public inbox for linux-audit@redhat.com
* Audit roadmap and new development
@ 2018-03-11  9:38 Steve Grubb
  2018-03-11 17:07 ` Paul Moore
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Grubb @ 2018-03-11  9:38 UTC
  To: Linux Audit

Hello,

I wanted to take a few minutes to chat about the future audit roadmap.
The release of audit-2.8.3 represents a breaking point. It's time for
changes. Some of these changes are going to modify configuration files.
And new things that may not be compatible with the old will be
introduced. So, I have created a 2.8_maintenance branch on GitHub. This
will be a lightly maintained branch that preserves the old way. I don't
know if there will ever be an audit-2.8.4 release. But if there is, it
will be from this branch.

Looking towards the future, here's what to expect. The next release
will be called audit-3.0. This is to reflect a break with the old. The
first new thing under development is a TLS transport mechanism for
remote logging. Next, performance improvements will be looked into to see
if we can get auparse running more efficiently. Also look for container
support to land in the near future. And another big change...audispd
will be going away. Its functionality will be done by auditd directly.
This will eliminate one place where events get dropped and also speed
up the time between event arrival and a plugin seeing it. This will be
important because there is a new IDS/IPS plugin that is under
development. (Some of you may have seen it in action at DevConf 2018.)
It will need events faster, more reliably, and a faster performing
auparse library.

I expect these to roll out over several releases. I would not expect
these features to land in any stable distro. I would expect these to
show up in the development and new versions of distros because of the
breakage. I look to have all of this work completed by sometime this
summer. Who knows...maybe sooner.

Thoughts?

-Steve


* Re: Audit roadmap and new development
  2018-03-11  9:38 Audit roadmap and new development Steve Grubb
@ 2018-03-11 17:07 ` Paul Moore
  2018-03-11 17:44   ` F Rafi
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Moore @ 2018-03-11 17:07 UTC
  To: Linux Audit

On Sun, Mar 11, 2018 at 5:38 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> I wanted to take a few minutes to chat about the future audit roadmap.
> The release of audit-2.8.3 represents a breaking point ...

Just a quick note that Steve is talking about the audit userspace
which he maintains; the work for the Linux Kernel's audit subsystem is
tracked via GitHub (link below).  This includes both bug reports *and*
new feature requests.  If you would like to add to that list, feel
free to do so.  If you want to help out and contribute, definitely
feel free to do so! ;)

* https://github.com/linux-audit/audit-kernel/issues

-- 
paul moore
www.paul-moore.com


* Re: Audit roadmap and new development
  2018-03-11 17:07 ` Paul Moore
@ 2018-03-11 17:44   ` F Rafi
  2018-03-11 19:24     ` Paul Moore
  2018-03-11 20:15     ` Steve Grubb
  0 siblings, 2 replies; 5+ messages in thread
From: F Rafi @ 2018-03-11 17:44 UTC
  To: Paul Moore; +Cc: Linux Audit



So container support can be addressed by userspace changes alone, or will it
require kernel audit subsystem updates as well?

Thanks
Farhan





* Re: Audit roadmap and new development
  2018-03-11 17:44   ` F Rafi
@ 2018-03-11 19:24     ` Paul Moore
  2018-03-11 20:15     ` Steve Grubb
  1 sibling, 0 replies; 5+ messages in thread
From: Paul Moore @ 2018-03-11 19:24 UTC
  To: F Rafi; +Cc: Linux Audit

On Sun, Mar 11, 2018 at 1:44 PM, F Rafi <farhanible@gmail.com> wrote:
> So container support can be addressed by userspace changes alone Or will it
> require kernel audit subsystem updates as well?

In order to associate container identifiers with kernel generated
audit events, kernel changes are required.  You may have seen
discussion threads about this on the list, and more recently a partial
RFC patchset from Richard Guy Briggs on this list as well.  Of course
there will likely be some additions to Steve's userspace tools to make
sense of, and interpret, the additional container identifiers in the
audit log, but I expect the bulk of changes to happen in the kernel.

There are a handful of issues in the GitHub audit-kernel issue tracker
related to this work.


-- 
paul moore
www.paul-moore.com


* Re: Audit roadmap and new development
  2018-03-11 17:44   ` F Rafi
  2018-03-11 19:24     ` Paul Moore
@ 2018-03-11 20:15     ` Steve Grubb
  1 sibling, 0 replies; 5+ messages in thread
From: Steve Grubb @ 2018-03-11 20:15 UTC
  To: F Rafi; +Cc: Linux Audit

On Sun, 11 Mar 2018 17:44:39 +0000
F Rafi <farhanible@gmail.com> wrote:

> So container support can be addressed by userspace changes alone

Nope.

> Or will it require kernel audit subsystem updates as well?

The kernel does all the heavy lifting. What this is indicating is that
user space will pick up support to use the kernel's container auditing.
You may have seen a set of patches posted by Richard in the last 2
weeks. That is for the kernel side. There will need to be corresponding
user space code to interface to it. This is probably going to change
events enough that it's again a good reason to break with the old.

-Steve


