From 51963c9cc9659cad5ac792f27974415d0f88a450 Mon Sep 17 00:00:00 2001 From: Andy Bailey Date: Sun, 13 Jun 2010 02:11:41 -0500 Subject: system/audit: Added (Auditing System Daemon) Signed-off-by: Robby Workman --- system/audit/README | 16 ++++ system/audit/README.SLACKWARE | 16 ++++ system/audit/audit-2.0.4-sysconfig.diff | 21 ++++++ system/audit/audit.SlackBuild | 127 ++++++++++++++++++++++++++++++++ system/audit/audit.info | 10 +++ system/audit/doinst.sh | 36 +++++++++ system/audit/slack-desc | 19 +++++ 7 files changed, 245 insertions(+) create mode 100644 system/audit/README create mode 100644 system/audit/README.SLACKWARE create mode 100644 system/audit/audit-2.0.4-sysconfig.diff create mode 100644 system/audit/audit.SlackBuild create mode 100644 system/audit/audit.info create mode 100644 system/audit/doinst.sh create mode 100644 system/audit/slack-desc (limited to 'system') diff --git a/system/audit/README b/system/audit/README new file mode 100644 index 0000000000..59dba16797 --- /dev/null +++ b/system/audit/README @@ -0,0 +1,16 @@ +Audit for Slackware + +The Linux Auditing System is a kernel subsystem the allows the kernel to +record events of interest to intrusion detection systems, such as file +access attempts, specific system calls, or custom events generated by +trusted system binaries like login or sshd. The audit package provides the +tools to configure the audit system, and to collect and process its output. + +To collect audit events, your kernel must have the audit system enabled, +which is present in the stock Slackware kernels. + +The audit package has no other dependencies. However, certain audit events +of interest, such as failed login attempts from /bin/login, password changes, +etcetera are generated by their respective binaries using libaudit. If your +site policy requires auditing those events, some reconfiguration and/or +patching may be required. diff --git a/system/audit/README.SLACKWARE b/system/audit/README.SLACKWARE new file mode 100644 index 0000000000..36ae25c925 --- /dev/null +++ b/system/audit/README.SLACKWARE @@ -0,0 +1,16 @@ +# NOTES: +# This slackbuild won't do much unless you rebuild your kernel with audit enabled. +# Optionally you can enable syscall-level audit. +# +# RULES: +# Some example rulesets are available at /usr/doc/audit-2.0.4/contrib +# stig.rules is an example ruleset for systems that are subject to the US Department of Defense +# UNIX STIG audit requirement, although I read recently on the gov-sec@ Redhat list that +# they hadn't been updating it religiously. +# +# ROTATION: +# The audit log (/var/log/audit/audit.log) is rotated on a size basis automatically by auditd. +# Periodic rotation (i.e. logrotate) is a bad idea for audit, since an attacker could trigger a +# common event rapidly to exhaust log space, then do something nefarious that would go unaudited. +# This package uses the default rotation size of 8MB. + diff --git a/system/audit/audit-2.0.4-sysconfig.diff b/system/audit/audit-2.0.4-sysconfig.diff new file mode 100644 index 0000000000..2004313a11 --- /dev/null +++ b/system/audit/audit-2.0.4-sysconfig.diff @@ -0,0 +1,21 @@ +diff -Nur audit-2.0.4.orig//init.d/auditd.init audit-2.0.4/init.d/auditd.init +--- audit-2.0.4.orig//init.d/auditd.init 2009-12-07 15:16:41.000000000 -0600 ++++ audit-2.0.4/init.d/auditd.init 2010-06-13 02:07:13.368552889 -0500 +@@ -9,7 +9,7 @@ + # will be sent to syslog. + # + # processname: /sbin/auditd +-# config: /etc/sysconfig/auditd ++# config: /etc/rc.d/rc.auditd.conf + # config: /etc/audit/auditd.conf + # pidfile: /var/run/auditd.pid + # +@@ -42,7 +42,7 @@ + test $EUID = 0 || exit 4 + + # Check config +-test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd ++test -f /etc/rc.d/rc.auditd.conf && . /etc/rc.d/rc.auditd.conf + + RETVAL=0 + diff --git a/system/audit/audit.SlackBuild b/system/audit/audit.SlackBuild new file mode 100644 index 0000000000..9d2dd86982 --- /dev/null +++ b/system/audit/audit.SlackBuild @@ -0,0 +1,127 @@ +#!/bin/sh + +# Copyright 2010, R. Andrew Bailey, Chantilly, VA USA +# All rights reserved. +# +# Permission to use, copy, modify, and distribute this software for +# any purpose with or without fee is hereby granted, provided that +# the above copyright notice and this permission notice appear in all +# copies. