audit 3.0.3 released

Steve Grubb sgrubb at redhat.com
Wed Jul 14 19:27:33 UTC 2021 

On Wednesday, July 14, 2021 3:12:35 PM EDT Steve Grubb wrote:
> Hello,
> 
> I've just released a new version of the audit daemon. It can be
> downloaded from http://people.redhat.com/sgrubb/audit. It will also be
> in rawhide soon. The ChangeLog is:
> 
> - Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
> - Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
> - Change auparse_feed_has_data in auparse to include incomplete events
> - Auditd, stop linking against -lrt
> - Add ProtectHome and RestrictRealtime to auditd.service
> - In auditd, read up to 3 netlink packets in a row
> - In auditd, do not validate path to plugin unless active
> - In auparse, only emit config errors when AUPARSE_DEBUG env variable
> exists
> 
> The main change in this release is that auditd pulls events out of the
> kernel at a faster rate. It was so much so, that the plugins can't keep
> up. So, I throttled it down a little to give plugin developers a chance to
> see events at a higher rate and make changes. I will be doubling the speed
> on the next release. So, now would be the time to check 3rd party plugins
> and ensure they are dequeuing events as fast as possible. If the plugin
> has a lot of post processing, I'd suggest making it multithreaded with a
> fifo inbetween the threads. One pulls events aqueues them, the other
> dequeues and post processes.

One important thing I forgot...because the events are coming faster, the 
internal queueing to plugins needs to be increased to handle bursts. The old 
default was 400. I set the new default to 1200. It testing, I've seen the 
internal queue get up to 800 or so events. You can check this on your system 
by running service auditd state. If you do not have the service command, you 
can send signal SIGCONT to auditd and then look at /var/run/auditd.state to 
see the man q_depth.



> Also notable, the bahavior of  auparse_feed_has_data in auparse was changed
> to include incomplete events. This is in effort to speed up processing of
> events.
> 
> One other thing that may cause problems if you build and debug plugins is
> the auditd.service systemd file now adds ProtectHome and RestrictRealtime.
> The ProtectHome will not let auditd touch anything under /home. That may
> be an incovenice for debugging. But its better for everyone else.
> 
> SHA256: 23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904
> 
> Please let me know if you run across any problems with this release.
> 
> -Steve
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit

More information about the Linux-audit mailing list