diff options
Diffstat (limited to 'framework/src/audit/init.d')
| -rw-r--r-- | framework/src/audit/init.d/Makefile.am | 82 | ||||
| -rw-r--r-- | framework/src/audit/init.d/audispd.conf | 12 | ||||
| -rw-r--r-- | framework/src/audit/init.d/audit.rules | 14 | ||||
| -rw-r--r-- | framework/src/audit/init.d/auditd.condrestart | 7 | ||||
| -rw-r--r-- | framework/src/audit/init.d/auditd.conf | 32 | ||||
| -rw-r--r-- | framework/src/audit/init.d/auditd.cron | 14 | ||||
| -rwxr-xr-x | framework/src/audit/init.d/auditd.init | 175 | ||||
| -rwxr-xr-x | framework/src/audit/init.d/auditd.restart | 13 | ||||
| -rw-r--r-- | framework/src/audit/init.d/auditd.resume | 16 | ||||
| -rw-r--r-- | framework/src/audit/init.d/auditd.rotate | 16 | ||||
| -rw-r--r-- | framework/src/audit/init.d/auditd.service | 22 | ||||
| -rw-r--r-- | framework/src/audit/init.d/auditd.stop | 16 | ||||
| -rw-r--r-- | framework/src/audit/init.d/auditd.sysconfig | 24 | ||||
| -rw-r--r-- | framework/src/audit/init.d/augenrules | 130 | ||||
| -rw-r--r-- | framework/src/audit/init.d/libaudit.conf | 7 |
15 files changed, 580 insertions, 0 deletions
diff --git a/framework/src/audit/init.d/Makefile.am b/framework/src/audit/init.d/Makefile.am new file mode 100644 index 00000000..521dd1d0 --- /dev/null +++ b/framework/src/audit/init.d/Makefile.am @@ -0,0 +1,82 @@ +# Makefile.am-- +# Copyright 2004-07,2012-13 Red Hat Inc., Durham, North Carolina. +# All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Authors: +# Steve Grubb <sgrubb@redhat.com> +# + +CONFIG_CLEAN_FILES = *.rej *.orig +EXTRA_DIST = auditd.init auditd.service auditd.sysconfig auditd.conf \ + audit.rules auditd.cron libaudit.conf audispd.conf auditd.condrestart \ + auditd.restart auditd.resume auditd.rotate auditd.stop augenrules +libconfig = libaudit.conf +dispconfig = audispd.conf +dispconfigdir = $(sysconfdir)/audisp +if ENABLE_SYSTEMD +initdir = /usr/lib/systemd/system +legacydir = $(libexecdir)/initscripts/legacy-actions/auditd +else +initdir = $(sysconfdir)/rc.d/init.d +sysconfigdir = $(sysconfdir)/sysconfig +endif + +auditdir = $(sysconfdir)/audit +auditrdir = $(auditdir)/rules.d +dist_audit_DATA = auditd.conf +dist_auditr_DATA = audit.rules +sbin_SCRIPTS = augenrules + +install-data-hook: + $(INSTALL_DATA) -D -m 640 ${srcdir}/${dispconfig} ${DESTDIR}${dispconfigdir} + $(INSTALL_DATA) -D -m 640 ${srcdir}/${libconfig} ${DESTDIR}${sysconfdir} +if ENABLE_SYSTEMD +else + $(INSTALL_DATA) -D -m 640 ${srcdir}/auditd.sysconfig ${DESTDIR}${sysconfigdir}/auditd +endif + +install-exec-hook: +if ENABLE_SYSTEMD + mkdir -p ${DESTDIR}${initdir} + mkdir -p ${DESTDIR}${legacydir} + $(INSTALL_SCRIPT) -D -m 640 ${srcdir}/auditd.service ${DESTDIR}${initdir} + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.stop ${DESTDIR}${legacydir}/stop + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.restart ${DESTDIR}${legacydir}/restart + $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.condrestart ${DESTDIR}${legacydir}/condrestart +else + $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd +endif + chmod 0750 $(DESTDIR)$(sbindir)/augenrules + + +uninstall-hook: + rm ${DESTDIR}${dispconfigdir}/${dispconfig} + rm ${DESTDIR}${sysconfdir}/${libconfig} +if ENABLE_SYSTEMD + rm ${DESTDIR}${initdir}/auditd.service + rm ${DESTDIR}${legacydir}/rotate + rm ${DESTDIR}${legacydir}/resume + rm ${DESTDIR}${legacydir}/stop + rm ${DESTDIR}${legacydir}/restart + rm ${DESTDIR}${legacydir}/condrestart +else + rm ${DESTDIR}${sysconfigdir}/auditd + rm ${DESTDIR}${initdir}/auditd +endif + diff --git a/framework/src/audit/init.d/audispd.conf b/framework/src/audit/init.d/audispd.conf new file mode 100644 index 00000000..ee50e5b3 --- /dev/null +++ b/framework/src/audit/init.d/audispd.conf @@ -0,0 +1,12 @@ +# +# This