From: Frank Brehm Date: Tue, 20 Dec 2016 15:35:12 +0000 (+0100) Subject: committing changes in /etc after emerge run X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=4897ec91425962a224e3a4506351741c9f56aa61;p=config%2Fberta%2Fetc.git committing changes in /etc after emerge run Package changes: +sys-process/audit-2.6.4
---
diff --git a/.etckeeper b/.etckeeper
index 1bf6448..c75823c 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -19,6 +19,21 @@ maybe chmod 0755 'X11/xinit/xinitrc.d/50-systemd-user.sh'
 maybe chmod 0755 'X11/xorg.conf.d'
 maybe chmod 0644 'X11/xorg.conf.d/00-keyboard.conf'
 maybe chmod 0644 'anacrontab'
+maybe chmod 0755 'audisp'
+maybe chmod 0640 'audisp/audisp-remote.conf'
+maybe chmod 0640 'audisp/audispd.conf'
+maybe chmod 0750 'audisp/plugins.d'
+maybe chmod 0640 'audisp/plugins.d/af_unix.conf'
+maybe chmod 0640 'audisp/plugins.d/au-remote.conf'
+maybe chmod 0640 'audisp/plugins.d/audispd-zos-remote.conf'
+maybe chmod 0640 'audisp/plugins.d/syslog.conf'
+maybe chmod 0640 'audisp/zos-remote.conf'
+maybe chmod 0755 'audit'
+maybe chmod 0644 'audit/audit-stop.rules'
+maybe chmod 0640 'audit/audit.rules'
+maybe chmod 0640 'audit/audit.rules.stop.post'
+maybe chmod 0640 'audit/audit.rules.stop.pre'
+maybe chmod 0640 'audit/auditd.conf'
 maybe chmod 0755 'bash'
 maybe chmod 0644 'bash/bash_logout'
 maybe chmod 0644 'bash/bashrc'
@@ -40,6 +55,7 @@ maybe chmod 0644 'colordiffrc'
 maybe chmod 0644 'colordiffrc-gitdiff'
 maybe chmod 0644 'colordiffrc-lightbg'
 maybe chmod 0755 'conf.d'
+maybe chmod 0644 'conf.d/auditd'
 maybe chmod 0644 'conf.d/bootmisc'
 maybe chmod 0644 'conf.d/busybox-ntpd'
 maybe chmod 0644 'conf.d/busybox-watchdog'
@@ -227,6 +243,7 @@ maybe chmod 0644 'hostname'
 maybe chmod 0644 'hosts'
 maybe chmod 0644 'hosts.allow'
 maybe chmod 0755 'init.d'
+maybe chmod 0755 'init.d/auditd'
 maybe chmod 0755 'init.d/binfmt'
 maybe chmod 0755 'init.d/bootmisc'
 maybe chmod 0755 'init.d/busybox-ntpd'
@@ -318,6 +335,7 @@ maybe chmod 0644 'layman/overlays/.keep_app-portage_layman-0'
 maybe chmod 0644 'ld.so.conf'
 maybe chmod 0755 'ld.so.conf.d'
 maybe chmod 0644 'ld.so.conf.d/05gcc-x86_64-pc-linux-gnu.conf'
+maybe chmod 0640 'libaudit.conf'
 maybe chmod 0755 'local.d'
 maybe chmod 0644 'local.d/README'
 maybe chmod 0644 'locale.conf'
diff --git a/audisp/audisp-remote.conf b/audisp/audisp-remote.conf
new file mode 100644
index 0000000..c7d1562
--- /dev/null
+++ b/audisp/audisp-remote.conf
@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit remote
+# logging subsystem, audisp-remote.
+#
+
+remote_server =
+port = 60
+##local_port =
+transport = tcp
+queue_file = /var/spool/audit/remote.log
+mode = immediate
+queue_depth = 2048
+format = managed
+network_retry_time = 1
+max_tries_per_record = 3
+max_time_per_record = 5
+heartbeat_timeout = 0
+
+network_failure_action = stop
+disk_low_action = ignore
+disk_full_action = warn_once
+disk_error_action = warn_once
+remote_ending_action = reconnect
+generic_error_action = syslog
+generic_warning_action = syslog
+queue_error = stop
+overflow_action = syslog
+
+##enable_krb5 = no
+##krb5_principal =
+##krb5_client_name = auditd
+##krb5_key_file = /etc/audisp/audisp-remote.key
diff --git a/audisp/audispd.conf b/audisp/audispd.conf
new file mode 100644
index 0000000..ee50e5b
--- /dev/null
+++ b/audisp/audispd.conf
@@ -0,0 +1,12 @@
+#
+# This file controls the configuration of the audit event
+# dispatcher daemon, audispd.
+#
+
+q_depth = 150
+overflow_action = SYSLOG
+priority_boost = 4
+max_restarts = 10
+name_format = HOSTNAME
+#name = mydomain
+
diff --git a/audisp/plugins.d/af_unix.conf b/audisp/plugins.d/af_unix.conf
new file mode 100644
index 0000000..a5ba8b1
--- /dev/null
+++ b/audisp/plugins.d/af_unix.conf
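Review bot: `transport = tcp` together with `##enable_krb5 = no` left commented out means the remote path, if it is ever switched on, would send audit events to `remote_server` with no authentication or encryption configured. Nothing is sent today: `remote_server =` is empty here and the plugin that would launch audisp-remote is `active = no` in plugins.d/au-remote.conf, so the exposure is only latent. If this host is meant to forward to a central logger, decide on `enable_krb5 = yes` with a `krb5_key_file` (or another protected channel) before the plugin is activated, and record that state above the server line, e.g. `# remote forwarding off (au-remote plugin inactive); configure krb5 before enabling`.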
@@ -0,0 +1,14 @@
+
+# This file controls the configuration of the
+# af_unix socket plugin. It simply takes events
+# and writes them to a unix domain socket. This
+# plugin can take 2 arguments, the path for the
+# socket and the socket permissions in octal.
+
+active = no
+direction = out
+path = builtin_af_unix
+type = builtin
+args = 0640 /var/run/audispd_events
+format = string
+
diff --git a/audisp/plugins.d/au-remote.conf b/audisp/plugins.d/au-remote.conf
new file mode 100644
index 0000000..e0adf96
--- /dev/null
+++ b/audisp/plugins.d/au-remote.conf
@@ -0,0 +1,12 @@
+
+# This file controls the audispd data path to the
+# remote event logger. This plugin will send events to
+# a remote machine (Central Logger).
+
+active = no
+direction = out
+path = /sbin/audisp-remote
+type = always
+#args =
+format = string
+
diff --git a/audisp/plugins.d/audispd-zos-remote.conf b/audisp/plugins.d/audispd-zos-remote.conf
new file mode 100644
index 0000000..13aef2c
--- /dev/null
+++ b/audisp/plugins.d/audispd-zos-remote.conf
@@ -0,0 +1,14 @@
+# This is the configuration for the audispd-zos-remote
+# audit dispatcher plugin - See audispd(8)
+#
+# Note that this specific plugin has a configuration file of
+# its own. The complete path for this file must be entered as
+# the argument for the plugin in the 'args' field below
+# See audispd-zos-remote(8)
+
+active = no
+direction = out
+path = /sbin/audispd-zos-remote
+type = always
+args = /etc/audisp/zos-remote.conf
+format = string
diff --git a/audisp/plugins.d/syslog.conf b/audisp/plugins.d/syslog.conf
new file mode 100644
index 0000000..7d7dbd7
--- /dev/null
+++ b/audisp/plugins.d/syslog.conf
@@ -0,0 +1,14 @@
+# This file controls the configuration of the syslog plugin.
+# It simply takes events and writes them to syslog. The
+# arguments provided can be the default priority that you
+# want the events written with. And optionally, you can give
+# a second argument indicating the facility that you want events
+# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
+# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.
+
+active = no
+direction = out
+path = builtin_syslog
+type = builtin
+args = LOG_INFO
+format = string
diff --git a/audisp/zos-remote.conf b/audisp/zos-remote.conf
new file mode 100644
index 0000000..8cf85f7
--- /dev/null
+++ b/audisp/zos-remote.conf
@@ -0,0 +1,10 @@
+## This is the configuration file for the audispd-zos-remote
+## Audit dispatcher plugin.
+## See zos-remote.conf(5) for more information
+
+server = zos_server.localdomain
+port = 389
+user = RACF_ID
+password = racf_password
+timeout = 15
+q_depth = 64
diff --git a/audit/audit-stop.rules b/audit/audit-stop.rules
new file mode 100644
index 0000000..7e23cff
--- /dev/null
+++ b/audit/audit-stop.rules
@@ -0,0 +1,8 @@
+# These rules are loaded when the audit daemon stops
+# if configured to do so.
+
+# Disable auditing
+-e 0
+
+# Delete all rules
+-D
diff --git a/audit/audit.rules b/audit/audit.rules
new file mode 100644
index 0000000..a53a703
--- /dev/null
+++ b/audit/audit.rules
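Review bot: `password = racf_password` in audisp/zos-remote.conf is a credential field in a file this etckeeper repository now tracks, so any real value entered later is committed into git history next to `user = RACF_ID`. The placeholder itself exposes nothing: the plugin is `active = no` in plugins.d/audispd-zos-remote.conf and the .etckeeper hunk records the file as mode 0640. The risk is the day it is filled in; either exclude this file from tracking before configuring it, or state the constraint inline above the line, `## do not put a real RACF password here: this file is under version control`.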
@@ -0,0 +1,26 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
+
+# Feel free to add below this line. See auditctl man page
+
+# The following rule would cause all of the syscalls listed to be ignored in logging.
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+
+# The following rule would cause the capture of all systems not caught above.
+# -a exit,always -S all
+
+# Increase the buffers to survive stress events
+-b 8192
+
+# vim:ft=conf:
diff --git a/audit/audit.rules.stop.post b/audit/audit.rules.stop.post
new file mode 100644
index 0000000..04d81dd
--- /dev/null
+++ b/audit/audit.rules.stop.post
@@ -0,0 +1,13 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+#
+# This file contains the auditctl rules that are loaded immediately after the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# Not used for the default Gentoo configuration as of v1.2.3
+# Paranoid security types might wish to reconfigure kauditd here.
+
+# vim:ft=conf:
diff --git a/audit/audit.rules.stop.pre b/audit/audit.rules.stop.pre
new file mode 100644
index 0000000..7fc0d84
--- /dev/null
+++ b/audit/audit.rules.stop.pre
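Review bot: The two `-a exit,never` rules in audit/audit.rules sit above the `# Feel free to add below this line` comment, and since a matching `never` rule suppresses the event, any `always` rule appended below for `open`, `read`, `write`, `stat`, `mmap` or the other listed syscalls would be silently shadowed on both arches — exactly where the file invites new rules to go. As committed, the effective set is `-D`, the two suppressions and `-b 8192`; `# -a exit,always -S all` stays commented and there is no `-e 1`, so the kernel has no capture rules after start and the trail holds little beyond the daemon's own start/stop events. This reads as the Gentoo package default; if the host is meant to audit anything, move the suppressions after the site rules (or drop them), add the watch/syscall rules the host needs, and consider ending the file with `-e 1`.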
@@ -0,0 +1,16 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+#
+# This file contains the auditctl rules that are loaded immediately before the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# auditd is stopping, don't capture events anymore
+-D
+
+# Disable kernel generating audit events
+-e 0
+
+# vim:ft=conf:
diff --git a/audit/auditd.conf b/audit/auditd.conf
new file mode 100644
index 0000000..50fbde8
--- /dev/null
+++ b/audit/auditd.conf
@@ -0,0 +1,36 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+local_events = yes
+write_logs = yes
+log_file = /var/log/audit/audit.log
+log_group = root
+log_format = RAW
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
+num_logs = 5
+priority_boost = 4
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+use_libwrap = yes
+##tcp_listen_port =
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
+distribute_network = no
diff --git a/conf.d/auditd b/conf.d/auditd
new file mode 100644
index 0000000..923e937
--- /dev/null
+++ b/conf.d/auditd
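Review bot: `admin_space_left_action = SUSPEND`, `disk_full_action = SUSPEND` and `disk_error_action = SUSPEND` in audit/auditd.conf mean that on low disk, a full disk or a write error the daemon keeps running but stops writing records (per auditd.conf(5)), so the resulting gap in the trail is visible only through the earlier `space_left_action = SYSLOG` message at `space_left = 75` and whatever mail to `action_mail_acct = root` is read. With `max_log_file = 8`, `num_logs = 5` and `max_log_file_action = ROTATE`, local retention is on the order of 40 MB before the oldest log is discarded, and with the au-remote plugin inactive (plugins.d/au-remote.conf) that local copy is the only one. These appear to be the packaged defaults; if the trail matters on this host, record the decision with a comment above the three SUSPEND lines, e.g. `# SUSPEND: auditd stays up but stops logging; reconsider if audit loss must be fatal`, or choose a stricter action and larger retention.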
@@ -0,0 +1,23 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+# Configuration options for auditd
+# -f for foreground mode
+# There are some other options as well, but you'll have to look in the source
+# code to find them as they aren't ready for use yet.
+EXTRAOPTIONS=''
+
+# Audit rules file to run after starting auditd
+RULEFILE_STARTUP=/etc/audit/audit.rules
+
+# Audit rules file to run before and after stopping auditd
+RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
+RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
+
+# If you want to enforce a certain locale for auditd,
+# uncomment one of the next lines:
+#AUDITD_LANG=none
+AUDITD_LANG=C
+#AUDITD_LANG=en_US
+#AUDITD_LANG=en_US.UTF-8
diff --git a/init.d/auditd b/init.d/auditd
new file mode 100755
index 0000000..33c932a
--- /dev/null
+++ b/init.d/auditd
@@ -0,0 +1,91 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_started_commands='reload reload_auditd reload_rules'
+description='Linux Auditing System'
+description_reload='Reload daemon configuration and rules'
+description_reload_rules='Reload daemon rules'
+description_reload_auditd='Reload daemon configuration'
+
+name='auditd'
+pidfile='/var/run/auditd.pid'
+command='/sbin/auditd'
+
+start_auditd() {
+ # Env handling taken from the upstream init script
+ if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
+ unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ else
+ LANG="$AUDITD_LANG"
+ LC_TIME="$AUDITD_LANG"
+ LC_ALL="$AUDITD_LANG"
+ LC_MESSAGES="$AUDITD_LANG"
+ LC_NUMERIC="$AUDITD_LANG"
+ LC_MONETARY="$AUDITD_LANG"
+ LC_COLLATE="$AUDITD_LANG"
+ export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ fi
+ unset HOME MAIL USER USERNAME
+
+ ebegin "Starting ${name}"
+ start-stop-daemon \
+ --start --quiet --pidfile ${pidfile} \
+ --exec ${command} -- ${EXTRAOPTIONS}
+ local ret=$?
+ eend $ret
+ return $ret
+}
+
+stop_auditd() {
+ ebegin "Stopping ${name}"
+ start-stop-daemon --stop --quiet --pidfile ${pidfile}
+ local ret=$?
+ eend $ret
+ return $ret
+}
+
+loadfile() {
+ local rules="$1"
+ if [ -n "${rules}" -a -f "${rules}" ]; then
+ einfo "Loading audit rules from ${rules}"
+ /sbin/auditctl -R "${rules}" >/dev/null
+ return $?
+ else
+ return 0
+ fi
+}
+
+start() {
+ start_auditd
+ local ret=$?
+ if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
+ loadfile "${RULEFILE_STARTUP}"
+ fi
+ return $ret
+}
+
+reload_rules() {
+ loadfile "${RULEFILE_STARTUP}"
+}
+
+reload_auditd() {
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP \
+ --exec "${command}" --pidfile "${pidfile}"
+ eend $?
+}
+
+reload() {
+ reload_auditd
+ reload_rules
+}
+
+stop() {
+ [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
+ stop_auditd
+ local ret=$?
+ [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
+ return $ret
+}
diff --git a/libaudit.conf b/libaudit.conf
new file mode 100644
index 0000000..90855d7
--- /dev/null
+++ b/libaudit.conf
@@ -0,0 +1,7 @@
+# This is the configuration file for libaudit tunables.
+# It is currently only used for the failure_action tunable.
+
+# failure_action can be: log, ignore, terminate
+failure_action = ignore
+
+
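Review bot: `start()` in init.d/auditd calls `loadfile "${RULEFILE_STARTUP}"` but returns only `start_auditd`'s status, so a failing `auditctl -R` (a syntax error in audit.rules, or a rule the kernel rejects) still reports the service as started, running with whatever partial rule set got through; `stop()` drops the status of its two `&& loadfile` calls the same way. At minimum surface it, `loadfile "${RULEFILE_STARTUP}" || ewarn "Failed to load audit rules from ${RULEFILE_STARTUP}"`, or fold the result into `ret` if a rule-load failure should fail the start. Separately, the `[ ... -o ... ]` in start_auditd and the `[ ... -a ... ]` tests in loadfile and start use the obsolescent test operators; since openrc-run scripts run under POSIX sh, chaining separate `[ ]` tests with `||` and `&&` is the portable form.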