v2.4.4 audit sources

Change-Id: I9315a7408817db51edf084fb4d27fbb492785084
Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>

15 files changed, 580 insertions, 0 deletions

diff --git a/framework/src/audit/init.d/Makefile.am b/framework/src/audit/init.d/Makefile.am
new file mode 100644
index 00000000..521dd1d0
--- /dev/null
+++ b/framework/src/audit/init.d/Makefile.am
@@ -0,0 +1,82 @@
+# Makefile.am--
+# Copyright 2004-07,2012-13 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Authors:
+#   Steve Grubb <sgrubb@redhat.com>
+#
+
+CONFIG_CLEAN_FILES = *.rej *.orig
+EXTRA_DIST = auditd.init auditd.service auditd.sysconfig auditd.conf \
+	audit.rules auditd.cron libaudit.conf audispd.conf auditd.condrestart \
+	auditd.restart auditd.resume auditd.rotate auditd.stop augenrules
+libconfig = libaudit.conf
+dispconfig = audispd.conf
+dispconfigdir = $(sysconfdir)/audisp
+if ENABLE_SYSTEMD
+initdir = /usr/lib/systemd/system
+legacydir = $(libexecdir)/initscripts/legacy-actions/auditd
+else
+initdir = $(sysconfdir)/rc.d/init.d
+sysconfigdir = $(sysconfdir)/sysconfig
+endif
+
+auditdir = $(sysconfdir)/audit
+auditrdir = $(auditdir)/rules.d
+dist_audit_DATA = auditd.conf
+dist_auditr_DATA = audit.rules
+sbin_SCRIPTS = augenrules
+
+install-data-hook:
+	$(INSTALL_DATA) -D -m 640 ${srcdir}/${dispconfig} ${DESTDIR}${dispconfigdir}
+	$(INSTALL_DATA) -D -m 640 ${srcdir}/${libconfig} ${DESTDIR}${sysconfdir}
+if ENABLE_SYSTEMD
+else
+	$(INSTALL_DATA) -D -m 640 ${srcdir}/auditd.sysconfig ${DESTDIR}${sysconfigdir}/auditd
+endif
+
+install-exec-hook:
+if ENABLE_SYSTEMD
+	mkdir -p ${DESTDIR}${initdir}
+	mkdir -p ${DESTDIR}${legacydir}
+	$(INSTALL_SCRIPT) -D -m 640 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
+	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
+	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.stop ${DESTDIR}${legacydir}/stop
+	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.restart ${DESTDIR}${legacydir}/restart
+	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.condrestart ${DESTDIR}${legacydir}/condrestart
+else
+	$(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd
+endif
+	chmod 0750 $(DESTDIR)$(sbindir)/augenrules
+
+
+uninstall-hook:
+	rm ${DESTDIR}${dispconfigdir}/${dispconfig}
+	rm ${DESTDIR}${sysconfdir}/${libconfig}
+if ENABLE_SYSTEMD
+	rm ${DESTDIR}${initdir}/auditd.service
+	rm ${DESTDIR}${legacydir}/rotate
+	rm ${DESTDIR}${legacydir}/resume
+	rm ${DESTDIR}${legacydir}/stop
+	rm ${DESTDIR}${legacydir}/restart
+	rm ${DESTDIR}${legacydir}/condrestart
+else
+	rm ${DESTDIR}${sysconfigdir}/auditd
+	rm ${DESTDIR}${initdir}/auditd
+endif
+
diff --git a/framework/src/audit/init.d/audispd.conf b/framework/src/audit/init.d/audispd.conf
new file mode 100644
index 00000000..ee50e5b3
--- /dev/null
+++ b/framework/src/audit/init.d/audispd.conf
@@ -0,0 +1,12 @@
+#
+# This file controls the configuration of the audit event 
+# dispatcher daemon, audispd.
+#
+
+q_depth = 150
+overflow_action = SYSLOG
+priority_boost = 4
+max_restarts = 10
+name_format = HOSTNAME
+#name = mydomain
+
diff --git a/framework/src/audit/init.d/audit.rules b/framework/src/audit/init.d/audit.rules
new file mode 100644
index 00000000..479ff470
--- /dev/null
+++ b/framework/src/audit/init.d/audit.rules
@@ -0,0 +1,14 @@
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+-D
+
+# Increase the buffers to survive stress events.
+# Make this bigger for busy systems
+-b 320
+
+# Feel free to add below this line. See auditctl man page
+
diff --git a/framework/src/audit/init.d/auditd.condrestart b/framework/src/audit/init.d/auditd.condrestart
new file mode 100644
index 00000000..efbaaa85
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.condrestart
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Helper script to provide legacy auditd service options not
+# directly supported by systemd.
+
+/usr/libexec/initscripts/legacy-actions/auditd/restart
+RETVAL="$?"