file controls the configuration of the audit event +# dispatcher daemon, audispd. +# + +q_depth = 150 +overflow_action = SYSLOG +priority_boost = 4 +max_restarts = 10 +name_format = HOSTNAME +#name = mydomain + diff --git a/framework/src/audit/init.d/audit.rules b/framework/src/audit/init.d/audit.rules new file mode 100644 index 00000000..479ff470 --- /dev/null +++ b/framework/src/audit/init.d/audit.rules @@ -0,0 +1,14 @@ +# This file contains the auditctl rules that are loaded +# whenever the audit daemon is started via the initscripts. +# The rules are simply the parameters that would be passed +# to auditctl. + +# First rule - delete all +-D + +# Increase the buffers to survive stress events. +# Make this bigger for busy systems +-b 320 + +# Feel free to add below this line. See auditctl man page + diff --git a/framework/src/audit/init.d/auditd.condrestart b/framework/src/audit/init.d/auditd.condrestart new file mode 100644 index 00000000..efbaaa85 --- /dev/null +++ b/framework/src/audit/init.d/auditd.condrestart @@ -0,0 +1,7 @@ +#!/bin/sh +# Helper script to provide legacy auditd service options not +# directly supported by systemd. + +/usr/libexec/initscripts/legacy-actions/auditd/restart +RETVAL="$?" +exit $RETVAL diff --git a/framework/src/audit/init.d/auditd.conf b/framework/src/audit/init.d/auditd.conf new file mode 100644 index 00000000..fdc93f0e --- /dev/null +++ b/framework/src/audit/init.d/auditd.conf @@ -0,0 +1,32 @@ +# +# This file controls the configuration of the audit daemon +# + +log_file = /var/log/audit/audit.log +log_format = RAW +log_group = root +priority_boost = 4 +flush = INCREMENTAL +freq = 20 +num_logs = 5 +disp_qos = lossy +dispatcher = /sbin/audispd +name_format = NONE +##name = mydomain +max_log_file = 6 +max_log_file_action = ROTATE +space_left = 75 +space_left_action = SYSLOG +action_mail_acct = root +admin_space_left = 50 +admin_space_left_action = SUSPEND +disk_full_action = SUSPEND +disk_error_action = SUSPEND +##tcp_listen_port = +tcp_listen_queue = 5 +tcp_max_per_addr = 1 +##tcp_client_ports = 1024-65535 +tcp_client_max_idle = 0 +enable_krb5 = no +krb5_principal = auditd +##krb5_key_file = /etc/audit/audit.key diff --git a/framework/src/audit/init.d/auditd.cron b/framework/src/audit/init.d/auditd.cron new file mode 100644 index 00000000..7b898697 --- /dev/null +++ b/framework/src/audit/init.d/auditd.cron @@ -0,0 +1,14 @@ +#!/bin/sh + +########## +# This script can be installed to get a daily log rotation +# based on a cron job. +########## + +/sbin/service auditd rotate +EXITVALUE=$? +if [ $EXITVALUE != 0 ]; then + /usr/bin/logger -t auditd "ALERT exited abnormally with [$EXITVALUE]" +fi +exit 0 + diff --git a/framework/src/audit/init.d/auditd.init b/framework/src/audit/init.d/auditd.init new file mode 100755 index 00000000..ccf8afb1 --- /dev/null +++ b/framework/src/audit/init.d/auditd.init @@ -0,0 +1,175 @@ +#!/bin/bash +# +# auditd This starts and stops auditd +# +# chkconfig: 2345 11 88 +# description: This starts the Linux Auditing System Daemon, \ +# which collects security related events in a dedicated \ +# audit log. If this daemon is turned off, audit events \ +# will be sent to syslog. +# +# processname: /sbin/auditd +# config: /etc/sysconfig/auditd +# config: /etc/audit/auditd.conf +# pidfile: /var/run/auditd.pid +# +# Return values according to LSB for all commands but status: +# 0 - success +# 1 - generic or unspecified error +# 2 - invalid or excess argument(s) +# 3 - unimplemented feature (e.g. "reload") +# 4 - insufficient privilege +# 5 - program is not installed +# 6 - program is not configured +# 7 - program is not running +# + + +PATH=/sbin:/bin:/usr/bin:/usr/sbin +prog="auditd" + +# Source function library. +. /etc/init.d/functions + +# Allow anyone to run status +if [ "$1" = "status" ] ; then + status $prog + RETVAL=$? + exit $RETVAL +fi + +# Check that we are root ... so non-root users stop here +test $EUID = 0 || exit 4 + +# Check config +test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd + +RETVAL=0 + +start(){ + test -x /sbin/auditd || exit 5 + test -f /etc/audit/auditd.conf || exit 6 + + echo -n $"Starting $prog: " + +# Localization for auditd is controlled in /etc/synconfig/auditd + if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then + unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + else + LANG="$AUDITD_LANG" + LC_TIME="$AUDITD_LANG" + LC_ALL="$AUDITD_LANG" + LC_MESSAGES="$AUDITD_LANG" + LC_NUMERIC="$AUDITD_LANG" + LC_MONETARY="$AUDITD_LANG" + LC_COLLATE="$AUDITD_LANG" + export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + fi + unset HOME MAIL USER USERNAME + daemon $prog "$EXTRAOPTIONS" + RETVAL=$? + echo + if test $RETVAL = 0 ; then + touch /var/lock/subsys/auditd + # Prepare the default rules + if test x"$USE_AUGENRULES" != "x" ; then + if test "`echo $USE_AUGENRULES | tr 'NO' 'no'`" != "no" + then + test -d /etc/audit/rules.d && /sbin/augenrules + fi + fi + # Load the default rules + test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null + fi + return $RETVAL +} + +stop(){ + echo -n $"Stopping $prog: " + killproc $prog + RETVAL=$? + echo + rm -f /var/lock/subsys/auditd + # Remove watches so shutdown works cleanly + if test x"$AUDITD_CLEAN_STOP" != "x" ; then + if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" != "no" + then + /sbin/auditctl -D >/dev/null + fi + fi + if test x"$AUDITD_STOP_DISABLE" != "x" ; then + if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" != "no" + then + /sbin/auditctl -e 0 >/dev/null + fi + fi + return $RETVAL +} + +reload(){ + test -f /etc/audit/auditd.conf || exit 6 + echo -n $"Reloading configuration: " + killproc $prog -HUP + RETVAL=$? + echo + return $RETVAL +} + +rotate(){ + echo -n $"Rotating logs: " + killproc $prog -USR1 + RETVAL=$? + echo + return $RETVAL +} + +resume(){ + echo -n $"Resuming logging: " + killproc $prog -USR2 + RETVAL=$? + echo + return $RETVAL +} + +restart(){ + test -f /etc/audit/auditd.conf || exit 6 + stop + start +} + +condrestart(){ + [ -e /var/lock/subsys/auditd ] && restart + return 0 +} + + +# See how we were called. +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + restart + ;; + reload|force-reload) + reload + ;; + rotate) + rotate + ;; + resume) + resume + ;; + condrestart|try-restart) + condrestart + ;; + *) + echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|rotate|resume}" + RETVAL=3 +esac + +exit $RETVAL + diff --git a/framework/src/audit/init.d/auditd.restart b/framework/src/audit/init.d/auditd.restart new file mode 100755 index 00000000..42669ff1 --- /dev/null +++ b/framework/src/audit/init.d/auditd.restart @@ -0,0 +1,13 @@ +#!/bin/sh +# Helper script to provide legacy auditd service options not +# directly supported by systemd. + +test -f /etc/audit/auditd.conf || exit 6 + +/usr/libexec/initscripts/legacy-actions/auditd/stop +sleep 1 +echo "Redirecting start to /bin/systemctl start auditd.service" +/bin/systemctl start auditd.service +RETVAL="$?" + +exit $RETVAL diff --git a/framework/src/audit/init.d/auditd.resume b/framework/src/audit/init.d/auditd.resume new file mode 100644 index 00000000..55c71a4b --- /dev/null +++ b/framework/src/audit/init.d/auditd.resume @@ -0,0 +1,16 @@ +#!/bin/sh +# Helper script to provide legacy auditd service options not +# directly supported by systemd + +# Check that we are root ... so non-root users stop here +test $EUID = 0 || exit 4 + +PATH=/sbin:/bin:/usr/bin:/usr/sbin +prog="auditd" +source /etc/init.d/functions + +echo -n $"Resuming logging: " +killproc $prog -USR2 +RETVAL=$? +echo +exit $RETVAL diff --git a/framework/src/audit/init.d/auditd.rotate b/framework/src/audit/init.d/auditd.rotate new file mode 100644 index 00000000..e89850a6 --- /dev/null +++ b/framework/src/audit/init.d/auditd.rotate @@ -0,0 +1,16 @@ +#!