Steve,
I have identified an edge case with checkpointing where the recorded
inode is still a valid inode for one of the /var/log/audit.log* files
but the recorded event is not in the identified file.
This is reproduced by performing an ausearch with checkpoint, then
generating sufficient audit events such that all the events in
the /var/log/audit.log* files are more recent than the checkpointed
event. Quite often, one of the audit.log* files will have the same inode
as initially recorded in the ausearch checkpoint file.
A patch is attached that addresses this.
Essentially the modification
- notices if we identify an audit.log file to use but we do not find the
recorded audit event in that log file and so report an error (to stderr)
and return a new exit code (12)
- allows checkpointing to only use the recorded time from the checkpoint
file for comparisons.
You will note that the patch also contains changes to swig/audit.py.
Although this file is automatically generated, it is part of the 2.3.6
release ... should it be? I also note that a lot of Makefile.in's are
also part of the release. Again, should these automatically generated
files be part of the release?
Rgds
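The edge case described in the message above, modelled in plain Python as an added illustration (this is not the attached patch and not ausearch source): a checkpoint records the inode of the log file plus the time and serial of the last event output; after rotation a new audit.log* file can reuse that inode while holding only newer events. The inode-based lookup then finds a file but not the event and returns exit code 12, whereas the time-only comparison still yields every event newer than the checkpoint. Log files, inodes, event times and serials are constructed sample data; `resume_by_inode`, `resume_by_time` and the checkpoint field names are this illustration's own.

```python
"""Added illustration of the ausearch --checkpoint inode-reuse edge case.

Not the patch or ausearch source: a model of the two resume strategies
on constructed data so the failure mode is visible.
"""
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Exit code named in the message for "inode matched, event not in that file".
EXIT_EVENT_NOT_IN_FILE = 12


@dataclass(frozen=True)
class Event:
    time: float   # seconds since epoch, as in msg=audit(1397251000.123:4567)
    serial: int   # per-event serial after the colon


@dataclass
class LogFile:
    path: str
    inode: int
    events: List[Event]   # write order, oldest first


@dataclass(frozen=True)
class Checkpoint:
    inode: int    # inode of the file that held the last event output
    time: float   # time of that event
    serial: int   # serial of that event


def is_newer(ev: Event, cp: Checkpoint) -> bool:
    """Ordering used by time-only mode: later time, or same time and higher serial."""
    return ev.time > cp.time or (ev.time == cp.time and ev.serial > cp.serial)


def resume_by_inode(logs: List[LogFile], cp: Checkpoint) -> Tuple[int, List[Event]]:
    """Inode-based resume: locate the file whose inode matches the checkpoint,
    then require the recorded event to be present in it.

    logs must be ordered oldest file first. Returns (exit_code, events)."""
    for idx, log in enumerate(logs):
        if log.inode != cp.inode:
            continue
        for pos, ev in enumerate(log.events):
            if ev.time == cp.time and ev.serial == cp.serial:
                # Everything after the checkpointed event in this file,
                # followed by everything in the newer files.
                after = log.events[pos + 1:]
                for newer in logs[idx + 1:]:
                    after.extend(newer.events)
                return 0, after
        # The edge case: a rotated file reused the inode and the checkpointed
        # event is no longer there. Report to stderr and use exit code 12.
        print(f"checkpoint event {cp.time}:{cp.serial} not found in {log.path} "
              f"(inode {cp.inode})", file=sys.stderr)
        return EXIT_EVENT_NOT_IN_FILE, []
    # No file carries the recorded inode; the message does not describe this
    # case, so the illustration simply refuses.
    raise ValueError(f"no audit.log* file has inode {cp.inode}")


def resume_by_time(logs: List[LogFile], cp: Checkpoint) -> List[Event]:
    """Time-only resume: ignore the inode and return every event that sorts
    after the checkpointed time/serial, whichever file holds it."""
    return [ev for log in logs for ev in log.events if is_newer(ev, cp)]


# Constructed sample: the checkpoint was taken when event 1000.0:5 sat in a
# file with inode 100. CHECKPOINT is the same in both scenarios.
CHECKPOINT = Checkpoint(inode=100, time=1000.0, serial=5)

# Before rotation: inode 100 still holds the checkpointed event.
LOGS_BEFORE_ROTATION = [
    LogFile("/var/log/audit.log.1", 100, [Event(999.0, 4), Event(1000.0, 5), Event(1001.0, 6)]),
    LogFile("/var/log/audit.log", 205, [Event(1002.0, 7)]),
]

# After rotation and enough new events: the file that held 1000.0:5 is gone,
# and the new audit.log reused inode 100 but only contains newer events.
LOGS_AFTER_ROTATION = [
    LogFile("/var/log/audit.log.1", 205, [Event(1100.0, 20), Event(1101.0, 21)]),
    LogFile("/var/log/audit.log", 100, [Event(1102.0, 22), Event(1103.0, 23)]),
]


if __name__ == "__main__":
    print("before rotation, by inode:", resume_by_inode(LOGS_BEFORE_ROTATION, CHECKPOINT))
    print("after rotation, by inode: ", resume_by_inode(LOGS_AFTER_ROTATION, CHECKPOINT))
    print("after rotation, by time:  ", resume_by_time(LOGS_AFTER_ROTATION, CHECKPOINT))
```

Running it shows the contrast the message describes: on the rotated set the inode lookup reports the missing event and returns 12 with no events, while the time-only comparison returns all four newer events. The inode check remains the stricter option when the file is intact, because it resumes exactly after the recorded event rather than relying on timestamps alone.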
On Fri, 2014-04-11 at 17:17 -0400, Steve Grubb wrote:
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Add an option to auditctl to interpret a0 - a3 of syscall rules when listing
- Improve ARM and AARCH64 support (AKASHI Takahiro)
- Add ausearch --checkpoint feature (Burn Alting)
- Add --arch option to ausearch
- Improve too long config line in audispd, auditd, and auparse (#1071580)
- Fix aulast to accept the new AUDIT_LOGIN record format
- Remove clear_config symbol in auparse
I decided to go ahead and release this one because of some concern about an
unintended symbol popping up in the auparse ABI.
This release includes a bunch of new stuff. You can now add a '-i' to the
listing command of auditctl and it will interpret a0-a3 if they are included
in any rules.
There is new support for arm as mentioned in an email a few weeks ago. If you
were compiling --with-armeb, you now need to change to --with-arm. Cross
compile support is not yet in place.
There is a new checkpoint feature to ausearch. What it does is give you all
the events that have occurred since the last checkpoint.
Ausearch now has a --arch search option just in case you needed to find i386
events on an x86_64 machine.
There were a number of cleanups to the code as well.
Please let me know if you run across any problems with this release.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit