libaudit vsn 1/2 changes

Steve Grubb sgrubb at redhat.com
Tue May 30 19:36:04 UTC 2017


On Tuesday, May 30, 2017 2:19:09 PM EDT Frederick House wrote:
> Does anyone know the specific changes to libaudit v1 that warranted a major
> version upgrade to v2 (i.e., libaudit.so.0 -> libaudit.so.1)? I'd like to
> understand the major differences without having to diff the source code of
> audit-1.8 and audit-2.0!

From the old 2.0 changelog:

- Removed old syscall rules API - not needed since 2.6.16
- Remove all use of the old rule structs from API
- Removed ancient defines that are part of kernel 2.6.29 headers
- Bump soname number for libaudit
- In auditctl, deprecate the entry filter and move rules to exit filter
- Remove support for the legacy negate syscall rule operator

The main thing was we had to remove hidden function calls that were using an 
old API that had been deprecated. Specifically this was audit_add_rule() and 
audit_delete_rule(). They in turn used a deprecated kernel API.

The way that it played out was that we made the new API in the kernel. User 
space used both for a while and then user space started only using the new 
API. The old API was hidden so that new programs had to use the new API but 
anything compiled against the old API would continue working for a while. 
After a couple of years we were pretty sure nothing was using the old kernel 
API and its code could be removed. The first step was removing the last bits
of support from user space and then, a year or two later, moving it out of the
kernel.

This happened way back in 2009.

-Steve

