audit 2.5 released

Steve Grubb sgrubb at redhat.com
Mon Jan 11 19:14:15 UTC 2016


Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Make augenrules the default method to load audit rules
- Put rules in its own directory and break out rules into groups
- Have auditd do a fsync before closing log
- Make default flush setting larger
- In auparse, terminate the generated strings (Burn Alting)
- In auditd, add incremental_async flushing mode
- Clean up dangling fields in DAEMON events
- Add audit by process name support to auditctl (Richard Briggs)
- Relax permissions on systemd files
- Fix auparse to handle interlaced events (Burn Alting)
- Allow more syslog facilities in audispd-syslog (Aleksander Adamowski)

This release of the audit system represents a break with the past in a couple 
ways. The default way to load rules is now via the augenrules program. And 
this release of the audit package includes entirely new rules for use. The 
nispom and stig rules still exist, but they have been renamed and moved. To 
see the new rules, look in the rules documentation directory. There is a 
README file that explains the new system.

The audit daemon has undergone some major performance improvements. The audit 
daemon moved from a multi-threaded data flow to a singly-threaded data flow with 
asynchronous flushing. This new mode, INCREMENTAL_ASYNC, is now the default 
flush setting. Using it makes the audit daemon log over 90 times faster. (At 
least that's what I measured using the XFS file system. YMMV.) The audit daemon's 
internal events were also reviewed and modernized with op= fields. Also, 
because the audit daemon is now singly-threaded for the main data flow, there 
is no need to make a multi-thread-safe copy of libaudit. This means the audit 
daemon binary is significantly smaller.

This release adds audit by executable name support if your kernel also 
supports it. The audit by executable names support will allow you to write 
rules that target an exact application so that you can see if it is doing 
something odd. An example rule would look like this:

-a always,exit -F arch=x86_64 -S connect,sendto -F exe=/bin/sh -F key=bash-network

I think you will need the 4.4 kernel or later to use this feature.

Also in this release, there is a re-working of the auparse library by Burn 
Alting to handle interlaced audit events. The kernel makes no effort to 
serialize events going to user space. If for some reason two events got 
interlaced where records for each one alternated with the other, the auparse 
library previously considered one event ending and another starting for each 
interlaced record - thus breaking up the event. This release should make all 
tools linking against auparse much more reliable.
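The two points above (records of the exe=/bin/sh rule arriving interlaced with
records of another event, and a parser that must group by the event id rather
than by adjacency) can be shown on a few log lines. The following is an added
example written for this page; it is not code from the audit project and not
the auparse implementation. It assumes constructed audit.log lines in the
usual "type=... msg=audit(time:serial): ..." layout, with an EOE record
marking the end of each event, and it groups records by the (time, serial)
pair the kernel stamps on every record of one event. The naive_group function
reproduces the old behaviour the mail describes, where a change of serial
between neighbouring records was taken as an event boundary.

```python
import re
from collections import OrderedDict

# Record header as written by auditd; the (time:serial) pair is the event id.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: event 1001 (sh calling connect, syscall 42 on x86_64,
# matched by key=bash-network) interlaced with event 1002 (an execve of ls).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1452539000.123:1001): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd00001000 a2=10 items=0 ppid=1 pid=1234 auid=1000 uid=1000 comm="sh" exe="/bin/sh" key="bash-network"
type=SYSCALL msg=audit(1452539000.125:1002): arch=c000003e syscall=59 success=yes exit=0 a0=5 a1=6 a2=7 items=2 ppid=1 pid=1235 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=SOCKADDR msg=audit(1452539000.123:1001): saddr=02000050C0A8000100000000000000000
type=EXECVE msg=audit(1452539000.125:1002): argc=2 a0="ls" a1="-l"
type=PROCTITLE msg=audit(1452539000.123:1001): proctitle="sh"
type=EOE msg=audit(1452539000.125:1002): 
type=EOE msg=audit(1452539000.123:1001): 
"""


def parse_record(line):
    """Split one audit.log line into its type, event id and a field dict."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
    return {'type': m.group('type'), 'time': m.group('time'),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(lines):
    """Group records by event id, so interlaced events are reassembled.

    Events are open until their EOE record arrives; anything still open at
    end of input is flushed as a partial event rather than dropped.
    """
    open_events = OrderedDict()
    complete = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec['time'], rec['serial'])
        records = open_events.setdefault(key, [])
        if rec['type'] == 'EOE':
            complete.append(open_events.pop(key))
        else:
            records.append(rec)
    complete.extend(open_events.values())
    return [ev for ev in complete if ev]


def naive_group(lines):
    """Old behaviour: a new event starts whenever the serial changes."""
    events, current, last = [], [], None
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec['type'] == 'EOE':
            continue
        key = (rec['time'], rec['serial'])
        if current and key != last:
            events.append(current)
            current = []
        current.append(rec)
        last = key
    if current:
        events.append(current)
    return events


def network_calls_by_key(events, key='bash-network'):
    """Report SYSCALL events carrying the rule key, with the peer address."""
    hits = []
    for ev in events:
        syscall = next((r for r in ev if r['type'] == 'SYSCALL'), None)
        if syscall is None or syscall['fields'].get('key') != key:
            continue
        saddr = next((r['fields'].get('saddr') for r in ev if r['type'] == 'SOCKADDR'), None)
        hits.append({'serial': syscall['serial'], 'exe': syscall['fields'].get('exe'),
                     'syscall': syscall['fields'].get('syscall'), 'saddr': saddr})
    return hits


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print("naive events:", len(naive_group(lines)))      # one per record run
    events = group_events(lines)
    print("grouped events:", len(events))                # one per serial
    for hit in network_calls_by_key(events):
        print(hit)
```

Run over the sample, the naive splitter reports five "events" for two real
ones and loses the SOCKADDR record from the connect event; the id-based
grouping keeps the SYSCALL, SOCKADDR and PROCTITLE records of serial 1001
together, which is what a key=bash-network consumer needs to see where
/bin/sh connected.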

There were also a number of other minor cleanups and enhancements.

Please let me know if you run across any problems with this release.

-Steve
