From: frank Date: Mon, 16 Jan 2012 13:29:53 +0000 (+0100) Subject: committing changes in /etc after emerge run X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=e590e2321349b25c6d123652cb842e08f54903d7;p=config%2Fbruni%2Fetc.git committing changes in /etc after emerge run Package changes: +sys-process/audit-1.7.4 --- diff --git a/.etckeeper b/.etckeeper index 3223c3aa..e8db243c 100755 --- a/.etckeeper +++ b/.etckeeper @@ -40,6 +40,21 @@ maybe chmod 0755 './X11/xinit/xinitrc.d' maybe chmod 0755 './X11/xinit/xinitrc.d/80-dbus' maybe chmod 0755 './X11/xinit/xinitrc.d/90-consolekit' maybe chmod 0600 './aiccu.conf' +maybe chmod 0755 './audisp' +maybe chmod 0640 './audisp/audisp-remote.conf' +maybe chmod 0640 './audisp/audispd.conf' +maybe chmod 0750 './audisp/plugins.d' +maybe chmod 0640 './audisp/plugins.d/af_unix.conf' +maybe chmod 0640 './audisp/plugins.d/au-remote.conf' +maybe chmod 0640 './audisp/plugins.d/audispd-zos-remote.conf' +maybe chmod 0640 './audisp/plugins.d/syslog.conf' +maybe chmod 0640 './audisp/zos-remote.conf' +maybe chmod 0755 './audit' +maybe chmod 0640 './audit/audit.rules' +maybe chmod 0640 './audit/audit.rules-2.1.3' +maybe chmod 0640 './audit/audit.rules.stop.post' +maybe chmod 0640 './audit/audit.rules.stop.pre' +maybe chmod 0640 './audit/auditd.conf' maybe chmod 0755 './bash' maybe chmod 0644 './bash/bash_logout' maybe chmod 0644 './bash/bashrc' @@ -59,6 +74,7 @@ maybe chmod 0755 './ca-certificates/update.d' maybe chmod 0644 './colordiffrc' maybe chmod 0644 './colordiffrc-lightbg' maybe chmod 0755 './conf.d' +maybe chmod 0644 './conf.d/auditd' maybe chmod 0644 './conf.d/bluetooth' maybe chmod 0644 './conf.d/bootmisc' maybe chmod 0644 './conf.d/consolefont' @@ -417,6 +433,7 @@ maybe chmod 0644 './hosts' maybe chmod 0755 './init.d' maybe chmod 0755 './init.d/NetworkManager' maybe chmod 0755 './init.d/aiccu' +maybe chmod 0755 './init.d/auditd' maybe chmod 0755 './init.d/bluetooth' maybe chmod 0755 './init.d/bootmisc' maybe chmod 0755 './init.d/consolefont' @@ -522,6 +539,7 @@ maybe chmod 0644 './ld.so.conf' maybe chmod 0755 './ld.so.conf.d' maybe chmod 0644 './ld.so.conf.d/05binutils.conf' maybe chmod 0440 './ldap.conf.sudo' +maybe chmod 0640 './libaudit.conf' maybe chmod 0644 './lisp-config.lisp' maybe chmod 0755 './local.d' maybe chmod 0644 './local.d/README' diff --git a/audisp/audisp-remote.conf b/audisp/audisp-remote.conf new file mode 100644 index 00000000..93d01c10 --- /dev/null +++ b/audisp/audisp-remote.conf @@ -0,0 +1,12 @@ +# +# This file controls the configuration of the audit remote +# logging subsystem, audisp-remote. +# + +remote_server = +port = 60 +transport = tcp +mode = immediate +queue_depth = 20 +fail_action = SYSLOG + diff --git a/audisp/audispd.conf b/audisp/audispd.conf new file mode 100644 index 00000000..9989dc23 --- /dev/null +++ b/audisp/audispd.conf @@ -0,0 +1,11 @@ +# +# This file controls the configuration of the audit event +# dispatcher daemon, audispd. +# + +q_depth = 80 +overflow_action = SYSLOG +priority_boost = 4 +name_format = HOSTNAME +#name = mydomain + diff --git a/audisp/plugins.d/af_unix.conf b/audisp/plugins.d/af_unix.conf new file mode 100644 index 00000000..8bba3e3d --- /dev/null +++ b/audisp/plugins.d/af_unix.conf @@ -0,0 +1,14 @@ + +# This file controls the configuration of the +# af_unix socket plugin. It simply takes events +# and writes them to a unix domain socket. This +# plugin can take 2 arguments, the path for the +# socket and the socket permissions in octal. + +active = yes +direction = out +path = builtin_af_unix +type = builtin +args = 0640 /var/run/audispd_events +format = string + diff --git a/audisp/plugins.d/au-remote.conf b/audisp/plugins.d/au-remote.conf new file mode 100644 index 00000000..e0adf96c --- /dev/null +++ b/audisp/plugins.d/au-remote.conf @@ -0,0 +1,12 @@ + +# This file controls the audispd data path to the +# remote event logger. This plugin will send events to +# a remote machine (Central