* audit 2.4.5 released
@ 2015-12-18 19:49 Steve Grubb
2015-12-18 21:08 ` Paul Moore
2016-01-01 5:41 ` Burn Alting
0 siblings, 2 replies; 6+ messages in thread
From: Steve Grubb @ 2015-12-18 19:49 UTC (permalink / raw)
To: linux-audit
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix auditd disk flushing for data and sync modes
- Fix auditctl to not show options not supported on older OS
- Add audit.m4 file to aid adding support to other projects
- Fix C99 inline function build issue
- Add account lock and unlock event types
- Change logging loophole check to geteuid()
- Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
- Fix ausearch to parse FEATURE_CHANGE events
This release fixes disk flushing to work as it was intended. If you use either
the data or sync mode, you might notice a performance change.
This release also fixes a build issue when using a new compiler.
The loophole that we allow for a process to continue when it should fail was
changed to use the euid rather than the uid. This should be more correct based
on the capabilities man page.
Ausearch was having problems parsing AUDIT_PROCTITLE and FEATURE_CHANGE
events. This was cleaned up and now passed the ausearch-test test suite.
This release will also be the beginning point of a new branch, audit-2.4, that
will be lightly maintained for a while. At this point I don't think there will
be a 2.4.6 release, but you never know.
Going forward to the 2.5 release, I would like to make a lot of changes to the
rules and break them up into small ones that can be assembled by augenrules. I
will also restructure a few of the directories and get things ready to start
doing more with the data format. The audit by process name patch will be
applied real soon since a kernel with that work should be landing soon.
Please let me know if you run across any problems with this release.
-Steve
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit 2.4.5 released
2015-12-18 19:49 audit 2.4.5 released Steve Grubb
@ 2015-12-18 21:08 ` Paul Moore
2015-12-18 21:20 ` Steve Grubb
2016-01-01 5:41 ` Burn Alting
1 sibling, 1 reply; 6+ messages in thread
From: Paul Moore @ 2015-12-18 21:08 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Fri, Dec 18, 2015 at 2:49 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> soon. The ChangeLog is:
>
> - Fix auditd disk flushing for data and sync modes
> - Fix auditctl to not show options not supported on older OS
> - Add audit.m4 file to aid adding support to other projects
> - Fix C99 inline function build issue
> - Add account lock and unlock event types
> - Change logging loophole check to geteuid()
> - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
> - Fix ausearch to parse FEATURE_CHANGE events
Perhaps I missed it, but when can we expect the audit-by-exec support?
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit 2.4.5 released
2015-12-18 21:08 ` Paul Moore
@ 2015-12-18 21:20 ` Steve Grubb
2015-12-18 23:32 ` Paul Moore
0 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2015-12-18 21:20 UTC (permalink / raw)
To: Paul Moore; +Cc: linux-audit
On Friday, December 18, 2015 04:08:07 PM Paul Moore wrote:
> On Fri, Dec 18, 2015 at 2:49 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > Hello,
> >
> > I've just released a new version of the audit daemon. It can be downloaded
> > from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> > soon. The ChangeLog is:
> >
> > - Fix auditd disk flushing for data and sync modes
> > - Fix auditctl to not show options not supported on older OS
> > - Add audit.m4 file to aid adding support to other projects
> > - Fix C99 inline function build issue
> > - Add account lock and unlock event types
> > - Change logging loophole check to geteuid()
> > - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn
> > Alting) - Fix ausearch to parse FEATURE_CHANGE events
>
> Perhaps I missed it, but when can we expect the audit-by-exec support?
It will be in the 2.5 release. It should be one of the first couple of things I
apply to the svn repo. I'm going to shoot for a January release of the audit
package.
-Steve
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit 2.4.5 released
2015-12-18 21:20 ` Steve Grubb
@ 2015-12-18 23:32 ` Paul Moore
0 siblings, 0 replies; 6+ messages in thread
From: Paul Moore @ 2015-12-18 23:32 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Fri, Dec 18, 2015 at 4:20 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Friday, December 18, 2015 04:08:07 PM Paul Moore wrote:
>> On Fri, Dec 18, 2015 at 2:49 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> > Hello,
>> >
>> > I've just released a new version of the audit daemon. It can be downloaded
>> > from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
>> > soon. The ChangeLog is:
>> >
>> > - Fix auditd disk flushing for data and sync modes
>> > - Fix auditctl to not show options not supported on older OS
>> > - Add audit.m4 file to aid adding support to other projects
>> > - Fix C99 inline function build issue
>> > - Add account lock and unlock event types
>> > - Change logging loophole check to geteuid()
>> > - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn
>> > Alting) - Fix ausearch to parse FEATURE_CHANGE events
>>
>> Perhaps I missed it, but when can we expect the audit-by-exec support?
