From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: audit 2.5 released
Date: Mon, 11 Jan 2016 14:14:15 -0500 [thread overview]
Message-ID: <2874850.AoCptcTU1r@x2> (raw)
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Make augenrules the default method to load audit rules
- Put rules in its own directory and break out rules into groups
- Have auditd do a fsync before closing log
- Make default flush setting larger
- In auparse, terminate the generated strings (Burn Alting)
- In auditd, add incremental_async flushing mode
- Clean up dangling fields in DAEMON events
- Add audit by process name support to auditctl (Richard Briggs)
- Relax permissions on systemd files
- Fix auparse to handle interlaced events (Burn Alting)
- Allow more syslog facilities in audispd-syslog (Aleksander Adamowski)
This release of the audit system represents a break with the past in a couple
ways. The default way to load rules is now via the augenrules program. And
this release of the audit package includes entirely new rules for use. The
nispom and stig rules still exist, but they have been renamed and moved. To
see the new rules, look in the rules documentation directory. There is a
README file that explains the new system.
The audit daemon has undergone some major performance improvements. The audit
daemon moved from a multi-threaded data flow to a singly-threaded data flow with
asynchronous flushing. This new mode, INCREMENTAL_ASYNC, is now the default
flush setting. Using it makes the audit daemon log over 90 times faster. (At
least that is what I measured using the XFS file system. YMMV.) The audit daemon's
internal events were also reviewed and modernized with op= fields. Also,
because the audit daemon is now singly-threaded for the main data flow, there
is no need to make a multi-thread-safe copy of libaudit. This means the audit
daemon binary is significantly smaller.
This release adds audit by executable name support if your kernel also
supports it. The audit by executable names support will allow you to write
rules that target an exact application so that you can see if it is doing
something odd. An example rule would look like this:
-a always,exit -F arch=x86_64 -S connect,sendto -F exe=/bin/sh -F key=bash-network
I think you will need the 4.4 kernel or later to use this feature.
Also in this release, there is a re-working of the auparse library by Burn
Alting to handle interlaced audit events. The kernel makes no effort to
serialize events going to user space. If for some reason two events got
interlaced where records for each one alternated with the other, the auparse
library previously considered one event ending and another starting for each
interlaced record - thus breaking up the event. This release should make all
tools linking against auparse much more reliable.
There were also a number of other minor cleanups and enhancements.
Please let me know if you run across any problems with this release.
-Steve
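The interlaced-event problem described in the announcement, as an added example that is not part of the original message or of the audit project's own code. It assumes only the audit record layout (`type=... msg=audit(seconds.millis:serial): fields`) and the kernel's `type=EOE` end-of-event marker for multi-record events; the six log lines are constructed for the example, not captured from a real system. It compares the old behaviour (a new event is assumed whenever the event id changes between consecutive records) with grouping keyed on the event's timestamp:serial, using records that would be produced by the `exe=/bin/sh` rule shown above (syscall 42 is connect and 44 is sendto on x86_64).

```python
import re
from collections import OrderedDict

# Constructed sample: two audit events (serials 4501 and 4502) whose records
# arrive interlaced, because the kernel does not serialize events to user space.
# Field values are illustrative, not captured output.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1452540855.123:4501): arch=c000003e syscall=42 success=yes exit=0 pid=2101 auid=1000 uid=1000 comm="sh" exe="/bin/sh" key="bash-network"
type=SYSCALL msg=audit(1452540855.124:4502): arch=c000003e syscall=44 success=yes exit=31 pid=2102 auid=1000 uid=1000 comm="sh" exe="/bin/sh" key="bash-network"
type=SOCKADDR msg=audit(1452540855.123:4501): saddr=02000050C0A80A0100000000
type=SOCKADDR msg=audit(1452540855.124:4502): saddr=02000035C0A80A0200000000
type=EOE msg=audit(1452540855.123:4501):
type=EOE msg=audit(1452540855.124:4502):
"""

# "type=X msg=audit(<seconds>.<millis>:<serial>): <fields>"
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# key=value pairs; quoted values may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_records(text):
    """Split raw audit lines into records carrying their (timestamp, serial) event id."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record; skip
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        records.append({
            'type': m.group('type'),
            'event_id': (m.group('ts'), int(m.group('serial'))),
            'fields': fields,
        })
    return records


def group_naive(records):
    """Pre-2.5 behaviour as described: every change of event id between
    consecutive records is taken as one event ending and another starting."""
    events = []
    for rec in records:
        if not events or events[-1][-1]['event_id'] != rec['event_id']:
            events.append([])
        events[-1].append(rec)
    return events


def group_by_event_id(records):
    """Reassemble events by their (timestamp, serial) id, so interlaced records
    of different events do not split each other. An event is complete when its
    EOE record arrives; anything still open at the end is flushed as-is
    (single-record events carry no EOE)."""
    open_events = OrderedDict()
    complete = []
    for rec in records:
        open_events.setdefault(rec['event_id'], []).append(rec)
        if rec['type'] == 'EOE':
            complete.append(open_events.pop(rec['event_id']))
    complete.extend(open_events.values())
    return complete


def events_by_key(events, key):
    """Return (serial, exe, syscall, record types) for events whose SYSCALL
    record matched the given rule key."""
    hits = []
    for ev in events:
        syscall = next((r for r in ev if r['type'] == 'SYSCALL'), None)
        if syscall is not None and syscall['fields'].get('key') == key:
            hits.append((syscall['event_id'][1], syscall['fields']['exe'],
                         syscall['fields']['syscall'], [r['type'] for r in ev]))
    return hits


if __name__ == '__main__':
    recs = parse_records(SAMPLE_LOG)
    print('naive grouping  :', len(group_naive(recs)), 'events')
    print('keyed grouping  :', len(group_by_event_id(recs)), 'events')
    for hit in events_by_key(group_by_event_id(recs), 'bash-network'):
        print(hit)
```

With the naive grouping the six interlaced records become six one-record "events", so the SOCKADDR record that holds the destination address is detached from the SYSCALL record it belongs to; grouping on the event id yields the two complete events, each with SYSCALL, SOCKADDR and EOE records.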
Thread overview: 2+ messages
2016-01-11 19:14 Steve Grubb [this message]
2016-01-11 19:24 ` audit 2.5 released Paul Moore