audit-3.1.5 released
by Steve Grubb
Hello,
I've released a new version of the audit daemon from the 3.1 maintenance
branch. It can be downloaded from http://people.redhat.com/sgrubb/audit. The
ChangeLog for it is in the github commits.
This really should be the last release of the 3.1 series. The main purpose
was that we found under some conditions upgrading from 3.1 to 4.0 had some
issues stopping the old auditd in order to start the new one. Auditctl was
updated to use the pidfd_send_signal method so that it is able to better
locate auditd to signal it.
At this point, I may cherry-pick something important and just leave it there
for maintainers to pick up.
SHA256: 660213bac2baebabfc32be4d84a4aeb94effbd3e076b1014b78678b4502cf6ba
-Steve
3 months
Linux Audit Syscall Monitoring Error
by Michael McKinley
Good afternoon Linux audit list,
I believe I’ve come across a bug in Linux audit when writing syscall monitors for a directory.
File watchers are suggested to be syscall rules under the hood. I don’t believe this is true, based on the different behavior of syscall rules and file watcher rules when monitoring directories that don’t exist.
Suggested to be equivalent per auditctl(8):

    -w /tmp/fakedir -p warx -k test1
    -a always,exit -F dir=/tmp/fakedir -F perm=warx -k test2
What will happen if the dir doesn’t exist in case 1 is the rule loads and continues. In case 2, the rule will fail to load, thus failing to load all rules below it.
The auditctl(8)
Per the auditctl(8) man page -F (rule fields) are not supported by watchers. This doesn’t appear to be true any longer, as watchers do seem to honor -F (extensive testing not performed).
Any insight or suggestions? I am considering using a watcher with rule fields despite it not being officially supported due to the loading error with syscalls.
3 months, 1 week
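As an added example (my own, not code from the thread or from the audit project), the following POSIX shell pre-flight check scans a rules file before it is handed to auditctl and flags the situation the post describes: a syscall rule whose `-F dir=` target does not exist, which fails to load and stops every rule after it, versus a `-w` watch on a missing path, which loads anyway. The function names, the sample rules file and the `/nonexistent/fakedir` path are all constructed for the demonstration; it does not call auditctl and needs no root.

```shell
#!/bin/sh
# Pre-flight check for an audit rules file (added example, not from the post).
# For each rule line, pull out a directory target (-w PATH or -F dir=PATH) and
# check it exists. A -a syscall rule with a missing dir= path is reported as an
# ERROR, because the post describes such a rule failing to load and aborting
# every later rule. A -w watch on a missing path is reported as INFO only,
# since that rule loads and rule loading continues.
# Prints one line per finding; returns 1 if any syscall rule would fail.
check_audit_rules() {
    rules_file="$1"
    rc=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        target=''
        case "$line" in
            '-w '*)  target=${line#-w }; target=${target%% *} ;;
            *'dir='*) target=${line#*dir=}; target=${target%% *} ;;
        esac
        [ -n "$target" ] || continue       # rule has no path/dir target
        case "$line" in
            -a*)
                # dir= must name an existing directory for the rule to load
                if [ ! -d "$target" ]; then
                    printf 'ERROR: syscall rule targets missing dir %s; loading stops here: %s\n' \
                        "$target" "$line"
                    rc=1
                fi ;;
            -w*)
                if [ ! -e "$target" ]; then
                    printf 'INFO: watch on missing path %s (rule still loads): %s\n' \
                        "$target" "$line"
                fi ;;
        esac
    done < "$rules_file"
    return $rc
}

# Constructed fixture: one real directory plus rules that reference a path
# that does not exist. Prints the path of the generated rules file.
make_sample_rules() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/realdir"
    cat > "$tmp/audit.rules" <<EOF
# constructed sample rules (not a real deployment)
-w $tmp/realdir -p warx -k ok1
-a always,exit -F dir=$tmp/realdir -F perm=warx -k ok2
-w /nonexistent/fakedir -p warx -k test1
-a always,exit -F dir=/nonexistent/fakedir -F perm=warx -k test2
-w $tmp/realdir -p wa -k later_rule
EOF
    printf '%s\n' "$tmp/audit.rules"
}

# Usage: check_audit_rules /etc/audit/rules.d/50-dirs.rules
#        (exit status 1 means at least one -a rule would fail to load)
```

On the sample file the check reports one ERROR for the `test2` syscall rule and one INFO for the `test1` watch, and exits 1, which is the signal to fix the rules file (or create the directory) before loading, so that `later_rule` is not silently dropped.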