audit-3.1.3 released
by Steve Grubb
Hello,
I've released a new version of the audit daemon on the 3.1 maintenance
branch. It can be downloaded from http://people.redhat.com/sgrubb/audit. The
ChangeLog for it is in the github commits.
This release is a whole bunch of cherry-picked commits from the 4.0 branch.
This represents the end of the line for audit-3.1. At this point, I may
cherry-pick something important and just leave it there for maintainers to
pick up. The only way there would be a 3.1.4 release is if someone finds a
major bug in 3.1.3 in the next week or two.
SHA256: 5c316958a0951e62c426c986e1ee8f771aa94bfa71889d2fd7f5557597fd092b
Let me know if you find any problems with this release.
-Steve
7 months, 3 weeks
Explanation of audit message
by maupertuis.philippe@free.fr
Hello list,
I have some auditd messages like
----
node=xxxxxxxx type=PROCTITLE msg=audit(11/07/2023 15:07:37.822:236474) : proctitle=(systemd)
node= xxxxxxxx type=SYSCALL msg=audit(11/07/2023 15:07:37.822:236474) : arch=x86_64 syscall=socket success=yes exit=12 a0=inet a1=SOCK_DGRAM a2=ip a3=0x7ff7d8a40740 items=0 ppid=1 pid=3394229 auid=abcdef uid= abcdef gid=aqwzsx euid= abcdef suid= abcdef fsuid= abcdef egid= aqwzsx sgid= aqwzsx fsgid= aqwzsx tty=(none) ses=2284 comm=systemd exe=/usr/lib/systemd/systemd key=external-access
----
Which are generated by the rule:
-a always,exit -F arch=b64 -S socket,connect -F a0=0x2 -F auid>=1000 -F auid!=-1 -F key=external-access
Where can I find the description of the message?
Specifically, what do exit=12 and a2=ip and a3=0x7ff7d8a40740 mean?
Thanks for the explanation
Philippe
7 months, 3 weeks
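The record in the question is in the interpreted form that `ausearch -i` prints: the generic a0..a3 slots are shown with the meaning they have for the named syscall, so for socket(2) a0 is the address family, a1 the socket type and a2 the protocol, exit is the syscall's return value (on success, the new descriptor), and a3 is simply the fourth argument register, which socket(2) does not use. The following added example (written for this thread, not code from the audit project or from the poster) parses a record into fields, labels the slots for the syscall, and also shows what an `-F a0=` filter means for each syscall listed in a rule, since a0 is the domain for socket but the descriptor for connect. The sample record is the one quoted above with its anonymised values kept; the helper names are made up for the example.

```python
import re
import shlex

# The SYSCALL record from the question ("ausearch -i" interpreted form), embedded
# here as constructed sample input with the anonymised values kept as posted.
SAMPLE_RECORD = (
    "node=xxxxxxxx type=SYSCALL msg=audit(11/07/2023 15:07:37.822:236474) : "
    "arch=x86_64 syscall=socket success=yes exit=12 a0=inet a1=SOCK_DGRAM "
    "a2=ip a3=0x7ff7d8a40740 items=0 ppid=1 pid=3394229 auid=abcdef "
    "uid=abcdef gid=aqwzsx euid=abcdef suid=abcdef fsuid=abcdef egid=aqwzsx "
    "sgid=aqwzsx fsgid=aqwzsx tty=(none) ses=2284 comm=systemd "
    "exe=/usr/lib/systemd/systemd key=external-access"
)

# The rule quoted in the question (constructed copy for the example).
SAMPLE_RULE = ("-a always,exit -F arch=b64 -S socket,connect -F a0=0x2 "
               "-F auid>=1000 -F auid!=-1 -F key=external-access")

# key=value tokens: a quoted value, a parenthesised one such as (none),
# the audit(...) timestamp, or a bare run of non-space characters.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|audit\([^)]*\)|\S+)')

# What the a0.. slots mean per syscall (the syscall ABI: socket(2) and
# connect(2) both take three arguments, so a3 is unused by either).
ARG_NAMES = {
    "socket": ("domain", "type", "protocol"),
    "connect": ("sockfd", "addr", "addrlen"),
}


def parse_record(line):
    """Split one audit record into a dict of field name -> value."""
    fields = {}
    for key, value in TOKEN_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def explain_syscall(fields):
    """Relabel the generic a0..a3 and exit fields with their meaning for this syscall."""
    name = fields.get("syscall")
    arg_names = ARG_NAMES.get(name, ())
    explained = {}
    for i, argname in enumerate(arg_names):
        explained[argname] = fields.get(f"a{i}")
    # The kernel records all four argument registers regardless of arity, so
    # slots beyond the syscall's argument count hold leftover register content.
    for i in range(len(arg_names), 4):
        explained[f"a{i} (unused by {name})"] = fields.get(f"a{i}")
    if fields.get("success") == "yes":
        label = "return value (new socket fd)" if name == "socket" else "return value"
    else:
        label = "return value (errno)"
    explained[label] = fields.get("exit")
    return explained


def a0_filter_meanings(rule):
    """For a rule filtering on a0, report what a0 denotes for each listed syscall,
    so a filter written for one syscall is not silently applied to another."""
    args = shlex.split(rule)
    syscalls, a0_value = [], None
    i = 0
    while i < len(args):
        if args[i] == "-S" and i + 1 < len(args):
            syscalls.extend(args[i + 1].split(","))
            i += 2
        elif args[i] == "-F" and i + 1 < len(args):
            m = re.match(r"a0(!=|<=|>=|=|<|>)(\S+)", args[i + 1])
            if m:
                a0_value = m.group(2)
            i += 2
        else:
            i += 1
    if a0_value is None:
        return {}
    return {sc: ARG_NAMES.get(sc, ("a0",))[0] for sc in syscalls}


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    for k, v in explain_syscall(rec).items():
        print(f"{k}: {v}")
    print("a0 filter applies to:", a0_filter_meanings(SAMPLE_RULE))
```

Run against the quoted record this prints domain=inet, type=SOCK_DGRAM, protocol=ip, a3 as unused, and the return value 12 (the descriptor the socket call handed back). For the rule it reports that `-F a0=0x2` means domain AF_INET for socket but file descriptor 2 for connect, which is worth knowing when the intent is to see both calls for every IPv4 socket.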
audit-4.0.1 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Update TRUSTED_APP interpretation to look for known fields
- In auditd plugins, allow variable amount of arguments (Attila Lakatos)
- Fix augenrules to work correctly when kernel is in immutable mode
- Add ausearch_cur_event to auparse library (Attila Lakatos)
- Add audisp-filter plugin (Attila Lakatos)
- Improve sorting speed of aureport --summary reports
- auditd & audit-rules.service pick up paths automatically (Laurent Bigonville)
- Update auparse normalizer for new syscalls
This is a mix of bug fixes and new features. The new feature is the
audisp-filter auditd plugin. It can chain together another plugin and filter
the events being passed to the other plugin. Also, there has been some more
performance work to see if we can get reporting and interpreting fields
running as fast as possible.
If you notice any problems with this release, please let me know.
SHA256: 3890319b8536446d70801e20a5790c63e879f99be83875a858460641c6c7aff4
-Steve
7 months, 3 weeks