Question about Auditd SELinux policy
by Max Nebiun
Hi,
I'm trying to develop an Auditd plugin.
This plugin needs to read information about some processes by reading /proc filesystem.
But the SELinux policy applied to Auditd (and its plugins) prevents the access.
I'm using AlmaLinux release 8.8 (Sapphire Caracal) distribution
Auditd version: audit-3.0.7-4.el8.x86_64
SELinux Auditd plugin context: system_u:system_r:auditd_t:s0
If I run the plugin directly from bash, it can read all the information it needs (but obviously it cannot receive Auditd logs :-) )
Is there a solution?
Thanks in advance.
9 months, 1 week
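Added example, not code from this thread: a small triage script for the situation described in the post above. Given `type=AVC` records (for instance the output of `ausearch -m AVC -c <plugin name>`), it groups the denied permissions by source type, target type and object class and renders them as `allow` rules in the form `audit2allow` emits, plus a count of the target types involved. The AVC lines embedded in the script are constructed for the example; the plugin name `myplugin`, the target domains, PIDs and inode numbers are placeholders.

```python
import re
from collections import defaultdict

# Constructed AVC records for this example (not from a real host): the kind of
# denials an auditd plugin confined as auditd_t would produce when it reads
# /proc/<pid>/status of processes running in other domains. Names, PIDs and
# inode numbers are placeholders.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4242 '
    'comm="myplugin" name="status" dev="proc" ino=54321 '
    'scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:sshd_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.102:202): avc:  denied  { open } for  pid=4242 '
    'comm="myplugin" path="/proc/1234/status" dev="proc" ino=54321 '
    'scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:sshd_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1700000000.103:203): avc:  denied  { search } for  pid=4242 '
    'comm="myplugin" name="5678" dev="proc" ino=98765 '
    'scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:httpd_t:s0 '
    'tclass=dir permissive=0',
    # A SYSCALL record from the same event; it carries no AVC fields and is skipped.
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 '
    'success=no exit=-13 comm="myplugin" exe="/usr/local/bin/myplugin"',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Extract perms, source type, target type and class from one AVC record, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def render_allow_rules(summary):
    """Render the summary as allow rules in the form audit2allow emits."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};")
    return rules


def target_types(summary):
    """Distinct target types touched: a rough measure of how broad the grant would be."""
    return sorted({ttype for (_, ttype, _) in summary})


if __name__ == "__main__":
    import sys
    # Pass "-" to read ausearch output from stdin; otherwise the constructed sample is used.
    lines = sys.stdin.read().splitlines() if sys.argv[1:] == ["-"] else SAMPLE_AVC_LINES
    summary = summarize_denials(lines)
    print("\n".join(render_allow_rules(summary)))
    print(f"# target types: {', '.join(target_types(summary))}")
```

Before packaging rules like these in a local module (`audit2allow -M`, then `semodule -i`), look at the target type count: reading `/proc/<pid>` of arbitrary processes produces one denial per process domain, and the resulting grants enlarge the privilege of `auditd_t` itself, not just of the plugin. A dedicated domain for the plugin, or the reference policy interface `domain_read_all_domains_state()` applied to that domain, keeps the change scoped to what the plugin needs.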
audit-4.0 released
by Steve Grubb
Hello,
I've just released a new major version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Drop python2 support
- Drop auvirt and autrace programs
- Drop SysVinit support
- Require the use of the 5.0 or later kernel headers
- New README.md file
- Rewrite legacy service functions in terms of systemctl
- Consolidate and update end of event detection to a common function
- Split off rule loading from auditd.service into audit-rules.service
- Refactor libaudit.h to split out logging functions and record numbers
- Speed up aureport --summary reports
- Limit libaudit python bindings to logging functions
- Add a metrics function for auparse
- Change auditctl to use pidfd_send_signal for signaling auditd
- Adjust watches to optimize syscalls hooked when watch file access
- Drop nispom rules
- Add interpretations for fsconfig, fsopen, fsmount, & move_mount
- Many code fixups (cgzones)
- Update syscall and interpretation tables to the 6.8 kernel
One of the main features is the separation of loading rules and logging
events into separate services, audit-rules.service and auditd.service. Don't
expect distributions to have this release out right away, they likely have to
submit a request to gatekeepers or oversight committee to ask for a new
systemd preset so that audit-rules.service is automatically enabled. There
are also tricky dependencies to solve so that it works like the old setup.
However, the benefit is that the rules load sooner than auditd which is good
because some auditable events occur before auditd and they get missed. The
other benefit is that maybe you are happy with events in journald because you
send them off to a SIEM. In that case, you do not need to install the audit
package. Of course, that means you have limited searching and reporting
locally.
This package will show up in Fedora rawhide soon. I have to wait for a new
version of the systemd presets to land first. The spec file in the github site
should give packagers a few ideas how to package this up.
This release also drops support for python2 and SysVinit. The libaudit python
bindings now only support logging events. The auvirt and autrace programs
have been dropped. The nispom rules have been dropped.
The aureport --summary reports are now up to 5 times faster. File watches
have been optimized to hook only the necessary syscalls instead of all which
measurably improves whole system performance.
The syscall and interpretation tables have been updated for the 6.8 kernel.
And there have been many code cleanups, hardening, and refactoring. This
release makes extensive use of gcc function attributes to try to ensure gcc
hardens things as much as possible. These function attributes will also now
produce warnings during package build when users of libaudit/auparse do
something wrong. This helps ensure code correctness of other packages using
audit libraries.
The legacy service functions have been rewritten in terms of systemctl and new
auditctl capabilities. This removes a dependency on procps-ng.
SHA256: bf422d4126ab77a92a4c3ac39de5473f278dc3de35724d2518a48c7be15d54d8
9 months, 2 weeks
Auditd Plugin Terminating because of "Error receiving audit netlink packet"
by anurag19aggarwal@gmail.com
Hello All,
We use an auditd plugin to monitor system calls like socket, connect etc. This plugin reads data from the audit netlink socket and converts it into an internal format.
Recently we are noticing that on some distributions like Oracle 9, Kernel Version: 5.15.0-100.96.32.el9uek.x86_64, our plugin is not coming up.
We see the below log in the output of "systemctl status auditd" command:
Error receiving audit netlink packet (No buffer space available)
I have tried to increase the q_depth, and backlog limit of auditd, but still hitting this error.
Any suggestions or help?
Regards
Anurag
10 months
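Added example, not code from this thread or from the audit project. On a netlink socket, ENOBUFS from recv() means the kernel could not queue a message because the socket's receive buffer was full, so it dropped the message; the socket itself is still usable. The q_depth and backlog_limit settings mentioned above govern other queues (auditd's dispatch queue to its plugins and the kernel's backlog of events waiting for delivery), so raising them does not change the socket buffer. The Python below shows the two measures that do apply: requesting a larger receive buffer (SO_RCVBUFFORCE, which needs CAP_NET_ADMIN, with plain SO_RCVBUF as fallback) and a receive loop that records the overrun as a gap and keeps draining instead of exiting. The netlink family and option numbers are the Linux values; the replayed record sequence is constructed, and the socket-opening function is not exercised by the offline demo.

```python
import errno
import socket

NETLINK_AUDIT = 9                                        # Linux netlink protocol number for audit
SO_RCVBUFFORCE = getattr(socket, "SO_RCVBUFFORCE", 33)  # Linux value; lets CAP_NET_ADMIN exceed rmem_max


def open_audit_socket(rcvbuf_bytes=8 * 1024 * 1024):
    """Open a NETLINK_AUDIT socket with an enlarged receive buffer.

    Needs Linux and the capabilities the audit interface requires; it is not
    exercised by the offline demo below.
    """
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    try:
        sock.setsockopt(socket.SOL_SOCKET, SO_RCVBUFFORCE, rcvbuf_bytes)
    except OSError:
        # Without CAP_NET_ADMIN the kernel caps the request at net.core.rmem_max.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf_bytes)
    return sock


def classify_errno(err):
    """Map an errno raised by recv() on a netlink socket to an action."""
    if err in (errno.EINTR, errno.EAGAIN):
        return "retry"      # nothing was lost; call recv() again
    if err == errno.ENOBUFS:
        return "overrun"    # the kernel dropped messages because the socket buffer was full
    return "fatal"


def drain(recv_fn, handler):
    """Receive loop that treats ENOBUFS as a gap in the stream, not as a reason to exit.

    recv_fn() returns one message as bytes, b"" when the stream ends (used by the
    demo), or raises OSError. handler() receives each message, and None for a gap,
    so a consumer can record that records between two events were lost.
    """
    stats = {"messages": 0, "overruns": 0, "retries": 0}
    while True:
        try:
            data = recv_fn()
        except OSError as exc:
            action = classify_errno(exc.errno)
            if action == "retry":
                stats["retries"] += 1
                continue
            if action == "overrun":
                stats["overruns"] += 1
                handler(None)
                continue
            raise
        if not data:
            return stats
        stats["messages"] += 1
        handler(data)


def scripted_recv(events):
    """Constructed stand-in for sock.recv(): returns each item, or raises it if it is an exception."""
    it = iter(events)

    def _recv():
        item = next(it)
        if isinstance(item, BaseException):
            raise item
        return item
    return _recv


def run_demo():
    """Replay a constructed sequence: an overrun and an interrupted call inside a burst of records."""
    received = []
    script = [
        b"type=SYSCALL ... syscall=42 ...",      # placeholder record text, constructed
        OSError(errno.ENOBUFS, "No buffer space available"),
        b"type=SYSCALL ... syscall=41 ...",
        OSError(errno.EINTR, "Interrupted system call"),
        b"type=SOCKADDR ...",
        b"",
    ]
    stats = drain(scripted_recv(script), received.append)
    return stats, received


if __name__ == "__main__":
    print(run_demo())
```

A plugin that auditd starts gets the event stream on its stdin from the dispatcher; a process that opens NETLINK_AUDIT itself is a separate consumer and has to keep up with the kernel on its own. Passing the gap through as data (the None marker here) lets a detection pipeline note that records were lost at that point instead of continuing silently.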