summaryrefslogtreecommitdiff
path: root/system/audit
diff options
context:
space:
mode:
Diffstat (limited to 'system/audit')
-rw-r--r--system/audit/README16
-rw-r--r--system/audit/README.SLACKWARE16
-rw-r--r--system/audit/audit-2.0.4-sysconfig.diff21
-rw-r--r--system/audit/audit.SlackBuild127
-rw-r--r--system/audit/audit.info10
-rw-r--r--system/audit/doinst.sh36
-rw-r--r--system/audit/slack-desc19
7 files changed, 245 insertions, 0 deletions
diff --git a/system/audit/README b/system/audit/README
new file mode 100644
index 0000000000..59dba16797
--- /dev/null
+++ b/system/audit/README
@@ -0,0 +1,16 @@
+Audit for Slackware
+
+The Linux Auditing System is a kernel subsystem the allows the kernel to
+record events of interest to intrusion detection systems, such as file
+access attempts, specific system calls, or custom events generated by
+trusted system binaries like login or sshd. The audit package provides the
+tools to configure the audit system, and to collect and process its output.
+
+To collect audit events, your kernel must have the audit system enabled,
+which is present in the stock Slackware kernels.
+
+The audit package has no other dependencies. However, certain audit events
+of interest, such as failed login attempts from /bin/login, password changes,
+etcetera are generated by their respective binaries using libaudit. If your
+site policy requires auditing those events, some reconfiguration and/or
+patching may be required.
diff --git a/system/audit/README.SLACKWARE b/system/audit/README.SLACKWARE
new file mode 100644
index 0000000000..36ae25c925
--- /dev/null
+++ b/system/audit/README.SLACKWARE
@@ -0,0 +1,16 @@
+# NOTES:
+# This slackbuild won't do much unless you rebuild your kernel with audit enabled.
+# Optionally you can enable syscall-level audit.
+#
+# RULES:
+# Some example rulesets are available at /usr/doc/audit-2.0.4/contrib
+# stig.rules is an example ruleset for systems that are subject to the US Department of Defense
+# UNIX STIG audit requirement, although I read recently on the gov-sec@ Redhat list that
+# they hadn't been updating it religiously.
+#
+# ROTATION:
+# The audit log (/var/log/audit/audit.log) is rotated on a size basis automatically by auditd.
+# Periodic rotation (i.e. logrotate) is a bad idea for audit, since an attacker could trigger a
+# common event rapidly to exhaust log space, then do something nefarious that would go unaudited.
+# This package uses the default rotation size of 8MB.
+
diff --git a/system/audit/audit-2.0.4-sysconfig.diff b/system/audit/audit-2.0.4-sysconfig.diff
new file mode 100644
index 0000000000..2004313a11
--- /dev/null
+++ b/system/audit/audit-2.0.4-sysconfig.diff
@@ -0,0 +1,21 @@
+diff -Nur audit-2.0.4.orig//init.d/auditd.init audit-2.0.4/init.d/auditd.init
+--- audit-2.0.4.orig//init.d/auditd.init 2009-12-07 15:16:41.000000000 -0600
++++ audit-2.0.4/init.d/auditd.init 2010-06-13 02:07:13.368552889 -0500
+@@ -9,7 +9,7 @@
+ # will be sent to syslog.
+ #
+ # processname: /sbin/auditd
+-# config: /etc/sysconfig/auditd
++# config: /etc/rc.d/rc.auditd.conf
+ # config: /etc/audit/auditd.conf
+ # pidfile: /var/run/auditd.pid
+ #
+@@ -42,7 +42,7 @@
+ test $EUID = 0 || exit 4
+
+ # Check config
+-test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
++test -f /etc/rc.d/rc.auditd.conf && . /etc/rc.d/rc.auditd.conf
+
+ RETVAL=0
+
diff --git a/system/audit/audit.SlackBuild b/system/audit/audit.SlackBuild
new file mode 100644
index 0000000000..9d2dd86982
--- /dev/null
+++ b/system/audit/audit.SlackBuild
@@ -0,0 +1,127 @@
+#!/bin/sh
+
+# Copyright 2010, R. Andrew Bailey, Chantilly, VA USA
+# All rights reserved.
+#
+# Permission to use, copy, modify, and distribute this software for
+# any purpose with or without fee is hereby granted, provided that
+# the above copyright notice and this permission notice appear in all
+# copies.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+
+PRGNAM=audit
+VERSION=${VERSION:-2.0.4}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i486 ;;
+ arm*) ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+# Init should check /etc/rc.d/rc.auditd.conf instead of /etc/sysconfig/auditd
+patch -p1 < $CWD/audit-2.0.4-sysconfig.diff
+
+CXXFLAGS="$SLKCFLAGS" \
+CFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --localstatedir=/var \
+ --sysconfdir=/etc \
+ --mandir=/usr/man \
+ --disable-static \
+ --program-prefix= \
+ --program-suffix= \
+ --sbindir=/sbin \
+ --build=$ARCH-slackware-linux
+
+make
+make DESTDIR=$PKG install
+
+find $PKG | xargs file | grep -e "executable" -e "shared object" \
+ | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+
+# audispd must be 0750 to run
+chmod 0750 $PKG/sbin/audispd
+
+mkdir -p $PKG/etc/rc.d
+mv $PKG/etc/sysconfig/auditd $PKG/etc/rc.d/rc.auditd.conf.new
+mv $PKG/etc/rc.d/init.d/auditd $PKG/etc/rc.d/rc.auditd.new
+rm -rf $PKG/etc/rc.d/init.d $PKG/etc/sysconfig
+
+# Change config files to .new:
+for i in $(find $PKG/etc -type f -name "*.rules" -o -name "*.conf") ; do mv $i $i.new; done
+
+mkdir -p $PKG/var/log/audit $PKG/var/lock/subsys
+
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a \
+ AUTHORS COPYING ChangeLog INSTALL NEWS README TODO contrib \
+ $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
+find $PKG/usr/doc -type f -exec chmod 0644 {} \;
+find $PKG/usr/doc -size 0 -exec rm {} \;
+
+find $PKG/usr/man -type f -name "*.?" -exec gzip -9f {} \;
+for i in $(find $PKG/usr/man -type l -name "*.?") ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/system/audit/audit.info b/system/audit/audit.info
new file mode 100644
index 0000000000..350ee18dcc
--- /dev/null
+++ b/system/audit/audit.info
@@ -0,0 +1,10 @@
+PRGNAM="audit"
+VERSION="2.0.4"
+HOMEPAGE="http://people.redhat.com/sgrubb/audit/"
+DOWNLOAD="http://people.redhat.com/sgrubb/audit/audit-2.0.4.tar.gz"
+MD5SUM="91eee3f3869dd79123a45c2775f3e85e"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Andy Bailey"
+EMAIL="bailey@akamai.com"
+APPROVED="rworkman"
diff --git a/system/audit/doinst.sh b/system/audit/doinst.sh
new file mode 100644
index 0000000000..fb88271cae
--- /dev/null
+++ b/system/audit/doinst.sh
@@ -0,0 +1,36 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+ if [ -e ${OLD} ]; then
+ cp -a ${OLD} ${NEW}.incoming
+ cat ${NEW} > ${NEW}.incoming
+ mv ${NEW}.incoming ${NEW}
+ fi
+ config ${NEW}
+}
+
+preserve_perms etc/rc.d/rc.auditd.new
+config etc/rc.d/rc.auditd.conf.new
+config etc/audit/audit.rules.new
+config etc/audit/auditd.conf.new
+config etc/audisp/audispd.conf.new
+config etc/audisp/zos-remote.conf.new
+config etc/audisp/plugins.d/af_unix.conf.new
+config etc/audisp/plugins.d/au-remote.conf.new
+config etc/audisp/plugins.d/audispd-zos-remote.conf.new
+config etc/audisp/plugins.d/syslog.conf.new
+config etc/audisp/audisp-remote.conf.new
+
diff --git a/system/audit/slack-desc b/system/audit/slack-desc
new file mode 100644
index 0000000000..3b055d578b
--- /dev/null
+++ b/system/audit/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+audit: audit (Linux Kernel Audit Framework)
+audit:
+audit: The audit package contains the user space utilities for storing and
+audit: searching the audit records generate by the audit subsystem in the
+audit: Linux 2.6 kernel.
+audit:
+audit: The audit subsystem, which is not enabled in stock Slackware kernels
+audit: must be enabled and the kernel rebuilt in order to use auditd
+audit:
+audit:
+audit: