Re: EXT :Re: audit-3.0
On Tuesday, June 18, 2019 11:59:05 AM EDT Boyce, Kevin P [US] (AS) wrote:
Maybe what Philippe means is a carefully tested auditd shouldn't
be
considered "alpha" anymore?
That's a fair point. :-)
I've considered it Alpha because it's missing container support. IOW, it's
not feature complete. Container support was listed as the main benefit for
calling this 3.0. There probably won't be a beta release. It will probably
just go straight to release after initial testing and then cleanup problems/
round out support on a 3.0.1 release.
-Steve
-----Original Message-----
From: linux-audit-bounces(a)redhat.com <linux-audit-bounces(a)redhat.com> On
Behalf Of Steve Grubb Sent: Tuesday, June 18, 2019 10:36 AM
To: linux-audit(a)redhat.com
Cc: MAUPERTUIS, PHILIPPE <philippe.maupertuis(a)equensworldline.com>
Subject: EXT :Re: audit-3.0
Hello Philippe,
On Tuesday, June 18, 2019 9:34:08 AM EDT MAUPERTUIS, PHILIPPE wrote:
> On the mailing list a few days ago, it was announce that Audit-3.0
> alpha8 was available. I am a little bit confused because on a RHEL 8
> server I get
>
> rpm -q audit
> audit-3.0-0.10.20180831git0047a6c.el8.x86_64
> What are the link between the Rhel 8 rpm and the version audit-3.0
> announced.
The RHEL 8 rpm is an earlier git snapshot from August 31, 2018 + patches.
The package version should be a clue that this is a git snapshot. The
Fedora packaging guidelines say that if it is a pre-release git snapshot,
version must start with 0 so it can be overridden in the future, and the
date + git + last commit hash must be included so that anyone can identify
exactly what this is.
> I can't imagine RHEL8 using an alpha version.
Why? Anything put into RHEL is carefully tested. (Fedora has also been
running on alpha/git snapshots for about a year, too.) Also, I stopped
feature development in audit-3.0 around August of last year. Everything
going in since then has been bugs reported or discovered or at most small
patches to support new kernel features. So, audit userspace should be
considered as becoming mature, stable code that will not be developed at
the same pace as before.
I expect that when container support lands, there will be a couple rounds
of development to make it nice to use. But then its back to listening for
bug reports.
To be honest, I think at this point anything of value is really higher up
the stack. IOW, visualizing, aggregating, or alerting at scale.
-Steve
> As the side note the Rhel 8 rpm has the following description rpm -qi
> audit
> Name : audit
> Version : 3.0
> Release : 0.10.20180831git0047a6c.el8
> Architecture: x86_64
> Install Date: Mon 17 Jun 2019 05:55:23 PM CEST
> Group : Unspecified
> Size : 678098
> License : GPLv2+
> Signature : RSA/SHA256, Wed 09 Jan 2019 07:26:49 PM CET, Key ID
> 199e2f91fd431d51 Source RPM :
> audit-3.0-0.10.20180831git0047a6c.el8.src.rpm
> Build Date : Wed 09 Jan 2019 06:26:29 PM CET Build Host :
> x86-vm-06.build.eng.bos.redhat.com
> Relocations : (not relocatable)
> Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
> Vendor : Red Hat, Inc.
> URL : http://people.redhat.com/sgrubb/audit/
> Summary : User space tools for 2.6 kernel auditing
>
> Of course the kernel for REHL8 is :
> rpm -q kernel
> kernel-4.18.0-80.el8.x86_64
>
> Any clarification is welcome
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit