[PATCH v1 0/2] override audit silence norule for fs cases
by Richard Guy Briggs
The audit subsystem normally suppresses output when there are no rules
present to avoid overwhelming the user with unwanted messages. It could
be argued that another security subsystem would generally want to
override that default. Allow them through for fsnotify and filesystem
security violations.
Richard Guy Briggs (2):
audit: record fanotify event regardless of presence of rules
audit: record AUDIT_ANOM_* events regardless of presence of rules
include/linux/audit.h | 8 +-------
kernel/audit.c | 2 +-
kernel/auditsc.c | 2 +-
3 files changed, 3 insertions(+), 9 deletions(-)
--
2.43.5
audit-4.1.1 released
by Steve Grubb
Hello,
We just released a new version of the audit package. It can be downloaded
from:
https://github.com/linux-audit/audit-userspace/releases/
The ChangeLog is:
- Add libauplugin example program and improve its documentation
- auditctl -A option was deleting - now prepends like it used to
- Adjust af_unix and dispatcher to send exact record size in binary mode
- Add bash completions for ausearch, aureport, auditctl, and augenrules
- ausearch/aureport: allow symlinked config
- Add support for file_getattr and file_setattr syscalls
This release is mostly a cleanup from the last release. Various groups found
issues as they pushed the last release through their build systems. This
should have all of those issues worked out.
This release also contains initial support for bash completions for ausearch,
aureport, augenrules, and auditctl. Give it a try and file issues or submit
PRs if you see something wrong.
There is now documentation for libauplugin + a sample program.
The af_unix plugin also got some updates to fix problems in conversion from
the binary interface to string output.
If you notice any problems with this release, please let us know.
SHA256: c2dd5fe7c204a5725bc96e3a6eadc86ece4a13e4a4bb98e79f6fe104a09cd4c3
-Steve
audit-4.1 released
by Steven Grubb
We just released a new version of the audit daemon. It can be
downloaded from
https://github.com/linux-audit/audit-userspace/releases/
The ChangeLog is:
- Fix auditd -s enable hang issue (Yan Zhu)
- Optimize event formatting in auditd
- af_unix plugin: Restore terminating newlines
- Add support for "exec" action in max_log_file_action in auditd
- Refactor auparse code to be multi-thread safe
- Add memory pool to netlink event processing to reduce memory churn
- Make all plugins ignore SIGTERM if not from auditd (issue #469)
- Add libauplugin, refactor audisp-filter, ids, and audisp-statsd to use it
- In auditd, safely reconfigure the network settings after SIGHUP
- Make test suite machine independent
- Persistent queue support with metrics helpers
This is a big release with many changes in critical areas. I will write
more about this release at a later time. See the release announcement on
github for more information.
If you notice any problems with this release, please let us know.
SHA256: 5911200423909b141e45bb1ae9d1608b1c974e5a5a52226d2f21501eb4ca809c
-Steve
oldstyle permission vs. newstyle syscalls
by Ede Wolf
Hi,
we would like to convert our old-style syntax, like
-w /etc/crontab -p wa -l some_label
to the new-style
-a exit,always. -S unlink...
Just wondering, is there a table that translates the permissions
(r,w,x,a) into their respective syscalls?
Thanks
Ede