/bin/sh +# Helper script to provide legacy auditd service options not +# directly supported by systemd + +# Check that we are root ... so non-root users stop here +test $EUID = 0 || exit 4 + +PATH=/sbin:/bin:/usr/bin:/usr/sbin +prog="auditd" +source /etc/init.d/functions + +echo -n $"Rotating logs: " +killproc $prog -USR1 +RETVAL=$? +echo +exit $RETVAL diff --git a/framework/src/audit/init.d/auditd.service b/framework/src/audit/init.d/auditd.service new file mode 100644 index 00000000..5921c1cd --- /dev/null +++ b/framework/src/audit/init.d/auditd.service @@ -0,0 +1,22 @@ +[Unit] +Description=Security Auditing Service +DefaultDependencies=no +After=local-fs.target systemd-tmpfiles-setup.service +Conflicts=shutdown.target +Before=sysinit.target shutdown.target +RefuseManualStop=yes +ConditionKernelCommandLine=!audit=0 + +[Service] +ExecStart=/sbin/auditd -n +## To use augenrules, copy this file to /etc/systemd/system/auditd.service +## and uncomment the next line and delete/comment out the auditctl line. +## Then copy existing rules to /etc/audit/rules.d/ +## Not doing this last step can cause loss of existing rules +#ExecStartPost=-/sbin/augenrules --load +ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target + diff --git a/framework/src/audit/init.d/auditd.stop b/framework/src/audit/init.d/auditd.stop new file mode 100644 index 00000000..009da23c --- /dev/null +++ b/framework/src/audit/init.d/auditd.stop @@ -0,0 +1,16 @@ +#!/bin/sh +# Helper script to provide legacy auditd service options not +# directly supported by systemd + +# Check that we are root ... so non-root users stop here +test $EUID = 0 || exit 4 + +PATH=/sbin:/bin:/usr/bin:/usr/sbin +prog="auditd" +source /etc/init.d/functions + +echo -n $"Stopping logging: " +killproc $prog -TERM +RETVAL=$? +echo +exit $RETVAL diff --git a/framework/src/audit/init.d/auditd.sysconfig b/framework/src/audit/init.d/auditd.sysconfig new file mode 100644 index 00000000..1485539a --- /dev/null +++ b/framework/src/audit/init.d/auditd.sysconfig @@ -0,0 +1,24 @@ +# Add extra options here +EXTRAOPTIONS="" +# +# This is the locale information that audit uses. Its defaulted to en_US. +# To remove all locale information from audit's environment, set +# AUDITD_LANG to the empty string or the string "none". +AUDITD_LANG="en_US" +# +# This option is used to determine if rules & watches should be deleted on +# shutdown. This is beneficial in most cases so that a watch doesn't linger +# on a drive that is being unmounted. If set to no, it will NOT be cleaned up. +AUDITD_CLEAN_STOP="yes" +# +# This option determines whether the audit system should be disabled when +# the audit daemon is shutdown +AUDITD_STOP_DISABLE="yes" +# +# This option determines whether or not to call augenrules to compile the +# audit.rule file from /etc/audit/rules.d. The default is "no" so that nothing +# happens to existing rules. When setting this up, any existing rules need to +# be copied into /etc/audit/rules.d or it will be lost when audit.rule gets +# overwritten. +USE_AUGENRULES="no" + diff --git a/framework/src/audit/init.d/augenrules b/framework/src/audit/init.d/augenrules new file mode 100644 index 00000000..aa0758f6 --- /dev/null +++ b/framework/src/audit/init.d/augenrules @@ -0,0 +1,130 @@ +#!/bin/bash + +# Script to concatenate rules files found in a base audit rules directory +# to form a single /etc/audit/audit.rules file suitable for loading into +# the Linux audit system + +# When forming the interim rules file, both empty lines and comment +# lines (starting with # or <whitespace>#) are stripped as the source files +# are processed. +# +# Having formed the interim rules file, the script checks if the file is empty +# or is identical to the existing /etc/audit/audit.rules and if either of +# these cases are true, it does not replace the existing file +# + +# Variables +# +# DestinationFile: +# Destination rules file +# SourceRulesDir: +# Directory location to find component rule files +# TmpRules: +# Temporary interim rules file +# ASuffix: +# Suffix for previous audit.rules file if this script replaces it. +# The file is left in the destination directory with suffix with $ASuffix + +DestinationFile=/etc/audit/audit.rules +SourceRulesDir=/etc/audit/rules.d +TmpRules=`mktemp /tmp/aurules.XXXXXXXX` +ASuffix="prev" +OnlyCheck=0 +LoadRules=0 +RETVAL=0 +usage="Usage: $0 [--check|--load]" + +# Delete the interim file on faults +trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15 + +try_load() { + if [ $LoadRules -eq 1 ] ; then + auditctl -R ${DestinationFile} + RETVAL=$? + fi +} + +while [ $# -ge 1 ] +do + if [ "$1" = "--check" ] ; then + OnlyCheck=1 + elif [ "$1" = "--load" ] ; then + LoadRules=1 + else + echo "$usage" + exit 1 + fi + shift +done + +# Check environment +if [ ! -d ${SourceRulesDir} ]; then + echo "$0: No rules directory - ${SourceRulesDir}" + rm -f ${TmpRules} + try_load + exit 1 +fi + +# Create the interim rules file ensuring its access modes protect it +# from normal users and strip empty lines and comment lines. We also ensure +# - the last processed -D directive without an option is emitted as the first +# line. -D directives with options are left in place +# - the last processed -b directory is emitted as the second line +# - the last processed -f directory is emitted as the third line +# - the last processed -e directive is emitted as the last line +umask 0137 +echo "## This file is automatically generated from $SourceRulesDir" >> ${TmpRules} +for rules in $(/bin/ls -1v ${SourceRulesDir} | grep ".rules$") ; do + cat ${SourceRulesDir}/${rules} +done | awk '\ +BEGIN { + minus_e = ""; + minus_D = ""; + minus_f = ""; + minus_b = ""; + rest = 0; +} { + if (length($0) < 1) { next; } + if (match($0, "^\\s*#")) { next; } + if (match($0, "^\\s*-e")) { minus_e = $0; next; } + if (match($0, "^\\s*-D\\s*$")) { minus_D = $0; next; } + if (match($0, "^\\s*-f")) { minus_f = $0; next; } + if (match($0, "^\\s*-b")) { minus_b = $0; next; } + rules[rest++] = $0; +} +END { + printf "%s\n%s\n%s\n", minus_D, minus_b, minus_f; + for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; } + printf "%s\n", minus_e; +}' >> ${TmpRules} + +# If empty then quit +if [ ! -s ${TmpRules} ]; then + echo "$0: No rules" + rm -f ${TmpRules} + try_load + exit $RETVAL +fi + +# If the same then quit +cmp -s ${TmpRules} ${DestinationFile} > /dev/null 2>&1 +if [ $? -eq 0 ]; then + echo "$0: No change" + rm -f ${TmpRules} + try_load + exit $RETVAL +elif [ $OnlyCheck -eq 1 ] ; then + echo "$0: Rules have changed and should be updated" + exit 0 +fi + +# Otherwise we install the new file +if [ -f ${DestinationFile} ]; then + cp ${DestinationFile} ${DestinationFile}.prev +fi +# We copy the file so that it gets the right selinux lable +cp ${TmpRules} ${DestinationFile} +rm -f ${TmpRules} + +try_load +exit $RETVAL diff --git a/framework/src/audit/init.d/libaudit.conf b/framework/src/audit/init.d/libaudit.conf new file mode 100644 index 00000000..90855d72 --- /dev/null +++ b/framework/src/audit/init.d/libaudit.conf @@ -0,0 +1,7 @@ +# This is the configuration file for libaudit tunables. +# It is currently only used for the failure_action tunable. + +# failure_action can be: log, ignore, terminate +failure_action = ignore + + |