audit 3.0.1 released

Steve Grubb sgrubb at redhat.com
Fri Feb 12 20:45:19 UTC 2021


Hello,

I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:

- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

This release features 2 new experimental plugins. The statsd plugin should be 
ready to try out. The other IDS plugin is more of a long term work in 
progress. No timeline for its development, either. (There is a known bug
where the ids plugin fails to build in some environments. There is a brand 
new commit in github fixing this. Grab it if it fails to build.)

During the work for statsd, I found that the audit daemon is a little more 
active than it should be. This was because it was enabling periodic timers 
that are used to detect dead network connections when the daemon is configured 
to be an aggregator. This is fixed and libev was updated to the latest 
release. While I was in the libev section of code I did some testing between
using select and epoll as the event backend. Turns out select is about 4 ms 
faster. So, as long as auditd is not receiving network events, it will use 
select. If it does receive network events, then it will continue to use epoll 
in case it needs a lot of descriptors.

Ausearch/report now have a new command line option, --eoe-timeout, to help
gather event records into the right event if they were slow getting output. 
Auditd also has a setting that could be considered the eoe_timeout default 
setting. Libauparse automatically tries to read this if it has the 
permissions.

SHA256: 994c4250d8fd43f3087a3c2ce73461832e30f1e9b278bf5bb03c3e07091155a5

Please let me know if you run across any problems with this release.

-Steve
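As an added illustration of the record-grouping problem that --eoe-timeout addresses (this is not code from the audit project), the Python below assembles a constructed set of audit records into events keyed by (timestamp, serial) and treats an event as complete once the newest timestamp seen in the stream is more than eoe_timeout seconds past the event's own timestamp. The sample records, serials and the late PROCTITLE line are constructed, and the flush rule is a simplification of what ausearch does, not its implementation.

```python
import re

# Constructed sample log, in the order the records reached the log file.
# Event serial 101's PROCTITLE record was slow getting out and lands after
# records of two later events, which is the case --eoe-timeout is meant to handle.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1613161519.100:101): arch=c000003e syscall=59 success=yes exit=0 comm="sudo"
type=EXECVE msg=audit(1613161519.100:101): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1613161520.300:102): arch=c000003e syscall=257 success=yes exit=3 comm="cat"
type=PATH msg=audit(1613161520.300:102): item=0 name="/etc/sudoers" nametype=NORMAL
type=SYSCALL msg=audit(1613161522.500:103): arch=c000003e syscall=1 success=yes exit=5 comm="vi"
type=PROCTITLE msg=audit(1613161519.100:101): proctitle=7375646F002D69
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')

def assemble_events(log_text, eoe_timeout):
    """Group records into events keyed by (timestamp, serial).

    An open event is declared complete (flushed) once the newest timestamp
    seen in the stream is more than eoe_timeout seconds past the event's
    own timestamp (simplified end-of-event rule, an assumption of this example).
    Returns a list of (key, [record types]) in flush order. A too-short
    timeout splits a slow event into two entries carrying the same key.
    """
    open_events = {}      # key -> list of record types, insertion ordered
    flushed = []
    stream_time = 0.0     # newest audit timestamp seen so far
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue      # not a record header; skip it
        rtype, ts, serial = m.group(1), float(m.group(2)), int(m.group(3))
        stream_time = max(stream_time, ts)
        # close every event that has been quiet for longer than the timeout
        for key in list(open_events):
            if stream_time - key[0] > eoe_timeout:
                flushed.append((key, open_events.pop(key)))
        open_events.setdefault((ts, serial), []).append(rtype)
    # end of input: whatever is still open is complete by definition
    flushed.extend(open_events.items())
    return flushed

def orphaned_keys(events):
    """Keys that appear in more than one flushed event, i.e. records that a
    too-short timeout separated from the rest of their event."""
    seen, dup = set(), set()
    for key, _ in events:
        (dup if key in seen else seen).add(key)
    return sorted(dup)

if __name__ == "__main__":
    for timeout in (2, 5):
        events = assemble_events(SAMPLE_LOG, timeout)
        print(f"eoe_timeout={timeout}: {len(events)} events, split keys {orphaned_keys(events)}")
```

With a 2 second timeout the late PROCTITLE record becomes a separate, orphaned entry for serial 101; with 5 seconds it is merged into the event it belongs to.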