system/audit: Added (Auditing System Daemon)

Signed-off-by: Robby Workman <rworkman@slackbuilds.org>
2010-06-13 02:11:41 -05:00 · 2010-06-13 02:11:41 -05:00 · 51963c9cc9
parent feb4d19f4b
commit 51963c9cc9
7 changed files with 245 additions and 0 deletions
--- a/system/audit/README
+++ b/system/audit/README
@ -0,0 +1,16 @@
+Audit for Slackware
+
+The Linux Auditing System is a kernel subsystem the allows the kernel to 
+record events of interest to intrusion detection systems, such as file 
+access attempts, specific system calls, or custom events generated by 
+trusted system binaries like login or sshd.  The audit package provides the 
+tools to configure the audit system, and to collect and process its output.
+
+To collect audit events, your kernel must have the audit system enabled, 
+which is present in the stock Slackware kernels.
+
+The audit package has no other dependencies. However, certain audit events 
+of interest, such as failed login attempts from /bin/login, password changes, 
+etcetera are generated by their respective binaries using libaudit.  If your 
+site policy requires auditing those events, some reconfiguration and/or 
+patching may be required.
--- a/system/audit/README.SLACKWARE
+++ b/system/audit/README.SLACKWARE
@ -0,0 +1,16 @@
+# NOTES:
+# This slackbuild won't do much unless you rebuild your kernel with audit enabled.
+# Optionally you can enable syscall-level audit.
+#
+# RULES: 
+# Some example rulesets are available at /usr/doc/audit-2.0.4/contrib
+# stig.rules is an example ruleset for systems that are subject to the US Department of Defense
+# UNIX STIG audit requirement, although I read recently on the gov-sec@ Redhat list that
+# they hadn't been updating it religiously.
+#
+# ROTATION:
+# The audit log (/var/log/audit/audit.log) is rotated on a size basis automatically by auditd. 
+# Periodic rotation (i.e. logrotate) is a bad idea for audit, since an attacker could trigger a 
+# common event rapidly to exhaust log space, then do something nefarious that would go unaudited.
+# This package uses the default rotation size of 8MB.
+
--- a/system/audit/audit-2.0.4-sysconfig.diff
+++ b/system/audit/audit-2.0.4-sysconfig.diff
@ -0,0 +1,21 @@
+diff -Nur audit-2.0.4.orig//init.d/auditd.init audit-2.0.4/init.d/auditd.init
+--- audit-2.0.4.orig//init.d/auditd.init	2009-12-07 15:16:41.000000000 -0600
+++ audit-2.0.4/init.d/auditd.init	2010-06-13 02:07:13.368552889 -0500
+@@ -9,7 +9,7 @@
+ #              will be sent to syslog.
+ #
+ # processname: /sbin/auditd
+-# config: /etc/sysconfig/auditd
+# config: /etc/rc.d/rc.auditd.conf
+ # config: /etc/audit/auditd.conf
+ # pidfile: /var/run/auditd.pid
+ #
+@@ -42,7 +42,7 @@
+ test $EUID = 0  ||  exit 4
+ 
+ # Check config
+-test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
+test -f /etc/rc.d/rc.auditd.conf && . /etc/rc.d/rc.auditd.conf
+ 
+ RETVAL=0
+ 
--- a/system/audit/audit.SlackBuild
+++ b/system/audit/audit.SlackBuild
@ -0,0 +1,127 @@
+#!/bin/sh
+
+# Copyright 2010,  R. Andrew Bailey, Chantilly, VA  USA
+# All rights reserved.
+#
+#   Permission to use, copy, modify, and distribute this software for
+#   any purpose with or without fee is hereby granted, provided that
+#   the above copyright notice and this permission notice appear in all
+#   copies.
+#
+#   THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+#   WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+#   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+#   IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
+#   CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+#   SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+#   LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+#   USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+#   ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+#   OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+#   OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+#   SUCH DAMAGE.
+
+PRGNAM=audit
+VERSION=${VERSION:-2.0.4}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+  case "$( uname -m )" in
+    i?86) ARCH=i486 ;;
+    arm*) ARCH=arm ;;
+    # Unless $ARCH is already set, use uname -m for all other archs:
+       *) ARCH=$( uname -m ) ;;
+  esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+  SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+  SLKCFLAGS="-O2"
+  LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+  SLKCFLAGS="-O2 -fPIC"
+  LIBDIRSUFFIX="64"
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+
+chown -R root:root .
