March 2019 - Linux-audit - Linux-Audit List Archives

[PATCH ghak110 V1] audit: connect LOGIN record to its syscall record

by Richard Guy Briggs

Currently the AUDIT_LOGIN event is a standalone record that isn't connected to any other records that may be part of its syscall event. To avoid the confusion of generating two events, connect the records by using its syscall context. Please see the github issue https://github.com/linux-audit/audit-kernel/issues/110 Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com> --- Passes audit-testsuite and ausearch-test-0.6 kernel/audit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/audit.c b/kernel/audit.c index c89ea48c70a6..b96bf69183f4 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2220,7 +2220,7 @@ static void audit_log_set_loginuid(kuid_t koldloginuid, kuid_t kloginuid, if (!audit_enabled) return; - ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_LOGIN); + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_LOGIN); if (!ab) return; -- 1.8.3.1

6 years

2
1
0 / 0

[PATCH][v3] audit: fix a memleak caused by auditing load module

by Li RongQing

module.name will be allocated unconditionally when auditing load module, and audit_log_start() can fail with other reasons, or audit_log_exit maybe not called, caused module.name is not freed so free module.name in audit_free_context and __audit_syscall_exit unreferenced object 0xffff88af90837d20 (size 8): comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s) hex dump (first 8 bytes): 69 78 67 62 65 00 ff ff ixgbe... backtrace: [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80 [<00000000c1491e61>] load_module+0x64f/0x3850 [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250 [<0000000000d4a478>] do_syscall_64+0x117/0x400 [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe [<000000007dc331dd>] 0xffffffffffffffff Fixes: ca86cad7380e3 ("audit: log module name on init_module") Signed-off-by: Zhang Yu <zhangyu31(a)baidu.com> Signed-off-by: Li RongQing <lirongqing(a)baidu.com> --- v3-->v2: create a helper and git rid of free from show_special as Paul suggest v2-->v1: free module.name always, not check the return of audit_log_start kernel/auditsc.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b2d1f043f..001056b4c 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -881,6 +881,13 @@ static inline void audit_proctitle_free(struct audit_context *context) context->proctitle.len = 0; } +static inline void audit_free_module(struct audit_context *context) +{ + if (context->type == AUDIT_KERN_MODULE) { + kfree(context->module.name); + context->module.name = NULL; + } +} static inline void audit_free_names(struct audit_context *context) { struct audit_names *n, *next; @@ -964,6 +971,7 @@ int audit_alloc(struct task_struct *tsk) static inline void audit_free_context(struct audit_context *context) { + audit_free_module(context); audit_free_names(context); unroll_tree_refs(context, NULL, 0); free_tree_refs(context); @@ -1281,7 +1289,6 @@ static void show_special(struct audit_context *context, int *call_panic) audit_log_format(ab, "name="); if (context->module.name) { audit_log_untrustedstring(ab, context->module.name); - kfree(context->module.name); } else audit_log_format(ab, "(null)"); @@ -1583,6 +1590,7 @@ void __audit_syscall_exit(int success, long return_code) if (!list_empty(&context->killed_trees)) audit_kill_trees(&context->killed_trees); + audit_free_module(context); audit_free_names(context); unroll_tree_refs(context, NULL, 0); audit_free_aux(context); -- 2.16.2

6 years

2
2
0 / 0

[PATCH v2 00/13] Prepare syscall_get_arch for PTRACE_GET_SYSCALL_INFO

by Dmitry V. Levin

syscall_get_arch() is required to be implemented on all architectures in order to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO request: syscall_get_arch() is going to be called from ptrace_request() along with syscall_get_nr(), syscall_get_arguments(), syscall_get_error(), and syscall_get_return_value() functions with a tracee as their argument. The primary intent is that the triple (audit_arch, syscall_nr, arg1..arg6) should describe what system call is being called and what its arguments are. This patchset began as a series called "Prepare for PTRACE_GET_SYSCALL_INFO", then I merged it into a series called "ptrace: add PTRACE_GET_SYSCALL_INFO request" that also contains ptrace-specific changes. The ptrace-specific part, however, needs more attention to workaround problems on niche architectures like alpha, while the syscall_get_arch() part is straightforward, so I decided to split it out into a separate patchset that just prepares syscall_get_arch() for PTRACE_GET_SYSCALL_INFO: it adds syscall_get_arch() to those architectures that haven't implemented it yet, and then adds "struct task_struct *" argument to syscall_get_arch() on all architectures. All patches from this patchset have been already reviewed, so it's ready to be merged without waiting for the ptrace-specific part. As it's all about syscall_get_arch(), it should probably go via audit tree. Notes: v2: rebased to v5.1-rc1, added Acked-by Dmitry V. Levin (13): Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h arc: define syscall_get_arch() c6x: define syscall_get_arch() h8300: define syscall_get_arch() Move EM_HEXAGON to uapi/linux/elf-em.h hexagon: define syscall_get_arch() m68k: define syscall_get_arch() Move EM_NDS32 to uapi/linux/elf-em.h nds32: define syscall_get_arch() nios2: define syscall_get_arch() Move EM_UNICORE to uapi/linux/elf-em.h unicore32: define syscall_get_arch() syscall_get_arch: add "struct task_struct *" argument arch/alpha/include/asm/syscall.h | 2 +- arch/arc/include/asm/elf.h | 6 +----- arch/arc/include/asm/syscall.h | 11 +++++++++++ arch/arm/include/asm/syscall.h | 2 +- arch/arm64/include/asm/syscall.h | 4 ++-- arch/c6x/include/asm/syscall.h | 7 +++++++ arch/csky/include/asm/syscall.h | 2 +- arch/h8300/include/asm/syscall.h | 6 ++++++ arch/hexagon/include/asm/elf.h | 6 +----- arch/hexagon/include/asm/syscall.h | 8 ++++++++ arch/ia64/include/asm/syscall.h | 2 +- arch/m68k/include/asm/syscall.h | 12 ++++++++++++ arch/microblaze/include/asm/syscall.h | 2 +- arch/mips/include/asm/syscall.h | 6 +++--- arch/mips/kernel/ptrace.c | 2 +- arch/nds32/include/asm/elf.h | 3 +-- arch/nds32/include/asm/syscall.h | 9 +++++++++ arch/nios2/include/asm/syscall.h | 6 ++++++ arch/openrisc/include/asm/syscall.h | 2 +- arch/parisc/include/asm/syscall.h | 4 ++-- arch/powerpc/include/asm/syscall.h | 10 ++++++++-- arch/riscv/include/asm/syscall.h | 2 +- arch/s390/include/asm/syscall.h | 4 ++-- arch/sh/include/asm/syscall_32.h | 2 +- arch/sh/include/asm/syscall_64.h | 2 +- arch/sparc/include/asm/syscall.h | 5 +++-- arch/unicore32/include/asm/elf.h | 3 +-- arch/unicore32/include/asm/syscall.h | 12 ++++++++++++ arch/x86/include/asm/syscall.h | 8 +++++--- arch/x86/um/asm/syscall.h | 2 +- arch/xtensa/include/asm/syscall.h | 2 +- include/asm-generic/syscall.h | 5 +++-- include/uapi/linux/audit.h | 12 ++++++++++++ include/uapi/linux/elf-em.h | 6 ++++++ kernel/auditsc.c | 4 ++-- kernel/seccomp.c | 4 ++-- 36 files changed, 137 insertions(+), 48 deletions(-) create mode 100644 arch/m68k/include/asm/syscall.h create mode 100644 arch/unicore32/include/asm/syscall.h -- ldv

