* audit 3.0.3 released
@ 2021-07-14 19:12 Steve Grubb
From: Steve Grubb @ 2021-07-14 19:12 UTC (permalink / raw)
  To: Linux Audit

Hello,

I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:

- Don't interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
- Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
- Change auparse_feed_has_data in auparse to include incomplete events
- Auditd, stop linking against -lrt
- Add ProtectHome and RestrictRealtime to auditd.service
- In auditd, read up to 3 netlink packets in a row
- In auditd, do not validate path to plugin unless active
- In auparse, only emit config errors when AUPARSE_DEBUG env variable exists

The main change in this release is that auditd pulls events out of the kernel 
at a faster rate. It was so much so, that the plugins can't keep up. So, I 
throttled it down a little to give plugin developers a chance to see events 
at a higher rate and make changes. I will be doubling the speed on the next 
release. So, now would be the time to check 3rd party plugins and ensure they 
are dequeuing events as fast as possible. If the plugin has a lot of post 
processing, I'd suggest making it multithreaded with a fifo in between the 
threads. One pulls events and queues them, the other dequeues and post 
processes.

Also notable, the behavior of auparse_feed_has_data in auparse was changed 
to include incomplete events. This is in an effort to speed up processing of 
events.

One other thing that may cause problems if you build and debug plugins is the 
auditd.service systemd file now adds ProtectHome and RestrictRealtime. The 
ProtectHome will not let auditd touch anything under /home. That may be an 
inconvenience for debugging. But it's better for everyone else.

SHA256: 23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904

Please let me know if you run across any problems with this release.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
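The two-thread plugin layout suggested above (one thread pulling events and queueing them, the other dequeuing and post-processing), as an added example that is not part of the original post or of the audit project. It assumes a plugin that receives one audit record per line on stdin, as auditd dispatches to its plugins; the sample records, the queue depth and the counting function are constructed for illustration.

```python
import queue
import sys
import threading

# Bounded FIFO depth; 1200 mirrors the new auditd internal default (constructed choice).
QUEUE_DEPTH = 1200


def reader(src, q):
    """Pull records off the pipe as fast as possible and hand them to the FIFO.
    put() blocks only when the FIFO is full, which is the backpressure that
    keeps the plugin from losing events while the worker catches up."""
    for line in src:
        q.put(line.rstrip("\n"))
    q.put(None)  # sentinel: no more records


def worker(q, handle, stats):
    """Dequeue records and run the (possibly slow) post-processing on them."""
    while True:
        rec = q.get()
        if rec is None:
            break
        handle(rec, stats)


def count_by_type(rec, stats):
    """Example post-processing: tally records by their type= field."""
    rtype = rec.split(" ", 1)[0].replace("type=", "")
    stats[rtype] = stats.get(rtype, 0) + 1


def run_plugin(src, handle=count_by_type, depth=QUEUE_DEPTH):
    """Wire reader and worker together; returns the stats once the input ends."""
    q = queue.Queue(maxsize=depth)
    stats = {}
    t_read = threading.Thread(target=reader, args=(src, q))
    t_work = threading.Thread(target=worker, args=(q, handle, stats))
    t_read.start()
    t_work.start()
    t_read.join()
    t_work.join()
    return stats


# Constructed sample records in the shape auditd hands to a plugin.
SAMPLE = [
    "type=SYSCALL msg=audit(1626290000.123:45): arch=c000003e syscall=59 success=yes",
    'type=EXECVE msg=audit(1626290000.123:45): argc=1 a0="ls"',
    "type=SYSCALL msg=audit(1626290000.124:46): arch=c000003e syscall=2 success=no",
]

if __name__ == "__main__":
    print(run_plugin(sys.stdin))
```

Run it as `python3 plugin.py < records.txt` to see the tally; a depth of 1 still processes every record, just with the reader blocking on each put.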



* Re: audit 3.0.3 released
From: Steve Grubb @ 2021-07-14 19:27 UTC (permalink / raw)
  To: Linux Audit

On Wednesday, July 14, 2021 3:12:35 PM EDT Steve Grubb wrote:
> Hello,
> 
> I've just released a new version of the audit daemon. It can be
> downloaded from http://people.redhat.com/sgrubb/audit. It will also be
> in rawhide soon. The ChangeLog is:
> 
> - Don't interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined
> - Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids
> - Change auparse_feed_has_data in auparse to include incomplete events
> - Auditd, stop linking against -lrt
> - Add ProtectHome and RestrictRealtime to auditd.service
> - In auditd, read up to 3 netlink packets in a row
> - In auditd, do not validate path to plugin unless active
> - In auparse, only emit config errors when AUPARSE_DEBUG env variable
> exists
> 
> The main change in this release is that auditd pulls events out of the
> kernel at a faster rate. It was so much so, that the plugins can't keep
> up. So, I throttled it down a little to give plugin developers a chance to
> see events at a higher rate and make changes. I will be doubling the speed
> on the next release. So, now would be the time to check 3rd party plugins
> and ensure they are dequeuing events as fast as possible. If the plugin
> has a lot of post processing, I'd suggest making it multithreaded with a
> fifo in between the threads. One pulls events and queues them, the other
> dequeues and post processes.

One important thing I forgot...because the events are coming faster, the 
internal queueing to plugins needs to be increased to handle bursts. The old 
default was 400. I set the new default to 1200. In testing, I've seen the 
internal queue get up to 800 or so events. You can check this on your system 
by running service auditd state. If you do not have the service command, you 
can send signal SIGCONT to auditd and then look at /var/run/auditd.state to 
see the max q_depth.



> Also notable, the behavior of auparse_feed_has_data in auparse was changed
> to include incomplete events. This is in an effort to speed up processing of
> events.
> 
> One other thing that may cause problems if you build and debug plugins is
> the auditd.service systemd file now adds ProtectHome and RestrictRealtime.
> The ProtectHome will not let auditd touch anything under /home. That may
> be an inconvenience for debugging. But it's better for everyone else.
> 
> SHA256: 23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904
> 
> Please let me know if you run across any problems with this release.
> 
> -Steve



