Re: EXT :Re: audit-3.0

[Steve Grubb <sgrubb@redhat.com>]

On Tuesday, June 18, 2019 11:59:05 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Maybe what Philippe means is a carefully tested auditd shouldn't be
> considered "alpha" anymore?

That's a fair point. :-)  

I've considered it Alpha because it's missing container support. IOW, it's 
not feature complete. Container support was listed as the main benefit for 
calling this 3.0. There probably won't be a beta release. It will probably 
just go straight to release after initial testing and then cleanup problems/
round out support on a 3.0.1 release.

-Steve

> -----Original Message-----
> From: linux-audit-bounces@redhat.com <linux-audit-bounces@redhat.com> On
> Behalf Of Steve Grubb Sent: Tuesday, June 18, 2019 10:36 AM
> To: linux-audit@redhat.com
> Cc: MAUPERTUIS, PHILIPPE <philippe.maupertuis@equensworldline.com>
> Subject: EXT :Re: audit-3.0
> 
> Hello Philippe,
> 
> On Tuesday, June 18, 2019 9:34:08 AM EDT MAUPERTUIS, PHILIPPE wrote:
> > On the mailing list a few days ago, it was announce that Audit-3.0
> > alpha8 was available. I am a little bit confused because on a RHEL 8
> > server I get
> > 
> > rpm -q audit
> > audit-3.0-0.10.20180831git0047a6c.el8.x86_64
> > What are the link between the Rhel 8 rpm and the version audit-3.0
> > announced.
> 
> The RHEL 8 rpm is an earlier git snapshot from August 31, 2018 + patches.
> The package version should be a clue that this is a git snapshot. The
> Fedora packaging guidelines say that if it is a pre-release git snapshot,
> version must start with 0 so it can be overridden in the future, and the
> date + git + last commit hash must be included so that anyone can identify
> exactly what this is.
> > I can't imagine RHEL8 using an alpha version.
> 
> Why? Anything put into RHEL is carefully tested. (Fedora has also been
> running on alpha/git snapshots for about a year, too.) Also, I stopped
> feature development in audit-3.0 around August of last year. Everything
> going in since then has been bugs reported or discovered or at most small
> patches to support new kernel features. So, audit userspace should be
> considered as becoming mature, stable code that will not be developed at
> the same pace as before.
> 
> I expect that when container support lands, there will be a couple rounds
> of development to make it nice to use. But then its back to listening for
> bug reports.
> 
> To be honest, I think at this point anything of value is really higher up
> the stack. IOW, visualizing, aggregating, or alerting at scale.
> 
> -Steve
> 
> > As the side note the Rhel 8 rpm has the following description rpm -qi
> > audit
> > Name        : audit
> > Version     : 3.0
> > Release     : 0.10.20180831git0047a6c.el8
> > Architecture: x86_64
> > Install Date: Mon 17 Jun 2019 05:55:23 PM CEST
> > Group       : Unspecified
> > Size        : 678098
> > License     : GPLv2+
> > Signature   : RSA/SHA256, Wed 09 Jan 2019 07:26:49 PM CET, Key ID
> > 199e2f91fd431d51 Source RPM  :
> > audit-3.0-0.10.20180831git0047a6c.el8.src.rpm
> > Build Date  : Wed 09 Jan 2019 06:26:29 PM CET Build Host  :
> > x86-vm-06.build.eng.bos.redhat.com
> > Relocations : (not relocatable)
> > Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
> > Vendor      : Red Hat, Inc.
> > URL         : http://people.redhat.com/sgrubb/audit/
> > Summary     : User space tools for 2.6 kernel auditing
> > 
> > Of course the kernel for REHL8 is :
> > rpm -q kernel
> > kernel-4.18.0-80.el8.x86_64
> > 
> > Any clarification is welcome
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit