Hello,
I've just released a new major version of the audit daemon. It can be
downloaded from
http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Drop python2 support
- Drop auvirt and autrace programs
- Drop SysVinit support
- Require the use of the 5.0 or later kernel headers
- New README.md file
- Rewrite legacy service functions in terms of systemctl
- Consolidate and update end of event detection to a common function
- Split off rule loading from auditd.service into audit-rules.service
- Refactor libaudit.h to split out logging functions and record numbers
- Speed up aureport --summary reports
- Limit libaudit python bindings to logging functions
- Add a metrics function for auparse
- Change auditctl to use pidfd_send_signal for signaling auditd
- Adjust watches to optimize syscalls hooked when watch file access
- Drop nispom rules
- Add interpretations for fsconfig, fsopen, fsmount, & move_mount
- Many code fixups (cgzones)
- Update syscall and interpretation tables to the 6.8 kernel
One of the main features is the separation of loading rules and logging
events into separate services, audit-rules.service and auditd.service. Don't
expect distributions to have this release out right away; they likely have to
submit a request to gatekeepers or an oversight committee to ask for a new
systemd preset so that audit-rules.service is automatically enabled. There
are also tricky dependencies to solve so that it works like the old setup.
However, the benefit is that the rules load sooner than auditd which is good
because some auditable events occur before auditd and they get missed. The
other benefit is that maybe you are happy with events in journald because you
send them off to a SIEM. In that case, you do not need to install the audit
package. Of course, that means you have limited searching and reporting
locally.
This package will show up in Fedora rawhide soon. I have to wait for a new
version of the systemd presets to land first. The spec file in the github site
should give packagers a few ideas how to package this up.
This release also drops support for python2 and SysVinit. The libaudit python
bindings now only support logging events. The auvirt and autrace programs
have been dropped. The nispom rules have been dropped.
The aureport --summary reports are now up to 5 times faster. File watches
have been optimized to hook only the necessary syscalls instead of all which
measurably improves whole system performance.
The syscall and interpretation tables have been updated for the 6.8 kernel.
And there have been many code cleanups, hardening, and refactoring. This
release makes extensive use of gcc function attributes to try to ensure gcc
hardens things as much as possible. These function attributes will also now
produce warnings during package build when users of libaudit/auparse do
something wrong. This helps ensure code correctness of other packages using
audit libraries.
The legacy service functions have been rewritten in terms of systemctl and new
auditctl capabilities. This removes a dependency on procps-ng.
SHA256: bf422d4126ab77a92a4c3ac39de5473f278dc3de35724d2518a48c7be15d54d8
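The ChangeLog item "Change auditctl to use pidfd_send_signal for signaling auditd" deserves a worked illustration of why that matters: signaling a daemon with kill(2) on a PID read from a pidfile races with PID reuse, whereas a pidfd is bound to the specific process it was opened for. The following is an added example written for this page, not code from the audit project; the helper names (pidfd_open_raw, signal_via_pidfd, stale_pidfd_errno) are hypothetical, it assumes a Linux 5.3+ kernel, and the fallback syscall numbers are the x86_64/asm-generic ones for toolchains whose glibc predates 2.36.

```c
/* Added example (not audit project code): signal a process through a pidfd
 * instead of kill(2) on a PID read from a pidfile, and show that a pidfd
 * whose process is gone fails with ESRCH instead of hitting a recycled PID. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* glibc only gained pidfd_open()/pidfd_send_signal() wrappers in 2.36, so use
 * syscall(2). Assumed numbers: x86_64/asm-generic values from 5.1 and 5.3. */
#ifndef SYS_pidfd_send_signal
#define SYS_pidfd_send_signal 424
#endif
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif

static int pidfd_open_raw(pid_t pid)
{
    return (int)syscall(SYS_pidfd_open, pid, 0U);
}

static int pidfd_send_signal_raw(int pidfd, int sig)
{
    return (int)syscall(SYS_pidfd_send_signal, pidfd, sig, (void *)0, 0U);
}

/* Spawn a throwaway child that just blocks, standing in for a daemon. */
static pid_t spawn_blocking_child(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        for (;;)
            pause(); /* default SIGTERM disposition: terminate */
    }
    return pid;
}

/* Send sig to a fresh child via its pidfd and reap it.
 * Returns 1 if the child died from exactly that signal, 0 if it ended some
 * other way, -1 on error (errno set). */
int signal_via_pidfd(int sig)
{
    pid_t pid = spawn_blocking_child();
    if (pid < 0)
        return -1;
    int pidfd = pidfd_open_raw(pid);
    if (pidfd < 0) {
        int saved = errno;
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        errno = saved;
        return -1;
    }
    int rc = pidfd_send_signal_raw(pidfd, sig);
    int saved = errno;
    if (rc < 0)
        kill(pid, SIGKILL); /* do not leak the child on failure */
    int status = 0;
    waitpid(pid, &status, 0);
    close(pidfd);
    if (rc < 0) {
        errno = saved;
        return -1;
    }
    return (WIFSIGNALED(status) && WTERMSIG(status) == sig) ? 1 : 0;
}

/* The case kill(pid) gets wrong: the target has exited and been reaped, so
 * its PID number may already belong to an unrelated process. The pidfd still
 * refers to the original process, so the kernel refuses with ESRCH.
 * Returns that errno, 0 if the signal unexpectedly succeeded, -1 on setup
 * failure. */
int stale_pidfd_errno(void)
{
    pid_t pid = spawn_blocking_child();
    if (pid < 0)
        return -1;
    int pidfd = pidfd_open_raw(pid);
    if (pidfd < 0) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    kill(pid, SIGKILL);     /* let it die ... */
    waitpid(pid, NULL, 0);  /* ... and reap it while we still hold the pidfd */
    int result = 0;
    if (pidfd_send_signal_raw(pidfd, SIGTERM) < 0)
        result = errno;
    close(pidfd);
    return result;
}

int main(void)
{
    printf("SIGTERM via pidfd: %d\n", signal_via_pidfd(SIGTERM));
    int e = stale_pidfd_errno();
    printf("stale pidfd: errno %d (%s)\n", e, e == ESRCH ? "ESRCH" : "other");
    return 0;
}
```

The practical check for a tool like auditctl is the second function: once the daemon it was told about has died, a pidfd-based send fails closed with ESRCH, while kill(2) on the same PID would deliver the signal to whatever process happened to inherit that number. The same pidfd can also be passed to poll(2) to wait for the daemon's exit without the pgrep-style process-table scans the release no longer needs procps-ng for.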