+exit $RETVAL
diff --git a/framework/src/audit/init.d/auditd.conf b/framework/src/audit/init.d/auditd.conf
new file mode 100644
index 00000000..fdc93f0e
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.conf
@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6 
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = SYSLOG
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = SUSPEND
+disk_full_action = SUSPEND
+disk_error_action = SUSPEND
+##tcp_listen_port = 
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
diff --git a/framework/src/audit/init.d/auditd.cron b/framework/src/audit/init.d/auditd.cron
new file mode 100644
index 00000000..7b898697
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.cron
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+##########
+# This script can be installed to get a daily log rotation
+# based on a cron job.
+##########
+
+/sbin/service auditd rotate
+EXITVALUE=$?
+if [ $EXITVALUE != 0 ]; then
+    /usr/bin/logger -t auditd "ALERT exited abnormally with [$EXITVALUE]"
+fi
+exit 0
+
diff --git a/framework/src/audit/init.d/auditd.init b/framework/src/audit/init.d/auditd.init
new file mode 100755
index 00000000..ccf8afb1
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.init
@@ -0,0 +1,175 @@
+#!/bin/bash
+#
+# auditd        This starts and stops auditd
+#
+# chkconfig: 2345 11 88
+# description: This starts the Linux Auditing System Daemon, \
+#              which collects security related events in a dedicated \
+#              audit log. If this daemon is turned off, audit events \
+#              will be sent to syslog.
+#
+# processname: /sbin/auditd
+# config: /etc/sysconfig/auditd
+# config: /etc/audit/auditd.conf
+# pidfile: /var/run/auditd.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+#
+
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+prog="auditd"
+
+# Source function library.
+. /etc/init.d/functions
+
+# Allow anyone to run status
+if [ "$1" = "status" ] ; then
+	status $prog
+	RETVAL=$?
+	exit $RETVAL
+fi
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  ||  exit 4
+
+# Check config
+test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
+
+RETVAL=0
+
+start(){
+	test -x /sbin/auditd  || exit 5
+	test -f /etc/audit/auditd.conf  || exit 6
+
+	echo -n $"Starting $prog: "
+
+# Localization for auditd is controlled in /etc/synconfig/auditd
+	if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
+		unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+	else
+		LANG="$AUDITD_LANG"
+		LC_TIME="$AUDITD_LANG"
+		LC_ALL="$AUDITD_LANG"
+		LC_MESSAGES="$AUDITD_LANG"
+		LC_NUMERIC="$AUDITD_LANG"
+		LC_MONETARY="$AUDITD_LANG"
+		LC_COLLATE="$AUDITD_LANG"
+		export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+	fi
+	unset HOME MAIL USER USERNAME
+	daemon $prog "$EXTRAOPTIONS"
+	RETVAL=$?
+	echo
+	if test $RETVAL = 0 ; then
+		touch /var/lock/subsys/auditd
+		# Prepare the default rules
+		if test x"$USE_AUGENRULES" != "x" ; then
+			if test "`echo $USE_AUGENRULES | tr 'NO' 'no'`" != "no"
+			then
+				test -d /etc/audit/rules.d && /sbin/augenrules
+			fi
+		fi
+		# Load the default rules
+		test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+	fi
+	return $RETVAL
+}
+
+stop(){
+	echo -n $"Stopping $prog: "
+	killproc $prog
+	RETVAL=$?
+	echo
+	rm -f /var/lock/subsys/auditd
+	# Remove watches so shutdown works cleanly
+	if test x"$AUDITD_CLEAN_STOP" != "x" ; then
+		if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" != "no"
+		then
+			/sbin/auditctl -D >/dev/null
+		fi
+	fi
+	if test x"$AUDITD_STOP_DISABLE" != "x" ; then
+		if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" != "no"
+		then
+			/sbin/auditctl -e 0 >/dev/null
+		fi
+	fi
+	return $RETVAL
+}
+
+reload(){
+	test -f /etc/audit/auditd.conf  || exit 6
+	echo -n $"Reloading configuration: "	
+	killproc $prog -HUP
+	RETVAL=$?
+	echo
+	return $RETVAL
+}
+
+rotate(){
+	echo -n $"Rotating logs: "	
+	killproc $prog -USR1
+	RETVAL=$?
+	echo
+	return $RETVAL
+}
+
+resume(){
+	echo -n $"Resuming logging: "	
+	killproc $prog -USR2
+	RETVAL=$?
+	echo
+	return $RETVAL
+}
+
+restart(){
+	test -f /etc/audit/auditd.conf  || exit 6
+	stop
+	start
+}
+
+condrestart(){
+	[ -e /var/lock/subsys/auditd ] && restart
+	return 0
+}
+
+
+# See how we were called.
+case "$1" in
+    start)
+	start
+	;;
+    stop)
+	stop
+	;;
+    restart)
+	restart
+	;;
+    reload|force-reload)
+	reload
+	;;
+    rotate)
+	rotate
+	;;
+    resume)
+	resume
+	;;
+    condrestart|try-restart)
+	condrestart
+	;;
+    *)
+	echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|rotate|resume}"
+	RETVAL=3
+esac
+
+exit $RETVAL
+
diff --git a/framework/src/audit/init.d/auditd.restart b/framework/src/audit/init.d/auditd.restart
new file mode 100755
index 00000000..42669ff1
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.restart
@@ -0,0 +1,13 @@
+#!/bin/sh
+# Helper script to provide legacy auditd service options not
+# directly supported by systemd.
+
+test -f /etc/audit/auditd.conf  || exit 6
+
+/usr/libexec/initscripts/legacy-actions/auditd/stop
+sleep 1
+echo "Redirecting start to /bin/systemctl start auditd.service"
+/bin/systemctl start auditd.service
+RETVAL="$?"
+
+exit $RETVAL
diff --git a/framework/src/audit/init.d/auditd.resume b/framework/src/audit/init.d/auditd.resume
new file mode 100644
index 00000000..55c71a4b
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.resume
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Helper script to provide legacy auditd service options not 
+# directly supported by systemd
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  ||  exit 4
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+prog="auditd"
+source /etc/init.d/functions
+
+echo -n $"Resuming logging: "
+killproc $prog -USR2
+RETVAL=$?
+echo
+exit $RETVAL
diff --git a/framework/src/audit/init.d/auditd.rotate b/framework/src/audit/init.d/auditd.rotate
new file mode 100644
index 00000000..e89850a6
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.rotate
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Helper script to provide legacy auditd service options not 
+# directly supported by systemd
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  ||  exit 4
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+prog="auditd"
+source /etc/init.d/functions
+
+echo -n $"Rotating logs: "
+killproc $prog -USR1
+RETVAL=$?
+echo
+exit $RETVAL
diff --git a/framework/src/audit/init.d/auditd.service b/framework/src/audit/init.d/auditd.service
new file mode 100644
index 00000000..5921c1cd
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Security Auditing Service
+DefaultDependencies=no
+After=local-fs.target systemd-tmpfiles-setup.service
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+RefuseManualStop=yes
+ConditionKernelCommandLine=!audit=0
+
+[Service]
+ExecStart=/sbin/auditd -n
+## To use augenrules, copy this file to /etc/systemd/system/auditd.service
+## and uncomment the next line and delete/comment out the auditctl line.
+## Then copy existing rules to /etc/audit/rules.d/
+## Not doing this last step can cause loss of existing rules
+#ExecStartPost=-/sbin/augenrules --load
+ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/framework/src/audit/init.d/auditd.stop b/framework/src/audit/init.d/auditd.stop
new file mode 100644
index 00000000..009da23c
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.stop
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Helper script to provide legacy auditd service options not 
+# directly supported by systemd
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  ||  exit 4
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+prog="auditd"
+source /etc/init.d/functions
+
+echo -n $"Stopping logging: "
+killproc $prog -TERM
+RETVAL=$?
+echo
+exit $RETVAL
diff --git a/framework/src/audit/init.d/auditd.sysconfig b/framework/src/audit/init.d/auditd.sysconfig
new file mode 100644
index 00000000..1485539a
--- /dev/null
+++ b/framework/src/audit/init.d/auditd.sysconfig
@@ -0,0 +1,24 @@
+# Add extra options here
+EXTRAOPTIONS=""
+#
+# This is the locale information that audit uses. Its defaulted to en_US.
+# To remove all locale information from audit's environment, set
+# AUDITD_LANG to the empty string or the string "none".
+AUDITD_LANG="en_US"
+#
+# This option is used to determine if rules & watches should be deleted on
+# shutdown. This is beneficial in most cases so that a watch doesn't linger
+# on a drive that is being unmounted. If set to no, it will NOT be cleaned up.
+AUDITD_CLEAN_STOP="yes"
+#
+# This option determines whether the audit system should be disabled when
+# the audit daemon is shutdown
+AUDITD_STOP_DISABLE="yes"
+#
+# This option determines whether or not to call augenrules to compile the
+# audit.rule file from /etc/audit/rules.d. The default is "no" so that nothing
+# happens to existing rules. When setting this up, any existing rules need to
+# be copied into /etc/audit/rules.d or it will be lost when audit.rule gets
+# overwritten.
