audit-3.0.4 released

[Steve Grubb <sgrubb@redhat.com>]

Hello,

I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:

- Apply performance speedups to auparse library
- Optimize rule loading in auditctl
- Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
- Update syscall table to the 5.14 kernel
- Fixed various issues when dealing with corrupted logs

The big change in this release is converting the lowest level data structure 
in the auparse library from a linked list to an array. Linked lists are not 
CPU cache friendly. This change brought about a 20% speed improvement for the 
library. The down side is that an array has a fixed size. This is controlled 
by the NFIELDS define in rnode.h, which is currently 36. SYSCALL events have 
the most normal fields. They currently have about 28. So, 36 should be a good 
safety margin going forward.

The only records that potentially have more fields is the EXECVE record. For 
the audit-3.0.4 release, this is limited to 36 fields by auparse. This does 
not affect ausearch output. Ausearch uses an entirely different method to 
parse/disply events. If anyone is *using* auparse and thinks auparse should 
handle more EXECVE fields, let me know. I might switch to a hybrid model that 
uses a linked list after consuming all of the array.

Next, auparse was switched from doing strtok/strdup to having one record and 
an array of pointers that point to a different segment of that record. On a 
typical test that I performed, 

ausearch -if /var/log/audit/audit.log.1  --format csv  > /dev/null  2>&1

valgrind reports 55 million allocations. With this switch, valgrind now 
reports 5 million allocations. This speeds up auparse another 35%. All in 
all, the test I run above runs in half the time that audit-3.0.3 does.

Because this is a big change in design, I spent a few days fuzzing ausearch/
report/auparse. I don't not want to fix everything a fuzzer makes because it 
won't happen in real life. For example, no record will have 10 comm= fields. 
But this found a significant number of issues in various places - which are 
now fixed. The audit libraries should now be more robust in the face of 
corrupt logs.

Also, I noticed that auparse was leaking memory. This turned out to be a 
behavior change in glibc-2.33's realpath function. It was returning an error 
even though it succeeded. Therefore, auparse didn't process or free the 
allocated buffer. In looking at the source code for realpath, I found that it 
also calls stat and readlink. Neither of these should be needed for path 
normalization after the fact. So, a new function was created to handle path 
normalization. You may notice some changes in paths returned when 
interpretting. But they are correct now where glibc was unable to stat the 
file.

Please test audit-3.0.4 carefully - it has big changes.

SHA256: 8c5ae825b9d2837742b626fa93b86cb4a84d15530bf05b6cb42be3f304db8cf6

Please let me know if you run across any problems with this release.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit