rpms/audit/FC-6 audit-1.5.patch,NONE,1.1 audit.spec,1.121,1.122

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Sat Mar 3 15:24:35 UTC 2007


Author: sgrubb

Update of /cvs/dist/rpms/audit/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv7921

Modified Files:
	audit.spec 
Added Files:
	audit-1.5.patch 
Log Message:
* Sat Mar 03 2007 Steve Grubb <sgrubb at redhat.com> 1.4.2-3
- Added NISPOM sample rules
- Verify accessibility of files passed in auparse_init
- Fix bug in parser library interpreting socketcalls
- Add support for stdio FILE pointer in auparse_init
- Adjust init script to allow anyone to status auditd (#230626)


audit-1.5.patch:
 auparse/auparse-defs.h |    2 
 auparse/auparse.c      |   18 ++
 auparse/ellist.c       |    2 
 auparse/interpret.c    |    2 
 auparse/test/Makefile  |    2 
 contrib/nispom.rules   |   91 ++++++++++++
 docs/auparse_init.3    |    1 
 init.d/auditd.init     |   16 +-
 src/auditd-config.c    |  367 ++++++++++++++++++++++++-------------------------
 9 files changed, 308 insertions(+), 193 deletions(-)

--- NEW FILE audit-1.5.patch ---
diff -urp audit-1.4.2/auparse/auparse.c audit-1.5.1/auparse/auparse.c
--- audit-1.4.2/auparse/auparse.c	2007-02-19 15:19:12.000000000 -0500
+++ audit-1.5.1/auparse/auparse.c	2007-03-02 16:27:22.000000000 -0500
@@ -101,11 +101,13 @@ auparse_state_t *auparse_init(ausource_t
 		case AUSOURCE_LOGS:
 			if (geteuid()) {
 				errno = EPERM;
-				return NULL;
+				goto bad_exit;
 			}
 			setup_log_file_array(au);
 			break;
 		case AUSOURCE_FILE:
+			if (access(b, R_OK))
+				goto bad_exit;
 			tmp = malloc(2*sizeof(char *));
 			tmp[0] = strdup(b);
 			tmp[1] = NULL;
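Review bot: The new `access(b, R_OK)` on the AUSOURCE_FILE branch (and the per-entry check in the AUSOURCE_FILE_ARRAY hunk that follows) answers for the process's real uid/gid, while the open of the file that presumably happens later in the library runs with the effective credentials, so for a privileged caller the two can disagree; it is also a check-then-use pair, so that later open still has to be error-checked on its own. A comment at the check would keep the next reader from treating it as the real guard: `/* early readability hint only: access() uses the real uid; the actual open must still be checked */`. The errno left by a failing access() is what the bad_exit path returns with, which is useful, so do not clobber it. auparse_init starts before this hunk and continues past it.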
@@ -113,8 +115,11 @@ auparse_state_t *auparse_init(ausource_t
 			break;
 		case AUSOURCE_FILE_ARRAY:
 			n = 0;
-			while (bb[n])
+			while (bb[n]) {
+				if (access(bb[n], R_OK))
+					goto bad_exit;
 				n++;
+			}
 			tmp = malloc(n*sizeof(char *));
 			for (i=0; i<n; i++)
 				tmp[i] = strdup(bb[i]);
@@ -142,6 +147,10 @@ auparse_state_t *auparse_init(ausource_t
 			au->in = fdopen(n, "r");
 			au->source_list = NULL;
 			break;
+		case AUSOURCE_FILE_POINTER:
+			au->in = (FILE *)b;
+			au->source_list = NULL;
+			break;
 		default:
 			errno = EINVAL;
 			return NULL;
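Review bot: The new AUSOURCE_FILE_POINTER case stores `(FILE *)b` without checking it, so a NULL `b` is accepted at init time and only fails later when the stream is read; a guard such as `if (b == NULL) { errno = EINVAL; goto bad_exit; }` before the assignment keeps the failure where the caller expects it. In the same hunk the `default:` branch still does `return NULL;` after setting errno, which leaks `au` now that the commit introduces a `bad_exit` label for exactly this — it should be `goto bad_exit;` as well. auparse_init continues outside this hunk.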
@@ -161,6 +170,9 @@ auparse_state_t *auparse_init(ausource_t
 	au->search_how = AUSEARCH_RULE_CLEAR;
 
 	return au;
+bad_exit:
+	free(au);
+	return NULL;
 }
 
 
@@ -177,6 +189,7 @@ int auparse_reset(auparse_state_t *au)
 		case AUSOURCE_LOGS:
 		case AUSOURCE_FILE:
 		case AUSOURCE_FILE_ARRAY:
+		case AUSOURCE_FILE_POINTER:
 			if (au->in) {
 				fclose(au->in);
 				au->in = NULL;
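Review bot: Adding AUSOURCE_FILE_POINTER to the fclose() group means auparse_reset now closes a stdio stream that the caller opened and still holds; if the caller also fclose()s it, that is a double close, which is undefined behaviour. Either the man page entry for AUSOURCE_FILE_POINTER should state that the library takes ownership of the FILE and will close it, or this case should only drop the reference, `au->in = NULL;`, without the fclose. The same ownership question applies to whatever teardown path frees the state, which is outside this hunk. auparse_reset starts before this hunk.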
@@ -452,6 +465,7 @@ static int retrieve_next_line(auparse_st
 	switch (au->source)
 	{
 		case AUSOURCE_DESCRIPTOR:
+		case AUSOURCE_FILE_POINTER:
 			// loop reading lines from a descriptor
 			do {
 				// Get next buffer from file
diff -urp audit-1.4.2/auparse/auparse-defs.h audit-1.5.1/auparse/auparse-defs.h
--- audit-1.4.2/auparse/auparse-defs.h	2007-02-16 13:55:40.000000000 -0500
+++ audit-1.5.1/auparse/auparse-defs.h	2007-03-02 16:23:51.000000000 -0500
@@ -35,7 +35,7 @@ extern "C" {
 /* This tells the library where the data source is located */
 typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_FILE_ARRAY, 
 	AUSOURCE_BUFFER, AUSOURCE_BUFFER_ARRAY,
-	AUSOURCE_DESCRIPTOR } ausource_t;
+	AUSOURCE_DESCRIPTOR, AUSOURCE_FILE_POINTER } ausource_t;
 
 /* This defines the types of searches that can be done */
 typedef enum { AUSEARCH_UNSET, AUSEARCH_EXISTS, AUSEARCH_EQUAL,
diff -urp audit-1.4.2/auparse/ellist.c audit-1.5.1/auparse/ellist.c
--- audit-1.4.2/auparse/ellist.c	2007-02-16 09:45:12.000000000 -0500
+++ audit-1.5.1/auparse/ellist.c	2007-03-02 15:59:34.000000000 -0500
@@ -124,7 +124,7 @@ static int parse_up_record(rnode* r)
 			nvlist_append(&r->nv, &n);
 			if (r->nv.cnt == 1 && strcmp(n.name, "type") == 0) {
 				r->type = audit_name_to_msg_type(n.val);
-			} else if(r->nv.cnt == 7 && strcmp(n.name, "a0") == 0){
+			} else if(r->nv.cnt == 6 && strcmp(n.name, "a0") == 0){
 				errno = 0;
 				r->a0 = strtoull(n.val, NULL, 16);
 				if (errno)
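Review bot: The changed literal (7 to 6) on the `a0` test is a positional magic number whose meaning — which name=value slot a0 is expected to occupy in the record — is stated nowhere in the hunk, so the next reader cannot tell whether 6 is right without re-deriving it. A comment on that line would carry the reasoning: `/* a0 is expected as the 6th name=value pair of a syscall record; capture it only from that slot */`. Because the match is positional, a record variant with a different number of leading fields would presumably skip the a0 capture silently, which is worth noting there too. parse_up_record starts before this hunk.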
diff -urp audit-1.4.2/auparse/interpret.c audit-1.5.1/auparse/interpret.c
--- audit-1.4.2/auparse/interpret.c	2007-02-19 13:51:51.000000000 -0500
+++ audit-1.5.1/auparse/interpret.c	2007-03-02 16:15:50.000000000 -0500
@@ -402,7 +402,7 @@ static const char *print_syscall(const c
 	char *out;
         int ival;
 
-        if (machine <= 0)
+        if (machine < 0)
                 machine = audit_detect_machine();
         if (machine < 0) {
                 out = strdup(val);
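Review bot: Relaxing `machine <= 0` to `machine < 0` makes 0 a valid, already-detected machine value, which is presumably the intent (the first enum value), but nothing on the line says so and the old condition suggests someone once thought otherwise. A comment would pin it: `/* 0 is a valid machine type; only a negative value means not detected yet */`. print_syscall starts before this hunk and continues past it.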
diff -urp audit-1.4.2/auparse/test/Makefile audit-1.5.1/auparse/test/Makefile
--- audit-1.4.2/auparse/test/Makefile	2007-03-03 10:04:32.000000000 -0500
+++ audit-1.5.1/auparse/test/Makefile	2007-03-02 16:17:38.000000000 -0500
@@ -4,7 +4,7 @@ LIBS=-lauparse -laudit
 
 all: auparse_test
 auparse_test: auparse_test.c
-	gcc $(CFLAGS) auparse_test.c -o auparse_test -L../.libs/ $(LIBS)
+	gcc $(CFLAGS) auparse_test.c -o auparse_test -L../.libs/ -L../../lib/.libs $(LIBS)
 
 check: auparse_test
 	./auparse_test 
diff -urp audit-1.4.2/docs/auparse_init.3 audit-1.5.1/docs/auparse_init.3
--- audit-1.4.2/docs/auparse_init.3	2007-02-16 15:17:38.000000000 -0500
+++ audit-1.5.1/docs/auparse_init.3	2007-03-02 16:29:06.000000000 -0500
@@ -17,6 +17,7 @@ auparse_init initializes an instance of 
 	AUSOURCE_BUFFER - use a buffer
 	AUSOURCE_BUFFER_ARRAY - use an array of buffers
 	AUSOURCE_DESCRIPTOR - use a particular descriptor
+	AUSOURCE_FILE_POINTER - use a stdio FILE pointer
 .fi
 
 The pointer 'b' is used to set the file name, array of filenames, the buffer address, or an array of pointers to buffers, or the descriptor number based on what source is given. When the data source is an array of files or buffers, you would create an array of pointers with the last one being a NULL pointer. Buffers should be NUL terminated.
diff -urp audit-1.4.2/init.d/auditd.init audit-1.5.1/init.d/auditd.init
--- audit-1.4.2/init.d/auditd.init	2007-02-16 09:22:34.000000000 -0500
+++ audit-1.5.1/init.d/auditd.init	2007-03-02 17:02:13.000000000 -0500
@@ -21,12 +21,20 @@
 # 7 - program is not running
 
 PATH=/sbin:/bin:/usr/bin:/usr/sbin
+prog="auditd"
+RETVAL=0
 
 # Source function library.
 . /etc/init.d/functions
 
+# Allow anyone to run status
+if [ "$1" = "status" ] ; then
+	status $prog
+	exit $RETVAL
+fi
+
 # Check that we are root ... so non-root users stop here
-test $EUID = 0  || exit 4
+test $EUID = 0  ||  exit 4
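Review bot: In the new early `status` branch, `exit $RETVAL` always exits 0, because `RETVAL=0` is set just above and `status $prog` does not assign RETVAL (unless the sourced functions library does so, which it is not known to do), so the exit codes enumerated in the header comment (the hunk shows `7 - program is not running`) are never reported for `status`. Use the function's own result instead: `status $prog` followed by `exit $?`. The branch also runs before /etc/sysconfig/auditd is sourced, which is fine only as long as status needs nothing from there.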
 
 # Check config
 test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
@@ -34,9 +42,6 @@ test -f /etc/sysconfig/auditd && . /etc/
 test -x /sbin/auditd  || exit 5
 test -f /etc/audit/auditd.conf  || exit 6
 
-RETVAL=0
-
-prog="auditd"
 
 start(){
     echo -n $"Starting $prog: "
@@ -114,9 +119,6 @@ case "$1" in
     stop)
 	stop
 	;;
-    status)
-	status $prog
-	;;
     restart)
 	restart
 	;;
diff -urp audit-1.4.2/src/auditd-config.c audit-1.5.1/src/auditd-config.c
--- audit-1.4.2/src/auditd-config.c	2007-02-20 17:44:20.000000000 -0500
+++ audit-1.5.1/src/auditd-config.c	2007-02-28 17:35:15.000000000 -0500
@@ -1,5 +1,5 @@
 /* auditd-config.c -- 
- * Copyright 2004-2006 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2004-2007 Red Hat Inc., Durham, North Carolina.
  * All Rights Reserved.
  *
  * This program is free software; you can redistribute it and/or modify
@@ -41,13 +41,15 @@
 struct nv_pair
 {
 	const char *name;
-	char *value;
+	const char *value;
+	const char *option;
 };
 
 struct kw_pair 
 {
 	const char *name;
-	int (*parser)(const char *, int, struct daemon_conf *);
+	int (*parser)(struct nv_pair *, int, struct daemon_conf *);
+	int options;
 };
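Review bot: The new `options` member of `struct kw_pair` and the new `option` member of `struct nv_pair` carry no comment saying what they hold, and the keyword table later in this file fills `options` with bare 0/1. Suggest `int options; /* 1 if the keyword accepts a trailing option token (e.g. the path after exec) */` and `const char *option; /* optional third token of the config line, NULL when absent */`. Since every parser in the patch only reads through `nv`, the callback could also be declared `int (*parser)(const struct nv_pair *, int, struct daemon_conf *);`.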
 
 struct nv_list
@@ -59,58 +61,61 @@ struct nv_list
 static char *get_line(FILE *f, char *buf);
 static int nv_split(char *buf, struct nv_pair *nv);
 static const struct kw_pair *kw_lookup(const char *val);
-static int log_file_parser(const char *val, int line, 
+static int log_file_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int num_logs_parser(const char *val, int line, 
+static int num_logs_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int qos_parser(const char *val, int line, 
+static int qos_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int dispatch_parser(const char *val, int line,
+static int dispatch_parser(struct nv_pair *nv, int line,
 		struct daemon_conf *config);
-static int max_log_size_parser(const char *val, int line, 
+static int max_log_size_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int max_log_size_action_parser(const char *val, int line, 
+static int max_log_size_action_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int log_format_parser(const char *val, int line, 
+static int log_format_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int flush_parser(const char *val, int line, struct daemon_conf *config);
-static int freq_parser(const char *val, int line, struct daemon_conf *config);
-static int space_left_parser(const char *val, int line, 
+static int flush_parser(struct nv_pair *nv, int line,
 		struct daemon_conf *config);
-static int space_action_parser(const char *val, int line, 
+static int freq_parser(struct nv_pair *nv, int line,
 		struct daemon_conf *config);
-static int action_mail_acct_parser(const char *val, int line, 
+static int space_left_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int admin_space_left_parser(const char *val, int line, 
+static int space_action_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int admin_space_left_action_parser(const char *val, int line, 
+static int action_mail_acct_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int disk_full_action_parser(const char *val, int line, 
+static int admin_space_left_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config);
-static int disk_error_action_parser(const char *val, int line, 
+static int admin_space_left_action_parser(struct nv_pair *nv, int line, 
+		struct daemon_conf *config);
+static int disk_full_action_parser(struct nv_pair *nv, int line, 
+		struct daemon_conf *config);
+static int disk_error_action_parser(struct nv_pair *nv, int line, 
+		struct daemon_conf *config);
+static int priority_boost_parser(struct nv_pair *nv, int line,
 		struct daemon_conf *config);
-static int priority_boost_parser(const char *val, int line, struct daemon_conf *config);
 static int sanity_check(struct daemon_conf *config);
 
 static const struct kw_pair keywords[] = 
 {
-  {"log_file",                 log_file_parser },
-  {"log_format",               log_format_parser },
-  {"flush",                    flush_parser },
-  {"freq",                     freq_parser },
-  {"num_logs",                 num_logs_parser },
-  {"dispatcher",               dispatch_parser },
-  {"disp_qos",                 qos_parser },
-  {"max_log_file",             max_log_size_parser },
-  {"max_log_file_action",      max_log_size_action_parser },
-  {"space_left",               space_left_parser },
-  {"space_left_action",        space_action_parser },
-  {"action_mail_acct",         action_mail_acct_parser },
-  {"admin_space_left",         admin_space_left_parser },
-  {"admin_space_left_action",  admin_space_left_action_parser },
-  {"disk_full_action",         disk_full_action_parser },
-  {"disk_error_action",        disk_error_action_parser },
-  {"priority_boost",           priority_boost_parser },
+  {"log_file",                 log_file_parser,			0 },
+  {"log_format",               log_format_parser,		0 },
+  {"flush",                    flush_parser,			0 },
+  {"freq",                     freq_parser,			0 },
+  {"num_logs",                 num_logs_parser,			0 },
+  {"dispatcher",               dispatch_parser,			0 },
+  {"disp_qos",                 qos_parser,			0 },
+  {"max_log_file",             max_log_size_parser,		0 },
+  {"max_log_file_action",      max_log_size_action_parser,	0 },
+  {"space_left",               space_left_parser,		0 },
+  {"space_left_action",        space_action_parser,		1 },
+  {"action_mail_acct",         action_mail_acct_parser,		0 },
+  {"admin_space_left",         admin_space_left_parser,		0 },
+  {"admin_space_left_action",  admin_space_left_action_parser,	1 },
+  {"disk_full_action",         disk_full_action_parser,		1 },
+  {"disk_error_action",        disk_error_action_parser,	1 },
+  {"priority_boost",           priority_boost_parser,		0 },
   { NULL,                      NULL }
 };
 
@@ -312,7 +317,7 @@ int load_config(struct daemon_conf *conf
 		}
 
 		/* dispatch to keyword's local parser */
-		rc = kw->parser(nv.value, lineno, config);
+		rc = kw->parser(&nv, lineno, config);
 		if (rc != 0) {
 			fclose(f);
 			return 1; // local parser puts message out
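Review bot: Nothing in the patch compares `kw->options` with `nv.option` before the dispatch on the changed line, so unless that happens in a part of load_config outside this hunk, a trailing third token is now silently accepted for keywords whose table entry says 0, where the old nv_split rejected it; a typo such as `num_logs = 5 0` would load as 5 without complaint. The `options` column added to the keyword table earlier in this file is then only decorative. A check before the dispatch restores the previous strictness using the table the commit already added. load_config starts before this hunk.
```c
		/* reject a third token unless the keyword's table entry allows one */
		if (nv.option && !kw->options) {
			audit_msg(LOG_ERR,
				"Keyword %s does not take an option - line %d",
				nv.name, lineno);
			fclose(f);
			return 1;
		}

		/* dispatch to keyword's local parser */
		rc = kw->parser(&nv, lineno, config);
		// … unchanged: rc handling …
```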
@@ -346,6 +351,7 @@ static int nv_split(char *buf, struct nv
 
 	nv->name = NULL;
 	nv->value = NULL;
+	nv->option = NULL;
 	ptr = strtok(buf, " ");
 	if (ptr == NULL)
 		return 0; /* If there's nothing, go to next line */
@@ -366,14 +372,15 @@ static int nv_split(char *buf, struct nv
 		return 1;
 	nv->value = ptr;
 
-	/* Make sure there's nothing else */
+	/* See if there's an option */
 	ptr = strtok(NULL, " ");
 	if (ptr) {
-		if (strncasecmp(nv->value, "exec", 4) == 0) {
-			nv->value[4] = ' ';
-			return 0;
-		}
-		return 1;
+		nv->option = ptr;
+
+		/* Make sure there's nothing else */
+		ptr = strtok(NULL, " ");
+		if (ptr)
+			return 1;
 	}
 
 	/* Everything is OK */
@@ -391,17 +398,18 @@ static const struct kw_pair *kw_lookup(c
 	return &keywords[i];
 }
  
-static int log_file_parser(const char *val, int line,struct daemon_conf *config)
+static int log_file_parser(struct nv_pair *nv, int line,
+	struct daemon_conf *config)
 {
 	char *dir = NULL, *tdir, *base;
 	DIR *d;
 	int fd, mode;
 	struct stat buf;
 
-	audit_msg(LOG_DEBUG, "log_file_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "log_file_parser called with: %s", nv->value);
 
 	/* split name into dir and basename. */
-	tdir = strdup(val);
+	tdir = strdup(nv->value);
 	if (tdir)
 		dir = dirname(tdir);
 	if (dir == NULL || strlen(dir) < 4) { //  '/var' is shortest dirname
@@ -412,7 +420,7 @@ static int log_file_parser(const char *v
 		return 1;
 	}
 
-	base = basename((char *)val);
+	base = basename((char *)nv->value);
 	if (base == 0 || strlen(base) == 0) {
 		audit_msg(LOG_ERR, "The file name: %s is too short - line %d", 
 			base, line);
@@ -438,66 +446,66 @@ static int log_file_parser(const char *v
 	else
 		mode = O_RDONLY;
 
-	fd = open(val, mode);
+	fd = open(nv->value, mode);
 	if (fd < 0) {
 		if (errno == ENOENT) {
-			fd = create_log_file(val);
+			fd = create_log_file(nv->value);
 			if (fd < 0) 
 				return 1;
 		} else {
-			audit_msg(LOG_ERR, "Unable to open %s (%s)", val, 
+			audit_msg(LOG_ERR, "Unable to open %s (%s)", nv->value, 
 					strerror(errno));
 			return 1;
 		}
 	}
 	if (fstat(fd, &buf) < 0) {
 		audit_msg(LOG_ERR, "Unable to stat %s (%s)", 
-					val, strerror(errno));
+					nv->value, strerror(errno));
 		close(fd);
 		return 1;
 	}
 	close(fd);
 	if (!S_ISREG(buf.st_mode)) {
-		audit_msg(LOG_ERR, "%s is not a regular file", val);
+		audit_msg(LOG_ERR, "%s is not a regular file", nv->value);
 		return 1;
 	}
 	if (buf.st_uid != 0) {
-		audit_msg(LOG_ERR, "%s is not owned by root", val);
+		audit_msg(LOG_ERR, "%s is not owned by root", nv->value);
 		return 1;
 	}
 	if ((buf.st_mode & (S_IRUSR|S_IWUSR|S_IRGRP)) != 
 			   (S_IRUSR|S_IWUSR|S_IRGRP)) {
-		audit_msg(LOG_ERR, "%s permissions should be 0640", val);
+		audit_msg(LOG_ERR, "%s permissions should be 0640", nv->value);
 		return 1;
 	}
 	free((void *)config->log_file);
-	config->log_file = strdup(val);
+	config->log_file = strdup(nv->value);
 	if (config->log_file == NULL)
 		return 1;
 	return 0;
 }
 
-static int num_logs_parser(const char *val, int line, 
+static int num_logs_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
-	const char *ptr = val;
+	const char *ptr = nv->value;
 	unsigned long i;
 
-	audit_msg(LOG_DEBUG, "num_logs_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "num_logs_parser called with: %s", nv->value);
 
 	/* check that all chars are numbers */
 	for (i=0; ptr[i]; i++) {
 		if (!isdigit(ptr[i])) {
 			audit_msg(LOG_ERR, 
 				"Value %s should only be numbers - line %d",
-				val, line);
+				nv->value, line);
 			return 1;
 		}
 	}
 
 	/* convert to unsigned long */
 	errno = 0;
-	i = strtoul(val, NULL, 10);
+	i = strtoul(nv->value, NULL, 10);
 	if (errno) {
 		audit_msg(LOG_ERR, 
 			"Error converting string to a number (%s) - line %d",
@@ -512,36 +520,37 @@ static int num_logs_parser(const char *v
 	return 0;
 }
 
-static int qos_parser(const char *val, int line, 
+static int qos_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
 	int i;
 
-	audit_msg(LOG_DEBUG, "qos_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "qos_parser called with: %s", nv->value);
 	for (i=0; qos_options[i].name != NULL; i++) {
-		if (strcasecmp(val, qos_options[i].name) == 0) {
+		if (strcasecmp(nv->value, qos_options[i].name) == 0) {
 			config->qos = qos_options[i].option;
 			return 0;
 		}
 	}
-	audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
 	return 1;
 }
 
-static int dispatch_parser(const char *val, int line,struct daemon_conf *config)
+static int dispatch_parser(struct nv_pair *nv, int line,
+	struct daemon_conf *config)
 {
 	char *dir = NULL, *tdir, *base;
 	int fd;
 	struct stat buf;
 
-	audit_msg(LOG_DEBUG, "dispatch_parser called with: %s", val);
-	if (val == NULL) {
+	audit_msg(LOG_DEBUG, "dispatch_parser called with: %s", nv->value);
+	if (nv->value == NULL) {
 		config->dispatcher = NULL;
 		return 0;
 	}
 
 	/* split name into dir and basename. */
-	tdir = strdup(val);
+	tdir = strdup(nv->value);
 	if (tdir)
 		dir = dirname(tdir);
 	if (dir == NULL || strlen(dir) < 4) { //  '/var' is shortest dirname
@@ -553,7 +562,7 @@ static int dispatch_parser(const char *v
 	}
 
 	free((void *)tdir);
-	base = basename((char *)val);
+	base = basename((char *)nv->value);
 	if (base == 0 || strlen(base) == 0) {
 		audit_msg(LOG_ERR, "The file name: %s is too short - line %d",
 			base, line);
@@ -561,60 +570,60 @@ static int dispatch_parser(const char *v
 	}
 	/* if the file exists, see that its regular, owned by root,
 	 * and not world anything */
-	fd = open(val, O_RDONLY);
+	fd = open(nv->value, O_RDONLY);
 	if (fd < 0) {
-		audit_msg(LOG_ERR, "Unable to open %s (%s)", val,
+		audit_msg(LOG_ERR, "Unable to open %s (%s)", nv->value,
 			strerror(errno));
 		return 1;
 	}
 	if (fstat(fd, &buf) < 0) {
-		audit_msg(LOG_ERR, "Unable to stat %s (%s)", val,
+		audit_msg(LOG_ERR, "Unable to stat %s (%s)", nv->value,
 			strerror(errno));
 		close(fd);
 		return 1;
 	}
 	close(fd);
 	if (!S_ISREG(buf.st_mode)) {
-		audit_msg(LOG_ERR, "%s is not a regular file", val);
+		audit_msg(LOG_ERR, "%s is not a regular file", nv->value);
 		return 1;
 	}
 	if (buf.st_uid != 0) {
-		audit_msg(LOG_ERR, "%s is not owned by root", val);
+		audit_msg(LOG_ERR, "%s is not owned by root", nv->value);
 		return 1;
 	}
 	if ((buf.st_mode & (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) !=
 			   (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) {
-		audit_msg(LOG_ERR, "%s permissions should be 0750", val);
+		audit_msg(LOG_ERR, "%s permissions should be 0750", nv->value);
 		return 1;
 	}
 	free((void *)config->dispatcher);
-	config->dispatcher = strdup(val);
+	config->dispatcher = strdup(nv->value);
 	if (config->dispatcher == NULL)
 		return 1;
 	return 0;
 }
 
-static int max_log_size_parser(const char *val, int line, 
+static int max_log_size_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
-	const char *ptr = val;
+	const char *ptr = nv->value;
 	unsigned long i;
 
-	audit_msg(LOG_DEBUG, "max_log_size_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "max_log_size_parser called with: %s", nv->value);
 
 	/* check that all chars are numbers */
 	for (i=0; ptr[i]; i++) {
 		if (!isdigit(ptr[i])) {
 			audit_msg(LOG_ERR, 
 				"Value %s should only be numbers - line %d",
-				val, line);
+				nv->value, line);
 			return 1;
 		}
 	}
 
 	/* convert to unsigned long */
 	errno = 0;
-	i = strtoul(val, NULL, 10);
+	i = strtoul(nv->value, NULL, 10);
 	if (errno) {
 		audit_msg(LOG_ERR, 
 			"Error converting string to a number (%s) - line %d",
@@ -625,73 +634,76 @@ static int max_log_size_parser(const cha
 	return 0;
 }
 
-static int max_log_size_action_parser(const char *val, int line, 
+static int max_log_size_action_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
 	int i;
 
-	audit_msg(LOG_DEBUG, "max_log_size_action_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "max_log_size_action_parser called with: %s",
+		nv->value);
 	for (i=0; size_actions[i].name != NULL; i++) {
-		if (strcasecmp(val, size_actions[i].name) == 0) {
+		if (strcasecmp(nv->value, size_actions[i].name) == 0) {
 			config->max_log_size_action = size_actions[i].option;
 			return 0;
 		}
 	}
-	audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
 	return 1;
 }
 
-static int log_format_parser(const char *val, int line, 
+static int log_format_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
 	int i;
 
-	audit_msg(LOG_DEBUG, "log_format_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "log_format_parser called with: %s", nv->value);
 	for (i=0; log_formats[i].name != NULL; i++) {
-		if (strcasecmp(val, log_formats[i].name) == 0) {
+		if (strcasecmp(nv->value, log_formats[i].name) == 0) {
 			config->log_format = log_formats[i].option;
 			return 0;
 		}
 	}
-	audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
 	return 1;
 }
 
-static int flush_parser(const char *val, int line, struct daemon_conf *config)
+static int flush_parser(struct nv_pair *nv, int line,
+		struct daemon_conf *config)
 {
 	int i;
 
-	audit_msg(LOG_DEBUG, "flush_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "flush_parser called with: %s", nv->value);
 	for (i=0; flush_techniques[i].name != NULL; i++) {
-		if (strcasecmp(val, flush_techniques[i].name) == 0) {
+		if (strcasecmp(nv->value, flush_techniques[i].name) == 0) {
 			config->flush = flush_techniques[i].option;
 			return 0;
 		}
 	}
-	audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
 	return 1;
 }
 
-static int freq_parser(const char *val, int line, struct daemon_conf *config)
+static int freq_parser(struct nv_pair *nv, int line,
+		struct daemon_conf *config)
 {
-	const char *ptr = val;
+	const char *ptr = nv->value;
 	int i;
 
-	audit_msg(LOG_DEBUG, "freq_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "freq_parser called with: %s", nv->value);
 
 	/* check that all chars are numbers */
 	for (i=0; ptr[i]; i++) {
 		if (!isdigit(ptr[i])) {
 			audit_msg(LOG_ERR, 
 				"Value %s should only be numbers - line %d",
-				val, line);
+				nv->value, line);
 			return 1;
 		}
 	}
 
 	/* convert to unsigned int */
 	errno = 0;
-	i = strtoul(val, NULL, 10);
+	i = strtoul(nv->value, NULL, 10);
 	if (errno) {
 		audit_msg(LOG_ERR, 
 			"Error converting string to a number (%s) - line %d",
@@ -702,34 +714,34 @@ static int freq_parser(const char *val, 
 	if (i > INT_MAX) {
 		audit_msg(LOG_ERR, 
 			"Error - converted number (%s) is too large - line %d",
-			val, line);
+			nv->value, line);
 		return 1;
 	}
 	config->freq = (unsigned int)i;
 	return 0;
 }
 
-static int space_left_parser(const char *val, int line, 
+static int space_left_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
-	const char *ptr = val;
+	const char *ptr = nv->value;
 	unsigned long i;
 
-	audit_msg(LOG_DEBUG, "space_left_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "space_left_parser called with: %s", nv->value);
 
 	/* check that all chars are numbers */
 	for (i=0; ptr[i]; i++) {
 		if (!isdigit(ptr[i])) {
 			audit_msg(LOG_ERR, 
 				"Value %s should only be numbers - line %d",
-				val, line);
+				nv->value, line);
 			return 1;
 		}
 	}
 
 	/* convert to unsigned long */
 	errno = 0;
-	i = strtoul(val, NULL, 10);
+	i = strtoul(nv->value, NULL, 10);
 	if (errno) {
 		audit_msg(LOG_ERR, 
 			"Error converting string to a number (%s) - line %d",
@@ -740,57 +752,44 @@ static int space_left_parser(const char 
 	return 0;
 }
 
-static const char *extract_exe_name(const char *val)
+static int check_exe_name(const char *val)
 {
-	int fd;
 	struct stat buf;
-	const char *p = val;
 
-	// Eat leading whitespace
-	while (isspace(*p))
-		p++;
-	if (*p != '/') {
-		audit_msg(LOG_ERR, "Absolute path needed for %s", p);
-		return NULL;
+	if (*val != '/') {
+		audit_msg(LOG_ERR, "Absolute path needed for %s", val);
+		return -1;
 	}
 
-	fd = open(p, O_RDONLY);
-	if (fd < 0) {
-		audit_msg(LOG_ERR, "Unable to open %s (%s)", p,
-			strerror(errno));
-		return NULL;
-	}
-	if (fstat(fd, &buf) < 0) {
-		audit_msg(LOG_ERR, "Unable to stat %s (%s)", p,
+	if (stat(val, &buf) < 0) {
+		audit_msg(LOG_ERR, "Unable to stat %s (%s)", val,
 			strerror(errno));
-		close(fd);
-		return NULL;
+		return -1;
 	}
-	close(fd);
 	if (!S_ISREG(buf.st_mode)) {
-		audit_msg(LOG_ERR, "%s is not a regular file", p);
-		return NULL;
+		audit_msg(LOG_ERR, "%s is not a regular file", val);
+		return -1;
 	}
 	if (buf.st_uid != 0) {
-		audit_msg(LOG_ERR, "%s is not owned by root", p);
-		return NULL;
+		audit_msg(LOG_ERR, "%s is not owned by root", val);
+		return -1;
 	}
 	if ((buf.st_mode & (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) !=
 			   (S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP)) {
-		audit_msg(LOG_ERR, "%s permissions should be 0750", p);
-		return NULL;
+		audit_msg(LOG_ERR, "%s permissions should be 0750", val);
+		return -1;
 	}
-	return strdup(p);
+	return 0;
 }
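Review bot: check_exe_name() dereferences `val` on its first line, but its callers in the four action parsers pass `nv->option`, which nv_split leaves NULL when the config line is just `... = exec` with no path, so a one-token exec line now dereferences NULL during config load instead of being reported. Guard it at the top: `if (val == NULL || *val != '/') {` with `audit_msg(LOG_ERR, "Absolute path needed for %s", val ? val : "(missing)");`. Replacing the open()/fstat() pair with stat() keeps the check advisory — it follows symlinks and says nothing about what will be executed later — which matches the old behaviour but deserves a one-line comment so nobody reads it as a security boundary.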
 
-static int space_action_parser(const char *val, int line, 
+static int space_action_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
 	int i;
 
-	audit_msg(LOG_DEBUG, "space_action_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "space_action_parser called with: %s", nv->value);
 	for (i=0; failure_actions[i].name != NULL; i++) {
-		if (strcasecmp(val, failure_actions[i].name) == 0) {
+		if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
 			if (failure_actions[i].option == FA_EMAIL) {
 				if (access(email_command, X_OK)) {
 					audit_msg(LOG_ERR,
@@ -801,17 +800,17 @@ static int space_action_parser(const cha
 			config->space_left_action = failure_actions[i].option;
 			return 0;
 		} else if (i == FA_EXEC) {
-			if (strncasecmp(failure_actions[i].name, val, 4) == 0){
-				const char *e = extract_exe_name(&val[4]);
-				if (e == NULL) 
+			if (strncasecmp(failure_actions[i].name,
+						 nv->value, 4) == 0){
+				if (check_exe_name(nv->option))
 					return 1;
-				config->space_left_exe = e;
+				config->space_left_exe = strdup(nv->option);
 				config->space_left_action = FA_EXEC;
 				return 0;
 			}
 		}
 	}
-	audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
 	return 1;
 }
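Review bot: `config->space_left_exe = strdup(nv->option);` is no longer checked, whereas the removed extract_exe_name() path returned 1 on allocation failure; on a failed strdup the action is still set to FA_EXEC with a NULL exe path. The same unchecked strdup appears in the admin_space_left_action, disk_full_action and disk_error_action hunks below. In each, follow the assignment with `if (config->space_left_exe == NULL) return 1;` (with the matching field name) before setting the action. space_action_parser starts before this hunk.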
 
@@ -856,13 +855,14 @@ int validate_email(const char *acct)
 	return 0;
 }
 
-static int action_mail_acct_parser(const char *val, int line, 
+static int action_mail_acct_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
 	char *tmail;
 	
-	audit_msg(LOG_DEBUG, "action_mail_acct_parser called with: %s", val);
-	tmail = strdup(val);
+	audit_msg(LOG_DEBUG, "action_mail_acct_parser called with: %s",
+							nv->value);
+	tmail = strdup(nv->value);
 	if (tmail == NULL)
 		return 1;
 
@@ -878,27 +878,28 @@ static int action_mail_acct_parser(const
 	return 0;
 }
 
-static int admin_space_left_parser(const char *val, int line, 
+static int admin_space_left_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
-	const char *ptr = val;
+	const char *ptr = nv->value;
 	unsigned long i;
 
-	audit_msg(LOG_DEBUG, "admin_space_left_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "admin_space_left_parser called with: %s",
+							nv->value);
 
 	/* check that all chars are numbers */
 	for (i=0; ptr[i]; i++) {
 		if (!isdigit(ptr[i])) {
 			audit_msg(LOG_ERR, 
 				"Value %s should only be numbers - line %d",
-				val, line);
+				nv->value, line);
 			return 1;
 		}
 	}
 
 	/* convert to unsigned long */
 	errno = 0;
-	i = strtoul(val, NULL, 10);
+	i = strtoul(nv->value, NULL, 10);
 	if (errno) {
 		audit_msg(LOG_ERR, 
 			"Error converting string to a number (%s) - line %d",
@@ -909,14 +910,15 @@ static int admin_space_left_parser(const
 	return 0;
 }
 
-static int admin_space_left_action_parser(const char *val, int line, 
+static int admin_space_left_action_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
 	int i;
 
-	audit_msg(LOG_DEBUG, "admin_space_left_action_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "admin_space_left_action_parser called with: %s",
+								nv->value);
 	for (i=0; failure_actions[i].name != NULL; i++) {
-		if (strcasecmp(val, failure_actions[i].name) == 0) {
+		if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
 			if (failure_actions[i].option == FA_EMAIL) {
 				if (access(email_command, X_OK)) {
 					audit_msg(LOG_ERR,
@@ -928,28 +930,30 @@ static int admin_space_left_action_parse
 						failure_actions[i].option;
 			return 0;
 		} else if (i == FA_EXEC) {
-			if (strncasecmp(failure_actions[i].name, val, 4) == 0){
-				const char *e = extract_exe_name(&val[4]);
-				if (e == NULL) 
+			if (strncasecmp(failure_actions[i].name,
+							nv->value, 4) == 0){
+				if (check_exe_name(nv->option))
 					return 1;
-				config->admin_space_left_exe = e;
+				config->admin_space_left_exe = 
+							strdup(nv->option);
 				config->admin_space_left_action = FA_EXEC;
 				return 0;
 			}
 		}
 	}
-	audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
 	return 1;
 }
 
-static int disk_full_action_parser(const char *val, int line, 
+static int disk_full_action_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
 	int i;
 
-	audit_msg(LOG_DEBUG, "disk_full_action_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "disk_full_action_parser called with: %s",
+								nv->value);
 	for (i=0; failure_actions[i].name != NULL; i++) {
-		if (strcasecmp(val, failure_actions[i].name) == 0) {
+		if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
 			if (failure_actions[i].option != FA_EMAIL) {
 				config->disk_full_action =
 						failure_actions[i].option;
@@ -957,32 +961,33 @@ static int disk_full_action_parser(const
 			} else {
 				audit_msg(LOG_ERR, 
 			"Illegal option %s for disk_full_action - line %d",
-					 val, line);
+					nv->value, line);
 				return 1;
 			}
 		} else if (i == FA_EXEC) {
-			if (strncasecmp(failure_actions[i].name, val, 4) == 0){
-				const char *e = extract_exe_name(&val[4]);
-				if (e == NULL) 
+			if (strncasecmp(failure_actions[i].name, 
+							nv->value, 4) == 0){
+				if (check_exe_name(nv->option))
 					return 1;
-				config->disk_full_exe = e;
+				config->disk_full_exe = strdup(nv->option);
 				config->disk_full_action = FA_EXEC;
 				return 0;
 			}
 		}
 	}
-	audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
 	return 1;
 }
 
-static int disk_error_action_parser(const char *val, int line, 
+static int disk_error_action_parser(struct nv_pair *nv, int line, 
 		struct daemon_conf *config)
 {
 	int i;
 
-	audit_msg(LOG_DEBUG, "disk_error_action_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "disk_error_action_parser called with: %s",
+								nv->value);
 	for (i=0; failure_actions[i].name != NULL; i++) {
-		if (strcasecmp(val, failure_actions[i].name) == 0) {
+		if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
 			if (failure_actions[i].option != FA_EMAIL) {
 				config->disk_error_action = 
 						failure_actions[i].option;
@@ -990,44 +995,46 @@ static int disk_error_action_parser(cons
 			} else {
 				audit_msg(LOG_ERR, 
 			"Illegal option %s for disk_error_action - line %d",
-					 val, line);
+					nv->value, line);
 				return 1;
 			}
 		} else if (i == FA_EXEC) {
-			if (strncasecmp(failure_actions[i].name, val, 4) == 0){
-				const char *e = extract_exe_name(&val[4]);
-				if (e == NULL) 
+			if (strncasecmp(failure_actions[i].name,
+							nv->value, 4) == 0){
+				if (check_exe_name(nv->option))
 					return 1;
-				config->disk_error_exe = e;
+				config->disk_error_exe = strdup(nv->option);
 				config->disk_error_action = FA_EXEC;
 				return 0;
 			}
 		}
 	}
-	audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
+	audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
 	return 1;
 }
 
-static int priority_boost_parser(const char *val, int line, struct daemon_conf *config)
+static int priority_boost_parser(struct nv_pair *nv, int line,
+	struct daemon_conf *config)
 {
-	const char *ptr = val;
+	const char *ptr = nv->value;
 	int i;
 
-	audit_msg(LOG_DEBUG, "priority_boost_parser called with: %s", val);
+	audit_msg(LOG_DEBUG, "priority_boost_parser called with: %s",
+								nv->value);
 
 	/* check that all chars are numbers */
 	for (i=0; ptr[i]; i++) {
 		if (!isdigit(ptr[i])) {
 			audit_msg(LOG_ERR, 
 				"Value %s should only be numbers - line %d",
-				val, line);
+				nv->value, line);
 			return 1;
 		}
 	}
 
 	/* convert to unsigned int */
 	errno = 0;
-	i = strtoul(val, NULL, 10);
+	i = strtoul(nv->value, NULL, 10);
 	if (errno) {
 		audit_msg(LOG_ERR, 
 			"Error converting string to a number (%s) - line %d",
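Review bot: `i = strtoul(nv->value, NULL, 10);` assigns an `unsigned long` into `int i` (declared at the top of this hunk), so any value above INT_MAX is truncated before the `if (i > INT_MAX)` guard in the following hunk runs; that guard can never fire and the "too large" range check is effectively dead. Keep the conversion in its own variable, `unsigned long v = strtoul(nv->value, NULL, 10);`, test `if (v > INT_MAX)`, and assign `config->priority_boost = (unsigned int)v;`. Note also that an empty value passes the digit loop and converts to 0 without any error; if that is not intended, a `ptr[0] == '\0'` check before the loop would reject it. priority_boost_parser's body continues past this hunk.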
@@ -1038,7 +1045,7 @@ static int priority_boost_parser(const c
 	if (i > INT_MAX) {
 		audit_msg(LOG_ERR, 
 			"Error - converted number (%s) is too large - line %d",
-			val, line);
+			nv->value, line);
 		return 1;
 	}
 	config->priority_boost = (unsigned int)i;
diff -urpN audit-1.4.2/contrib/nispom.rules audit-1.5.1/contrib/nispom.rules
--- audit-1.4.2/contrib/nispom.rules	1969-12-31 19:00:00.000000000 -0500
+++ audit-1.5.1/contrib/nispom.rules	2007-03-01 14:05:25.000000000 -0500
@@ -0,0 +1,91 @@
+##
+## This file contains the a sample audit configuration intended to
+## meet the NISPOM Chapter 8 rules.
+##
+## This file should be saved as /etc/audit/audit.rules.
+##
+
+## Remove any existing rules
+-D
+
+## Increase buffer size to handle the increased number of messages.
+## Feel free to increase this if the machine panic's
+-b 8192
+
+## Audit 1, 1(a) Enough information to determine the date and time of
+## action (e.g., common network time), the system locale of the action,
+## the system entity that initiated or completed the action, the resources
+## involved, and the action involved.
+
+## Things that could affect time
+-a entry,always -S adjtimex -S settimeofday -k time-change
+-w /etc/localtime -p wa -k time-change
+
+## Things that could affect system locale
+-a exit,always -S sethostname -k system-locale
+-w /etc/issue -p wa -k system-locale
+-w /etc/issue.net -p wa -k system-locale
+-w /etc/hosts -p wa -k system-locale
+-w /etc/sysconfig/network -p wa -k system-locale
+
+## Audit 1, 1(b) Successful and unsuccessful logons and logoffs.
+## This is covered by patches to login, gdm, and openssh
+## Might also want to watch these files if needing extra information
+#-w /var/log/faillog -p wa -k logins
+#-w /var/log/lastlog -p wa -k logins
+
+## Audit 1, 1(c) Successful and unsuccessful accesses to
+## security-relevant objects and directories, including
+## creation, open, close, modification, and deletion.
+
+## unsuccessful creation
+-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
+-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
+
+## unsuccessful open
+-a exit,always -S open -F exit=-13 -k open
+
+## unsuccessful close
+-a exit,always -S close -F exit=-13 -k close
+
+## unsuccessful modifications
+-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
+-a exit,always -S renameat -F exit=-13 -k mods
+-a exit,always -F perm=a -F exit=-13 -k mods
+
+## unsuccessful deletion
+-a exit,always -S rmdir -S unlink -F exit=-13 -k delete 
+-a exit,always -S unlinkat -F exit=-13 -k delete
+
+## Audit 1, 1(d) Changes in user authenticators.
+## Covered by patches to libpam, passwd, and shadow-utils
+## Might also want to watch these files for changes
+-w /etc/group -p wa -k auth
+-w /etc/passwd -p wa -k auth
+-w /etc/gshadow -p wa -k auth
+-w /etc/shadow -p wa -k auth
+-w /etc/security/opasswd -p wa -k auth
+
+## Audit 1, 1(e) The blocking or blacklisting of a user ID,
+## terminal, or access port and the reason for the action.
+## Covered by patches to pam_tally
+
+## Audit 1, 1(f) Denial of access resulting from an excessive
+## number of unsuccessful logon attempts.
+## Covered by patches to pam_tally
+
+## Audit 1, 2 Audit Trail Protection. The contents of audit trails
+## shall be protected against unauthorized access, modification,
+## or deletion.
+## This should be covered by file permissions, but we can watch it
+## to see any activity
+-w /var/log/audit/ -k audit-logs
+-w /var/log/audit/audit.log -k audit-logs
+#-w /var/log/audit/audit.log.1 -k audit-logs
+#-w /var/log/audit/audit.log.2 -k audit-logs
+#-w /var/log/audit/audit.log.3 -k audit-logs
+#-w /var/log/audit/audit.log.4 -k audit-logs
+
+## Put your own watches after this point
+# -w /your-file -p rwxa -k mykey
+
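Review bot: The "unsuccessful open" rule at `-a exit,always -S open -F exit=-13 -k open` covers only the `open` syscall, while the creation and modification rules above it already include the `*at` variants; a failed `openat` is therefore not recorded, which makes the 1(c) coverage narrower than the header comment states. Adding `-S openat` to that line brings it in line with the other rule groups. Separately, `-F exit=-13` matches only EACCES; failures that return EPERM (exit=-1), such as rename or unlink refused by ownership checks, are not captured by any of these rules, so a second rule per group with `-F exit=-1` would be needed for the "unsuccessful" wording to hold. The `audit-logs` watches carry no `-p`, which means all access types are reported; that is presumably intentional but worth a comment since it produces far more events than the `wa` watches above.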


Index: audit.spec
===================================================================
RCS file: /cvs/dist/rpms/audit/FC-6/audit.spec,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- audit.spec	21 Feb 2007 22:54:58 -0000	1.121
+++ audit.spec	3 Mar 2007 15:24:33 -0000	1.122
@@ -1,12 +1,13 @@
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
 Version: 1.4.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: %{name}-%{version}.tar.gz
 Patch1: audit-1.4.2-auparse.patch
+Patch2: audit-1.5.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: libtool swig python-devel
 BuildRequires: kernel-headers >= 2.6.18
@@ -57,6 +58,7 @@
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 
 %build
 autoreconf -fv --install
@@ -176,6 +178,13 @@
 %config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd
 
 %changelog
+* Sat Mar 03 2007 Steve Grubb <sgrubb at redhat.com> 1.4.2-3
+- Added NISPOM sample rules
+- Verify accessibility of files passed in auparse_init
+- Fix bug in parser library interpreting socketcalls
+- Add support for stdio FILE pointer in auparse_init
+- Adjust init script to allow anyone to status auditd (#230626)
+
 * Wed Feb 21 2007 Steve Grubb <sgrubb at redhat.com> 1.4.2-2
 - Fix hidden function in auparse library
 