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF +# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT +# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +PRGNAM=audit +VERSION=${VERSION:-2.0.4} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} + +# Automatically determine the architecture we're building on: +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i486 ;; + arm*) ARCH=arm ;; + # Unless $ARCH is already set, use uname -m for all other archs: + *) ARCH=$( uname -m ) ;; + esac +fi + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "s390" ]; then + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +fi + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz +cd $PRGNAM-$VERSION + +chown -R root:root . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; + +# Init should check /etc/rc.d/rc.auditd.conf instead of /etc/sysconfig/auditd +patch -p1 < $CWD/audit-2.0.4-sysconfig.diff + +CXXFLAGS="$SLKCFLAGS" \ +CFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --localstatedir=/var \ + --sysconfdir=/etc \ + --mandir=/usr/man \ + --disable-static \ + --program-prefix= \ + --program-suffix= \ + --sbindir=/sbin \ + --build=$ARCH-slackware-linux + +make +make DESTDIR=$PKG install + +find $PKG | xargs file | grep -e "executable" -e "shared object" \ + | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +# audispd must be 0750 to run +chmod 0750 $PKG/sbin/audispd + +mkdir -p $PKG/etc/rc.d +mv $PKG/etc/sysconfig/auditd $PKG/etc/rc.d/rc.auditd.conf.new +mv $PKG/etc/rc.d/init.d/auditd $PKG/etc/rc.d/rc.auditd.new +rm -rf $PKG/etc/rc.d/init.d $PKG/etc/sysconfig + +# Change config files to .new: +for i in $(find $PKG/etc -type f -name "*.rules" -o -name "*.conf") ; do mv $i $i.new; done + +mkdir -p $PKG/var/log/audit $PKG/var/lock/subsys + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a \ + AUTHORS COPYING ChangeLog INSTALL NEWS README TODO contrib \ + $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild +cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE +find $PKG/usr/doc -type f -exec chmod 0644 {} \; +find $PKG/usr/doc -size 0 -exec rm {} \; + +find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \; +for i in $(find $PKG/usr/man -type l -name "*.?") ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc +cat $CWD/doinst.sh > $PKG/install/doinst.sh + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/system/audit/audit.info b/system/audit/audit.info new file mode 100644 index 0000000000..350ee18dcc --- /dev/null +++ b/system/audit/audit.info @@ -0,0 +1,10 @@ +PRGNAM="audit" +VERSION="2.0.4" +HOMEPAGE="http://people.redhat.com/sgrubb/audit/" +DOWNLOAD="http://people.redhat.com/sgrubb/audit/audit-2.0.4.tar.gz" +MD5SUM="91eee3f3869dd79123a45c2775f3e85e" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +MAINTAINER="Andy Bailey" +EMAIL="bailey@akamai.com" +APPROVED="rworkman" diff --git a/system/audit/doinst.sh b/system/audit/doinst.sh new file mode 100644 index 0000000000..fb88271cae --- /dev/null +++ b/system/audit/doinst.sh @@ -0,0 +1,36 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then + # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +preserve_perms() { + NEW="$1" + OLD="$(dirname ${NEW})/$(basename ${NEW} .new)" + if [ -e ${OLD} ]; then + cp -a ${OLD} ${NEW}.incoming + cat ${NEW} > ${NEW}.incoming + mv ${NEW}.incoming ${NEW} + fi + config ${NEW} +} + +preserve_perms etc/rc.d/rc.auditd.new +config etc/rc.d/rc.auditd.conf.new +config etc/audit/audit.rules.new +config etc/audit/auditd.conf.new +config etc/audisp/audispd.conf.new +config etc/audisp/zos-remote.conf.new +config etc/audisp/plugins.d/af_unix.conf.new +config etc/audisp/plugins.d/au-remote.conf.new +config etc/audisp/plugins.d/audispd-zos-remote.conf.new +config etc/audisp/plugins.d/syslog.conf.new +config etc/audisp/audisp-remote.conf.new + diff --git a/system/audit/slack-desc b/system/audit/slack-desc new file mode 100644 index 0000000000..3b055d578b --- /dev/null +++ b/system/audit/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler------------------------------------------------------| +audit: audit (Linux Kernel Audit Framework) +audit: +audit: The audit package contains the user space utilities for storing and +audit: searching the audit records generate by the audit subsystem in the +audit: Linux 2.6 kernel. +audit: +audit: The audit subsystem, which is not enabled in stock Slackware kernels +audit: must be enabled and the kernel rebuilt in order to use auditd +audit: +audit: +audit: -- cgit v1.2.3