+USE_AUGENRULES="no"
+
diff --git a/framework/src/audit/init.d/augenrules b/framework/src/audit/init.d/augenrules
new file mode 100644
index 00000000..aa0758f6
--- /dev/null
+++ b/framework/src/audit/init.d/augenrules
@@ -0,0 +1,130 @@
+#!/bin/bash
+
+# Script to concatenate rules files found in a base audit rules directory
+# to form a single /etc/audit/audit.rules file suitable for loading into
+# the Linux audit system
+
+# When forming the interim rules file, both empty lines and comment
+# lines (starting with # or <whitespace>#) are stripped as the source files
+# are processed.
+#
+# Having formed the interim rules file, the script checks if the file is empty
+# or is identical to the existing /etc/audit/audit.rules and if either of
+# these cases are true, it does not replace the existing file
+#
+
+# Variables
+#
+# DestinationFile:
+#   Destination rules file
+# SourceRulesDir:
+#   Directory location to find component rule files
+# TmpRules:
+#   Temporary interim rules file
+# ASuffix:
+#   Suffix for previous audit.rules file if this script replaces it.
+#   The file is left in the destination directory with suffix with $ASuffix
+
+DestinationFile=/etc/audit/audit.rules
+SourceRulesDir=/etc/audit/rules.d
+TmpRules=`mktemp /tmp/aurules.XXXXXXXX`
+ASuffix="prev"
+OnlyCheck=0
+LoadRules=0
+RETVAL=0
+usage="Usage: $0 [--check|--load]"
+
+# Delete the interim file on faults
+trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
+
+try_load() {
+	if [ $LoadRules -eq 1 ] ; then
+		auditctl -R ${DestinationFile}
+		RETVAL=$?
+	fi
+}
+
+while [ $# -ge 1 ]
+do
+	if [ "$1" = "--check" ] ; then
+		OnlyCheck=1
+	elif [ "$1" = "--load" ] ; then
+		LoadRules=1
+	else
+		echo "$usage"
+		exit 1
+	fi
+	shift
+done
+
+# Check environment
+if [ ! -d ${SourceRulesDir} ]; then
+	echo "$0: No rules directory - ${SourceRulesDir}"
+	rm -f ${TmpRules}
+	try_load
+	exit 1
+fi
+
+# Create the interim rules file ensuring its access modes protect it
+# from normal users and strip empty lines and comment lines. We also ensure
+#   - the last processed -D directive without an option is emitted as the first
+#     line. -D directives with options are left in place
+#   - the last processed -b directory is emitted as the second line
+#   - the last processed -f directory is emitted as the third line
+#   - the last processed -e directive is emitted as the last line
+umask 0137
+echo "## This file is automatically generated from $SourceRulesDir" >> ${TmpRules}
+for rules in $(/bin/ls -1v ${SourceRulesDir} | grep ".rules$") ; do
+	cat ${SourceRulesDir}/${rules}
+done | awk '\
+BEGIN   {
+        minus_e = "";
+        minus_D = "";
+        minus_f = "";
+        minus_b = "";
+        rest = 0;
+} {
+        if (length($0) < 1) { next; }
+        if (match($0, "^\\s*#")) { next; }
+        if (match($0, "^\\s*-e")) { minus_e = $0; next; }
+        if (match($0, "^\\s*-D\\s*$")) { minus_D = $0; next; }
+        if (match($0, "^\\s*-f")) { minus_f = $0; next; }
+        if (match($0, "^\\s*-b")) { minus_b = $0; next; }
+        rules[rest++] = $0;
+}
+END     {
+        printf "%s\n%s\n%s\n", minus_D, minus_b, minus_f;
+        for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; }
+        printf "%s\n", minus_e;
+}' >> ${TmpRules}
+
+# If empty then quit
+if [ ! -s ${TmpRules} ]; then
+	echo "$0: No rules"
+	rm -f ${TmpRules}
+	try_load
+	exit $RETVAL
+fi
+
+# If the same then quit
+cmp -s ${TmpRules} ${DestinationFile} > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+	echo "$0: No change"
+	rm -f ${TmpRules}
+	try_load
+	exit $RETVAL
+elif [ $OnlyCheck -eq 1 ] ; then
+	echo "$0: Rules have changed and should be updated"
+	exit 0
+fi
+
+# Otherwise we install the new file
+if [ -f ${DestinationFile} ]; then
+	cp ${DestinationFile} ${DestinationFile}.prev
+fi
+# We copy the file so that it gets the right selinux lable
+cp ${TmpRules} ${DestinationFile}
+rm -f ${TmpRules}
+
+try_load
+exit $RETVAL
diff --git a/framework/src/audit/init.d/libaudit.conf b/framework/src/audit/init.d/libaudit.conf
new file mode 100644
index 00000000..90855d72
--- /dev/null
+++ b/framework/src/audit/init.d/libaudit.conf
@@ -0,0 +1,7 @@
+# This is the configuration file for libaudit tunables.
+# It is currently only used for the failure_action tunable.
+
+# failure_action can be: log, ignore, terminate
+failure_action = ignore
+
+