6 years

1
1
0 / 0

[PATCH ghau51/ghau40 v5 0/6] add support for audit container identifier

by Richard Guy Briggs

Add support for audit kernel container identifiers to userspace tools. The first and second add new record types. The third adds filter support. The fourth and 5th start to add search support. The last is intended for debugging and not for upstream, matching the kernel /proc read patch. See: https://github.com/linux-audit/audit-userspace/issues/51 See: https://github.com/linux-audit/audit-userspace/issues/40 See: https://github.com/linux-audit/audit-kernel/issues/90 See: https://github.com/linux-audit/audit-kernel/issues/91 See: https://github.com/linux-audit/audit-testsuite/issues/64 See: https://github.com/linux-audit/audit-kernel/wiki/RFE-Audit-Container-ID Changelog: v5 - updated aux record from AUDIT_CONTAINER to AUDIT_CONTAINER_ID - add AUDIT_CONTAINER_ID to normalization - rebase on AUDIT_ANOM_LINK and AUDIT_MAC_CALIPSO_ADD v4 - change from AUDIT_CONTAINER_ID to AUDIT_CONTAINER_OP - change from AUDIT_FEATURE_BITMAP_CONTAINERID_FILTER to AUDIT_FEATURE_BITMAP_CONTAINERID - change from event_container_id to event_contid internally - change from container_id to contid and event_container_id to event_contid internally - change command line option from --container-id to --contid v3 - change from AUDIT_CONTAINER to AUDIT_CONTAINER_ID - change from AUDIT_CONTAINER_INFO to AUDIT_CONTAINER - change from AUDIT_CONTAINERID to AUDIT_CONTID - update github issue refs - add audit_get_containerid - change event_container_id default value - add --containerid to ausearch options help text - update ausearch parser and error codes v2 - rebase on UINT_MAX patch - add patches for AUDIT_CONTAINER, AUDIT_CONTAINER_INFO, ausearch, normalization Richard Guy Briggs (6): AUDIT_CONTAINER_OP message type basic support AUDIT_CONTAINER_ID message type basic support auditctl: add support for AUDIT_CONTID filter add ausearch containerid support start normalization containerid support libaudit: add support to get the task audit container identifier auparse/normalize_record_map.h | 2 + docs/Makefile.am | 2 +- docs/audit_get_containerid.3 | 25 ++++++ docs/auditctl.8 | 3 + lib/fieldtab.h | 1 + lib/libaudit.c | 65 ++++++++++++++ lib/libaudit.h | 16 ++++ lib/msg_typetab.h | 2 + lib/netlink.c | 1 + src/auditctl-listing.c | 21 +++++ src/aureport-options.c | 1 + src/ausearch-llist.c | 2 + src/ausearch-llist.h | 1 + src/ausearch-match.c | 3 + src/ausearch-options.c | 47 +++++++++- src/ausearch-options.h | 1 + src/ausearch-parse.c | 199 +++++++++++++++++++++++++++++++++++++++++ 17 files changed, 390 insertions(+), 2 deletions(-) create mode 100644 docs/audit_get_containerid.3 -- 1.8.3.1

6 years

1
6
0 / 0

[GIT PULL] Audit patches for v5.1

by Paul Moore

Hi Linus, A lucky 13 audit patches for v5.1. Despite the rather large diffstat, most of the changes are from two bug fix patches that move code from one Kconfig option to another. Beyond that bit of churn, the remaining changes are largely cleanups and bug-fixes as we slowly march towards container auditing. It isn't all boring though, we do have a couple of new things: file capabilities v3 support, and expanded support for filtering on filesystems to solve problems with remote filesystems. All changes pass the audit-testsuite. Please merge for v5.1. Thanks, -Paul -- The following changes since commit bfeffd155283772bbe78c6a05dec7c0128ee500c: Linux 5.0-rc1 (2019-01-06 17:08:20 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git tags/audit-pr-20190305 for you to fetch changes up to 131d34cb07957151c369366b158690057d2bce5e: audit: mark expected switch fall-through (2019-02-12 20:17:13 -0500) ---------------------------------------------------------------- audit/stable-5.1 PR 20190305 ---------------------------------------------------------------- Gustavo A. R. Silva (1): audit: mark expected switch fall-through Richard Guy Briggs (12): audit: give a clue what CONFIG_CHANGE op was involved audit: hand taken context to audit_kill_trees for syscall logging audit: add syscall information to CONFIG_CHANGE records audit: move loginuid and sessionid from CONFIG_AUDITSYSCALL to CONFIG_AUDIT audit: add support for fcaps v3 audit: more filter PATH records keyed on filesystem magic audit: clean up AUDITSYSCALL prototypes and stubs audit: ignore fcaps on umount audit: remove unused actx param from audit_rule_match audit: remove audit_context when CONFIG_ AUDIT and not AUDITSYSCALL audit: join tty records to their syscall audit: hide auditsc_get_stamp and audit_serial prototypes drivers/tty/tty_audit.c | 2 +- fs/namei.c | 2 +- fs/namespace.c | 2 + fs/proc/base.c | 6 +- include/linux/audit.h | 66 ++++---- include/linux/capability.h | 5 +- include/linux/lsm_hooks.h | 4 +- include/linux/namei.h | 3 + include/linux/sched.h | 4 +- include/linux/security.h | 5 +- init/init_task.c | 2 +- kernel/audit.c | 267 ++++++++++++------------------ kernel/audit.h | 81 +++++---- kernel/audit_fsnotify.c | 2 +- kernel/audit_tree.c | 19 ++- kernel/audit_watch.c | 2 +- kernel/auditfilter.c | 6 +- kernel/auditsc.c | 320 +++++++++++++++++++++++------------- security/apparmor/audit.c | 3 +- security/apparmor/include/audit.h | 3 +- security/commoncap.c | 2 + security/integrity/ima/ima.h | 3 +- security/integrity/ima/ima_policy.c | 6 +- security/security.c | 6 +- security/selinux/include/audit.h | 4 +- security/selinux/ss/services.c | 3 +- security/smack/smack_lsm.c | 4 +- 27 files changed, 440 insertions(+), 392 deletions(-) -- paul moore www.paul-moore.com

