* audit 2.4.5 released
@ 2015-12-18 19:49 Steve Grubb
  2015-12-18 21:08 ` Paul Moore
  2016-01-01  5:41 ` Burn Alting
  0 siblings, 2 replies; 6+ messages in thread
From: Steve Grubb @ 2015-12-18 19:49 UTC (permalink / raw)
  To: linux-audit

Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Fix auditd disk flushing for data and sync modes
- Fix auditctl to not show options not supported on older OS
- Add audit.m4 file to aid adding support to other projects
- Fix C99 inline function build issue
- Add account lock and unlock event types
- Change logging loophole check to geteuid()
- Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
- Fix ausearch to parse FEATURE_CHANGE events

This release fixes disk flushing to work as it was intended. If you use either 
the data or sync mode, you might notice a performance change.

This release also fixes a build issue when using a new compiler.

The loophole that we allow for a process to continue when it should fail was 
changed to use the euid rather than the uid. This should be more correct based 
on the capabilities man page.

Ausearch was having problems parsing AUDIT_PROCTITLE and FEATURE_CHANGE
events. This was cleaned up and now passes the ausearch-test test suite.

This release will also be the beginning point of a new branch, audit-2.4, that 
will be lightly maintained for a while. At this point I don't think there will 
be a 2.4.6 release, but you never know.

Going forward to the 2.5 release, I would like to make a lot of changes to the 
rules and break them up into small ones that can be assembled by augenrules. I 
will also restructure a few of the directories and get things ready to start 
doing more with the data format. The audit by process name patch will be 
applied real soon since a kernel with that work should be landing soon.

Please let me know if you run across any problems with this release.

-Steve


* Re: audit 2.4.5 released
  2015-12-18 19:49 audit 2.4.5 released Steve Grubb
@ 2015-12-18 21:08 ` Paul Moore
  2015-12-18 21:20   ` Steve Grubb
  2016-01-01  5:41 ` Burn Alting
  1 sibling, 1 reply; 6+ messages in thread
From: Paul Moore @ 2015-12-18 21:08 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Fri, Dec 18, 2015 at 2:49 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> soon. The ChangeLog is:
>
> - Fix auditd disk flushing for data and sync modes
> - Fix auditctl to not show options not supported on older OS
> - Add audit.m4 file to aid adding support to other projects
> - Fix C99 inline function build issue
> - Add account lock and unlock event types
> - Change logging loophole check to geteuid()
> - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
> - Fix ausearch to parse FEATURE_CHANGE events

Perhaps I missed it, but when can we expect the audit-by-exec support?

-- 
paul moore
www.paul-moore.com


* Re: audit 2.4.5 released
  2015-12-18 21:08 ` Paul Moore
@ 2015-12-18 21:20   ` Steve Grubb
  2015-12-18 23:32     ` Paul Moore
  0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2015-12-18 21:20 UTC (permalink / raw)
  To: Paul Moore; +Cc: linux-audit

On Friday, December 18, 2015 04:08:07 PM Paul Moore wrote:
> On Fri, Dec 18, 2015 at 2:49 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > Hello,
> > 
> > I've just released a new version of the audit daemon. It can be downloaded
> > from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> > soon. The ChangeLog is:
> > 
> > - Fix auditd disk flushing for data and sync modes
> > - Fix auditctl to not show options not supported on older OS
> > - Add audit.m4 file to aid adding support to other projects
> > - Fix C99 inline function build issue
> > - Add account lock and unlock event types
> > - Change logging loophole check to geteuid()
> > - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
> > - Fix ausearch to parse FEATURE_CHANGE events
> 
> Perhaps I missed it, but when can we expect the audit-by-exec support?

It will be in the 2.5 release. It should be one of the first couple of things I 
apply to the svn repo. I'm going to shoot for a January release of the audit 
package.

-Steve


* Re: audit 2.4.5 released
  2015-12-18 21:20   ` Steve Grubb
@ 2015-12-18 23:32     ` Paul Moore
  0 siblings, 0 replies; 6+ messages in thread
From: Paul Moore @ 2015-12-18 23:32 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On Fri, Dec 18, 2015 at 4:20 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, December 18, 2015 04:08:07 PM Paul Moore wrote:
>> On Fri, Dec 18, 2015 at 2:49 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> > Hello,
>> >
>> > I've just released a new version of the audit daemon. It can be downloaded
>> > from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
>> > soon. The ChangeLog is:
>> >
>> > - Fix auditd disk flushing for data and sync modes
>> > - Fix auditctl to not show options not supported on older OS
>> > - Add audit.m4 file to aid adding support to other projects
>> > - Fix C99 inline function build issue
>> > - Add account lock and unlock event types
>> > - Change logging loophole check to geteuid()
>> > - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
>> > - Fix ausearch to parse FEATURE_CHANGE events
>>
>> Perhaps I missed it, but when can we expect the audit-by-exec support?
>
> It will be in the 2.5 release. It should be one of the first couple of things I
> apply to the svn repo. I'm going to shoot for a January release of the audit
> package.

Okay, thanks for the update.

In the future I'd like us to coordinate a bit better when adding new
features that span kernel and userspace; I dislike implementing new
features in the kernel that lay dormant for a release or two.

-- 
paul moore
www.paul-moore.com


* Re: audit 2.4.5 released
  2015-12-18 19:49 audit 2.4.5 released Steve Grubb
  2015-12-18 21:08 ` Paul Moore
@ 2016-01-01  5:41 ` Burn Alting
  2016-01-02 17:27   ` Steve Grubb
  1 sibling, 1 reply; 6+ messages in thread
From: Burn Alting @ 2016-01-01  5:41 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

[-- Attachment #1: Type: text/plain, Size: 888 bytes --]

On Fri, 2015-12-18 at 14:49 -0500, Steve Grubb wrote:
> Hello,
> 
> I've just released a new version of the audit daemon. It can be downloaded 
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> soon. The ChangeLog is:
> 
> - Fix auditd disk flushing for data and sync modes
> - Fix auditctl to not show options not supported on older OS
> - Add audit.m4 file to aid adding support to other projects
> - Fix C99 inline function build issue
> - Add account lock and unlock event types
> - Change logging loophole check to geteuid()
> - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
> - Fix ausearch to parse FEATURE_CHANGE events
> 
> Please let me know if you run across any problems with this release.

Minor bug fix ... the various auparse/interpret.c:*_escape() routines
did not terminate the strings they generated.

Regards
Burn

[-- Attachment #2: audit-2.4.5_escape_bug.patch --]
[-- Type: text/x-patch, Size: 818 bytes --]

diff -Npru audit-2.4.5/auparse/interpret.c audit-2.4.5_escape_bug/auparse/interpret.c
--- audit-2.4.5/auparse/interpret.c	2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5_escape_bug/auparse/interpret.c	2016-01-01 16:33:26.567241361 +1100
@@ -163,6 +163,7 @@ static void tty_escape(const char *s, ch
 			dest[j++] = s[i];
 		i++;
 	}
+	dest[j] = '\0';	/* terminate string */
 }
 
 static const char sh_set[] = "\"'`$\\";
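
Review bot: the new store `dest[j] = '\0';` after the loop in tty_escape() writes one byte beyond the escaped output, and nothing visible in this hunk bounds j or shows how large dest is. Before applying, check that every caller allocates dest for the full escaped length plus one byte for the terminator; a caller that allocates exactly the escaped length would turn this line into a one-byte overflow.
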
@@ -195,6 +196,7 @@ static void shell_escape(const char *s,
 			dest[j++] = s[i];
 		i++;
 	}
+	dest[j] = '\0';	/* terminate string */
 }
 
 static const char quote_set[] = ";'\"`#$&*?[]<>{}\\";
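
Review bot: shell_escape() ends with the same `dest[j++] = s[i]; i++;` loop tail as the other two routines touched here, so the same terminator line had to be added three times. If the loops differ only in the escape set (sh_set, quote_set), consider a single helper that takes the set as a parameter, so termination lives in one place and cannot be missed in one copy.
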
@@ -227,6 +229,7 @@ static void shell_quote_escape(const cha
 			dest[j++] = s[i];
 		i++;
 	}
+	dest[j] = '\0';	/* terminate string */
 }
 
 /* This should return the count of what needs escaping */
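
Review bot: in shell_quote_escape(), the comment `/* terminate string */` only restates the assignment. A comment at the top of each routine stating that dest is NUL-terminated on return and must have room for the escaped text plus one byte would document the contract callers depend on, which matters here because the function that follows is described as returning the count of what needs escaping and buffer sizes presumably derive from it.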


* Re: audit 2.4.5 released
  2016-01-01  5:41 ` Burn Alting
@ 2016-01-02 17:27   ` Steve Grubb
  0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2016-01-02 17:27 UTC (permalink / raw)
  To: burn; +Cc: linux-audit

On Friday, January 01, 2016 04:41:01 PM Burn Alting wrote:
> On Fri, 2015-12-18 at 14:49 -0500, Steve Grubb wrote:
> > Hello,
> > 
> > I've just released a new version of the audit daemon. It can be downloaded
> > from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> > soon. The ChangeLog is:
> > 
> > - Fix auditd disk flushing for data and sync modes
> > - Fix auditctl to not show options not supported on older OS
> > - Add audit.m4 file to aid adding support to other projects
> > - Fix C99 inline function build issue
> > - Add account lock and unlock event types
> > - Change logging loophole check to geteuid()
> > - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
> > - Fix ausearch to parse FEATURE_CHANGE events
> > 
> > Please let me know if you run across any problems with this release.
> 
> Minor bug fix ... the various auparse/interpret.c:*_escape() routines
> did not terminate the strings they generated.

Applied. Thanks!

-Steve
