audit plugin for AVC and USER_AVC messages
by nupurdeora@gmail.com
Hi Steve,
I used your plugin code sample -https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c to handle audit messages when I write some audit rules. it works perfectly fine with some minor tweaks
Now I want to extend the same plugin to filter AVC and USER_AVC messages and sent to our system log. But while developing SELINUX policy there are too many of these and hence the plugin is unable to handle it and system hangs. Is there a way to increase the capacity of plugin to handle so many AVC denials. Eventually when the SELINUX policy is matured , I expect to see a lot less of these denials.
2 months, 2 weeks
audit-4.0.2 released
by Steve Grubb
Hello,
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Fix musl C builds
- Many code cleanups (Yugend)
- Use atomic variables if available for signal related flags
- Dont rotate audit logs when auditd is in debug mode
- Fix a couple memory leaks on error paths
- Correct output when displaying rules with exe/path/dir (Attila Lakatos)
- Fix auparse lookup test to not use the system libaupaurse
- Improve auparse metrics
- Update auparse normalizer for recent syscalls
- Make status report uniform
This release fixes build on distributions using the musl C library. There are
many fix ups from static analysis. There was a segfault when logs get rotated
while in the debug mode. Since debug writes to stdout, it should not ever
rotate the logs. This was found by sending it a signal.
Auditctl out was fixed so it displayed rules correctly when they have exe/
path/dir. The auparse normalizer was updated for some new syscalls. And
lastly, the status report was inconsistent in formatting. It sometimes
omitted = which makes parsing the output a challenge.
If you notice any problems with this release, please let me know.
SHA256: d5d1b5d50ee4a2d0d17875bc6ae6bd6a7d5b34d9557ea847a39faec531faaa0a
-Steve
2 months, 3 weeks