6 years, 1 month

2
1
0 / 0

Tracking Content Written to Files

by Wajih Ul Hassan

Hi All, Can I use auditd to track content written to specific files? For example, in this case https://access.redhat.com/solutions/10107, how can I keep track of what string was written to `/etc/hosts` file over time and extract this information later from logs? The reason I asked this question is that I am trying to audit some simulated attack scenario and in this particular attack scenario I need to know the what content was written/changed to a sensitive file over time to fully understand the attack. Even if the attack deletes the contents of the sensitive file at time t_2, I need to extract what was written to file at time t_1. Thanks, Wajih

6 years, 1 month

2
1
0 / 0

[PATCH][v2] audit: fix a memleak caused by auditing load module

by Li RongQing

module.name will be allocated unconditionally when auditing load module, and audit_log_start() can fail with other reasons, or audit_log_exit maybe not called, caused module.name is released so free module.name in audit_free_context and audit exit syscall unreferenced object 0xffff88af90837d20 (size 8): comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s) hex dump (first 8 bytes): 69 78 67 62 65 00 ff ff ixgbe... backtrace: [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80 [<00000000c1491e61>] load_module+0x64f/0x3850 [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250 [<0000000000d4a478>] do_syscall_64+0x117/0x400 [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe [<000000007dc331dd>] 0xffffffffffffffff Fixes: ca86cad7380e3 ("audit: log module name on init_module") Signed-off-by: Zhang Yu <zhangyu31(a)baidu.com> Signed-off-by: Li RongQing <lirongqing(a)baidu.com> --- kernel/auditsc.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b2d1f043f..07728b07a 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -964,6 +964,9 @@ int audit_alloc(struct task_struct *tsk) static inline void audit_free_context(struct audit_context *context) { + if (context->type == AUDIT_KERN_MODULE) + kfree(context->module.name); + audit_free_names(context); unroll_tree_refs(context, NULL, 0); free_tree_refs(context); @@ -1282,6 +1285,8 @@ static void show_special(struct audit_context *context, int *call_panic) if (context->module.name) { audit_log_untrustedstring(ab, context->module.name); kfree(context->module.name); + context->module.name = NULL; + context->type = 0; } else audit_log_format(ab, "(null)"); @@ -1583,6 +1588,11 @@ void __audit_syscall_exit(int success, long return_code) if (!list_empty(&context->killed_trees)) audit_kill_trees(&context->killed_trees); + if (context->type == AUDIT_KERN_MODULE) { + kfree(context->module.name); + context->module.name = NULL; + } + audit_free_names(context); unroll_tree_refs(context, NULL, 0); audit_free_aux(context); -- 2.16.2