>
> It will be in the 2.5 release. It should be one of the first couple of things I
> apply to the svn repo. I'm going to shoot for a January release of the audit
> package.
Okay, thanks for the update.
In the future I'd like us to coordinate a bit better when adding new
features that span kernel and userspace; I dislike implementing new
features in the kernel that lay dormant for a release or two.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit 2.4.5 released
2015-12-18 19:49 audit 2.4.5 released Steve Grubb
2015-12-18 21:08 ` Paul Moore
@ 2016-01-01 5:41 ` Burn Alting
2016-01-02 17:27 ` Steve Grubb
1 sibling, 1 reply; 6+ messages in thread
From: Burn Alting @ 2016-01-01 5:41 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
[-- Attachment #1: Type: text/plain, Size: 888 bytes --]
On Fri, 2015-12-18 at 14:49 -0500, Steve Grubb wrote:
> Hello,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> soon. The ChangeLog is:
>
> - Fix auditd disk flushing for data and sync modes
> - Fix auditctl to not show options not supported on older OS
> - Add audit.m4 file to aid adding support to other projects
> - Fix C99 inline function build issue
> - Add account lock and unlock event types
> - Change logging loophole check to geteuid()
> - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn Alting)
> - Fix ausearch to parse FEATURE_CHANGE events
>
> Please let me know if you run across any problems with this release.
Minor bug fix ... the various auparse/interpret.c:*_escape() routines
did not terminate the strings they generated.
Regards
Burn
[-- Attachment #2: audit-2.4.5_escape_bug.patch --]
[-- Type: text/x-patch, Size: 818 bytes --]
diff -Npru audit-2.4.5/auparse/interpret.c audit-2.4.5_escape_bug/auparse/interpret.c
--- audit-2.4.5/auparse/interpret.c 2015-12-19 06:20:59.000000000 +1100
+++ audit-2.4.5_escape_bug/auparse/interpret.c 2016-01-01 16:33:26.567241361 +1100
@@ -163,6 +163,7 @@ static void tty_escape(const char *s, ch
dest[j++] = s[i];
i++;
}
+ dest[j] = '\0'; /* terminate string */
}
static const char sh_set[] = "\"'`$\\";
@@ -195,6 +196,7 @@ static void shell_escape(const char *s,
dest[j++] = s[i];
i++;
}
+ dest[j] = '\0'; /* terminate string */
}
static const char quote_set[] = ";'\"`#$&*?[]<>{}\\";
@@ -227,6 +229,7 @@ static void shell_quote_escape(const cha
dest[j++] = s[i];
i++;
}
+ dest[j] = '\0'; /* terminate string */
}
/* This should return the count of what needs escaping */
[-- Attachment #3: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: audit 2.4.5 released
2016-01-01 5:41 ` Burn Alting
@ 2016-01-02 17:27 ` Steve Grubb
0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2016-01-02 17:27 UTC (permalink / raw)
To: burn; +Cc: linux-audit
On Friday, January 01, 2016 04:41:01 PM Burn Alting wrote:
> On Fri, 2015-12-18 at 14:49 -0500, Steve Grubb wrote:
> > Hello,
> >
> > I've just released a new version of the audit daemon. It can be downloaded
> > from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> > soon. The ChangeLog is:
> >
> > - Fix auditd disk flushing for data and sync modes
> > - Fix auditctl to not show options not supported on older OS
> > - Add audit.m4 file to aid adding support to other projects
> > - Fix C99 inline function build issue
> > - Add account lock and unlock event types
> > - Change logging loophole check to geteuid()
> > - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn
> > Alting) - Fix ausearch to parse FEATURE_CHANGE events
> >
> > Please let me know if you run across any problems with this release.
>
> Minor bug fix ... the various auparse/interpret.c:*_escape() routines
> did not terminate the strings they generated.
Applied. Thanks!
-Steve
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-01-02 17:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-18 19:49 audit 2.4.5 released Steve Grubb
2015-12-18 21:08 ` Paul Moore
2015-12-18 21:20 ` Steve Grubb
2015-12-18 23:32 ` Paul Moore
2016-01-01 5:41 ` Burn Alting
2016-01-02 17:27 ` Steve Grubb
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.