fangxiuning 2025-02-25 21:46:21 +08:00
parent 01c5459283
commit a6ce871024
3 changed files with 102 additions and 1 deletions


@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing
Name: audit
Epoch: 1
Version: 3.0.1
Release: 17
Release: 18
License: GPLv2+ and LGPLv2+
URL: https://people.redhat.com/sgrubb/audit/
Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -81,6 +81,8 @@ Patch69: backport-Fix-memory-leaks.patch
Patch70: backport-fix-one-more-leak.patch
Patch71: backport-Correct-output-when-displaying-rules-with-exe-path-d.patch
Patch72: backport-ausearch-format-Fix-display-of-renamed-file-411.patch
Patch73: backport-Fix-a-maybe-uninitialized-warning.patch
Patch74: backport-ausearch-parse-fix-parsing-for-success-uid-in-parse_.patch
BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
BuildRequires: openldap-devel krb5-devel libcap-ng-devel
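Review bot: Patch73 and Patch74 are numbered in the reverse of the order their diffs were generated in. The "maybe uninitialized" fix added here as Patch73 carries `index e15396d7..68e2b29e`, and e15396d7 is the post-image of the parse_daemon1() uid fix added as Patch74 (`index 4c9bef0d..e15396d7`). Applied in numeric order, Patch73 lands on a src/ausearch-parse.c that does not yet contain Patch74's change, so it may only apply by offset or fuzz matching. Swap the two numbers so the patches apply in the order they were written.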
@ -416,6 +418,9 @@ fi
%attr(644,root,root) %{_mandir}/man8/*.8.gz
%changelog
* Tue Feb 25 2025 fangxiuning <fangxiuning@huawei.com> - 1:3.0.1-18
- backport patches to fix bug
* Wed Dec 11 2024 wangjiang <app@cameyan.coom> - 1:3.0.1-17
- backport patches to fix bug
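Review bot: The new %changelog entry "backport patches to fix bug" is word for word the same as the 1:3.0.1-17 entry below it and does not say what changed. Name the two backports in the entry, for example that ausearch now finds uid= in DAEMON records regardless of field order and that a maybe-uninitialized warning in parse_daemon1() is fixed, so anyone checking which fixes a given release carries can tell from the changelog alone.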


@ -0,0 +1,53 @@
From 25d5458a396a07e56f36f651da2c51b528fb293a Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Thu, 2 Jan 2025 16:32:34 -0500
Subject: [PATCH] Fix a maybe uninitialized warning
Reference:https://github.com/linux-audit/audit-userspace/commit/25d5458a396a07e56f36f651da2c51b528fb293a
Conflict:NA
---
src/ausearch-parse.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index e15396d7..68e2b29e 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1556,7 +1556,7 @@ static int parse_daemon1(const lnode *n, search_items *s)
if (str) {
ptr = str + 5;
term = strchr(ptr, ' ');
- if (term == NULL)
+ if (term == NULL)
return 7;
saved = *term;
*term = 0;
@@ -1565,13 +1565,11 @@ static int parse_daemon1(const lnode *n, search_items *s)
if (errno)
return 8;
*term = saved;
- } else
- term = ptr;
+ }
}
// ses - optional
if (event_session_id != -2) {
- ptr = term;
str = strstr(term, "ses=");
if (str) {
ptr = str + 4;
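Review bot: After this hunk, `strstr(term, "ses=")` is the first use of `term` in the ses block, and no visible line in either block assigns `term` when ` uid=` is not found or when the uid block is skipped. The start position then depends on code above the hunk; the only reset visible in this commit is `term = mptr;` from the other backport, and that sits inside `if (event_uid != -1)`. Please confirm against the 3.0.1 source that `term` is always set and still points into the record on those paths, and consider a short comment above the ses lookup stating that invariant.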
@@ -1585,8 +1583,7 @@ static int parse_daemon1(const lnode *n, search_items *s)
if (errno)
return 10;
*term = saved;
- } else
- term = ptr;
+ }
}
if (event_subject) {
--
2.33.0


@ -0,0 +1,43 @@
From f97f0579fafcd9fc58d892699a22ae7ee68aeff3 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 16 Dec 2024 09:06:13 +0000
Subject: [PATCH] ausearch-parse: fix parsing for success/uid in
parse_daemon1() (#394)
In parse_daemon1(), we may have the uid= field appear both before and
after pid=, which may cause our parsing of it to fail, as we may have
skipped past it. For uid=, let us search from the beginning.
Example for this case:
type=DAEMON_END msg=audit(1709723032.140:753): op=terminate auid=0 uid=0 ses=8 pid=107086 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
ausearch -if sample.log -a 753 -m DAEMON_END -ui 0 --session 8 -p 107086 --success yes
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Reference:https://github.com/linux-audit/audit-userspace/commit/f97f0579fafcd9fc58d892699a22ae7ee68aeff3
Conflict:NA
---
src/ausearch-parse.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 4c9bef0d..e15396d7 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1549,7 +1549,9 @@ static int parse_daemon1(const lnode *n, search_items *s)
// uid - optional
if (event_uid != -1) {
- ptr = term;
+ // As the uid= field may happen in different orders, e.g. both before
+ // and after pid=, let us search for the uid from the beginning.
+ term = mptr;
str = strstr(term, " uid=");
if (str) {
ptr = str + 5;
--
2.33.0
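Review bot: Only the uid lookup is restarted from `mptr`, so the field-ordering problem described in the commit message can still occur for the ses lookup that follows it in parse_daemon1(), which searches with `strstr(term, "ses=")` from wherever the uid block left `term`. The sample record has ses=8 after uid=0 and therefore does not exercise that case. Consider giving the ses lookup the same treatment, and adding the sample DAEMON_END line and ausearch command from the message as a regression check in the package, together with a variant where ses= precedes uid=.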