+find . \
+  \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+  -exec chmod 755 {} \; -o \
+  \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+  -exec chmod 644 {} \;
+
+# Init should check /etc/rc.d/rc.auditd.conf instead of /etc/sysconfig/auditd
+patch -p1 < $CWD/audit-2.0.4-sysconfig.diff
+
+CXXFLAGS="$SLKCFLAGS" \
+CFLAGS="$SLKCFLAGS" \
+./configure \
+  --prefix=/usr \
+  --libdir=/usr/lib${LIBDIRSUFFIX} \
+  --localstatedir=/var \
+  --sysconfdir=/etc \
+  --mandir=/usr/man \
+  --disable-static \
+  --program-prefix= \
+  --program-suffix= \
+  --sbindir=/sbin \
+  --build=$ARCH-slackware-linux
+
+make
+make DESTDIR=$PKG install
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" \
+  | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+# audispd must be 0750 to run
+chmod 0750 $PKG/sbin/audispd
+
+mkdir -p $PKG/etc/rc.d
+mv $PKG/etc/sysconfig/auditd $PKG/etc/rc.d/rc.auditd.conf.new
+mv $PKG/etc/rc.d/init.d/auditd $PKG/etc/rc.d/rc.auditd.new
+rm -rf $PKG/etc/rc.d/init.d $PKG/etc/sysconfig 
+
+# Change config files to .new:
+for i in $(find $PKG/etc -type f -name "*.rules" -o -name "*.conf") ; do mv $i $i.new; done 
+
+mkdir -p $PKG/var/log/audit $PKG/var/lock/subsys
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a \
+  AUTHORS COPYING ChangeLog INSTALL NEWS README TODO contrib \
+  $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
+find $PKG/usr/doc -type f -exec chmod 0644 {} \;
+find $PKG/usr/doc -size 0 -exec rm {} \;
+
+find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \;
+for i in $(find $PKG/usr/man -type l -name "*.?") ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
--- a/system/audit/audit.info
+++ b/system/audit/audit.info
@ -0,0 +1,10 @@
+PRGNAM="audit"
+VERSION="2.0.4"
+HOMEPAGE="http://people.redhat.com/sgrubb/audit/"
+DOWNLOAD="http://people.redhat.com/sgrubb/audit/audit-2.0.4.tar.gz"
+MD5SUM="91eee3f3869dd79123a45c2775f3e85e"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Andy Bailey"
+EMAIL="bailey@akamai.com"
+APPROVED="rworkman"
--- a/system/audit/doinst.sh
+++ b/system/audit/doinst.sh
@ -0,0 +1,36 @@
+config() {
+  NEW="$1"
+  OLD="$(dirname $NEW)/$(basename $NEW .new)"
+  # If there's no config file by that name, mv it over:
+  if [ ! -r $OLD ]; then
+    mv $NEW $OLD
+  elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+    # toss the redundant copy
+    rm $NEW
+  fi
+  # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+  NEW="$1"
+  OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+  if [ -e ${OLD} ]; then
+    cp -a ${OLD} ${NEW}.incoming
+    cat ${NEW} > ${NEW}.incoming
+    mv ${NEW}.incoming ${NEW}
+  fi
+  config ${NEW}
+}
+
+preserve_perms etc/rc.d/rc.auditd.new
+config etc/rc.d/rc.auditd.conf.new
+config etc/audit/audit.rules.new
+config etc/audit/auditd.conf.new
+config etc/audisp/audispd.conf.new
+config etc/audisp/zos-remote.conf.new
+config etc/audisp/plugins.d/af_unix.conf.new
+config etc/audisp/plugins.d/au-remote.conf.new
+config etc/audisp/plugins.d/audispd-zos-remote.conf.new
+config etc/audisp/plugins.d/syslog.conf.new
+config etc/audisp/audisp-remote.conf.new
+
--- a/system/audit/slack-desc
+++ b/system/audit/slack-desc
@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.  Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in.  You must
+# make exactly 11 lines for the formatting to be correct.  It's also
+# customary to leave one space after the ':'.
+
+     |-----handy-ruler------------------------------------------------------|
+audit: audit (Linux Kernel Audit Framework)
+audit:
+audit: The audit package contains the user space utilities for storing and
+audit: searching the audit records generate by the audit subsystem in the 
+audit: Linux 2.6 kernel. 
+audit:
+audit: The audit subsystem, which is not enabled in stock Slackware kernels
+audit: must be enabled and the kernel rebuilt in order to use auditd
+audit:
+audit:
+audit: