audit 2.3 released

Steve Grubb sgrubb at redhat.com
Wed May 1 14:29:07 UTC 2013 

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- The clone(2) man page is really clone(3), fix interpretation of clone syscall
- Add systemd support for reload (#901533)
- Allow -F msgtype on the user filter
- Add legacy support for resuming logging under systemd (#830780)
- Add legacy support for rotating logs under systemd (#916611)
- In auditd, collect SIGUSR2 info for DAEMON_RESUME events
- Updated man pages
- Update libev to 4.15
- Update syscall tables for 3.9 kernel
- Interpret MQ_OPEN events
- Add augenrules support (Burn Alting)
- Consume less stack sending audit events

I had planned calling this 2.2.4, but since the augenrules program went in, I 
thought this is a major release because something landed that everyone should 
pay attention to. In case it wasn't apparent from the thread what this does, 
I'll now explain it a bit. 

Several people have asked for a way to deposit rules into a directory so that 
based on what is installed, rules can also be added. This makes it easier to 
have a core system that gets packages, config, and files added to make it a 
different kind of server or desktop. My guess is that it will be mostly used to 
add watches on setuid apps which can differ from machine type to machine type.

The place where these rules are stored is /etc/audit/rules.d. Compiling rules 
from that directory will result in a new file being written to 
/etc/audit/audit.rules. That means it can overwrite existing rules. Since we 
don't want that to happen by accident, augenrules is disabled by default.

To enable it on a SysVinit system, go into /etc/sysconfig/auditd and find the 
USE_AUGENRULES variable and set it to "yes". Then copy existing rules into 
/etc/audit/rules.d and restart the audit daemon.

For systemd based systems, copy /lib/systemd/system/auditd.service to 
/etc/systemd/system/auditd.service. Then find a commented out ExecStartPost 
variable and uncomment it. Then delete/comment out the auditctl line. The --
load option to augenrules will call auditctl for you. Also copy any existing 
rules into /etc/audit/rules.d so they don't get lost. Then restart auditd.

In both cases, you can check to make sure you have rules loaded with auditctl 
-l.

Aside from this major change, this release focused on improving the systemd 
support for legacy commands, such as: service auditd rotate, service auditd 
resume. this release also trims about 15k of stack space from logging events 
via pam, it updates the libev version, and it improves interpretations.

Please let me know if you run across any problems with this release.

-Steve

More information about the Linux-audit mailing list