From: Steve Grubb <sgrubb@redhat.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: audit-1.7.15 released
Date: Fri, 16 Oct 2009 14:35:27 -0400
Message-ID: <200910161435.27697.sgrubb@redhat.com>

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- In audisp-remote, add a sigchld handler
- In auditd, check for duplicate remote connections before accepting
- Remove trailing ':' if any are at the end of acct fields in ausearch
- Update remote logging code to do better sanity check of data
- Fix audisp-prelude to prefer files if multiple path records are encountered

Audisp-remote was leaving zombie processes when one of the _action config 
options was set to exec. Auditd was also not checking for duplicate connections 
from the same machine before accepting.

There were a couple of networking packet length check problems reported by 
Sebastian Krahmer of Suse. The most serious issue was in the gssapi code. 
After checking with other distributions, none had enabled this code. So, 
likely this is not a problem for most people. If you roll your own package and 
enable gssapi support, it is recommended for you to upgrade. The main issue 
was that the packet length from the network packet itself was not sanitized 
before trusting it. It's believed that this will eventually lead to a problem in 
the kerberos libraries. A few other places in the code were found to be 
trusting the packet length. Analysis found that nothing bad happens in these 
other places. They would all eventually lead to a read of 0 length and auditd 
will disconnect without logging the malicious event. It should be pointed out 
that if you use remote logging, you want to specify the tcp_client_ports to be 
< 1024 to make sure only processes with CAP_NET_BIND_SERVICE can send audit 
events.

Ausearch now trims ':' from acct records in AUDIT_LOGIN events so that it can 
be interpreted correctly, and the audisp-prelude plugin was choosing the first 
audit record when multiple path records are in the same event. In many cases 
this would be a directory, but we now look for the record whose mode field 
indicates that the object is a file.

Please let me know if you run across any problems with this release.

-Steve
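As an added example (not the audit project's code), the class of check the announcement describes, written in C from the receiver's side: a length field taken from the wire is bounded against both the receiver's own maximum and the bytes actually received before anything reads that far, and a small helper expresses the privileged-port property that the tcp_client_ports advice relies on. The 4-byte big-endian framing, the MAX_PAYLOAD limit, the sample bytes and all function names are assumptions made for the illustration.

```c
/* Added example, not auditd's own code: bound an untrusted length field
 * in a framed network record before using it, and check that a peer's
 * source port is a privileged one. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed wire format (an assumption for illustration): a 4-byte
 * big-endian payload length followed by that many payload bytes. */
#define HDR_LEN 4
#define MAX_PAYLOAD 8192   /* the most a receiver is willing to buffer */

enum frame_status {
    FRAME_OK = 0,
    FRAME_NEED_MORE,    /* header or payload not fully received yet */
    FRAME_TOO_LARGE,    /* declared length exceeds the receiver's limit */
    FRAME_EMPTY         /* zero-length payload: treat as a protocol error */
};

/* Parse the frame at buf[0..avail). On FRAME_OK, *payload and *plen
 * describe the payload and *consumed the bytes to drop from the buffer.
 * The declared length is not trusted until it has been bounded both by
 * MAX_PAYLOAD and by the number of bytes actually present. */
enum frame_status parse_frame(const uint8_t *buf, size_t avail,
                              const uint8_t **payload, size_t *plen,
                              size_t *consumed)
{
    if (avail < HDR_LEN)
        return FRAME_NEED_MORE;

    uint32_t declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];

    if (declared == 0)
        return FRAME_EMPTY;
    if (declared > MAX_PAYLOAD)
        return FRAME_TOO_LARGE;     /* reject before any allocation or read */
    if (avail - HDR_LEN < declared)
        return FRAME_NEED_MORE;     /* never read past the received bytes */

    *payload = buf + HDR_LEN;
    *plen = declared;
    *consumed = HDR_LEN + declared;
    return FRAME_OK;
}

/* Binding a TCP source port below 1024 requires CAP_NET_BIND_SERVICE (or
 * root) on Linux; that is the property behind restricting tcp_client_ports. */
int peer_port_is_privileged(uint16_t port)
{
    return port != 0 && port < 1024;
}

/* Constructed samples; each returns 1 when the parser behaves as intended. */
int check_good_frame(void)
{
    const uint8_t good[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t *p; size_t n, used;
    return parse_frame(good, sizeof good, &p, &n, &used) == FRAME_OK
           && n == 5 && used == 9;
}

int check_oversized_frame(void)
{
    /* header claims 0xFFFFFFFF bytes; only one byte follows */
    const uint8_t huge[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'x' };
    const uint8_t *p; size_t n, used;
    return parse_frame(huge, sizeof huge, &p, &n, &used) == FRAME_TOO_LARGE;
}

int check_truncated_frame(void)
{
    /* header claims 5 bytes but only 3 have arrived so far */
    const uint8_t part[] = { 0, 0, 0, 5, 'h', 'e', 'l' };
    const uint8_t *p; size_t n, used;
    return parse_frame(part, sizeof part, &p, &n, &used) == FRAME_NEED_MORE;
}

int main(void)
{
    printf("good frame parsed: %d\n", check_good_frame());
    printf("oversized rejected: %d\n", check_oversized_frame());
    printf("truncated deferred: %d\n", check_truncated_frame());
    printf("port 514 privileged: %d, port 40000 privileged: %d\n",
           peer_port_is_privileged(514), peer_port_is_privileged(40000));
    return 0;
}
```

The order of the checks matters: the limit comparison happens on the declared value alone, before the received-byte comparison, so an absurd length is refused without the receiver ever waiting for, or allocating for, that many bytes.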