6 years, 1 month

2
1
0 / 0

[PATCH 00/14] Prepare syscall_get_arch for PTRACE_GET_SYSCALL_INFO

by Dmitry V. Levin

syscall_get_arch() is required to be implemented on all architectures in order to extend the generic ptrace API with PTRACE_GET_SYSCALL_INFO request: syscall_get_arch() is going to be called from ptrace_request() along with syscall_get_nr(), syscall_get_arguments(), syscall_get_error(), and syscall_get_return_value() functions with a tracee as their argument. The primary intent is that the triple (audit_arch, syscall_nr, arg1..arg6) should describe what system call is being called and what its arguments are. This patchset began as a series called "Prepare for PTRACE_GET_SYSCALL_INFO", then I merged it into a series called "ptrace: add PTRACE_GET_SYSCALL_INFO request" that also contains ptrace-specific changes. The ptrace-specific part, however, needs more attention to workaround problems on niche architectures like alpha, while the syscall_get_arch() part is straightforward, so I decided to split it out into a separate patchset that just prepares syscall_get_arch() for PTRACE_GET_SYSCALL_INFO: it adds syscall_get_arch() to those architectures that haven't implemented it yet, and then adds "struct task_struct *" argument to syscall_get_arch() on all architectures. All patches from this patchset have been already reviewed, so it's ready to be merged without waiting for the ptrace-specific part. As it's all about syscall_get_arch(), it should probably go via audit tree. Dmitry V. Levin (14): Move EM_ARCOMPACT and EM_ARCV2 to uapi/linux/elf-em.h arc: define syscall_get_arch() c6x: define syscall_get_arch() h8300: define syscall_get_arch() Move EM_HEXAGON to uapi/linux/elf-em.h hexagon: define syscall_get_arch() m68k: define syscall_get_arch() Move EM_NDS32 to uapi/linux/elf-em.h nds32: define syscall_get_arch() nios2: define syscall_get_arch() riscv: define syscall_get_arch() Move EM_UNICORE to uapi/linux/elf-em.h unicore32: define syscall_get_arch() syscall_get_arch: add "struct task_struct *" argument arch/alpha/include/asm/syscall.h | 2 +- arch/arc/include/asm/elf.h | 6 +----- arch/arc/include/asm/syscall.h | 11 +++++++++++ arch/arm/include/asm/syscall.h | 2 +- arch/arm64/include/asm/syscall.h | 4 ++-- arch/c6x/include/asm/syscall.h | 7 +++++++ arch/csky/include/asm/syscall.h | 2 +- arch/h8300/include/asm/syscall.h | 6 ++++++ arch/hexagon/include/asm/elf.h | 6 +----- arch/hexagon/include/asm/syscall.h | 8 ++++++++ arch/ia64/include/asm/syscall.h | 2 +- arch/m68k/include/asm/syscall.h | 12 ++++++++++++ arch/microblaze/include/asm/syscall.h | 2 +- arch/mips/include/asm/syscall.h | 6 +++--- arch/mips/kernel/ptrace.c | 2 +- arch/nds32/include/asm/elf.h | 3 +-- arch/nds32/include/asm/syscall.h | 9 +++++++++ arch/nios2/include/asm/syscall.h | 6 ++++++ arch/openrisc/include/asm/syscall.h | 2 +- arch/parisc/include/asm/syscall.h | 4 ++-- arch/powerpc/include/asm/syscall.h | 10 ++++++++-- arch/riscv/include/asm/syscall.h | 10 ++++++++++ arch/s390/include/asm/syscall.h | 4 ++-- arch/sh/include/asm/syscall_32.h | 2 +- arch/sh/include/asm/syscall_64.h | 2 +- arch/sparc/include/asm/syscall.h | 5 +++-- arch/unicore32/include/asm/elf.h | 3 +-- arch/unicore32/include/asm/syscall.h | 12 ++++++++++++ arch/x86/include/asm/syscall.h | 8 +++++--- arch/x86/um/asm/syscall.h | 2 +- arch/xtensa/include/asm/syscall.h | 2 +- include/asm-generic/syscall.h | 5 +++-- include/uapi/linux/audit.h | 14 ++++++++++++++ include/uapi/linux/elf-em.h | 6 ++++++ kernel/auditsc.c | 4 ++-- kernel/seccomp.c | 4 ++-- 36 files changed, 148 insertions(+), 47 deletions(-) create mode 100644 arch/m68k/include/asm/syscall.h create mode 100644 arch/unicore32/include/asm/syscall.h -- ldv

