-
Notifications
You must be signed in to change notification settings - Fork 211
/
audit.spec
286 lines (248 loc) · 10.2 KB
/
audit.spec
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
Summary: User space tools for kernel auditing
Name: audit
Version: 4.0.3
Release: 1%{dist}
License: GPL-2.0-or-later AND LGPL-2.0-or-later
Group: System Environment/Daemons
URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
BuildRequires: make gcc
BuildRequires: kernel-headers >= 5.0
BuildRequires: systemd
Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-rules%{?_isa} = %{version}-%{release}
Requires(post): systemd coreutils
Requires(preun): systemd
Requires(postun): systemd coreutils
Recommends: initscripts-service
%description
The audit package contains the user space utilities for
storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 and later kernels.
%package libs
Summary: Dynamic library for libaudit
License: LGPL-2.0-or-later
BuildRequires: libcap-ng-devel
%description libs
The audit-libs package contains the dynamic libraries needed for
applications to use the audit framework.
%package libs-devel
Summary: Header files for libaudit
License: LGPL-2.0-or-later
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: kernel-headers >= 5.0
%description libs-devel
The audit-libs-devel package contains the header files needed for
developing applications that need to use the audit framework libraries.
%package libs-static
Summary: Static version of libaudit library
License: LGPL-2.0-or-later
Requires: kernel-headers >= 5.0
%description libs-static
The audit-libs-static package contains the static libraries
needed for developing applications that need to use static audit
framework libraries
%package python3-audit
Summary: Python3 bindings for libaudit
License: LGPL-2.0-or-later
BuildRequires: python3-devel python-unversioned-command swig
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description python3-audit
The audit-libs-python3 package contains the bindings so that libaudit
and libauparse can be used by python3.
%package -n audispd-plugins
Summary: Plugins for the audit event dispatcher
License: GPL-2.0-or-later
BuildRequires: krb5-devel libcap-ng-devel
Requires: %{name} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description -n audispd-plugins
The audispd-plugins package provides plugins for the real-time
interface to the audit system, audispd. These plugins can do things
like relay events to remote machines or analyze events for suspicious
behavior.
%package -n audispd-plugins-zos
Summary: z/OS plugin for the audit event dispatcher
License: GPL-2.0-or-later
BuildRequires: openldap-devel
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description -n audispd-plugins-zos
The audispd-plugins-zos package provides a plugin that will forward all
incoming audit events, as they happen, to a configured z/OS SMF (Service
Management Facility) database, through an IBM Tivoli Directory Server
(ITDS) set for Remote Audit service.
%package rules
Summary: audit rules and utilities
License: GPL-2.0-or-later
Recommends: %{name} = %{version}-%{release}
%description rules
The audit rules package contains the rules and utilities to load audit rules.
%prep
%setup -q
%build
%configure --with-python3=yes \
--enable-gssapi-krb5=yes --with-arm --with-aarch64 \
--with-libcap-ng=yes --without-golang --enable-zos-remote \
--enable-experimental --with-io_uring
make CFLAGS="%{optflags}" %{?_smp_mflags}
%install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
mkdir --mode=0700 -p $RPM_BUILD_ROOT/%{_var}/log/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
make DESTDIR=$RPM_BUILD_ROOT install
# Remove these items so they don't get picked up.
rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
find $RPM_BUILD_ROOT -name '*.la' -delete
find $RPM_BUILD_ROOT/%{_libdir}/python3.?/site-packages -name '*.a' -delete
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
%check
make %{?_smp_mflags} check
# Get rid of make files so that they don't get packaged.
rm -f rules/Makefile*
%post
%systemd_post auditd.service
# If an upgrade, restart it if it's running
if [ $1 -eq 2 ]; then
state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
if [ $state = "active" ] ; then
auditctl --signal stop || true
systemctl start auditd
fi
# if an install, start it since preset says we should be running
elif [ $1 -eq 1 ]; then
systemctl start auditd
fi
%post rules
%systemd_post audit-rules.service
# Copy default rules into place on new installation
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
cp %{_datadir}/%{name}-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
# Fix up permissions
chmod 0600 /etc/audit/rules.d/audit.rules
# Make the new rules active
augenrules --load
fi
%preun
%systemd_preun auditd.service
# If uninstalling, stop it
if [ $1 -eq 0 ]; then
auditctl --signal stop || true
fi
%preun rules
%systemd_preun audit-rules.service
# If uninstalling, delete the rules loaded in the kernel
if [ $1 -eq 0 ]; then
auditctl -D > /dev/null 2>&1
fi
%files libs
%license COPYING.LIB
/%{_lib}/libaudit.so.1*
/%{_lib}/libauparse.*
%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
%{_mandir}/man5/libaudit.conf.5.gz
%files libs-devel
%doc contrib/plugin
%{_libdir}/libaudit.so
%{_libdir}/libauparse.so
%{_includedir}/libaudit.h
%{_includedir}/audit_logging.h
%{_includedir}/audit-records.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_datadir}/aclocal/audit.m4
%{_libdir}/pkgconfig/audit.pc
%{_libdir}/pkgconfig/auparse.pc
%{_mandir}/man3/*
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
%files libs-static
%license COPYING.LIB
%{_libdir}/libaudit.a
%{_libdir}/libauparse.a
%files -n python3-audit
%defattr(-,root,root,-)
%attr(755,root,root) %{python3_sitearch}/*
%files
%license COPYING
%doc README.md ChangeLog rules init.d/auditd.cron
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
%attr(755,root,root) %{_sbindir}auditd
%attr(755,root,root) %{_sbindir}ausearch
%attr(755,root,root) %{_sbindir}aureport
%attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall
%attr(644,root,root) %{_unitdir}/auditd.service
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/reload
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%ghost %{_localstatedir}/run/auditd.state
%attr(-,root,-) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit/plugins.d
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
%files rules
%attr(755,root,root) %dir %{_datadir}/%{name}-rules
%attr(644,root,root) %{_datadir}/%{name}-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(755,root,root) %{_sbindir}/auditctl
%attr(755,root,root) %{_sbindir}/augenrules
%attr(644,root,root) %{_unitdir}/audit-rules.service
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
%files -n audispd-plugins
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
%config(noreplace) %attr(640,root,root) /etc/audit/ids.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audisp-ids.conf
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-filter.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/filter.conf
%attr(644,root,root) %{_datadir}/%{name}-rules/ids-rules/*
%attr(750,root,root) %{_sbindir}/audisp-remote
%attr(750,root,root) %{_sbindir}/audisp-syslog
%attr(750,root,root) %{_sbindir}/audisp-af_unix
%attr(750,root,root) %{_sbindir}/audisp-ids
%attr(750,root,root) %{_sbindir}/audisp-statsd
%attr(750,root,root) %{_sbindir}/audisp-filter
%attr(700,root,root) %dir %{_var}/spool/audit
%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-statsd.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-filter.8.gz
%files -n audispd-plugins-zos
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
%attr(750,root,root) %{_sbindir}/audispd-zos-remote
%changelog
* Thu Aug 08 2024 Steve Grubb <[email protected]> 4.0.3-1
- New upstream release