linux-audit.redhat.com archive mirror
* audit-3.0
@ 2019-06-18 13:34 MAUPERTUIS, PHILIPPE
  2019-06-18 14:36 ` audit-3.0 Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: MAUPERTUIS, PHILIPPE @ 2019-06-18 13:34 UTC (permalink / raw)
  To: linux-audit@redhat.com



Hi,
On the mailing list a few days ago, it was announced that Audit-3.0 alpha8 was available.
I am a little bit confused because on a RHEL 8 server I get :
rpm -q audit
audit-3.0-0.10.20180831git0047a6c.el8.x86_64
What is the link between the RHEL 8 rpm and the version audit-3.0 announced?
I can't imagine RHEL8 using an alpha version.

As a side note, the RHEL 8 rpm has the following description:
rpm -qi audit
Name        : audit
Version     : 3.0
Release     : 0.10.20180831git0047a6c.el8
Architecture: x86_64
Install Date: Mon 17 Jun 2019 05:55:23 PM CEST
Group       : Unspecified
Size        : 678098
License     : GPLv2+
Signature   : RSA/SHA256, Wed 09 Jan 2019 07:26:49 PM CET, Key ID 199e2f91fd431d51
Source RPM  : audit-3.0-0.10.20180831git0047a6c.el8.src.rpm
Build Date  : Wed 09 Jan 2019 06:26:29 PM CET
Build Host  : x86-vm-06.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://people.redhat.com/sgrubb/audit/
Summary     : User space tools for 2.6 kernel auditing

Of course the kernel for RHEL8 is :
rpm -q kernel
kernel-4.18.0-80.el8.x86_64

Any clarification is welcome
Philippe


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: audit-3.0
  2019-06-18 13:34 audit-3.0 MAUPERTUIS, PHILIPPE
@ 2019-06-18 14:36 ` Steve Grubb
  2019-06-18 15:59   ` EXT :Re: audit-3.0 Boyce, Kevin P [US] (AS)
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2019-06-18 14:36 UTC (permalink / raw)
  To: linux-audit; +Cc: MAUPERTUIS, PHILIPPE

Hello Philippe,

On Tuesday, June 18, 2019 9:34:08 AM EDT MAUPERTUIS, PHILIPPE wrote:
> On the mailing list a few days ago, it was announced that Audit-3.0 alpha8
> was available. I am a little bit confused because on a RHEL 8 server I get
> :
> rpm -q audit
> audit-3.0-0.10.20180831git0047a6c.el8.x86_64
> What is the link between the RHEL 8 rpm and the version audit-3.0
> announced?

The RHEL 8 rpm is an earlier git snapshot from August 31, 2018 + patches. The 
package version should be a clue that this is a git snapshot. The Fedora 
packaging guidelines say that if it is a pre-release git snapshot, version 
must start with 0 so it can be overridden in the future, and the date + git + 
last commit hash must be included so that anyone can identify exactly what 
this is.

> I can't imagine RHEL8 using an alpha version.

Why? Anything put into RHEL is carefully tested. (Fedora has also been 
running on alpha/git snapshots for about a year, too.) Also, I stopped 
feature development in audit-3.0 around August of last year. Everything going 
in since then has been bugs reported or discovered or at most small patches 
to support new kernel features. So, audit userspace should be considered as 
becoming mature, stable code that will not be developed at the same pace as 
before.

I expect that when container support lands, there will be a couple rounds of 
development to make it nice to use. But then it's back to listening for bug 
reports.

To be honest, I think at this point anything of value is really higher up the 
stack. IOW, visualizing, aggregating, or alerting at scale.

-Steve



^ permalink raw reply	[flat|nested] 4+ messages in thread
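
The release-field convention Steve describes in the message above (leading 0, then date + "git" + commit hash), as an added example that is not part of the original thread or of the audit project: it splits an `rpm -q` string and recovers the snapshot date and commit. The function names and the third sample string are assumptions made for illustration.

```python
import re
from datetime import datetime

# Release layout described in the thread: leading "0", a packaging counter,
# then <YYYYMMDD>git<short commit hash>, optionally followed by a dist tag.
SNAPSHOT_RE = re.compile(
    r"^0\.(?P<bump>\d+)\.(?P<date>\d{8})git(?P<commit>[0-9a-f]{7,40})"
    r"(?:\.(?P<dist>.+))?$"
)

def split_nvra(nvra):
    """Split 'name-version-release.arch' from the right; names may contain '-'."""
    rest, dot, arch = nvra.rpartition(".")
    name_ver, dash1, release = rest.rpartition("-")
    name, dash2, version = name_ver.rpartition("-")
    if not (dot and dash1 and dash2 and name and version and release):
        raise ValueError(f"not an NVRA string: {nvra!r}")
    return {"name": name, "version": version, "release": release, "arch": arch}

def describe(nvra):
    """Return the NVRA fields plus pre-release / git-snapshot details."""
    pkg = split_nvra(nvra)
    # A release whose first segment is "0" marks a pre-release build
    # that a later final build can override.
    pkg["prerelease"] = pkg["release"].split(".")[0] == "0"
    pkg["snapshot_date"] = pkg["commit"] = None
    m = SNAPSHOT_RE.match(pkg["release"])
    if m:
        # strptime rejects impossible dates such as 20181340
        day = datetime.strptime(m["date"], "%Y%m%d").date()
        pkg["snapshot_date"] = day.isoformat()
        pkg["commit"] = m["commit"]
    return pkg

SAMPLES = [
    "audit-3.0-0.10.20180831git0047a6c.el8.x86_64",  # from the thread
    "kernel-4.18.0-80.el8.x86_64",                   # from the thread
    "audit-3.0-1.el8.x86_64",  # constructed: hypothetical final build
]

if __name__ == "__main__":
    for sample in SAMPLES:
        d = describe(sample)
        print(d["name"], d["version"], d["release"],
              "prerelease" if d["prerelease"] else "final",
              d["snapshot_date"], d["commit"])
```
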

* RE: EXT :Re: audit-3.0
  2019-06-18 14:36 ` audit-3.0 Steve Grubb
@ 2019-06-18 15:59   ` Boyce, Kevin P [US] (AS)
  2019-06-18 16:33     ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Boyce, Kevin P [US] (AS) @ 2019-06-18 15:59 UTC (permalink / raw)
  To: Steve Grubb, linux-audit@redhat.com; +Cc: MAUPERTUIS, PHILIPPE

Maybe what Philippe means is a carefully tested auditd shouldn't be considered "alpha" anymore?


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: EXT :Re: audit-3.0
  2019-06-18 15:59   ` EXT :Re: audit-3.0 Boyce, Kevin P [US] (AS)
@ 2019-06-18 16:33     ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2019-06-18 16:33 UTC (permalink / raw)
  To: Boyce, Kevin P [US] (AS); +Cc: linux-audit@redhat.com, MAUPERTUIS, PHILIPPE

On Tuesday, June 18, 2019 11:59:05 AM EDT Boyce, Kevin P [US] (AS) wrote:
> Maybe what Philippe means is a carefully tested auditd shouldn't be
> considered "alpha" anymore?

That's a fair point. :-)  

I've considered it Alpha because it's missing container support. IOW, it's 
not feature complete. Container support was listed as the main benefit for 
calling this 3.0. There probably won't be a beta release. It will probably 
just go straight to release after initial testing and then clean up problems/
round out support on a 3.0.1 release.

-Steve


^ permalink raw reply	[flat|nested] 4+ messages in thread