6 years, 1 month

6
31
0 / 0

[PATCH] audit: fix a memleak caused by auditing load module

by Li RongQing

we should always free context->module.name, since it will be allocated unconditionally and audit_log_start() can fail with other reasons, and audit_log_exit maybe not called unreferenced object 0xffff88af90837d20 (size 8): comm "modprobe", pid 1036, jiffies 4294704867 (age 3069.138s) hex dump (first 8 bytes): 69 78 67 62 65 00 ff ff ixgbe... backtrace: [<0000000008da28fe>] __audit_log_kern_module+0x33/0x80 [<00000000c1491e61>] load_module+0x64f/0x3850 [<000000007fc9ae3f>] __do_sys_init_module+0x218/0x250 [<0000000000d4a478>] do_syscall_64+0x117/0x400 [<000000004924ded8>] entry_SYSCALL_64_after_hwframe+0x49/0xbe [<000000007dc331dd>] 0xffffffffffffffff Fixes: ca86cad7380e3 ("audit: log module name on init_module") Signed-off-by: Zhang Yu <zhangyu31(a)baidu.com> Signed-off-by: Li RongQing <lirongqing(a)baidu.com> --- kernel/auditsc.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index b2d1f043f..2bd80375f 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1186,8 +1186,13 @@ static void show_special(struct audit_context *context, int *call_panic) int i; ab = audit_log_start(context, GFP_KERNEL, context->type); - if (!ab) + if (!ab) { + if (context->type == AUDIT_KERN_MODULE) { + kfree(context->module.name); + context->module.name = NULL; + } return; + } switch (context->type) { case AUDIT_SOCKETCALL: { @@ -1354,8 +1359,15 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts context->personality = tsk->personality; ab = audit_log_start(context, GFP_KERNEL, AUDIT_SYSCALL); - if (!ab) + + if (!ab) { + if (context->type == AUDIT_KERN_MODULE) { + kfree(context->module.name); + context->module.name = NULL; + } return; /* audit_panic has been called */ + } + audit_log_format(ab, "arch=%x syscall=%d", context->arch, context->major); if (context->personality != PER_LINUX) @@ -1576,6 +1588,12 @@ void __audit_syscall_exit(int success, long return_code) if (context->in_syscall && context->current_state == AUDIT_RECORD_CONTEXT) audit_log_exit(context, current); + else { + if (context->type == AUDIT_KERN_MODULE) { + kfree(context->module.name); + context->module.name = NULL; + } + } context->in_syscall = 0; context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0; -- 2.16.2

6 years, 1 month

3
2
0 / 0

audit 2.8.5 released

by Steve Grubb

Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Fix segfault on shutdown - Fix hang on startup (#1587995) - Add sleep to script to dump state so file is ready when needed - Add auparse_normalizer support for SOFTWARE_UPDATE event - Mark netlabel events as simple events so that get processed quicker - When audispd is reconfiguring, only SIGHUP plugins with valid pid (#1614833) - Add 30-ospp-v42.rules to meet new Common Criteria requirements - Update lookup tables for the 4.18 kernel - In aureport, fix segfault in file report - Add auparse_normalizer support for labeled networking events - Fix memory leak in audisp-remote plugin when using krb5 transport. (#1622194) - Event aging is off by a second - In ausearch/auparse, correct event ordering to process oldest first - auparse_reset was not clearing everything it should - Add support for AUDIT_MAC_CALIPSO_ADD, AUDIT_MAC_CALIPSO_DEL events - In ausearch/report, lightly parse selinux portion of USER_AVC events - In ausearch/report, limit record size when malformed - In auditd, fix extract_type function for network originating events - In auditd, calculate right size and location for network originating events - Treat all network originating events as VER2 so dispatcher doesn't format it - In audisp-remote do an initial connection attempt (#1625156) - In auditd, allow expression of space left as a percentage (#1650670) - On PPC64LE systems, only allow 64 bit rules (#1462178) - Make some parts of auditd state report optional based on config - Fix ausearch when checkpointing a single file (Burn Alting) - Fix scripting in 31-privileged.rules wrt filecap (#1662516) - In ausearch, do not checkpt if stdin is input source - In libev, remove __cold__ attribute for functions to allow proper hardening - Add tests to configure.ac for openldap support - Make systemd support files use /run rather than /var/run (Christian Hesse) - Fix minor memory leak in auditd kerberos credentials code - Fix auditd regression where keep_logs is limited by rotate_logs 2 file test - In ausearch/report fix --end to use midnight time instead of now (#1671338) This is a big update to the maintenance branch of the audit package. All of the fixes included here are cherry picked fixes from the audit-3.0 development branch. This might be the last release for the 2.8 code base. We'll just have to see. Work on the audit-3.0 release is waiting for the audit container work to land and then should be released soon thereafter. (Just in case people were wonder what is holding up an official audit-3.0 release.) SHA256: 0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7 Please let me know if you run across any problems with this release. -Steve

6 years, 1 month

4
4
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Linux-audit March 2019