Logger). + +active = no +direction = out +path = /sbin/audisp-remote +type = always +#args = +format = string + diff --git a/audisp/plugins.d/audispd-zos-remote.conf b/audisp/plugins.d/audispd-zos-remote.conf new file mode 100644 index 00000000..13aef2ce --- /dev/null +++ b/audisp/plugins.d/audispd-zos-remote.conf @@ -0,0 +1,14 @@ +# This is the configuration for the audispd-zos-remote +# audit dispatcher plugin - See audispd(8) +# +# Note that this specific plugin has a configuration file of +# its own. The complete path for this file must be entered as +# the argument for the plugin in the 'args' field below +# See audispd-zos-remote(8) + +active = no +direction = out +path = /sbin/audispd-zos-remote +type = always +args = /etc/audisp/zos-remote.conf +format = string diff --git a/audisp/plugins.d/syslog.conf b/audisp/plugins.d/syslog.conf new file mode 100644 index 00000000..a0c9df7d --- /dev/null +++ b/audisp/plugins.d/syslog.conf @@ -0,0 +1,10 @@ +# This file controls the configuration of the +# syslog plugin. It simply takes events and writes +# them to syslog. + +active = no +direction = out +path = builtin_syslog +type = builtin +args = LOG_INFO +format = string diff --git a/audisp/zos-remote.conf b/audisp/zos-remote.conf new file mode 100644 index 00000000..8cf85f71 --- /dev/null +++ b/audisp/zos-remote.conf @@ -0,0 +1,10 @@ +## This is the configuration file for the audispd-zos-remote +## Audit dispatcher plugin. +## See zos-remote.conf(5) for more information + +server = zos_server.localdomain +port = 389 +user = RACF_ID +password = racf_password +timeout = 15 +q_depth = 64 diff --git a/audit/audit.rules b/audit/audit.rules new file mode 100644 index 00000000..9d9578ec --- /dev/null +++ b/audit/audit.rules @@ -0,0 +1,25 @@ +# Copyright 1999-2005 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules,v 1.1 2006/06/22 07:41:46 robbat2 Exp $ +# +# This file contains the auditctl rules that are loaded +# whenever the audit daemon is started via the initscripts. +# The rules are simply the parameters that would be passed +# to auditctl. + +# First rule - delete all +# This is to clear out old rules, so we don't append to them. +-D + +# Feel free to add below this line. See auditctl man page + +# The following rule would cause all of the syscalls listed to be ignored in logging. +# -a entry,never -S read -S write -S open -S fstat -S fstat64 -S mmap -S brk -S munmap -S _llseek -S nanosleep -S fcntl64 -S close -S dup2 -S rt_sigaction -S stat64 -S stat + +# The following rule would cause the capture of all systems not caught above. +# -a entry,always -S all + +# Increase the buffers to survive stress events +-b 256 + +# vim:ft=conf: diff --git a/audit/audit.rules-2.1.3 b/audit/audit.rules-2.1.3 new file mode 100644 index 00000000..b2b4f02f --- /dev/null +++ b/audit/audit.rules-2.1.3 @@ -0,0 +1,26 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $ +# +# This file contains the auditctl rules that are loaded +# whenever the audit daemon is started via the initscripts. +# The rules are simply the parameters that would be passed +# to auditctl. + +# First rule - delete all +# This is to clear out old rules, so we don't append to them. +-D + +# Feel free to add below this line. See auditctl man page + +# The following rule would cause all of the syscalls listed to be ignored in logging. +-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat +-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat + +# The following rule would cause the capture of all systems not caught above. +# -a exit,always -S all + +# Increase the buffers to survive stress events +-b 8192 + +# vim:ft=conf: diff --git a/audit/audit.rules.stop.post b/audit/audit.rules.stop.post new file mode 100644 index 00000000..34db08cd --- /dev/null +++ b/audit/audit.rules.stop.post @@ -0,0 +1,13 @@ +# Copyright 1999-2005 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules.stop.post,v 1.1 2006/06/22 07:41:46 robbat2 Exp $ +# +# This file contains the auditctl rules that are loaded immediately after the +# audit deamon is stopped via the initscripts. +# The rules are simply the parameters that would be passed +# to auditctl. + +# Not used for the default Gentoo configuration as of v1.2.3 +# Paranoid security types might wish to reconfigure kauditd here. + +# vim:ft=conf: diff --git a/audit/audit.rules.stop.pre b/audit/audit.rules.stop.pre new file mode 100644 index 00000000..c5fb4f94 --- /dev/null +++ b/audit/audit.rules.stop.pre @@ -0,0 +1,16 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules.stop.pre,v 1.2 2011/09/11 02:58:55 robbat2 Exp $ +# +# This file contains the auditctl rules that are loaded immediately before the +# audit deamon is stopped via the initscripts. +# The rules are simply the parameters that would be passed +# to auditctl. + +# auditd is stopping, don't capture events anymore +-D + +# Disable kernel generating audit events +-e 0 + +# vim:ft=conf: diff --git a/audit/auditd.conf b/audit/auditd.conf new file mode 100644 index 00000000..e8071a0c --- /dev/null +++ b/audit/auditd.conf @@ -0,0 +1,25 @@ +# +# This file controls the configuration of the audit daemon +# + +log_file = /var/log/audit/audit.log +log_format = RAW +log_group = root +priority_boost = 4 +flush = INCREMENTAL +freq = 20 +num_logs = 4 +disp_qos = lossy +dispatcher = /sbin/audispd +name_format = NONE +##name = mydomain +max_log_file = 5 +max_log_file_action = ROTATE +space_left = 75 +space_left_action = SYSLOG +action_mail_acct = root +admin_space_left = 50 +admin_space_left_action = SUSPEND +disk_full_action = SUSPEND +disk_error_action = SUSPEND + diff --git a/conf.d/auditd b/conf.d/auditd new file mode 100644 index 00000000..e7222866 --- /dev/null +++ b/conf.d/auditd @@ -0,0 +1,16 @@ +# Copyright 1999-2005 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-conf.d-1.2.3,v 1.1 2006/06/22 07:41:46 robbat2 Exp $ + +# Configuration options for auditd +# -f for foreground mode +# There are some other options as well, but you'll have to look in the source +# code to find them as they aren't ready for use yet. +EXTRAOPTIONS='' + +# Audit rules file to run after starting auditd +RULEFILE_STARTUP=/etc/audit/audit.rules + +# Audit rules file to run before and after stopping auditd +RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre +RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post diff --git a/init.d/auditd b/init.d/auditd new file mode 100755 index 00000000..862a6bea --- /dev/null +++ b/init.d/auditd @@ -0,0 +1,58 @@ +#!/sbin/runscript +# Copyright 1999-2005 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-init.d-1.2.3,v 1.1 2006/06/22 07:41:46 robbat2 Exp $ + +start_auditd() { + ebegin "Starting auditd" + start-stop-daemon \ + --start --quiet --pidfile /var/run/auditd.pid \ + --exec /sbin/auditd -- ${EXTRAOPTIONS} + local ret=$? + eend $ret + return $ret +} + +stop_auditd() { + ebegin "Stopping auditd" + start-stop-daemon \ + --stop --quiet --pidfile /var/run/auditd.pid + local ret=$? + eend $ret + return $ret +} + + +loadfile() { + local rules="$1" + if [ -n "${rules}" -a -f "${rules}" ]; then + einfo "Loading audit rules from ${rules}" + /sbin/auditctl -R "${rules}" 1>/dev/null + return $? + else + return 0 + fi +} + +start() { + start_auditd + local ret=$? + if [ $ret -eq 0 ]; then + loadfile "${RULEFILE_STARTUP}" + fi + return $ret +} + +stop() { + loadfile "${RULEFILE_STOP_PRE}" + stop_auditd + local ret=$? + loadfile "${RULEFILE_STOP_POST}" + return $ret +} + +# This is a special case, we do not want to touch the rules at all +restart() { + stop_auditd + start_auditd +} diff --git a/libaudit.conf b/libaudit.conf new file mode 100644 index 00000000..90855d72 --- /dev/null +++ b/libaudit.conf @@ -0,0 +1,7 @@ +# This is the configuration file for libaudit tunables. +# It is currently only used for the failure_action tunable. + +# failure_action can be: log, ignore, terminate +failure_action = ignore + +