From be3514e25ce10dca20b4a6310cd7d290b5ad6cc4 Mon Sep 17 00:00:00 2001 From: slin14 Date: Mon, 12 Nov 2018 19:48:35 +0800 Subject: [PATCH] refactor audit Package audit-config is created to config customized config file of audit. Since there is no other change for audit, we could replace srpm with rpm directly. audit-config is set to depends on audit, so audit rpm will be installed automatically. Test: Pass build and multi node deploy test. Confirm syslog.conf is the same as before in the deploy. Story: 2003768 Task: 27602 Depends-On: https://review.openstack.org/617174 Change-Id: I6101142642dd21c35e7db1352cc8c9aa05fba923 Signed-off-by: slin14 --- centos_iso_image.inc | 2 +- centos_pkg_dirs | 2 +- .../audit-config/centos/audit-config.spec | 40 ++++ .../audit-config/centos/build_srpm.data | 2 + config-files/audit-config/files/LICENSE | 202 ++++++++++++++++++ config-files/audit-config/files/syslog.conf | 14 ++ security/audit/PKG-INFO | 15 -- security/audit/centos/build_srpm.data | 1 - ...te-package-versioning-for-TIS-format.patch | 25 --- .../audit/centos/meta_patches/PATCH_ORDER | 2 - .../meta_patches/meta-enable-audispd.patch | 37 ---- ...001-enable-audispd-and-auth-facility.patch | 31 --- security/audit/centos/srpm_path | 1 - 13 files changed, 260 insertions(+), 114 deletions(-) create mode 100644 config-files/audit-config/centos/audit-config.spec create mode 100644 config-files/audit-config/centos/build_srpm.data create mode 100644 config-files/audit-config/files/LICENSE create mode 100644 config-files/audit-config/files/syslog.conf delete mode 100644 security/audit/PKG-INFO delete mode 100644 security/audit/centos/build_srpm.data delete mode 100644 security/audit/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch delete mode 100644 security/audit/centos/meta_patches/PATCH_ORDER delete mode 100644 security/audit/centos/meta_patches/meta-enable-audispd.patch delete mode 100644 security/audit/centos/patches/0001-enable-audispd-and-auth-facility.patch delete mode 100644 security/audit/centos/srpm_path diff --git a/centos_iso_image.inc b/centos_iso_image.inc index 49ce400c3..d3ce28202 100644 --- a/centos_iso_image.inc +++ b/centos_iso_image.inc @@ -247,7 +247,7 @@ libevent tpm2-tools # audit -audit +audit-config # kernel kernel diff --git a/centos_pkg_dirs b/centos_pkg_dirs index e37d167d4..c3abdff27 100644 --- a/centos_pkg_dirs +++ b/centos_pkg_dirs @@ -45,7 +45,6 @@ security/tpm2-tools security/tpm2-openssl-engine security/libtpms security/swtpm -security/audit security/spectre-meltdown-checker kernel/kernel-std config/puppet-4.8.2 @@ -104,6 +103,7 @@ utilities/branding config-files/io-scheduler config-files/sudo-config config-files/memcached-custom +config-files/audit-config config-files/shadow-utils-config config-files/ntp-config tools/collector diff --git a/config-files/audit-config/centos/audit-config.spec b/config-files/audit-config/centos/audit-config.spec new file mode 100644 index 000000000..645add63f --- /dev/null +++ b/config-files/audit-config/centos/audit-config.spec @@ -0,0 +1,40 @@ +Summary: StarlingX audit Configuration File +Name: audit-config +Version: 1.0 +Release: %{tis_patch_ver}%{?_tis_dist} +License: Apache-2.0 +Group: config-files +Packager: StarlingX +URL: unknown +Source: %name-%version.tar.gz + +BuildArch: noarch +Requires: audit +Requires: audit-libs +Requires: audit-libs-python + +%define debug_package %{nil} + +%description +StarlingX audit configuration file + +%prep + +%setup + +%build + +%install +install -d %{buildroot}%{_datadir}/starlingx +install -m640 syslog.conf %{buildroot}%{_datadir}/starlingx/syslog.conf + +%post +if [ $1 -eq 1 ] ; then + cp -f %{_datadir}/starlingx/syslog.conf %{_sysconfdir}/audisp/plugins.d/syslog.conf + chmod 640 %{_sysconfdir}/audisp/plugins.d/syslog.conf +fi + +%files +%defattr(-,root,root) +%license LICENSE +%{_datadir}/starlingx/syslog.conf diff --git a/config-files/audit-config/centos/build_srpm.data b/config-files/audit-config/centos/build_srpm.data new file mode 100644 index 000000000..da1e20bd8 --- /dev/null +++ b/config-files/audit-config/centos/build_srpm.data @@ -0,0 +1,2 @@ +SRC_DIR="files" +TIS_PATCH_VER=0 diff --git a/config-files/audit-config/files/LICENSE b/config-files/audit-config/files/LICENSE new file mode 100644 index 000000000..d64569567 --- /dev/null +++ b/config-files/audit-config/files/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/config-files/audit-config/files/syslog.conf b/config-files/audit-config/files/syslog.conf new file mode 100644 index 000000000..0a80d72a6 --- /dev/null +++ b/config-files/audit-config/files/syslog.conf @@ -0,0 +1,14 @@ +# This file controls the configuration of the syslog plugin. +# It simply takes events and writes them to syslog. The +# arguments provided can be the default priority that you +# want the events written with. And optionally, you can give +# a second argument indicating the facility that you want events +# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH, +# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER. + +active = yes +direction = out +path = builtin_syslog +type = builtin +args = LOG_INFO LOG_AUTH +format = string diff --git a/security/audit/PKG-INFO b/security/audit/PKG-INFO deleted file mode 100644 index 379827bd0..000000000 --- a/security/audit/PKG-INFO +++ /dev/null @@ -1,15 +0,0 @@ -Metadata-Version: 1.1 -Name: audit -Version: 2.6.5 -Summary: User space tools for 2.6 Kernel auditing -Home-page: -Author: -Author-email: -License: BSD - -Description: -The audit package contains the user space utilties for -storing and searching the audit records generate by -the audit subsystem in the Linux 2.6 kernel. - -Platform: UNKNOWN diff --git a/security/audit/centos/build_srpm.data b/security/audit/centos/build_srpm.data deleted file mode 100644 index 70b4b5dcb..000000000 --- a/security/audit/centos/build_srpm.data +++ /dev/null @@ -1 +0,0 @@ -TIS_PATCH_VER=2 diff --git a/security/audit/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch b/security/audit/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch deleted file mode 100644 index 0c0c6d4da..000000000 --- a/security/audit/centos/meta_patches/0001-Update-package-versioning-for-TIS-format.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 5f712d1cb936ace204ccbbcb8cc0002f7ee2cd76 Mon Sep 17 00:00:00 2001 -From: Kam Nasim -Date: Fri, 6 Oct 2017 14:26:03 -0400 -Subject: [PATCH 1/2] Update package versioning for TIS format - ---- - SPECS/audit.spec | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/SPECS/audit.spec b/SPECS/audit.spec -index ad10844..2bbd782 100644 ---- a/SPECS/audit.spec -+++ b/SPECS/audit.spec -@@ -3,7 +3,7 @@ - Summary: User space tools for 2.6 kernel auditing - Name: audit - Version: 2.8.1 --Release: 3%{?dist} -+Release: 3.el7%{?_tis_dist}.%{tis_patch_ver} - License: GPLv2+ - Group: System Environment/Daemons - URL: http://people.redhat.com/sgrubb/audit/ --- -2.7.4 - diff --git a/security/audit/centos/meta_patches/PATCH_ORDER b/security/audit/centos/meta_patches/PATCH_ORDER deleted file mode 100644 index 56ab8f664..000000000 --- a/security/audit/centos/meta_patches/PATCH_ORDER +++ /dev/null @@ -1,2 +0,0 @@ -0001-Update-package-versioning-for-TIS-format.patch -meta-enable-audispd.patch diff --git a/security/audit/centos/meta_patches/meta-enable-audispd.patch b/security/audit/centos/meta_patches/meta-enable-audispd.patch deleted file mode 100644 index aa4183a34..000000000 --- a/security/audit/centos/meta_patches/meta-enable-audispd.patch +++ /dev/null @@ -1,37 +0,0 @@ -From dc0677a11cede908f266ce4695320759b4694d18 Mon Sep 17 00:00:00 2001 -From: Kam Nasim -Date: Fri, 6 Oct 2017 14:10:25 -0400 -Subject: [PATCH 2/2] meta patch for enabling audispd and LOG_AUTH facility - ---- - SPECS/audit.spec | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/SPECS/audit.spec b/SPECS/audit.spec -index 2bbd782..9e70f5d 100644 ---- a/SPECS/audit.spec -+++ b/SPECS/audit.spec -@@ -20,6 +20,10 @@ Patch4: audit-2.8.2-ipv6-bind.patch - Patch5: audit-2.8.2-fix-reset-lost-return.patch - # This patch makes date a numeric field so auparse_search works - Patch6: audit-2.8.2-auparse-numeric_field.patch -+ -+# WRS Patches -+Patch1000: 0001-enable-audispd-and-auth-facility.patch -+ - BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - BuildRequires: openldap-devel - BuildRequires: swig -@@ -100,6 +104,9 @@ like relay events to remote machines. - %patch5 -p1 - %patch6 -p1 - -+# WRS patches -+%patch1000 -p1 -+ - %build - %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes \ - --with-libwrap --enable-gssapi-krb5=yes \ --- -2.7.4 - diff --git a/security/audit/centos/patches/0001-enable-audispd-and-auth-facility.patch b/security/audit/centos/patches/0001-enable-audispd-and-auth-facility.patch deleted file mode 100644 index 7f5ed346c..000000000 --- a/security/audit/centos/patches/0001-enable-audispd-and-auth-facility.patch +++ /dev/null @@ -1,31 +0,0 @@ -From de26fc2d64a7afe600d528f34a5bd4f59e250883 Mon Sep 17 00:00:00 2001 -From: Kam Nasim -Date: Fri, 6 Oct 2017 12:57:24 -0400 -Subject: [PATCH] US103091: IMA: System Configuration - -enable audispd to send audit events to the LOG_AUTH facility where -it will be used by syslog-ng to filter them into a seperate ima log as -well as send them to an FM Event log stream ---- - audisp/plugins/builtins/syslog.conf | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/audisp/plugins/builtins/syslog.conf b/audisp/plugins/builtins/syslog.conf -index 7d7dbd7..0a80d72 100644 ---- a/audisp/plugins/builtins/syslog.conf -+++ b/audisp/plugins/builtins/syslog.conf -@@ -6,9 +6,9 @@ - # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH, - # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER. - --active = no -+active = yes - direction = out - path = builtin_syslog - type = builtin --args = LOG_INFO -+args = LOG_INFO LOG_AUTH - format = string --- -1.8.3.1 - diff --git a/security/audit/centos/srpm_path b/security/audit/centos/srpm_path deleted file mode 100644 index df8e681c8..000000000 --- a/security/audit/centos/srpm_path +++ /dev/null @@ -1 +0,0 @@ -mirror:Source/audit-2.8.1-3.el7.src.rpm