Hello, I've just released a new major version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:
- Drop python2 support
- Drop auvirt and autrace programs
- Drop SysVinit support
- Require the use of the 5.0 or later kernel headers
- New README.md file
- Rewrite legacy service functions in terms of systemctl
- Consolidate and update end of event detection to a common function
- Split off rule loading from auditd.service into audit-rules.service
- Refactor libaudit.h to split out logging functions and record numbers
- Speed up aureport --summary reports
- Limit libaudit python bindings to logging functions
- Add a metrics function for auparse
- Change auditctl to use pidfd_send_signal for signaling auditd
- Adjust watches to optimize syscalls hooked when watching file access
- Drop nispom rules
- Add interpretations for fsconfig, fsopen, fsmount, & move_mount
- Many code fixups (cgzones)
- Update syscall and interpretation tables to the 6.8 kernel

One of the main features is the separation of loading rules and logging events into separate services, audit-rules.service and auditd.service. Don't expect distributions to have this release out right away; they likely have to submit a request to gatekeepers or an oversight committee to ask for a new systemd preset so that audit-rules.service is automatically enabled. There are also tricky dependencies to solve so that it works like the old setup. However, the benefit is that the rules load sooner than auditd, which is good because some auditable events occur before auditd starts and they get missed. The other benefit is that maybe you are happy with events in journald because you send them off to a SIEM. In that case, you do not need to install the audit package. Of course, that means you have limited searching and reporting locally.

This package will show up in Fedora rawhide soon. I have to wait for a new version of the systemd presets to land first. The spec file in the github site should give packagers a few ideas how to package this up.

This release also drops support for python2 and SysVinit.
The libaudit python bindings now only support logging events. The auvirt and autrace programs have been dropped. The nispom rules have been dropped. The aureport --summary reports are now up to 5 times faster. File watches have been optimized to hook only the necessary syscalls instead of all of them, which measurably improves whole system performance. The syscall and interpretation tables have been updated for the 6.8 kernel.

And there have been many code cleanups, hardening, and refactoring. This release makes extensive use of gcc function attributes to try to ensure gcc hardens things as much as possible. These function attributes will also now produce warnings during package build when users of libaudit/auparse do something wrong. This helps ensure code correctness of other packages using audit libraries. The legacy service functions have been rewritten in terms of systemctl and new auditctl capabilities. This removes a dependency on procps-ng.

SHA256: bf422d4126ab77a92a4c3ac39de5473f278dc3de35724d2518a48c7be15d54d8

Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io
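As an added illustration (not code from the audit project or this announcement) of why auditctl's switch to pidfd_send_signal matters: a pidfd stays bound to the process it was opened on, so a signal can never land on an unrelated process that has since been assigned the daemon's old PID, which is the classic race when a PID is read from a pid file and passed to kill(2). The function and demo names below are my own; the demo forks a stand-in "daemon" rather than touching a real auditd.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Numbers used by every architecture since Linux 5.1, for libc headers that predate them. */
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif
#ifndef SYS_pidfd_send_signal
#define SYS_pidfd_send_signal 424
#endif
long syscall(long number, ...);  /* explicit prototype in case _GNU_SOURCE was set too late */

/* Deliver sig through a pidfd. Unlike kill(pid, sig), this cannot reach a
   process that merely reused the PID. Returns 0 or -errno. */
int signal_via_pidfd(int pidfd, int sig)
{
    if (syscall(SYS_pidfd_send_signal, pidfd, sig, NULL, 0) < 0)
        return -errno;
    return 0;
}

/* Demo: fork a stand-in daemon, open a pidfd to it, terminate it through the fd,
   reap it (its PID is now free for reuse), then signal through the fd again.
   Returns 1 when the second attempt is refused with ESRCH, 0 on an unexpected
   result, and -errno when the pidfd syscalls are unavailable on this system. */
int demo_pidfd_refuses_reused_pid(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        pause();            /* child idles until SIGTERM terminates it */
        _exit(0);
    }
    int pidfd = (int)syscall(SYS_pidfd_open, pid, 0);
    if (pidfd < 0) {
        int err = errno;
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -err;
    }
    int first = signal_via_pidfd(pidfd, SIGTERM);
    waitpid(pid, NULL, 0);  /* reap: from here on the PID may be handed to anyone */
    int second = signal_via_pidfd(pidfd, SIGTERM);
    close(pidfd);
    return (first == 0 && second == -ESRCH) ? 1 : 0;
}
```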