downtime
  * debian/patches/01-no-refusemanualstop.patch: Remove
    RefuseManualStop=yes option, this is preventing the auditd daemon to be
    restarted on upgrade

 -- Laurent Bigonville Wed, 07 Aug 2013 19:14:09 +0200

audit (1:2.3.1-1) experimental; urgency=low

  * QA upload.
  * New upstream release
    - debian/libauparse0.symbols: Adjust .symbols file
  * debian/control: Bump Standards-Version to 3.9.4 (no further changes)
  * debian/control: Use canonical URL for VCS field
  * debian/auditd.init: Remove the usage of the VERBOSE variable (see
    lintian error: init.d-script-call-internal-API)

 -- Laurent Bigonville Sun, 02 Jun 2013 15:06:23 +0200

audit (1:2.3-1) experimental; urgency=low

  * QA upload.
  * New upstream release
  * debian/auditd.install: Install /sbin/augenrules and the related manpage
  * debian/auditd.post{inst,rm}: /etc/audit/audit.rules is no longer shipped
    in the package, copy it on first installation and remove it on purge.
  * debian/auditd.default, debian/auditd.init: Automatically generate
    /etc/audit/audit.rules on start if USE_AUGENRULES is set to yes
  * debian/auditd.NEWS, debian/auditd.README.Debian: Add documentation about
    automatically generating the audit.rules file on startup.
  * debian/auditd.lintian-overrides: Adjust overrides to match new installed
    config files.
  * debian/auditd.default, debian/auditd.init: Add an option to disable the
    audit system when the daemon is stopped.

 -- Laurent Bigonville Mon, 06 May 2013 22:01:18 +0200

audit (1:2.2.3-1) experimental; urgency=low

  * QA upload.
  * New upstream release
    - Properly document audit_open() can fail and sets errno
      (Closes: #642501)
    - Drop all the patches, they have been applied upstream
  * Remove libev-dev Build-Dependency
    - debian/control: The upstream audit sources embed and build against
      their own version of libev. This is not desirable, but there's no
      reason to list libev-dev as a build dependency at this time.
      (Closes: #699933)

 -- Laurent Bigonville Thu, 21 Mar 2013 21:39:45 +0100

audit (1:2.2.2-1ubuntu4) raring; urgency=low

  * debian/patches/fix-unused-result-warnings.patch: Adjust patch to reflect
    a change made by upstream. Don't treat nice() failures as fatal during
    an auditd reconfigure. (LP: #1123510)
  * debian/patches/fix-asprintf-warnings.patch,
    debian/patches/fix-unused-result-warnings.patch,
    debian/patches/fix-discards-const-qualifier-warnings.patch: Update patch
    tags with potential release version and SVN commit id to indicate that
    these patches were merged upstream.

 -- Tyler Hicks Mon, 11 Feb 2013 13:25:46 -0800

audit (1:2.2.2-1ubuntu3) raring; urgency=low

  * Fix important build warnings (LP: #1026852)
    - debian/patches/fix-asprintf-warnings.patch: Linux asprintf()
      implementations do not provide guarantees around the strp variable
      upon error so its return code must be checked.
    - debian/patches/fix-unused-result-warnings.patch: Be sure to check the
      return code of various important functions and create an appropriate
      error path.
    - debian/patches/fix-discards-const-qualifier-warnings.patch: Fix some
      areas where the const qualifier was not being respected.

 -- Tyler Hicks Fri, 08 Feb 2013 18:36:06 -0800

audit (1:2.2.2-1ubuntu2) raring; urgency=low

  * Disable auditd network listener with --disable-listener (LP: #1026852)
    - debian/rules: Reduce the risk of a remote attack on auditd, which runs
      as root, by not building the code that listens for audit messages over
      the network. This will prevent users from using auditd as a
      centralized audit message aggregator, but this feature is rarely used.
  * Don't build against libwrap since only auditd's network listener used it
    - debian/control: Remove libwrap0-dev Build-Dependency
    - debian/rules: Remove --with-libwrap from configure arguments
  * Remove libev-dev Build-Dependency (LP: #1026852)
    - debian/control: The upstream audit sources embed and build against
      their own version of libev. This is not desirable, but there's no
      reason to list libev-dev as a build dependency at this time.

 -- Tyler Hicks Wed, 06 Feb 2013 13:51:35 -0800

audit (1:2.2.2-1ubuntu1) raring; urgency=low

  * Merge from Debian experimental (LP: #1092760). Remaining changes:
    - debian/auditd.init: apply the intent of Peter Moody's patch to add
      support for rules.d directory for splitting out audit.d rules
  * The new upstream release fixes two outstanding Ubuntu bugs:
    - audispd binary has incorrect permissions (LP: #683220)
      + In auditd, relax some permission checks for external apps
    - auditctl uses wrong syscall to determine uid (LP: #957519)
      + In auditctl, check usage against euid rather than uid
  * Fix FTBFS caused by Python multiarch layout which splits Python header
    files across multiple directories
    - debian/patches/FTBFS-python-multiarch.diff: Use python-config to
      determine the appropriate include directories

 -- Tyler Hicks Thu, 20 Dec 2012 18:10:24 -0800

audit (1:2.2.2-1) experimental; urgency=low

  * QA upload.
  * New upstream release
    - Add debian/patches/fix-make-check.diff: Try to unbreak make check
    - debian/auditd.install: Install systemd service file
    - debian/libauparse0.symbols: Adjust .symbols file
  * Enable support for Alpha and ARM ABI (Closes: #681457)

 -- Laurent Bigonville Wed, 12 Dec 2012 21:43:25 +0100

audit (1:2.2.1-2) experimental; urgency=low

  * QA upload.
  * Orphan audit package with maintainer approval
  * Split libauparse out of libaudit package and put /etc/libaudit.conf in
    its own package thanks to Alban Browaeys (Closes: #682251)
  * Drop useless debian/patches/rpath.diff and call to chrpath, call
    dh_autoreconf to be sure autofoo are up-to-date instead.
  * debian/auditd.install: Install auvirt executable, thanks to Guido
    Günther (Closes: #688440)
  * Convert to multiarch policy (Closes: #687121)
  * Add missing X-Python-Version header
  * Enable libcap-ng support
  * Let dh_python2 take care of removing *.p[co] files
  * Drop pam-config stanza for loginuid, it's only intended to be called
    from entry point PAM services (Closes: #676527)
  * Drop debian/auditd.postinst: this was needed before squeeze release
  * Drop useless debian/patches/ld-no-add-needed.diff: libkrb5 is already
    properly passed at link time
  * Drop debian/patches/mode.diff: Upstream is now checking if the mode of
    the executable is either 0750 or 0755 and not only 0750
  * Drop several patches and files that were not used anymore but not
    dropped on disk
  * Refresh and reapply debian/patches/manpage-dash.diff
  * debian/control: Add Vcs-* fields
  * Add debian/gbp.conf file
  * Run wrap-and-sort script
  * Only attempt to build on linux-any architectures

 -- Laurent Bigonville Mon, 12 Nov 2012 00:01:27 +0100

audit (1:2.2.1-1) experimental; urgency=low

  * Non-maintainer upload (with maintainer's blessing)
  * New upstream release
  * Refit patches
  * debian/control: bump Standards-Version (no changes)
  * debian/control: bump versioned build dep on debhelper to 9
  * debian/control: add build dep on dpkg-dev >= 1.16.1~ to get
    dpkg-buildflags support for hardening
  * debian/compat: bump up to 9

 -- Andrew Pollock Wed, 11 Jul 2012 16:53:40 -0700

audit (1:1.7.18-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * Revert last upload versioned 2.1.3-1 and made by Russell Coker.

 -- Mehdi Dogguy Tue, 31 Jan 2012 16:34:34 +0100

audit (1.7.18-1ubuntu1) precise; urgency=low

  * debian/auditd.init: apply the intent of Peter Moody's patch to add
    support for rules.d directory for splitting out audit.d rules
    (LP: #730872)

 -- Andrew Pollock Thu, 29 Dec 2011 15:11:11 -0800

audit (1.7.18-1) unstable; urgency=low

  * New upstream release.
    - Fixes inode with != operator (Closes: #539356)
  * debian/source/format, debian/README.source: Convert to 3.0 (quilt)
  * debian/patches/htons_family.diff: Don't htons(AF_INET) (Closes: #635202)
    Thanks to John Feuerstein.
  * debian/control:
    - Bump Standards-Version: 3.9.2
    - Priority: optional for libaudit0.
    - Depend on missing python-glade2 (Closes: #635199)
    - Drop quilt from Build-Depends.
    - Use automake1.10, DebHelper8
  * debian/rules: Switch to debhelper8 and dh_python2
  * Build bindings for all Python versions (Closes: #627919)
  * debian/patches:
    - fix-out-of-tree-build.diff: Fix an out-of-tree build issue
    - fix-desktopinfo.diff: Drop Encoding from desktop info file
    - fix-spelling.diff: Fix spelling mistakes in manual pages
    - manpage-dash.diff: Quote dashes in manual pages
  * debian/auditd.init
    - Change start/stop levels (also debian/rules) (Closes: #586664)
    - Drop support for customizing language (Closes: #549186)
  * debian/audit.*: Add support for pam_loginuid (Closes: #560281)

 -- Philipp Matthias Hahn Fri, 29 Jul 2011 23:28:00 +0200

audit (1.7.13-1.2) unstable; urgency=low

  * Non-maintainer upload.
  * Don't ship .la files (Closes: #621141).
  * Add ${python:Depends} for system-config-audit.

 -- Luk Claes Sat, 11 Jun 2011 09:48:16 +0200

audit (1.7.13-1.1) unstable; urgency=low

  * Non-maintainer upload.
  * debian/patches/ld-no-add-needed.diff
    - fix build with ld --no-add-needed, patch from bug; Closes: #553961
  * debian/patches/add_missing_headers.diff
    - Add missing headers to fix undefined reference to `S_ISREG' linker
      error, from Ubuntu
  * debian/python-audit.install, debian/rules
    - use '*-packages' instead of 'site-packages', diff from Ubuntu

 -- Sandro Tosi Wed, 25 May 2011 13:55:43 +0200

audit (1.7.13-1) unstable; urgency=low

  * New upstream release.
  * debian/control: "Suggest audispd-plugins" (Closes: #523098)

 -- Philipp Matthias Hahn Wed, 22 Apr 2009 21:56:34 +0200

audit (1.7.12-1) unstable; urgency=low

  * New upstream release. (Closes: #522026)
  * Fix "typo in long description: (Closes: #513937)
  * debian/control:
    - Bump Standards-Version: 3.8.0

 -- Philipp Matthias Hahn Tue, 07 Apr 2009 00:03:54 +0200

audit (1.7.11-1) unstable; urgency=low

  * New upstream release.
    - Update debian/patches/mode.diff

 -- Philipp Matthias Hahn Sun, 11 Jan 2009 18:51:38 +0100

audit (1.7.10-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Matthias Hahn Sat, 03 Jan 2009 17:16:22 +0100

audit (1.7.9-2) unstable; urgency=low

  * Fix bashism in debian/rules (Closes: #505261)
    Thanks to Michael Bienia

 -- Philipp Matthias Hahn Tue, 11 Nov 2008 19:32:06 +0100

audit (1.7.9-1) unstable; urgency=low

  * New upstream release.
    - Includes debian/patches/test.diff
  * debian/auditd.install: Add aulast.
  * Fix "fails to start in two cases : auditd not installed or not run as
    root" by "using su-to-root -X" (Closes: #503656)
  * debian/control#system-config-audit:
    - Depends: menu for su-to-root
    - Depends: chkconfig for restart

 -- Philipp Matthias Hahn Sun, 09 Nov 2008 21:25:03 +0100

audit (1.7.8-1) unstable; urgency=low

  * New upstream release.
    - Includes debian/patches/{man5,rpath,audispd-zos-remote}.diff
    - Includes debian/patches/automake{,.in}}.diff
  * debian/control:
    - Build-Deps: +libev-dev, +chrpath, +libwrap0-dev, +libkrb5-dev,
      debhelper (>= 6.0.7~)
    - Enable system-config-audit
  * debian/rules:
    - Enable TCP wrapper
    - Enable GSSAPI-krb5
    - chmod o-(r)wx on several files and directories
    - dh_lintian auditd.lintian-overrides
  debian/patches/test.diff
    - Fix "make {dist,}check" in auparse/test/

 -- Philipp Matthias Hahn Thu, 23 Oct 2008 01:16:47 +0200

audit (1.7.4-1) unstable; urgency=low

  * New upstream release (Closes: #452414)
  * Drop debian/audispd.8 in favour of upstream version.
  * debian/control:
    - Build-Deps: +libldap2-dev
    - Bump Standards-Version: 3.8.0
    - New audispd-plugins package.
    - system-config-audit package is currently disabled: rpath problem.
  * debian/rules
    - Include /usr/share/quilt/quilt.mak
    - Start auditd already in rcS.
  * Add debian/README.source as required by 3.8.0
  * debian/auditd.postinst adopted from the Ubuntu branch.

 -- Philipp Matthias Hahn Wed, 25 Jun 2008 09:56:59 +0200

audit (1.7.2-0.1) unstable; urgency=low

  * Not released non-maintainer upload.
  * New upstream release.
  * Drop patches not needed now.
  * Add cvs and intltool to build dependencies.
  * Enable Prelude support.

 -- Pierre Chifflier Mon, 28 Apr 2008 10:47:22 +0200

audit (1.5.3-2.1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Added CVE-2008-1628.patch to fix a stack-based buffer overflow in the
    audit_log_user_command function which can be triggered via a command
    argument that is passed to that function and might lead to execution of
    arbitrary code (Closes: #475227).

 -- Nico Golde Thu, 10 Apr 2008 15:06:25 +0200

audit (1.5.3-2) unstable; urgency=low

  * debian/auditd.init: Fix inverted AUDITD_CLEAN_STOP (Closes: #428066)

 -- Philipp Matthias Hahn Tue, 12 Jun 2007 22:33:56 +0200

audit (1.5.3-1) unstable; urgency=low

  * New upstream version
    - Includes all debian/patches.
  * Drop Build-Depends: linux-headers-2.6

 -- Philipp Matthias Hahn Wed, 02 May 2007 09:10:06 +0200

audit (1.5.1-2) unstable; urgency=low

  * Apply patch from upstream to fix SEGFAULT on reload.

 -- Philipp Matthias Hahn Fri, 23 Mar 2007 22:16:24 +0100

audit (1.5.1-1) unstable; urgency=low

  * Initial release (Closes: #311214)

 -- Philipp Matthias Hahn Wed, 21 Mar 2007 09:47:19 +0100

debian/libauparse0.install

lib/*/libauparse.so.*

debian/docs

README
TODO

debian/auditd.postinst

#!/bin/sh
# postinst script for auditd
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `configure'
#        * `abort-upgrade'
#        * `abort-remove' `in-favour'
#
#        * `abort-remove'
#        * `abort-deconfigure' `in-favour'
#          `removing'
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

case "$1" in
    configure)
        ENABLE_AUGENRULES="/etc/audit/rules.d/TMP_enable_augenrules"
        FIRST_AUGENRULES_VERSION="1:2.3.2-2ubuntu1"

        if dpkg --compare-versions "$2" lt-nl "$FIRST_AUGENRULES_VERSION" && \
           [ -f "$ENABLE_AUGENRULES" ]
        then
            sed -i 's/^USE_AUGENRULES="[Nn][Oo]"$/USE_AUGENRULES="yes"/' \
                /etc/default/auditd
            dpkg-maintscript-helper mv_conffile \
                /etc/audit/audit.rules /etc/audit/rules.d/audit.rules \
                "${FIRST_AUGENRULES_VERSION}~" -- "$@"
            rm -f "$ENABLE_AUGENRULES"
        # Only copy the file on first installation
        elif [ -z "$2" -a ! -f /etc/audit/audit.rules ]
        then
            cp -a /etc/audit/rules.d/audit.rules /etc/audit/audit.rules
        fi
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0

debian/python-audit.examples

contrib/avc_snap

debian/auditd.init

#! /bin/sh
### BEGIN INIT INFO
# Provides:          auditd
# Required-Start:    $remote_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Audit Daemon
# Description:       Collects audit information from Linux 2.6 Kernels.
### END INIT INFO

# Author: Philipp Matthias Hahn
# Based on Debian's /etc/init.d/skeleton and auditd's init.d/auditd.init

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="audit daemon"
NAME=auditd
DAEMON=/sbin/auditd
PIDFILE=/var/run/"$NAME".pid
SCRIPTNAME=/etc/init.d/"$NAME"

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/"$NAME" ] && . /etc/default/"$NAME"

# Define LSB log_* functions.
. /lib/lsb/init-functions

#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
        || return 1
    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
        $EXTRAOPTIONS \
        || return 2
    # Call augenrules to compile audit rules.
    case "$USE_AUGENRULES" in
        no|NO) ;;
        *) [ -d /etc/audit/rules.d ] && /sbin/augenrules >/dev/null ;;
    esac
    if [ -f /etc/audit/audit.rules ]
    then
        /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
    fi
}

#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME"
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON"
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f "$PIDFILE"
    rm -f /var/run/audit_events
    # Remove watches so shutdown works cleanly
    case "$AUDITD_CLEAN_STOP" in
        no|NO) ;;
        *) /sbin/auditctl -D >/dev/null ;;
    esac
    # Disable audit system on daemon shutdown
    case "$AUDITD_STOP_DISABLE" in
        no|NO) ;;
        *) /sbin/auditctl -e 0 >/dev/null ;;
    esac
    return "$RETVAL"
}

#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    start-stop-daemon --stop --signal HUP --quiet --pidfile "$PIDFILE" --name "$NAME"
    return 0
}

case "$1" in
    start)
        log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        case "$?" in
            0|1) log_end_msg 0 ;;
            2) log_end_msg 1 ;;
        esac
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        case "$?" in
            0|1) log_end_msg 0 ;;
            2) log_end_msg 1 ;;
        esac
        ;;
    reload|force-reload)
        log_daemon_msg "Reloading $DESC" "$NAME"
        do_reload
        log_end_msg $?
        ;;
    restart)
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        case "$?" in
            0|1)
                do_start
                case "$?" in
                    0) log_end_msg 0 ;;
                    1) log_end_msg 1 ;; # Old process is still running
                    *) log_end_msg 1 ;; # Failed to start
                esac
                ;;
            *)
                # Failed to stop
                log_end_msg 1
                ;;
        esac
        ;;
    rotate)
        log_daemon_msg "Rotating $DESC logs" "$NAME"
        start-stop-daemon --stop --signal USR1 --quiet --pidfile "$PIDFILE" --name "$NAME"
        log_end_msg $?
        ;;
    status)
        pidofproc -p "$PIDFILE" "$DAEMON" >/dev/null
        status=$?
        if [ $status -eq 0 ]; then
            log_success_msg "$NAME is running."
        else
            log_failure_msg "$NAME is not running."
        fi
        exit $status
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload|rotate|status}" >&2
        exit 3
        ;;
esac

:

debian/auditd.lintian-overrides

## Only to be forked by auditd, which explicitly checks for 750
#auditd: executable-is-not-world-readable sbin/audispd 0750 != 0755
## Only root can run
#auditd: non-standard-executable-perm sbin/auditctl 0754 != 0755
#auditd: non-standard-executable-perm sbin/auditd 0754 != 0755
#auditd: non-standard-executable-perm sbin/autrace 0754 != 0755
#auditd: non-standard-executable-perm usr/bin/aulastlog 0754 != 0755
## Normal users should not see what is being audited
auditd: non-standard-dir-perm etc/audisp/ 0750 != 0755
auditd: non-standard-file-perm etc/audisp/audispd.conf 0640 != 0644
auditd: non-standard-dir-perm etc/audisp/plugins.d/ 0750 != 0755
auditd: non-standard-file-perm etc/audisp/plugins.d/af_unix.conf 0640 != 0644
auditd: non-standard-file-perm etc/audisp/plugins.d/syslog.conf 0640 != 0644
auditd: non-standard-dir-perm etc/audit/ 0750 != 0755
auditd: non-standard-dir-perm etc/audit/rules.d/ 0750 != 0755
auditd: non-standard-file-perm etc/audit/auditd.conf 0640 != 0644
auditd: non-standard-file-perm etc/audit/rules.d/audit.rules 0640 != 0644
# Contains sensitive information
auditd: non-standard-dir-perm var/log/audit/ 0750 != 0755

debian/compat

9

debian/libaudit-common.install

etc/libaudit.conf
usr/share/man/man5/libaudit.conf.5

debian/libauparse-dev.install

usr/include/auparse-defs.h
usr/include/auparse.h
usr/lib/*/libauparse.a
usr/lib/*/libauparse.so
usr/share/man/man3/auparse*
usr/share/man/man3/ausearch*

debian/python-audit.install

usr/lib/python*/*-packages/*.py
usr/lib/python*/*-packages/*.so

debian/rules

#!/usr/bin/make -f

include /usr/share/python/python.mk

DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
DEB_HOST_ARCH := $(shell dpkg-architecture -qDEB_HOST_ARCH)

LDFLAGS += -Wl,--as-needed

# For building swig/ and bindings/python/ for all Python versions, these directories are cloned and built in addition to the main library
PYDEFAULTVER := $(shell pyversions --default --version)
PYVERS := $(shell pyversions --requested --version debian/control)
PYVERS := $(filter-out $(PYDEFAULTVER), $(PYVERS)) # $(PYDEFAULTVER)

ifeq ($(DEB_HOST_ARCH),alpha)
EXTRA_ARCH_TABLE := --with-alpha
endif

%:
	dh $@ --builddirectory=debian/build --buildsystem=autoconf --with autoreconf --with python2 --with systemd

override_dh_auto_configure: debian/config-python-stamp $(PYVERS:%=debian/config-python%-stamp)
debian/config-python-stamp:
	dh_testdir
	dh_auto_configure -- \
		--sbindir=/sbin \
		--libdir=/lib/${DEB_HOST_MULTIARCH} \
		--enable-shared=audit \
		--enable-gssapi-krb5 \
		--disable-listener \
		--with-apparmor \
		--with-prelude \
		--with-libcap-ng \
		--with-armeb ${EXTRA_ARCH_TABLE}
	touch $@
debian/config-python%-stamp: debian/config-python-stamp
	cp -lpr debian/build/swig debian/build/swig.$*
	cp -lpr debian/build/bindings/python debian/build/bindings/python.$*
	touch $@

override_dh_auto_clean:
	$(RM) debian/*-stamp
	dh_auto_clean

override_dh_auto_build: debian/build-python-stamp $(PYVERS:%=debian/build-python%-stamp)
debian/build-python-stamp: debian/config-python-stamp
	dh_testdir
	dh_auto_build
	touch $@
debian/build-python%-stamp: debian/config-python%-stamp debian/build-python-stamp
	PYTHON=/usr/bin/python$* $(MAKE) -C debian/build/swig.$* pyexecdir=$(call py_libdir_sh, $*)
	PYTHON=/usr/bin/python$* $(MAKE) -C debian/build/bindings/python.$* pyexecdir=$(call py_libdir_sh, $*)
	touch $@

debian/install-python-stamp: debian/build-python-stamp
	dh_testdir
	dh_auto_install --sourcedir=debian/build --destdir=debian/tmp
	touch $@
debian/install-python%-stamp: debian/build-python%-stamp debian/install-python-stamp
	PYTHON=/usr/bin/python$* $(MAKE) -C debian/build/swig.$* pyexecdir=$(call py_libdir_sh, $*) DESTDIR=$(CURDIR)/debian/tmp install
	PYTHON=/usr/bin/python$* $(MAKE) -C debian/build/bindings/python.$* pyexecdir=$(call py_libdir_sh, $*) DESTDIR=$(CURDIR)/debian/tmp install
	touch $@

override_dh_auto_install: debian/install-python-stamp $(PYVERS:%=debian/install-python%-stamp)
	# Remove some RedHat specific files
	$(RM) debian/tmp/etc/rc.d/init.d/auditd
	$(RM) debian/tmp/etc/sysconfig/auditd

	# Move the development library to /usr/lib
	$(RM) debian/tmp/lib/${DEB_HOST_MULTIARCH}/libaudit.so
	$(RM) debian/tmp/lib/${DEB_HOST_MULTIARCH}/libauparse.so

	mkdir -p debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/

	ln -s /lib/${DEB_HOST_MULTIARCH}/libaudit.so.1.0.0 \
		debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libaudit.so
	ln -s /lib/${DEB_HOST_MULTIARCH}/libauparse.so.0.0.0 \
		debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libauparse.so

	mv debian/tmp/lib/${DEB_HOST_MULTIARCH}/libaudit.a \
		debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libaudit.a
	mv debian/tmp/lib/${DEB_HOST_MULTIARCH}/libauparse.a \
		debian/tmp/usr/lib/${DEB_HOST_MULTIARCH}/libauparse.a

override_dh_install:
	dh_install --list-missing

override_dh_installlogrotate:
	# auditd has an equivalent built-in feature

override_dh_installinit:
	dh_installinit --restart-after-upgrade -- start 37 2 3 4 5 . stop 39 0 1 6 .

override_dh_fixperms:
	dh_fixperms
	#chmod o-wx debian/auditd/usr/bin/aulastlog
	#chmod o-wx debian/auditd/sbin/auditctl
	#chmod o-wx debian/auditd/sbin/auditd
	#chmod o-wx debian/auditd/sbin/autrace
	#chmod 750 debian/auditd/sbin/audispd
	chmod -R o-rwx debian/auditd/var/log/audit
	chmod -R o-rwx debian/auditd/etc/audit debian/auditd/etc/audisp debian/auditd/etc/audisp/plugins.d

get-orig-source:
	-uscan --upstream-version 0

my-check:
	find debian/*aud*/ -mindepth 0 -name DEBIAN -prune -o -not -type d -print|sed -e 's,debian/[^/]*/,,' -e 's/\.gz$$//'

debian/watch

version=3
http://people.redhat.com/sgrubb/audit/ audit-(.*)\.tar\.gz

debian/auditd.dirs

var/log/audit

debian/libaudit1.install

lib/*/libaudit.so.*

debian/libaudit-dev.install

usr/include/libaudit.h
usr/lib/*/libaudit.a
usr/lib/*/libaudit.so
usr/share/man/man3/audit*
usr/share/man/man3/get_auditfail_action.3
usr/share/man/man3/set_aumessage_mode.3

debian/copyright

This package was debianized by Philipp Matthias Hahn on
Wed, 21 Mar 2007 09:47:19 +0100.

It was downloaded from http://people.redhat.com/sgrubb/audit/

Upstream Author:
    Rik Faith
    Steve Grubb

Copyright: 2005-2008 Steve Grubb

License:

The audit daemon is released as GPL'd code. The audit daemon's library
libaudit.* is released under LGPL so that it may be linked with 3rd party
software.

The files in src/libev/ are Copyright (C) 2007,2008,2009 Marc Alexander
Lehmann

The Debian packaging is copyright 2007-2011, Philipp Matthias Hahn and is
licensed under the GPL.

On Debian systems, refer to /usr/share/common-licenses/LGPL-2.1 for the
complete text of the GNU Lesser General Public License.

On Debian systems, the complete text of the GNU General Public License can
be found in the /usr/share/common-licenses/GPL file.

debian/libaudit-dev.examples

contrib/skeleton.c
contrib/plugin

debian/source/format

3.0 (quilt)

debian/libauparse0.symbols

libauparse.so.0 libauparse0 #MINVER#
 auparse_add_callback@Base 1:2.2.1
 auparse_destroy@Base 1:2.2.1
 auparse_do_interpretation@Base 1:2.3.1
 auparse_feed@Base 1:2.2.1
 auparse_feed_has_data@Base 1:2.2.2
 auparse_find_field@Base 1:2.2.1
 auparse_find_field_next@Base 1:2.2.1
 auparse_first_field@Base 1:2.2.1
 auparse_first_record@Base 1:2.2.1
 auparse_flush_feed@Base 1:2.2.1
 auparse_get_field_int@Base 1:2.2.1
 auparse_get_field_name@Base 1:2.2.1
 auparse_get_field_str@Base 1:2.2.1
 auparse_get_field_type@Base 1:2.2.1
 auparse_get_filename@Base 1:2.2.1
 auparse_get_line_number@Base 1:2.2.1
 auparse_get_milli@Base 1:2.2.1
 auparse_get_node@Base 1:2.2.1
 auparse_get_num_fields@Base 1:2.2.1
 auparse_get_num_records@Base 1:2.2.1
 auparse_get_record_text@Base 1:2.2.1
 auparse_get_serial@Base 1:2.2.1
 auparse_get_time@Base 1:2.2.1
 auparse_get_timestamp@Base 1:2.2.1
 auparse_get_type@Base 1:2.2.1
 auparse_goto_record_num@Base 1:2.2.1
 auparse_init@Base 1:2.2.1
 auparse_interp_adjust_type@Base 1:2.3.1
 auparse_interpret_field@Base 1:2.2.1
 auparse_next_event@Base 1:2.2.1
 auparse_next_field@Base 1:2.2.1
 auparse_next_record@Base 1:2.2.1
 auparse_node_compare@Base 1:2.2.1
 auparse_reset@Base 1:2.2.1
 auparse_timestamp_compare@Base 1:2.2.1
 auparse_type_t@Base 1:2.2.1
 ausearch_add_expression@Base 1:2.2.1
 ausearch_add_interpreted_item@Base 1:2.2.1
 ausearch_add_item@Base 1:2.2.1
 ausearch_add_regex@Base 1:2.2.1
 ausearch_add_timestamp_item@Base 1:2.2.1
 ausearch_clear@Base 1:2.2.1
 ausearch_next_event@Base 1:2.2.1
 ausearch_set_stop@Base 1:2.2.1

debian/audispd-plugins.install

etc/audisp/audisp-prelude.conf
etc/audisp/audisp-remote.conf
etc/audisp/plugins.d/au-prelude.conf
etc/audisp/plugins.d/au-remote.conf
etc/audisp/plugins.d/audispd-zos-remote.conf
etc/audisp/zos-remote.conf
sbin/audisp-prelude
sbin/audisp-remote
sbin/audispd-zos-remote
usr/share/man/man5/audisp-prelude.conf.5
usr/share/man/man5/audisp-remote.conf.5
usr/share/man/man5/zos-remote.conf.5
usr/share/man/man8/audisp-prelude.8
usr/share/man/man8/audisp-remote.8
usr/share/man/man8/audispd-zos-remote.8

debian/auditd.default

# Add extra options here
EXTRAOPTIONS=""

# This option is used to determine if rules & watches should be deleted on
# shutdown. This is beneficial in most cases so that a watch doesn't linger
# on a drive that is being unmounted. If set to no, it will NOT be cleaned up.
AUDITD_CLEAN_STOP="yes"

# This option determines whether the audit system should be disabled when
# the audit daemon is shut down
AUDITD_STOP_DISABLE="no"

# This option determines whether or not to call augenrules to compile the
# audit rules from /etc/audit/rules.d. The default is "no" so that nothing
# happens to existing rules.
USE_AUGENRULES="no"

debian/libaudit1.symbols
libaudit.so.1 libaudit1 #MINVER#
 _audit_archadded@Base 1:2.2.1
 _audit_elf@Base 1:2.2.1
 _audit_permadded@Base 1:2.2.1
 _audit_syscalladded@Base 1:2.2.1
 audit_action_to_name@Base 1:2.2.1
 audit_add_dir@Base 1:2.2.1
 audit_add_rule_data@Base 1:2.2.1
 audit_add_watch@Base 1:2.2.1
 audit_add_watch_dir@Base 1:2.2.1
 audit_close@Base 1:2.2.1
 audit_delete_rule_data@Base 1:2.2.1
 audit_detect_machine@Base 1:2.2.1
 audit_elf_to_machine@Base 1:2.2.1
 audit_encode_nv_string@Base 1:2.2.1
 audit_encode_value@Base 1:2.2.1
 audit_errno_to_name@Base 1:2.2.1
 audit_field_to_name@Base 1:2.2.1
 audit_flag_to_name@Base 1:2.2.1
 audit_ftype_to_name@Base 1:2.2.1
 audit_get_reply@Base 1:2.2.1
 audit_getloginuid@Base 1:2.2.1
 audit_is_enabled@Base 1:2.2.1
 audit_log_acct_message@Base 1:2.2.1
 audit_log_semanage_message@Base 1:2.2.1
 audit_log_user_avc_message@Base 1:2.2.1
 audit_log_user_comm_message@Base 1:2.2.1
 audit_log_user_command@Base 1:2.2.1
 audit_log_user_message@Base 1:2.2.1
 audit_machine_to_elf@Base 1:2.2.1
 audit_machine_to_name@Base 1:2.2.1
 audit_make_equivalent@Base 1:2.2.1
 audit_msg@Base 1:2.2.1
 audit_msg_type_to_name@Base 1:2.2.1
 audit_name_to_action@Base 1:2.2.1
 audit_name_to_errno@Base 1:2.2.1
 audit_name_to_field@Base 1:2.2.1
 audit_name_to_flag@Base 1:2.2.1
 audit_name_to_ftype@Base 1:2.2.1
 audit_name_to_machine@Base 1:2.2.1
 audit_name_to_msg_type@Base 1:2.2.1
 audit_name_to_syscall@Base 1:2.2.1
 audit_number_to_errmsg@Base 1:2.2.1
 audit_open@Base 1:2.2.1
 audit_operator_to_symbol@Base 1:2.2.1
 audit_request_rules_list_data@Base 1:2.2.1
 audit_request_signal_info@Base 1:2.2.1
 audit_request_status@Base 1:2.2.1
 audit_rule_fieldpair_data@Base 1:2.2.1
 audit_rule_free_data@Base 1:2.2.1
 audit_rule_interfield_comp_data@Base 1:2.2.1
 audit_rule_syscall_data@Base 1:2.2.1
 audit_rule_syscallbyname_data@Base 1:2.2.1
 audit_send@Base 1:2.2.1
 audit_send_user_message@Base 1:2.2.1
 audit_set_backlog_limit@Base 1:2.2.1
 audit_set_enabled@Base 1:2.2.1
 audit_set_failure@Base 1:2.2.1
 audit_set_pid@Base 1:2.2.1
 audit_set_rate_limit@Base 1:2.2.1
 audit_setloginuid@Base 1:2.2.1
 audit_syscall_to_name@Base 1:2.2.1
 audit_trim_subtrees@Base 1:2.2.1
 audit_update_watch_perms@Base 1:2.2.1
 audit_value_needs_encoding@Base 1:2.2.1
 get_auditfail_action@Base 1:2.2.1
 set_aumessage_mode@Base 1:2.2.1

debian/auditd.preinst
#!/bin/sh
# preinst script for auditd

set -e

case "$1" in
    upgrade)
        if dpkg --compare-versions "$2" le "1:2.2.1-1"; then
            pam-auth-update --package --remove auditd
        fi

        ENABLE_AUGENRULES="/etc/audit/rules.d/TMP_enable_augenrules"
        FIRST_AUGENRULES_VERSION="1:2.3.2-2ubuntu1"

        # Migration to augenrules is needed when upgrading from a version that
        # did not have augenrules and rules.d/ is populated with rules files.
        # When using augenrules, /etc/audit/audit.rules is generated from the
        # rules.d/*.rules files, so it must be moved into rules.d/. The
        # $ENABLE_AUGENRULES file is used to let postinst know that it should
        # set the USE_AUGENRULES variable to "yes" after the new
        # /etc/default/auditd is unpacked.
        if dpkg --compare-versions "$2" lt-nl "$FIRST_AUGENRULES_VERSION" && \
           [ -d /etc/audit/rules.d ] && \
           [ $(ls -1 /etc/audit/rules.d | grep '\.rules$' | wc -l) -ne 0 ]; then
            touch "$ENABLE_AUGENRULES"
            dpkg-maintscript-helper mv_conffile \
                /etc/audit/audit.rules /etc/audit/rules.d/audit.rules \
                "${FIRST_AUGENRULES_VERSION}~" -- "$@"
        fi
    ;;

    install|abort-upgrade)
    ;;

    *)
        echo "preinst called with unknown argument \`$1'" >&2
        exit 1
    ;;
esac

#DEBHELPER#

exit 0

debian/auditd.examples
contrib/capp.rules
contrib/lspp.rules
contrib/nispom.rules
contrib/stig.rules
init.d/auditd.cron

debian/patches/

debian/patches/01-no-refusemanualstop.patch
Description: Remove the RefuseManualStop=yes option
 This option is preventing the daemon from being restarted on upgrade.
 .
 When using systemctl to stop audit, the audit framework is recording the pid
 of systemd instead of the one from the user process that actually stopped the
 process. This is breaking the conformity with some governmental
 certifications.
Author: Laurent Bigonville
Forwarded: not-needed

--- a/init.d/auditd.service +++ b/init.d/auditd.service
@@ -4,7 +4,6 @@ DefaultDependencies=no After=local-fs.target Conflicts=shutdown.target Before=sysinit.target shutdown.target -RefuseManualStop=yes [Service] ExecStart=/sbin/auditd -n

debian/patches/series
01-no-refusemanualstop.patch

debian/gbp.conf
[DEFAULT]
debian-branch = debian
upstream-branch = upstream
pristine-tar = True

[git-buildpackage]
tarball-dir = ../tarballs/
export-dir = ../build-area/

debian/auditd.install
etc/audisp/audispd.conf
etc/audisp/plugins.d/af_unix.conf
etc/audisp/plugins.d/syslog.conf
etc/audit
init.d/auditd.service lib/systemd/system
sbin/audispd
sbin/auditctl
sbin/auditd
sbin/augenrules
sbin/aureport
sbin/ausearch
sbin/autrace
usr/bin/aulast
usr/bin/aulastlog
usr/bin/ausyscall
usr/bin/auvirt
usr/share/man/man5/audispd.conf.5
usr/share/man/man5/auditd.conf.5
usr/share/man/man5/ausearch-expression.5
usr/share/man/man7/audit.rules.7
usr/share/man/man8/audispd.8
usr/share/man/man8/auditctl.8
usr/share/man/man8/auditd.8
usr/share/man/man8/augenrules.8
usr/share/man/man8/aulast.8
usr/share/man/man8/aulastlog.8
usr/share/man/man8/aureport.8
usr/share/man/man8/ausearch.8
usr/share/man/man8/ausyscall.8
usr/share/man/man8/autrace.8
usr/share/man/man8/auvirt.8

debian/auditd.postrm
#!/bin/sh
# postrm script for auditd
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
#        * `remove'
#        * `purge'
#        * `upgrade'
#        * `failed-upgrade'
#        * `abort-install'
#        * `abort-install'
#        * `abort-upgrade'
#        * `disappear'
#
# for details, see http://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
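Review bot: The removal of RefuseManualStop=yes from the [Unit] section of init.d/auditd.service is not reconciled with the patch's own Description, whose second paragraph says that a stop issued through systemctl is recorded with the pid of systemd instead of the user process that stopped the daemon, which is the situation this removal allows. The Description should state that the restart-on-upgrade behaviour is being chosen over stop attribution, and README.Debian should mention that a manual stop through systemctl will be attributed to systemd, so that sites needing the certification behaviour know to restore the option in a local copy of the unit file.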
#DEBHELPER#

case "$1" in
    purge)
        rm -rf /var/log/audit
        rm -f /var/run/audit_events
        rm -f /etc/audit/audit.rules
    ;;

    remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
        ENABLE_AUGENRULES="/etc/audit/rules.d/TMP_enable_augenrules"
        FIRST_AUGENRULES_VERSION="1:2.3.2-2ubuntu1"

        dpkg-maintscript-helper mv_conffile \
            /etc/audit/audit.rules /etc/audit/rules.d/audit.rules \
            "${FIRST_AUGENRULES_VERSION}~" -- "$@"
        rm -f "$ENABLE_AUGENRULES"
    ;;

    *)
        echo "postrm called with unknown argument \`$1'" >&2
        exit 0
    ;;
esac

debian/control
Source: audit
Priority: extra
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Debian QA Group
Build-Depends: debhelper (>= 9),
 dh-autoreconf,
 dh-systemd (>= 1.4),
 dpkg-dev (>= 1.16.1~),
 intltool,
 libcap-ng-dev,
# audit sources embed their own patched version of libev
# libev-dev,
 libkrb5-dev,
 libldap2-dev,
 libprelude-dev,
 python-all-dev (>= 2.6.6-3~),
 swig
Standards-Version: 3.9.4
Section: libs
Homepage: http://people.redhat.com/sgrubb/audit/
Vcs-Git: git://anonscm.debian.org/collab-maint/audit.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/audit.git
X-Python-Version: >= 2.5

Package: auditd
Section: admin
Architecture: linux-any
Depends: lsb-base (>= 3.0-6), ${misc:Depends}, ${shlibs:Depends}
Suggests: audispd-plugins
Description: User space tools for security auditing
 The audit package contains the user space utilities for storing and
 searching the audit records generated by the audit subsystem in the
 Linux 2.6 kernel.
 .
 Also contains the audit dispatcher "audisp".

Package: libauparse0
Architecture: linux-any
Priority: optional
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}, ${shlibs:Depends}
Breaks: libaudit0, libaudit1 (<< 1:2.2.1-2)
Replaces: libaudit0, libaudit1 (<< 1:2.2.1-2)
Multi-Arch: same
Description: Dynamic library for parsing security auditing
 The libauparse package contains the dynamic libraries needed for
 applications to use the audit framework. It is used to monitor systems
 for security related events.
 .
 This package contains the libauparse0 library.

Package: libauparse-dev
Section: libdevel
Architecture: linux-any
Depends: libauparse0 (= ${binary:Version}), ${misc:Depends}
Breaks: libaudit-dev (<< 1:2.2.1-2)
Replaces: libaudit-dev (<< 1:2.2.1-2)
Description: Header files and static library for the libauparse0 library
 The audit-libs parse package contains the dynamic libraries needed for
 applications to use the audit framework. It is used to monitor systems
 for security related events.

Package: libaudit1
Architecture: linux-any
Priority: optional
Pre-Depends: ${misc:Pre-Depends}
Depends: libaudit-common (= ${source:Version}), ${misc:Depends}, ${shlibs:Depends}
Multi-Arch: same
Description: Dynamic library for security auditing
 The audit-libs package contains the dynamic libraries needed for
 applications to use the audit framework. It is used to monitor systems
 for security related events.

Package: libaudit-common
Architecture: all
Priority: optional
Depends: ${misc:Depends}
Breaks: libaudit0, libaudit1 (<< 1:2.2.1-2)
Replaces: libaudit0, libaudit1 (<< 1:2.2.1-2)
Multi-Arch: foreign
Description: Dynamic library for security auditing - common files
 The audit-libs package contains the dynamic libraries needed for
 applications to use the audit framework. It is used to monitor systems
 for security related events.
 .
 This package contains the libaudit.conf configuration file and the
 associated manpage.

Package: libaudit-dev
Section: libdevel
Architecture: linux-any
Depends: libaudit1 (= ${binary:Version}), ${misc:Depends}
Description: Header files and static library for security auditing
 The audit-libs-devel package contains the static libraries and header
 files needed for developing applications that need to use the audit
 framework libraries.

Package: python-audit
Section: python
Architecture: linux-any
Depends: ${misc:Depends}, ${python:Depends}, ${shlibs:Depends}
Provides: ${python:Provides}
Description: Python bindings for security auditing
 The package contains the Python bindings for libaudit and libauparse,
 which are used to monitor systems for security related events. Python
 can be used to parse and process the security event messages.

Package: audispd-plugins
Section: admin
Architecture: linux-any
Depends: auditd, ${misc:Depends}, ${shlibs:Depends}
Description: Plugins for the audit event dispatcher
 The audispd-plugins package provides plugins for the real-time
 interface to the audit system, audispd. These plugins can do things
 like relay events to remote machines or analyze events for suspicious
 behavior.