From: Steve Grubb
To: Linux Audit
Subject: audit 3.0.3 released
Date: Wed, 14 Jul 2021 15:12:35 -0400

Hello,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:

- Don't interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
- Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
- Change auparse_feed_has_data in auparse to include incomplete events
- Auditd, stop linking against -lrt
- Add ProtectHome and RestrictRealtime to auditd.service
- In auditd, read up to 3 netlink packets in a row
- In auditd, do not validate path to plugin unless active
- In auparse, only emit config errors when AUPARSE_DEBUG env variable exists

The main change in this release is that auditd pulls events out of the kernel at a faster rate. It was so much so, that the plugins can't keep up. So, I throttled it down a little to give plugin developers a chance to see events at a higher rate and make changes. I will be doubling the speed on the next release. So, now would be the time to check 3rd party plugins and ensure they are dequeuing events as fast as possible. If the plugin has a lot of post processing, I'd suggest making it multithreaded with a fifo in between the threads. One pulls events and queues them, the other dequeues and post processes.

Also notable, the behavior of auparse_feed_has_data in auparse was changed to include incomplete events. This is in an effort to speed up processing of events.

One other thing that may cause problems if you build and debug plugins is the auditd.service systemd file now adds ProtectHome and RestrictRealtime. The ProtectHome will not let auditd touch anything under /home. That may be an inconvenience for debugging. But it's better for everyone else.

SHA256: 23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904

Please let me know if you run across any problems with this release.

-Steve
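
The two-thread layout suggested in the announcement, as an added example (not code from the audit project or from the announcement's author): one thread drains input into a bounded FIFO, the other dequeues and post-processes. It assumes the plugin receives events as text lines on stdin; QCAP, the buffer size, the function names and the drop-and-count policy for a full queue are choices made for this illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define QCAP 1024                  /* constructed queue depth */
static char *q[QCAP];
static size_t head, tail, count, dropped, processed;
static int done;
static pthread_mutex_t mu = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t nonempty = PTHREAD_COND_INITIALIZER;

/* Reader side: never waits on the worker. A full queue drops and counts. */
int fifo_put(const char *line) {
    char *copy = malloc(strlen(line) + 1);
    int ok = 0;
    if (copy) strcpy(copy, line);
    pthread_mutex_lock(&mu);
    if (copy && count < QCAP) {
        q[tail] = copy; tail = (tail + 1) % QCAP; count++; ok = 1;
        pthread_cond_signal(&nonempty);
    } else dropped++;              /* visible loss instead of a stalled reader */
    pthread_mutex_unlock(&mu);
    if (!ok) free(copy);
    return ok;
}
/* Worker side: blocks for an event; NULL means closed and fully drained. */
char *fifo_get(void) {
    char *line = NULL;
    pthread_mutex_lock(&mu);
    while (count == 0 && !done) pthread_cond_wait(&nonempty, &mu);
    if (count > 0) { line = q[head]; head = (head + 1) % QCAP; count--; }
    pthread_mutex_unlock(&mu);
    return line;
}
void fifo_close(void) {            /* end of input: wake the worker to drain */
    pthread_mutex_lock(&mu); done = 1;
    pthread_cond_broadcast(&nonempty); pthread_mutex_unlock(&mu);
}
static void *worker(void *arg) {   /* slow post-processing goes here */
    for (char *l; (l = fifo_get()) != NULL; free(l)) processed++;
    (void)arg; return NULL;
}
int main(void) {                   /* reader thread: stdin -> FIFO */
    char buf[9000]; pthread_t t;   /* constructed line buffer size */
    if (pthread_create(&t, NULL, worker, NULL)) return 1;
    while (fgets(buf, sizeof buf, stdin)) fifo_put(buf);
    fifo_close(); pthread_join(t, NULL);
    fprintf(stderr, "processed=%zu dropped=%zu\n", processed, dropped);
    return 0;
}
```

A nonzero dropped count means the worker is not keeping up with the reader and the post-processing or the queue depth needs attention.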