Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:
- In audisp-remote, add a sigchld handler - In auditd, check for duplicate remote connections before accepting - Remove trailing ':' if any are at the end of acct fields in ausearch - Update remote logging code to do better sanity check of data - Fix audisp-prelude to prefer files if multiple path records are encountered Audisp-remote was leaving zombie processes when one of the _action config optins was set to exec. Auditd was also not checking for duplicate connections from the same machine before accepting. There were a couple networking packet length check problems reported by Sebastian Krahmer of Suse. The most serious issue was in the gssapi code. After checking with other distributions, none had enabled this code. So, likely this is not a problem for most people. If you roll your own package and enable gssapi support, it is recommended for you to upgrade. The main issue was that the packet length from the network packet itself was not sanitized before trusting. Its believed that this will eventually lead to a problem in the kerberos libraries. A few other places in the code were found to be trusting the packet length. Analysis found that nothing bad happens in these other places. They would all eventually lead to a read of 0 length and auditd will disconnect without logging the malicious event. It should be pointed out that if you use remote logging, you want to specify the tcp_client_ports to be < 1024 to make sure only processes with CAP_NET_BIND_SERVICE can send audit events. Ausearch now trims ':' from acct records in AUDIT_LOGIN events so that it can be interpreted correctly, and the audisp-prelude plugin was chosing the first audit record when multiple path records are in the same event. In many cases this would be a directory, but we now look for the record who's mode field indicates that the object is a file. Please let me know if you run across any problems with this release. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
