9:44 a.m.
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- fchmod of log file was on wrong variable
- Allow use of errno strings for exit codes in audit rules
This release fixes a major bug that got introduced in the last release. The
code that fixes a permission problem was using the wrong variable. It happens
that the result was applied to /dev/null instead of the audit log. If you had
selinux in enforcing mode - nothing happened, for everyone else.../dev/null
probably got messed up. Oopsie.
This release also lets you express audit rules with slightly more readable
exits codes. This means you can now do things like:
auditctl -a always,exit -S open -F exit=-EPERM
Please let me know if you run across any problems with this release.
-Steve
10:24 a.m.
On Sat, 2007-12-29 at 10:44 -0500, Steve Grubb wrote:
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- fchmod of log file was on wrong variable
- Allow use of errno strings for exit codes in audit rules
This release fixes a major bug that got introduced in the last release. The
code that fixes a permission problem was using the wrong variable. It happens
that the result was applied to /dev/null instead of the audit log. If you had
selinux in enforcing mode - nothing happened, for everyone else.../dev/null
probably got messed up. Oopsie.
close, so close.
Now auditd is fchmoding /var/log/audit/audit.log to 600 and everything
works fine. But run 'service auditd restart' or just reboot and audit
will refuse to start!
Dec 30 11:53:43 dhcp231-146 auditd: /var/log/audit/audit.log permissions
should be 0640
But at least this time it isn't breaking the whole system :)
-Eric
8:39 a.m.
On Sunday 30 December 2007 11:24:41 am Eric Paris wrote:
On Sat, 2007-12-29 at 10:44 -0500, Steve Grubb wrote:
> This release fixes a major bug that got introduced in the last release.
> The code that fixes a permission problem was using the wrong variable. It
> happens that the result was applied to /dev/null instead of the audit
> log. If you had selinux in enforcing mode - nothing happened, for
> everyone else.../dev/null probably got messed up. Oopsie.
close, so close.
Now auditd is fchmoding /var/log/audit/audit.log to 600 and everything
works fine. But run 'service auditd restart' or just reboot and audit
will refuse to start!
I forgot to change the parser to allow this config. The following patch was
applied to Fedora rawhide. It will be in the 1.6.5 release sometime soon. I
want to fix a couple more things before releasing 1.6.5.
-Steve
diff -urp audit-1.6.5.orig/src/auditd-config.c audit-1.6.5/src/auditd-config.c
--- audit-1.6.5.orig/src/auditd-config.c 2007-12-30 17:01:29.000000000 -0500
+++ audit-1.6.5/src/auditd-config.c 2007-12-30 17:07:45.000000000 -0500
@@ -505,9 +505,9 @@ static int log_file_parser(struct nv_pai
audit_msg(LOG_ERR, "%s is not owned by root", nv->value);
return 1;
}
- if ((buf.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) !=
- (S_IRUSR|S_IWUSR|S_IRGRP)) {
- audit_msg(LOG_ERR, "%s permissions should be 0640", nv->value);
+ if ( (buf.st_mode & (S_IXUSR|S_IWGRP|S_IXGRP|S_IRWXO)) ) {
+ audit_msg(LOG_ERR, "%s permissions should be 0600 or 0640",
+ nv->value);
return 1;
}
free((void *)config->log_file);
1:09 p.m.
On Sat, 2007-12-29 at 10:44 -0500, Steve Grubb wrote:
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
I'm trying to build the rpm but the process fails at:
...
Processing files: audit-libs-python-1.6.4-1
error: File not found by
glob: /var/tmp/audit-1.6.4-root/usr/lib64/python?.?/site-packages/auparse-*.egg-info
Processing files: audispd-plugins-1.6.4-1
Provides: config(audispd-plugins) = 1.6.4-1
...
RPM build errors:
File not found by
glob: /var/tmp/audit-1.6.4-root/usr/lib64/python?.?/site-packages/auparse-*.egg-info
[root@lepton ~]#
This happens in both fedora8 and RHEL5.1
Is there something that is supposed to generate this file? I don't see
other errors in the prep/build stage (If something is missing in my
config, maybe the spec file could use a little tweaking to point it out)
Klaus
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
1:37 p.m.
On Friday 04 January 2008 14:09:17 Klaus Heinrich Kiwi wrote:
This happens in both fedora8 and RHEL5.1
You have to delete the line in the specfile that packages it up on F8 and
RHEL5. The specfile is aimed only at rawhide since that is where the
development work is done. I will be packaging 1.6.5 up for F8 next week.
Is there something that is supposed to generate this file?
Python in rawhide.
-Steve
3:17 p.m.
shouldn't the spec file then require whatever version of python is
actually required?
-Eric
On Fri, 2008-01-04 at 14:37 -0500, Steve Grubb wrote:
On Friday 04 January 2008 14:09:17 Klaus Heinrich Kiwi wrote:
> This happens in both fedora8 and RHEL5.1
You have to delete the line in the specfile that packages it up on F8 and
RHEL5. The specfile is aimed only at rawhide since that is where the
development work is done. I will be packaging 1.6.5 up for F8 next week.
> Is there something that is supposed to generate this file?
Python in rawhide.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
5:08 p.m.
On Friday 04 January 2008 16:17:06 Eric Paris wrote:
shouldn't the spec file then require whatever version of python
is
actually required?
If you tie things too tightly to versions, you also create problems. Besides,
this one has nothing to do with a specific version of python. Its something
recently turned on for Fedora 9.
http://fedoraproject.org/wiki/Packaging/Python/Eggs
-Steve
6205
days inactive
6211
days old
linux-audit@lists.linux-audit.osci.io
6 comments
3 participants
participants (3)
-
Eric Paris -
Klaus Heinrich Kiwi -
Steve Grubb