audit-2.0.2 released

Steve Grubb sgrubb at redhat.com
Fri Oct 16 18:30:01 UTC 2009 

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- If audisp-remote plugin has a queue at exit, use non-zero exit code
- Fix autrace to use the exit filter
- In audisp-remote, add a sigchld handler
- In auditd, check for duplicate remote connections before accepting
- Remove trailing ':' if any are at the end of acct fields in ausearch
- Update remote logging code to do better sanity check of data
- Fix audisp-prelude to prefer files if multiple path records are encountered
- Add libaudit.conf man page

This is a security and bug fix release. This release is mostly focused on 
networking issues. The audisp-remote now bases its exit code on whether it had 
records that could not be transferred to the aggregator. Audisp-remote was 
also leaving zombie processes when one of the _action config optins was set to 
exec. Auditd was also not checking for duplicate connections from the same 
machine before accepting.

There were a couple networking packet length check problems reported by 
Sebastian Krahmer of Suse. The most serious issue was in the gssapi code. 
After checking with other distributions, none had enabled this code. So, 
likely this is not a problem for most people. If you roll your own package and 
enable gssapi support, it is recommended for you to upgrade. The main issue 
was that the packet length from the network packet itself was not sanitized 
before trusting. Its believed that this will eventually lead to a problem in 
the kerberos libraries. A few other places in the code were found to be 
trusting the packet length. Analysis found that nothing bad happens in these 
other places. They would all eventually lead to a read of 0 length and auditd 
will disconnect without logging the malicious event. It should be pointed out 
that if you use remote logging, you want to specify the tcp_client_ports to be 
< 1024 to make sure only processes with CAP_NET_BIND_SERVICE can send audit 
events.

Other bugs fixed include fixing autrace to place audit rules on the exit filter, 
trim ':' from acct records in AUDIT_LOGIN events so that it can be interpreted 
correctly, and the audisp-prelude plugin was chosing the first audit record 
when multiple path records are in the same event. In many cases this would be 
a directory, but we now look for the record who's mode field indicates that the 
object is a file.

Please let me know if you run across any problems with this release.

-Steve

More information about the Linux-audit mailing list