From: Steve Grubb
To: Linux Audit
Subject: audit 3.0.1 released
Date: Fri, 12 Feb 2021 15:45:19 -0500
Message-ID: <3094014.aeNJFYEL58@x2>
Organization: Red Hat

Hello,

I've just
released a new version of the audit daemon. It can be downloaded from
http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon.
The ChangeLog is:

- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

This release features 2 new experimental plugins. The statsd plugin should
be ready to try out. The other IDS plugin is more of a long term work in
progress. No timeline for its development, either. (There is a known bug
where the ids plugin fails to build in some environments. There is a brand
new commit in github fixing this. Grab it if it fails to build.)

During the work for statsd, I found that the audit daemon is a little more
active than it should be. This was because it was enabling periodic timers
that are used to detect dead network connections when the daemon is
configured to be an aggregator. This is fixed and libev was updated to the
latest release.

While I was in the libev section of code I did some testing between using
select and epoll as the event backend. Turns out select is about 4 ms
faster. So, as long as auditd is not receiving network events, it will use
select. If it does receive network events, then it will continue to use
epoll in case it needs a lot of descriptors.

Ausearch/report now have a new command line option, --eoe-timeout, to help
gather event records into the right event if they were slow getting output.
Auditd also has a setting that could be considered the eoe_timeout default
setting. Libauparse automatically tries to read this if it has the
permissions.

SHA256: 994c4250d8fd43f3087a3c2ce73461832e30f1e9b278bf5bb03c3e07091155a5

Please let me know if you run across any problems with this release.

-Steve
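
Added example, not part of the original message and not code from the audit project: a simplified Python model of why an end-of-event timeout matters when records of one event are written out late. It uses only a timeout rule; the function name, the integer-second comparison and the sample log lines are constructed assumptions, not ausearch's actual logic.

```python
import re
from collections import OrderedDict

# Record header, e.g.: type=SYSCALL msg=audit(1613162700.100:100): ...
HDR = re.compile(r"type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):")

# Constructed sample: the PATH record of event 100 is written out late,
# after a record of event 101 whose timestamp is 3 seconds newer.
SAMPLE = """\
type=SYSCALL msg=audit(1613162700.100:100): syscall=257 success=yes
type=CWD msg=audit(1613162700.100:100): cwd="/root"
type=SYSCALL msg=audit(1613162703.500:101): syscall=59 success=yes
type=PATH msg=audit(1613162700.100:100): item=0 name="/etc/sudoers"
type=PATH msg=audit(1613162703.500:101): item=0 name="/usr/bin/id"
type=PROCTITLE msg=audit(1613162703.500:101): proctitle="id"
""".splitlines()

def group_events(lines, eoe_timeout=2):
    """Return [(serial, [record types])] in the order events are completed.

    Assumed rule: a pending event is complete once a record arrives whose
    timestamp is more than eoe_timeout seconds newer than the event's own.
    """
    pending = OrderedDict()   # (sec, milli, serial) -> record types seen
    done = []
    for line in lines:
        m = HDR.search(line)
        if not m:
            continue          # not an audit record line
        rtype = m.group(1)
        sec, milli, serial = (int(g) for g in m.group(2, 3, 4))
        # Close every pending event that is too old relative to this record.
        for key in [k for k in pending if sec - k[0] > eoe_timeout]:
            done.append((key[2], pending.pop(key)))
        pending.setdefault((sec, milli, serial), []).append(rtype)
    # End of input: whatever is still pending is emitted as-is.
    done.extend((key[2], recs) for key, recs in pending.items())
    return done

if __name__ == "__main__":
    for timeout in (2, 5):
        print(timeout, group_events(SAMPLE, eoe_timeout=timeout))
```

With a 2 second timeout the late PATH record is reported as a separate fragment of event 100, so a search on the file name would lose the SYSCALL context; with 5 seconds the event stays whole.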