Hello community, here is the log from the commit of package audit checked in at Sun May 7 15:43:18 CEST 2006. -------- --- audit/audit.changes 2006-03-20 16:18:49.000000000 +0100 +++ STABLE/audit/audit.changes 2006-05-05 21:08:30.000000000 +0200 @@ -1,0 +2,5 @@ +Fri May 5 21:05:40 CEST 2006 - sbeattie@suse.de + +- disable syscall audit context creation by default #172154 + +------------------------------------------------------------------- New: ---- audit-1.1.3-disable-syscall-contexts.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ audit.spec ++++++ --- /var/tmp/diff_new_pack.JN8z6d/_old 2006-05-07 15:43:09.000000000 +0200 +++ /var/tmp/diff_new_pack.JN8z6d/_new 2006-05-07 15:43:09.000000000 +0200 @@ -14,7 +14,7 @@ BuildRequires: gcc-c++ pam-devel python-devel swig Summary: User Space Tools for 2.6 Kernel Auditing Version: 1.1.3 -Release: 14 +Release: 22 License: GPL Group: System/Monitoring URL: http://people.redhat.com/sgrubb/audit/ @@ -27,6 +27,7 @@ Patch3: %name-fix-broken-kernels.patch Patch4: %name-%version-warning-on-connrefused.patch Patch5: %name-%version-no-errormessage.patch +Patch6: %name-%version-disable-syscall-contexts.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: %{name}-libs = %{version}-%{release} PreReq: %insserv_prereq %fillup_prereq @@ -82,6 +83,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build autoreconf -fv --install 
@@ -169,6 +171,8 @@ %ghost /var/log/audit/audit.log %changelog -n audit +* Fri May 05 2006 - sbeattie@suse.de +- disable syscall audit context creation by default #172154 * Mon Mar 20 2006 - meissner@suse.de - Do not print a misleading errormessage when audit is not compiled into the kernel. #152733 ++++++ audit-1.1.3-disable-syscall-contexts.patch ++++++ audit-1.1.3/docs/auditd.8 | 5 +++++ audit-1.1.3/src/auditd.c | 31 ++++++++++++++++++++++--------- 2 files changed, 27 insertions(+), 9 deletions(-) Index: audit-1.1.3/src/auditd.c =================================================================== --- audit-1.1.3/src/auditd.c +++ audit-1.1.3/src/auditd.c @@ -36,6 +36,7 @@ #include <sys/wait.h> #include <fcntl.h> #include <pthread.h> +#include <getopt.h> #include "libaudit.h" #include "auditd-config.h" @@ -66,7 +67,7 @@ static int get_reply(int fd, struct audi */ static void usage(void) { - puts("Usage: auditd [ -f ]"); + puts("Usage: auditd [ -f ] [ -n ]"); exit(2); } @@ -201,16 +202,27 @@ int main(int argc, char *argv[]) struct auditd_reply_list *rep = NULL; struct rlimit limit; int hup_info_requested = 0; + int opt_foreground = 0; + int opt_enabled = 1; + int c; /* Get params && set mode */ - if (argc > 2) - usage(); - if (argc == 2) { - if (strcmp(argv[1], "-f") == 0) { - config.daemonize = D_FOREGROUND; - set_aumessage_mode(MSG_STDERR, DBG_YES); - } else + while ((c = getopt(argc, argv, "fn")) != -1) { + switch (c) { + case 'f': + opt_foreground = 1; + break; + case 'n': + opt_enabled = 0; + break; + default: usage(); + } + } + + if (opt_foreground) { + config.daemonize = D_FOREGROUND; + set_aumessage_mode(MSG_STDERR, DBG_YES); } else { config.daemonize = D_BACKGROUND; @@ -332,7 +344,7 @@ int main(int argc, char *argv[]) } /* Enable auditing just in case it was off */ - if (audit_set_enabled(fd, 1) < 0) { + if (audit_set_enabled(fd, opt_enabled) < 0) { char emsg[64]; snprintf(emsg, sizeof(emsg), "auditd error halt, auid=%u res=failed", 
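Review bot: After the new getopt() loop in main() nothing checks for leftover non-option arguments, so an invocation such as `auditd foo` now starts the daemon, where the removed argc checks ended in usage(). Adding `if (optind < argc) usage();` directly after the loop restores the old strictness. The `default:` case has no `break` and relies on usage() not returning (it calls exit(2) in the hunk above); a short comment such as `/* usage() does not return */` would make that explicit. main() starts and ends outside this hunk.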
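Review bot: With -n the changed call becomes `audit_set_enabled(fd, 0)`, which switches kernel auditing off rather than leaving it alone. The comment above it still reads "Enable auditing just in case it was off", and the auditd.8 text added in this patch only says the daemon does not enable it. Restarting auditd with -n on a host where auditing had been turned on with auditctl would therefore presumably stop audit records without any message. If leaving the kernel state untouched is the intent, guard the call with `if (opt_enabled && audit_set_enabled(fd, 1) < 0) {`; if disabling is intended, change the comment to `/* Enable auditing, or switch it off when -n was given */` and say so in the man page. The error branch continues outside the hunk.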
@@ -433,6 +445,7 @@ int main(int argc, char *argv[]) /* Write message to log that we are going down */ int rc; + audit_set_enabled(fd, 0); rc = audit_request_signal_info(fd); if (rc > 0) { struct audit_reply trep; Index: audit-1.1.3/docs/auditd.8 =================================================================== --- audit-1.1.3/docs/auditd.8 +++ audit-1.1.3/docs/auditd.8 @@ -4,6 +4,7 @@ auditd \- The Linux audit daemon .SH SYNOPSIS .B auditd [ \fI-f \fR] +[ \fI-n \fR] .SH DESCRIPTION auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the .B ausearch @@ -18,6 +19,10 @@ file. .TP \fB\-f\fR leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log. +.TP +\fB-n\fR +start the audit daemon, but do not enabled system call auditing in the kernel. +This can be done separately by using \fBauditctl -e\fR. .SH SIGNALS \fB\SIGHUP\fR causes auditd to reconfigure. This means that auditd re-reads the configuration file. If there are no syntax errors, it will proceed to implement the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the logs. If not successful, error handling is controlled by space_left_action, admin_space_left_action, disk_full_action, and disk_error_action parameters in auditd.conf. ++++++ auditd.init ++++++ --- audit/auditd.init 2006-03-06 13:38:38.000000000 +0100 +++ STABLE/audit/auditd.init 2006-05-06 06:58:44.000000000 +0200 
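Review bot: The added `audit_set_enabled(fd, 0);` in the shutdown path runs unconditionally and its return value is dropped, unlike the startup call, which tests `< 0`. Every stop of the daemon now turns kernel auditing off, also when auditd was started without -n or auditing was enabled separately with auditctl. That is a behaviour change an administrator should be able to read about in auditd.8 and in the code. I would check the result, `if (audit_set_enabled(fd, 0) < 0)` followed by an error message, and add a comment along the lines of `/* No daemon left to collect records: switch kernel auditing off */`. The enclosing block begins and ends outside the hunk.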
@@ -98,9 +98,12 @@ case "$1" in start) echo -n "Starting auditd " + if [ "$AUDITD_DISABLE_CONTEXTS" == "yes" ] ; then + EXTRAOPTIONS="$EXTRAOPTIONS -n" + fi ## Start daemon with startproc(8). If this fails ## the return value is set appropriately by startproc. - startproc $AUDITD_BIN + startproc $AUDITD_BIN $EXTRAOPTIONS test -f /etc/audit.rules && /sbin/auditctl -R /etc/audit.rules >/dev/null # Remember status and be verbose ++++++ auditd.sysconfig ++++++ --- audit/auditd.sysconfig 2006-01-13 11:15:02.000000000 +0100 +++ STABLE/audit/auditd.sysconfig 2006-05-06 07:24:48.000000000 +0200 @@ -11,18 +11,25 @@ # Add extra options here EXTRAOPTIONS="" # -# Type: string -# Default: "en_US" +## Type: string +## Default: "en_US" # # This is the locale information that audit uses. Its defaulted to en_US. # To remove all locale information from audit's environment, set # AUDITD_LANG to the empty string or the string "none". AUDITD_LANG="en_US" # -# Type: string -# Default: "yes" +## Type: string +## Default: "yes" # # This option is used to determine if rules & watches should be deleted on # shutdown. This is beneficial in most cases so that a watch doesn't linger # on a drive that is being unmounted. If set to no, it will NOT be cleaned up. AUDITD_CLEAN_STOP="yes" +# +## Type: yesno +## Default: yes +# +# This option disables syscall auditing by default. This can also be +# accomplished by auditctl -e. +AUDITD_DISABLE_CONTEXTS="yes" ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
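Review bot: The added test `[ "$AUDITD_DISABLE_CONTEXTS" == "yes" ]` uses `==`, which is a bash extension inside `[ ]`. The script's interpreter line is outside this hunk, so under a plain POSIX sh the comparison may fail and -n would never be passed; `[ "$AUDITD_DISABLE_CONTEXTS" = "yes" ]` works in both. `startproc $AUDITD_BIN $EXTRAOPTIONS` also starts forwarding whatever the sysconfig file puts into EXTRAOPTIONS, which was not passed before, so a comment noting that auditd accepts only -f and -n would help. The `case` statement starts and ends outside the hunk.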
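Review bot: The comment added for AUDITD_DISABLE_CONTEXTS does not say what the shipped value "yes" means for the operator. Going by the init script and auditd.c changes in this commit, auditd is then started with -n and calls `audit_set_enabled(fd, 0)`, so kernel auditing is off after boot until something turns it on. "auditctl -e" is also written without its argument. Suggested wording: `# "yes" starts auditd with -n, which leaves kernel auditing switched off;` followed by `# enable it with "auditctl -e 1" (e.g. from /etc/audit.rules) or set this to "no".`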