From: Steve Grubb
Subject: Audit-3.0 pre-release available
Date: Wed, 18 Jul 2018 11:52:20 -0400
Message-ID: <1813615.GrRj1zR9PD@x2>
To: linux-audit@redhat.com

Hello,

This is to let everyone know that an audit-3.0 pre-release is being made. The big change that is prompting this email is that there is a config change that people might need to be aware of.

One of the improvements is to drop audispd (the realtime audit event dispatcher) and merge its functionality into auditd. This will eliminate one source of overflow messages and decrease the time from event occurrence to the plugin seeing it. But since audispd doesn't exist anymore, I think that the location for the plugin directory should be moved from /etc/audisp/plugins.d/ to /etc/audit/plugins.d/. This way we have all audit config items in one place for the first time. There is a config option to point auditd to another directory for plugins in case you want to use the old location.

I have already coordinated this with some SELinux developers. They are moving the SELinux troubleshooter plugin and adjusting SELinux policy for the new locations and label transitions from auditd to the plugins.

I don't know how many people beyond those I have contacted make use of the audit dispatcher plugin capabilities for real-time audit analysis. But that is why I'm doing a pre-release and making this announcement.
You can find the pre-release here:

http://people.redhat.com/sgrubb/audit/audit-3.0-alpha.tar.gz

Its sha256 hash is:

5c6bd356dfd8f2f6a35df35a8cd5138bd511413ee03d56076b47dc120f406dbf

I will be blogging about the new capabilities in the coming weeks. If you are inclined, give it a try. There are changes that packagers will need to make to accommodate the move from audisp to auditd directly handling plugins. I have also pushed this into Fedora's rawhide and it should be available on the next compose.

Thanks,
-Steve
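The announcement above gives a sha256 for the tarball and moves the plugin directory from /etc/audisp/plugins.d/ to /etc/audit/plugins.d/. The following shell helpers are an added example for readers trying the pre-release; they are not part of the announcement or of the audit project. They assume that plugin configs are per-plugin *.conf files, that a plugin still present only under the old directory is one that has not been migrated, and that the directories are passed in (the plugin file names used in testing are constructed). The name of the auditd option that points at an alternate plugin directory is not given in the announcement, so the script does not try to read it.

```shell
#!/bin/sh
# Added example, not code from the audit project or the announcement.
# Helpers for picking up the audit-3.0 pre-release: verify the tarball
# against the published digest, and list audispd plugin configs that have
# not yet been copied to the new auditd plugin directory.

# Expected digest of audit-3.0-alpha.tar.gz, copied from the announcement.
AUDIT3_ALPHA_SHA256=5c6bd356dfd8f2f6a35df35a8cd5138bd511413ee03d56076b47dc120f406dbf

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE's SHA-256 equals EXPECTED_HEX; 1 on mismatch,
# 2 if FILE does not exist. Comparing the hex string rather than piping
# to "sha256sum -c" keeps the check independent of a checksum file layout.
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "verify_sha256: no such file: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file expected $expected got $actual" >&2
    return 1
}

# stale_plugins [OLD_DIR] [NEW_DIR]
# Prints the basename of every *.conf under OLD_DIR (default: the audispd
# location /etc/audisp/plugins.d) that has no file of the same name under
# NEW_DIR (default: the auditd location /etc/audit/plugins.d). Assumption:
# a plugin config present only in the old directory has not been migrated.
# Returns 1 if any such file was found, 0 otherwise (also 0 if OLD_DIR
# does not exist, i.e. nothing left behind).
stale_plugins() {
    old_dir=${1:-/etc/audisp/plugins.d}
    new_dir=${2:-/etc/audit/plugins.d}
    found=0
    [ -d "$old_dir" ] || return 0
    for conf in "$old_dir"/*.conf; do
        # The glob stays literal when nothing matches; skip that case.
        [ -f "$conf" ] || continue
        name=$(basename "$conf")
        if [ ! -f "$new_dir/$name" ]; then
            echo "$name"
            found=1
        fi
    done
    return $found
}

# Typical use on a host being upgraded (paths are assumptions):
#   verify_sha256 audit-3.0-alpha.tar.gz "$AUDIT3_ALPHA_SHA256"
#   stale_plugins /etc/audisp/plugins.d /etc/audit/plugins.d
```

The second helper is only a presence check: it does not parse the plugin files or tell you whether the plugin is active, so treat its output as a to-do list for hand review rather than as proof that a migration is complete.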