From: Steve Grubb
Subject: audit 2.5 released
Date: Mon, 11 Jan 2016 14:14:15 -0500
Message-ID: <2874850.AoCptcTU1r@x2>
To: linux-audit@redhat.com

Hello,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon.

The ChangeLog is:
- Make augenrules the default method to load audit rules
- Put rules in its own directory and break out rules into groups
- Have auditd do a fsync before closing log
- Make default flush setting larger
- In auparse, terminate the generated strings (Burn Alting)
- In auditd, add incremental_async flushing mode
- Clean up dangling fields in DAEMON events
- Add audit by process name support to auditctl (Richard Briggs)
- Relax permissions on systemd files
- Fix auparse to handle interlaced events (Burn Alting)
- Allow more syslog facilities in audispd-syslog (Aleksander Adamowski)

This release of the audit system represents a break with the past in a couple of ways. The default way to load rules is now via the augenrules program. And this release of the audit package includes entirely new rules for use. The nispom and stig rules still exist, but they have been renamed and moved. To see the new rules, look in the rules documentation directory. There is a README file that explains the new system.

The audit daemon has undergone some major performance improvements. The audit daemon moved from a multi-threaded data flow to a singly-threaded data flow with asynchronous flushing. This new mode, INCREMENTAL_ASYNC, is now the default flush setting. Using it makes the audit daemon log over 90 times faster. (At least that's what I measured using the XFS file system. YMMV.) The audit daemon's internal events were also reviewed and modernized with op= fields. Also, because the audit daemon is now singly-threaded for the main data flow, there is no need to make a multi-thread-safe copy of libaudit. This means the audit daemon binary is significantly smaller.

This release adds audit by executable name support if your kernel also supports it. The audit by executable name support will allow you to write rules that target an exact application so that you can see if it is doing something odd. An example rule would look like this:

-a always,exit -F arch=x86_64 -S connect,sendto -F exe=/bin/sh -F key=bash-network

I think you will need the 4.4 kernel or later to use this feature.

Also in this release, there is a re-working of the auparse library by Burn Alting to handle interlaced audit events. The kernel makes no effort to serialize events going to user space. If for some reason two events got interlaced, where records for each one alternated with the other, the auparse library previously considered one event ending and another starting for each interlaced record, thus breaking up the event. This release should make all tools linking against auparse much more reliable.

There were also a number of other minor cleanups and enhancements. Please let me know if you run across any problems with this release.

-Steve
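The interlaced-event problem described in the announcement can be made concrete with a small parser. The following is an added example, not code from the audit project or from the post: it groups raw audit records by the `msg=audit(timestamp:serial)` identifier that every record carries, and contrasts that with the older auparse behaviour of treating every change of serial number between consecutive records as an event boundary. The sample records are constructed for the demonstration (the field values are illustrative, not captured output), and the `key="bash-network"` matches the exe= rule shown above.

```python
"""Reassemble interleaved Linux audit records into events.

Added example (not from the audit project). Every audit record starts with
  type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <fields>
and all records of one event share the same (timestamp, serial) pair, so that
pair, not record adjacency, is the correct grouping key.
"""
import re
from collections import OrderedDict

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# Constructed sample: records of events 456 and 457 alternate on the wire,
# which is exactly the interlacing the kernel does not prevent.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1452540855.123:456): arch=c000003e syscall=42 success=yes exit=0 comm="sh" exe="/bin/sh" key="bash-network"
type=SYSCALL msg=audit(1452540855.124:457): arch=c000003e syscall=44 success=yes exit=5 comm="sh" exe="/bin/sh" key="bash-network"
type=SOCKADDR msg=audit(1452540855.123:456): saddr=02000050C0A80001
type=SOCKADDR msg=audit(1452540855.124:457): saddr=02000035C0A80002
type=PROCTITLE msg=audit(1452540855.123:456): proctitle="/bin/sh"
type=EOE msg=audit(1452540855.124:457):
type=EOE msg=audit(1452540855.123:456):
"""


def parse_record(line):
    """Split one record into its type, event id parts and field body.
    Returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def group_events(lines):
    """Correct reassembly: key records by (ts, serial) so interleaved
    events are rebuilt whole. Returns an OrderedDict in first-seen order."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        events.setdefault((rec["ts"], rec["serial"]), []).append(rec)
    return events


def naive_split(lines):
    """The failure mode the post describes: a change of serial number
    between consecutive records is taken as the end of one event and the
    start of the next. Interleaving fragments two events into many."""
    events, current_key = [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["ts"], rec["serial"])
        if key != current_key:
            events.append([])
            current_key = key
        events[-1].append(rec)
    return events


def is_complete(records):
    """An event is complete once its EOE (end of event) record has arrived."""
    return bool(records) and records[-1]["type"] == "EOE"


def event_types(events):
    """Map each event id to the ordered list of its record types."""
    return {k: [r["type"] for r in v] for k, v in events.items()}


if __name__ == "__main__":
    lines = SAMPLE_RECORDS.splitlines()
    print("grouped:", len(group_events(lines)), "events")
    print("naive:  ", len(naive_split(lines)), "fragments")
```

Running the block shows two reassembled events against seven fragments from the naive approach; any consumer that keys on record adjacency instead of the `(timestamp, serial)` pair will under-count syscalls and lose the SOCKADDR or PROCTITLE context it was looking for.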