From bd92490f20237768da0514173fc178fc7141f82e Mon Sep 17 00:00:00 2001 From: root Date: Tue, 17 Jul 2012 12:02:26 +0200 Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run --- audisp/audisp-remote.conf | 23 +++++++++++-- audisp/audispd.conf | 3 +- audisp/plugins.d/af_unix.conf | 2 +- audisp/plugins.d/syslog.conf | 9 ++++-- audit/audit.rules | 11 ++++--- audit/auditd.conf | 13 ++++++-- conf.d/auditd | 11 +++++-- init.d/auditd | 61 ++++++++++++++++++++++++++++------- 8 files changed, 105 insertions(+), 28 deletions(-) diff --git a/audisp/audisp-remote.conf b/audisp/audisp-remote.conf index 93d01c1..608e070 100644 --- a/audisp/audisp-remote.conf +++ b/audisp/audisp-remote.conf @@ -5,8 +5,27 @@ remote_server = port = 60 +##local_port = transport = tcp +queue_file = /var/spool/audit/remote.log mode = immediate -queue_depth = 20 -fail_action = SYSLOG +queue_depth = 2048 +format = managed +network_retry_time = 1 +max_tries_per_record = 3 +max_time_per_record = 5 +heartbeat_timeout = 0 +network_failure_action = stop +disk_low_action = ignore +disk_full_action = ignore +disk_error_action = syslog +remote_ending_action = suspend +generic_error_action = syslog +generic_warning_action = syslog +overflow_action = syslog + +##enable_krb5 = no +##krb5_principal = +##krb5_client_name = auditd +##krb5_key_file = /etc/audisp/audisp-remote.key diff --git a/audisp/audispd.conf b/audisp/audispd.conf index 9989dc2..eff4103 100644 --- a/audisp/audispd.conf +++ b/audisp/audispd.conf @@ -3,9 +3,10 @@ # dispatcher daemon, audispd. # -q_depth = 80 +q_depth = 120 overflow_action = SYSLOG priority_boost = 4 +max_restarts = 10 name_format = HOSTNAME #name = mydomain diff --git a/audisp/plugins.d/af_unix.conf b/audisp/plugins.d/af_unix.conf index 8bba3e3..a5ba8b1 100644 --- a/audisp/plugins.d/af_unix.conf +++ b/audisp/plugins.d/af_unix.conf 
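Review bot: `disk_low_action = ignore` and `disk_full_action = ignore` in the audisp-remote.conf hunk mean that when the filesystem holding `queue_file = /var/spool/audit/remote.log` runs low or fills, the plugin carries on with no notification, so events buffered for the remote server can be lost without a trace; `disk_low_action = syslog` and `disk_full_action = syslog`, the value the same hunk already picks for `disk_error_action`, would at least leave a record. Read together with `network_failure_action = stop` here and the new `max_restarts = 10` in the audispd.conf hunk on this line, each outage appears to end the plugin and audispd brings it back only a bounded number of times, after which remote shipping stops quietly unless something external watches for it — if that is intended, a comment next to `max_restarts` saying so would help the next reader. `remote_server` is left empty and `transport = tcp` sits next to a commented-out `##enable_krb5 = no`, so I assume the plugin is not live yet; if it is enabled later, the stream leaves the host unauthenticated and in the clear unless the krb5 lines are turned on at the same time.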
@@ -5,7 +5,7 @@ # plugin can take 2 arguments, the path for the # socket and the socket permissions in octal. -active = yes +active = no direction = out path = builtin_af_unix type = builtin diff --git a/audisp/plugins.d/syslog.conf b/audisp/plugins.d/syslog.conf index a0c9df7..d603b2f 100644 --- a/audisp/plugins.d/syslog.conf +++ b/audisp/plugins.d/syslog.conf @@ -1,6 +1,9 @@ -# This file controls the configuration of the -# syslog plugin. It simply takes events and writes -# them to syslog. +# This file controls the configuration of the syslog plugin. +# It simply takes events and writes them to syslog. The +# arguments provided can be the default priority that you +# want the events written with. And optionally, you can give +# a second argument indicating the facility that you want events +# logged to. Valid options are LOG_LOCAL0 through 7. active = no direction = out diff --git a/audit/audit.rules b/audit/audit.rules index 9d9578e..b2b4f02 100644 --- a/audit/audit.rules +++ b/audit/audit.rules @@ -1,6 +1,6 @@ -# Copyright 1999-2005 Gentoo Foundation +# Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules,v 1.1 2006/06/22 07:41:46 robbat2 Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $ # # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. 
@@ -14,12 +14,13 @@ # Feel free to add below this line. See auditctl man page # The following rule would cause all of the syscalls listed to be ignored in logging. -# -a entry,never -S read -S write -S open -S fstat -S fstat64 -S mmap -S brk -S munmap -S _llseek -S nanosleep -S fcntl64 -S close -S dup2 -S rt_sigaction -S stat64 -S stat +-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat +-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat # The following rule would cause the capture of all systems not caught above. -# -a entry,always -S all +# -a exit,always -S all # Increase the buffers to survive stress events --b 256 +-b 8192 # vim:ft=conf: diff --git a/audit/auditd.conf b/audit/auditd.conf index e8071a0..fdc93f0 100644 --- a/audit/auditd.conf +++ b/audit/auditd.conf @@ -8,12 +8,12 @@ log_group = root priority_boost = 4 flush = INCREMENTAL freq = 20 -num_logs = 4 +num_logs = 5 disp_qos = lossy dispatcher = /sbin/audispd name_format = NONE ##name = mydomain -max_log_file = 5 +max_log_file = 6 max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG @@ -22,4 +22,11 @@ admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND - +##tcp_listen_port = +tcp_listen_queue = 5 +tcp_max_per_addr = 1 +##tcp_client_ports = 1024-65535 +tcp_client_max_idle = 0 +enable_krb5 = no +krb5_principal = auditd +##krb5_key_file = /etc/audit/audit.key diff --git a/conf.d/auditd b/conf.d/auditd index e722286..b5f389e 100644 --- a/conf.d/auditd +++ b/conf.d/auditd 
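Review bot: The two `-a exit,never -F arch=b32/b64 -S read -S write -S open …` rules are now active rather than commented out, and because they sit above the `# Feel free to add below this line` area, any rule added later — file watches in particular — will, as far as I know the exit filter list, never see an `open`, `read` or `write` of the watched path: the first matching rule decides, and `never` suppresses the event. The comment above them still reads `# The following rule would cause all of the syscalls listed to be ignored in logging.`, which described a dormant example; now that they are live I would reword it to `# These rules exclude the listed syscalls from ALL later rules, including -w file watches; drop -S open here if file-access auditing is wanted.` `-b 8192` is fine on its own, but it only makes buffer exhaustion less likely, not impossible, so it is no substitute for reviewing what the never rules discard.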
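Review bot: The new listener block in the second auditd.conf hunk sets `enable_krb5 = no` and `tcp_client_max_idle = 0` while `##tcp_listen_port` and `##tcp_client_ports = 1024-65535` stay commented, so nothing listens yet — but the moment someone uncomments the port, auditd will accept unauthenticated audit streams from any source port with no idle check, and `tcp_max_per_addr = 1` is the only limit in place. If the listener is meant to stay off, say so in the file: `# Listener disabled; do not uncomment tcp_listen_port without enable_krb5 = yes, or clients are unauthenticated`. The `num_logs`/`max_log_file` bump in the first auditd.conf hunk on this line needs no comment.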
@@ -1,6 +1,6 @@ -# Copyright 1999-2005 Gentoo Foundation +# Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-conf.d-1.2.3,v 1.1 2006/06/22 07:41:46 robbat2 Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-conf.d-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $ # Configuration options for auditd # -f for foreground mode @@ -14,3 +14,10 @@ RULEFILE_STARTUP=/etc/audit/audit.rules # Audit rules file to run before and after stopping auditd RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post + +# If you want to enforce a certain locale for auditd, +# uncomment one of the next lines: +#AUDITD_LANG=none +AUDITD_LANG=C +#AUDITD_LANG=en_US +#AUDITD_LANG=en_US.UTF-8 diff --git a/init.d/auditd b/init.d/auditd index 862a6be..6ac218d 100755 --- a/init.d/auditd +++ b/init.d/auditd 
@@ -1,22 +1,46 @@ #!/sbin/runscript -# Copyright 1999-2005 Gentoo Foundation +# Copyright 1999-2011 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-init.d-1.2.3,v 1.1 2006/06/22 07:41:46 robbat2 Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-init.d-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $ + +extra_started_commands='reload reload_auditd reload_rules' +description='Linux Auditing System' +description_reload='Reload daemon configuration and rules' +description_reload_rules='Reload daemon rules' +description_reload_auditd='Reload daemon configuration' + +name='auditd' +pidfile='/var/run/auditd.pid' +command='/sbin/auditd' start_auditd() { - ebegin "Starting auditd" + # Env handling taken from the upstream init script + if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then + unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + else + LANG="$AUDITD_LANG" + LC_TIME="$AUDITD_LANG" + LC_ALL="$AUDITD_LANG" + LC_MESSAGES="$AUDITD_LANG" + LC_NUMERIC="$AUDITD_LANG" + LC_MONETARY="$AUDITD_LANG" + LC_COLLATE="$AUDITD_LANG" + export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + fi + unset HOME MAIL USER USERNAME + + ebegin "Starting ${name}" start-stop-daemon \ - --start --quiet --pidfile /var/run/auditd.pid \ - --exec /sbin/auditd -- ${EXTRAOPTIONS} + --start --quiet --pidfile ${pidfile} \ + --exec ${command} -- ${EXTRAOPTIONS} local ret=$? eend $ret return $ret } stop_auditd() { - ebegin "Stopping auditd" - start-stop-daemon \ - --stop --quiet --pidfile /var/run/auditd.pid + ebegin "Stopping ${name}" + start-stop-daemon --stop --quiet --pidfile ${pidfile} local ret=$? eend $ret return $ret 
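Review bot: `[ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]` in start_auditd relies on the deprecated and ambiguous `-o`; `[ -z "$AUDITD_LANG" ] || [ "$AUDITD_LANG" = none ] || [ "$AUDITD_LANG" = NONE ]` says the same thing portably. `${pidfile}` and `${command}` are passed to start-stop-daemon unquoted; they are literals here, but `--pidfile "${pidfile}" --exec "${command}"` keeps the script safe if either is ever made configurable. A short header on the new locale block — what `AUDITD_LANG=none` means and why HOME, MAIL, USER and USERNAME are unset before the daemon is started — would help, since the only hint is `# Env handling taken from the upstream init script`. stop_auditd's closing brace lies outside the hunk.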
@@ -37,17 +61,32 @@ loadfile() { start() { start_auditd local ret=$? - if [ $ret -eq 0 ]; then + if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then + touch /var/lock/subsys/${name} loadfile "${RULEFILE_STARTUP}" fi return $ret } +reload_rules() { + loadfile "${RULEFILE_STARTUP}" +} + +reload_auditd() { + [ -f ${pidfile} ] && kill -HUP `cat ${pidfile}` +} + +reload() { + reload_auditd + reload_rules +} + stop() { - loadfile "${RULEFILE_STOP_PRE}" + [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}" stop_auditd + rm -f /var/lock/subsys/${name} local ret=$? - loadfile "${RULEFILE_STOP_POST}" + [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}" return $ret } -- 2.39.5
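Review bot: In stop(), `local ret=$?` now follows `rm -f /var/lock/subsys/${name}` instead of `stop_auditd`, so it records rm's exit status (practically always 0) and stop() reports success even when the daemon failed to stop; swap the two lines so `local ret=$?` directly follows `stop_auditd`. reload_auditd sends `kill -HUP` to whatever PID the pidfile holds with no check that the process is still auditd, so a stale pidfile would signal an unrelated process; `start-stop-daemon --stop --signal HUP --pidfile "${pidfile}" --exec "${command}"` does the PID/executable match for you, and `$(…)` should replace the backticks if the plain kill is kept. With `[ -f ${pidfile} ] && …` as its last command, reload_auditd also returns 1 when the pidfile is absent, and reload() ignores that and goes on to reload the rules. `touch /var/lock/subsys/${name}` in start() presumably fails silently where that directory does not exist; if the lock file matters to something, the directory should be created or the touch checked.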