From: Steve Grubb
To: Linux Audit
Subject: audit-3.0.4 released
Date: Sun, 08 Aug 2021 10:19:47 -0400
Message-ID: <3655074.kQq0lBPeGt@x2>
Organization: Red Hat

Hello,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon.

The ChangeLog is:
- Apply performance speedups to auparse library
- Optimize rule loading in auditctl
- Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
- Update syscall table to the 5.14 kernel
- Fixed various issues when dealing with corrupted logs

The big change in this release is converting the lowest level data structure in the auparse library from a linked list to an array. Linked lists are not CPU cache friendly. This change brought about a 20% speed improvement for the library. The down side is that an array has a fixed size. This is controlled by the NFIELDS define in rnode.h, which is currently 36. SYSCALL events have the most normal fields. They currently have about 28. So, 36 should be a good safety margin going forward. The only record that potentially has more fields is the EXECVE record. For the audit-3.0.4 release, this is limited to 36 fields by auparse. This does not affect ausearch output. Ausearch uses an entirely different method to parse/display events. If anyone is *using* auparse and thinks auparse should handle more EXECVE fields, let me know. I might switch to a hybrid model that uses a linked list after consuming all of the array.

Next, auparse was switched from doing strtok/strdup to having one record and an array of pointers that point to a different segment of that record. On a typical test that I performed,

ausearch -if /var/log/audit/audit.log.1 --format csv > /dev/null 2>&1

valgrind reports 55 million allocations. With this switch, valgrind now reports 5 million allocations. This speeds up auparse another 35%. All in all, the test I run above runs in half the time that audit-3.0.3 does.

Because this is a big change in design, I spent a few days fuzzing ausearch/report/auparse. I don't want to fix everything a fuzzer makes because it won't happen in real life. For example, no record will have 10 comm= fields. But this found a significant number of issues in various places - which are now fixed. The audit libraries should now be more robust in the face of corrupt logs.

Also, I noticed that auparse was leaking memory. This turned out to be a behavior change in glibc-2.33's realpath function. It was returning an error even though it succeeded. Therefore, auparse didn't process or free the allocated buffer. In looking at the source code for realpath, I found that it also calls stat and readlink. Neither of these should be needed for path normalization after the fact. So, a new function was created to handle path normalization. You may notice some changes in paths returned when interpreting. But they are correct now where glibc was unable to stat the file.

Please test audit-3.0.4 carefully - it has big changes.

SHA256: 8c5ae825b9d2837742b626fa93b86cb4a84d15530bf05b6cb42be3f304db8cf6

Please let me know if you run across any problems with this release.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
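The purely lexical path normalization the announcement describes (no stat or readlink, so it works on paths whose files no longer exist), as an added example that is not audit's own implementation; the function names normalize_path and normalizes_to and the buffer size are assumptions.

```c
#include <string.h>

#define PATH_OUT_MAX 4096   /* assumed output size used by the helper below */

/* Lexically normalize an absolute path: collapse repeated '/', drop "."
 * and resolve ".." without ever touching the filesystem. Returns 0 on
 * success, -1 if the path is not absolute or does not fit in out. */
int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t olen = 0;
    if (!in || in[0] != '/' || outsz < 2)
        return -1;
    out[olen++] = '/';                       /* the root is always kept */
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;               /* skip one or more separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t slen = (size_t)(p - seg);
        if (slen == 1 && seg[0] == '.')
            continue;                        /* "." is a no-op */
        if (slen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* ".." pops the previous component but never climbs above "/" */
            while (olen > 1 && out[olen - 1] != '/') olen--;
            if (olen > 1) olen--;            /* also drop that component's '/' */
            continue;
        }
        if (olen > 1) {                      /* separator before each non-root segment */
            if (olen + 1 >= outsz) return -1;
            out[olen++] = '/';
        }
        if (olen + slen >= outsz) return -1; /* keep room for the terminating NUL */
        memcpy(out + olen, seg, slen);
        olen += slen;
    }
    out[olen] = '\0';
    return 0;
}

/* Convenience check: 1 if in normalizes successfully to expect, else 0. */
int normalizes_to(const char *in, const char *expect)
{
    char buf[PATH_OUT_MAX];
    return normalize_path(in, buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}
```

Because the result is lexical, symlinks are not followed; for interpreting a recorded event after the fact that is the intended behaviour, since the file may be gone or changed by the time the log is read.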