* audit-3.0.4 released
@ 2021-08-08 14:19 Steve Grubb
0 siblings, 0 replies; only message in thread
From: Steve Grubb @ 2021-08-08 14:19 UTC (permalink / raw)
To: Linux Audit
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Apply performance speedups to auparse library
- Optimize rule loading in auditctl
- Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
- Update syscall table to the 5.14 kernel
- Fixed various issues when dealing with corrupted logs
The big change in this release is converting the lowest level data structure
in the auparse library from a linked list to an array. Linked lists are not
CPU cache friendly. This change brought about a 20% speed improvement for the
library. The down side is that an array has a fixed size. This is controlled
by the NFIELDS define in rnode.h, which is currently 36. SYSCALL events have
the most normal fields. They currently have about 28. So, 36 should be a good
safety margin going forward.
The only records that potentially have more fields is the EXECVE record. For
the audit-3.0.4 release, this is limited to 36 fields by auparse. This does
not affect ausearch output. Ausearch uses an entirely different method to
parse/disply events. If anyone is *using* auparse and thinks auparse should
handle more EXECVE fields, let me know. I might switch to a hybrid model that
uses a linked list after consuming all of the array.
Next, auparse was switched from doing strtok/strdup to having one record and
an array of pointers that point to a different segment of that record. On a
typical test that I performed,
ausearch -if /var/log/audit/audit.log.1 --format csv > /dev/null 2>&1
valgrind reports 55 million allocations. With this switch, valgrind now
reports 5 million allocations. This speeds up auparse another 35%. All in
all, the test I run above runs in half the time that audit-3.0.3 does.
Because this is a big change in design, I spent a few days fuzzing ausearch/
report/auparse. I don't not want to fix everything a fuzzer makes because it
won't happen in real life. For example, no record will have 10 comm= fields.
But this found a significant number of issues in various places - which are
now fixed. The audit libraries should now be more robust in the face of
Also, I noticed that auparse was leaking memory. This turned out to be a
behavior change in glibc-2.33's realpath function. It was returning an error
even though it succeeded. Therefore, auparse didn't process or free the
allocated buffer. In looking at the source code for realpath, I found that it
also calls stat and readlink. Neither of these should be needed for path
normalization after the fact. So, a new function was created to handle path
normalization. You may notice some changes in paths returned when
interpretting. But they are correct now where glibc was unable to stat the
Please test audit-3.0.4 carefully - it has big changes.
Please let me know if you run across any problems with this release.
Linux-audit mailing list
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2021-08-08 14:21 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-08 14:19 audit-3.0.4 released Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).