audit 3.0.3 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
- Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
- Change auparse_feed_has_data in auparse to include incomplete events
- Auditd, stop linking against -lrt
- Add ProtectHome and RestrictRealtime to auditd.service
- In auditd, read up to 3 netlink packets in a row
- In auditd, do not validate path to plugin unless active
- In auparse, only emit config errors when AUPARSE_DEBUG env variable exists
The main change in this release is that auditd pulls events out of the kernel
at a faster rate. It was so much so, that the plugins can't keep up. So, I
throttled it down a little to give plugin developers a chance to see events
at a higher rate and make changes. I will be doubling the speed on the next
release. So, now would be the time to check 3rd party plugins and ensure they
are dequeuing events as fast as possible. If the plugin has a lot of post
processing, I'd suggest making it multithreaded with a fifo inbetween the
threads. One pulls events aqueues them, the other dequeues and post
processes.
Also notable, the bahavior of auparse_feed_has_data in auparse was changed
to include incomplete events. This is in effort to speed up processing of
events.
One other thing that may cause problems if you build and debug plugins is the
auditd.service systemd file now adds ProtectHome and RestrictRealtime. The
ProtectHome will not let auditd touch anything under /home. That may be an
incovenice for debugging. But its better for everyone else.
SHA256: 23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904
Please let me know if you run across any problems with this release.
-Steve
3 years, 3 months
The format of password change audit events seems to have changed, Can you confirm the correct record type ?
by Wieprecht, Karen M.
I've noticed that the messages I'm searching for in splunk to show root password changes no longer seem to be in the same format. Most of our systems run RHEL7 release 7.9, and I believe this is a recent change (I've only noticed this problem in the past 3 months or so?), but we do have an older 7.5 system, so I was able to use that to compare against the 7.5 to identify what's changed. I wanted to confirm which record I should be using now since there are several that get generated now
The key differences seem to be in the message generated and the keyname being used for the account being targeted, but I wanted to confirm that there isn't some other record I should be looking at to verify that the root password was changed in the required timeframe since I see several records being generated from a password change, none of which include anything as conclusive as the old message that showed the operation as a "password change". Here are some fo the fields I'm looking at:
type=USER_CHAUTHOK
exe=/usr/bin/passwd
[acct targeted for the passwd change]:
id=root (old format)
acct=root (latest format)
msg
msg='op=change password (old format)
msg='op=PAM:chauthok (latest format)
If you can confirm whether this is the info I should be using now to confirm password changes, that would be much appreciated.
Thanks so much,
Karen Wieprecht
3 years, 3 months
Bad Rule?
by warron.french
I am required to place the following rule into my audit configurations, but
when I do auditd will stop loading rules from this particular rule forward
to the end.
-a always,exit -F path= /etc/NetworkManager/ -F perm=wa -F
key=system-locale
The rule immediately above it was:
-a exit,never -F dir=/usr/local/share/macrovision/storage -k exclude
If I hash out the syntax including NetworkManager all rules load, but
unhashed it stops loading rules from that point to the end.
--------------------------
Warron French
3 years, 3 months