diff --git a/pkg/auditd/Dockerfile b/pkg/auditd/Dockerfile index 5c6027d98..816b4f0fe 100644 --- a/pkg/auditd/Dockerfile +++ b/pkg/auditd/Dockerfile @@ -1,15 +1,7 @@ -FROM linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1 AS build -RUN apk add abuild gcc git - -ADD build.sh / -RUN adduser -D -G abuild builder && sudo -u builder /build.sh - -FROM linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1 AS mirror -COPY --from=build /home/builder/*apk / +FROM linuxkit/alpine:4584958639b2378246371fe219f33b270667e22e AS mirror RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/ -RUN apk add --initdb -p /out alpine-baselayout busybox tini -RUN apk add --allow-untrusted -p /out /*apk +RUN apk add --initdb -p /out alpine-baselayout apk-tools audit busybox tini # Remove apk residuals. We have a read-only rootfs, so apk is of no use. RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache @@ -25,5 +17,3 @@ COPY audit.rules /etc/audit COPY runaudit.sh /usr/bin CMD ["/sbin/tini", "/usr/bin/runaudit.sh"] - -LABEL org.mobyproject.config='{"pid": "host", "binds": ["/var/log:/var/log"], "capabilities": ["CAP_AUDIT_CONTROL", "CAP_AUDIT_READ", "CAP_AUDIT_WRITE", "CAP_SYS_NICE"]}' diff --git a/pkg/auditd/build.sh b/pkg/auditd/build.sh deleted file mode 100755 index 57002aa08..000000000 --- a/pkg/auditd/build.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -AUDIT_HASH=59763dd8e587d1821f2d039b2bf446c3a31ea58e - -set -e - -cd /home/builder - -git clone https://github.com/alpinelinux/aports && cd aports && git checkout $AUDIT_HASH -cd testing/audit - -abuild-keygen -a -abuild -F -r - -find ~/packages -cp ~/packages/testing/$(abuild -A)/*apk ~ diff --git a/pkg/auditd/build.yml b/pkg/auditd/build.yml index 82454acfd..3388e2f64 100644 --- a/pkg/auditd/build.yml +++ b/pkg/auditd/build.yml @@ -1,2 +1,11 @@ image: auditd network: true +config: + pid: host + binds: + - /var/log:/var/log + capabilities: + - CAP_AUDIT_CONTROL + - CAP_AUDIT_READ + - CAP_AUDIT_WRITE + - CAP_SYS_NICE 
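Review bot: The new `RUN apk add --initdb -p /out alpine-baselayout apk-tools audit busybox tini` line installs `apk-tools` into the `/out` rootfs, while the step right after it deletes `/out/etc/apk`, `/out/lib/apk` and `/out/var/cache` with the comment that apk is of no use on a read-only rootfs. That presumably leaves the `apk` binary, without its database, in an image that build.yml runs with `pid: host` and the CAP_AUDIT_* capabilities. Unless `runaudit.sh` or a later stage needs it (neither is visible in this hunk), drop the package: `RUN apk add --initdb -p /out alpine-baselayout audit busybox tini`. The mirror stage continues past the end of this hunk.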
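Review bot: `network: true` stays as context above the new `config:` block, but the only step in this package that visibly needed network access was the `git clone https://github.com/alpinelinux/aports` in the deleted build.sh. If the `apk add` in the Dockerfile resolves `audit` from the package set shipped in the linuxkit/alpine base image, which the regenerated versions files suggest, the flag can be removed so the build no longer has network access. If it is still required, add a comment saying which step needs it, for example `# network needed for: <step>`.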
diff --git a/tools/alpine/packages b/tools/alpine/packages index 0d300913c..67f258660 100644 --- a/tools/alpine/packages +++ b/tools/alpine/packages @@ -4,6 +4,7 @@ alpine-keys apk-tools argp-standalone attr-dev +audit autoconf automake bash diff --git a/tools/alpine/versions.aarch64 b/tools/alpine/versions.aarch64 index c4b11353b..81b5e869b 100644 --- a/tools/alpine/versions.aarch64 +++ b/tools/alpine/versions.aarch64 @@ -1,13 +1,15 @@ -# linuxkit/alpine:dd9b3a4d8c6c7a21b8457aa3017d06eb97ed731c-arm64 +# linuxkit/alpine:9d29dc154440859d729ba864ffd67bb4c90e630d-arm64 # automatically generated list of installed packages abuild-3.1.0-r3 alpine-baselayout-3.0.5-r2 alpine-keys-2.1-r1 alsa-lib-1.1.4.1-r2 -apk-tools-2.8.1-r1 +apk-tools-2.8.1-r2 argp-standalone-1.3-r2 attr-2.4.47-r6 attr-dev-2.4.47-r6 +audit-2.7.7-r1 +audit-libs-2.7.7-r1 autoconf-2.69-r0 automake-1.15.1-r0 bash-4.4.12-r2 @@ -23,7 +25,7 @@ btrfs-progs-4.13.2-r0 btrfs-progs-dev-4.13.2-r0 btrfs-progs-libs-4.13.2-r0 build-base-0.5-r0 -busybox-1.27.2-r6 +busybox-1.27.2-r7 busybox-initscripts-3.1-r2 bzip2-1.0.6-r6 ca-certificates-20171114-r0 @@ -264,7 +266,7 @@ vim-8.0.1359-r0 wayland-libs-client-1.14.0-r2 wayland-libs-cursor-1.14.0-r2 wayland-libs-server-1.14.0-r2 -wireguard-tools-0.0.20171127-r0 +wireguard-tools-0.0.20171211-r0 wireless-tools-30_pre9-r0 wpa_supplicant-2.6-r8 xfsprogs-4.14.0-r0 diff --git a/tools/alpine/versions.x86_64 b/tools/alpine/versions.x86_64 index 2c6a5a1a3..7f037ed54 100644 --- a/tools/alpine/versions.x86_64 +++ b/tools/alpine/versions.x86_64 
@@ -1,13 +1,15 @@ -# linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1-amd64 +# linuxkit/alpine:4584958639b2378246371fe219f33b270667e22e-amd64 # automatically generated list of installed packages abuild-3.1.0-r3 alpine-baselayout-3.0.5-r2 alpine-keys-2.1-r1 alsa-lib-1.1.4.1-r2 -apk-tools-2.8.1-r1 +apk-tools-2.8.1-r2 argp-standalone-1.3-r2 attr-2.4.47-r6 attr-dev-2.4.47-r6 +audit-2.7.7-r1 +audit-libs-2.7.7-r1 autoconf-2.69-r0 automake-1.15.1-r0 bash-4.4.12-r2 @@ -23,7 +25,7 @@ btrfs-progs-4.13.2-r0 btrfs-progs-dev-4.13.2-r0 btrfs-progs-libs-4.13.2-r0 build-base-0.5-r0 -busybox-1.27.2-r6 +busybox-1.27.2-r7 busybox-initscripts-3.1-r2 bzip2-1.0.6-r6 ca-certificates-20171114-r0 @@ -116,7 +118,7 @@ libcap-2.25-r1 libcap-ng-0.7.8-r1 libcap-ng-dev-0.7.8-r1 libcom_err-1.43.7-r0 -libcrypto1.0-1.0.2m-r0 +libcrypto1.0-1.0.2n-r0 libcurl-7.57.0-r0 libdrm-2.4.88-r0 libedit-20170329.3.1-r3 @@ -163,7 +165,7 @@ libseccomp-2.3.2-r0 libseccomp-dev-2.3.2-r0 libsmartcols-2.31-r0 libssh2-1.8.0-r2 -libssl1.0-1.0.2m-r0 +libssl1.0-1.0.2n-r0 libstdc++-6.4.0-r5 libtasn1-4.12-r2 libtirpc-1.0.1-r2 @@ -212,8 +214,8 @@ openrc-0.24.1-r4 openssh-keygen-7.5_p1-r7 openssh-server-7.5_p1-r7 openssh-server-common-7.5_p1-r7 -openssl-1.0.2m-r0 -openssl-dev-1.0.2m-r0 +openssl-1.0.2n-r0 +openssl-dev-1.0.2n-r0 opus-1.2.1-r1 ovmf-0.0.20170624-r0 p11-kit-0.23.2-r2 @@ -272,7 +274,7 @@ vim-8.0.1359-r0 wayland-libs-client-1.14.0-r2 wayland-libs-cursor-1.14.0-r2 wayland-libs-server-1.14.0-r2 -wireguard-tools-0.0.20171127-r0 +wireguard-tools-0.0.20171211-r0 wireless-tools-30_pre9-r0 wpa_supplicant-2.6-r8 xfsprogs-4.14.0-r0