Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:

- Apply performance speedups to auparse library
- Optimize rule loading in auditctl
- Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
- Update syscall table to the 5.14 kernel
- Fixed various issues when dealing with corrupted logs

The big change in this release is converting the lowest level data structure in the auparse library from a linked list to an array. Linked lists are not CPU cache friendly. This change brought about a 20% speed improvement for the library. The down side is that an array has a fixed size. This is controlled by the NFIELDS define in rnode.h, which is currently 36. SYSCALL events have the most normal fields. They currently have about 28. So, 36 should be a good safety margin going forward. The only record that potentially has more fields is the EXECVE record. For the audit-3.0.4 release, this is limited to 36 fields by auparse. This does not affect ausearch output. Ausearch uses an entirely different method to parse/display events. If anyone is *using* auparse and thinks auparse should handle more EXECVE fields, let me know. I might switch to a hybrid model that uses a linked list after consuming all of the array.

Next, auparse was switched from doing strtok/strdup to having one record and an array of pointers that point to a different segment of that record. On a typical test that I performed,

    ausearch -if /var/log/audit/audit.log.1 --format csv > /dev/null 2>&1

valgrind reports 55 million allocations. With this switch, valgrind now reports 5 million allocations. This speeds up auparse another 35%. All in all, the test I run above runs in half the time that audit-3.0.3 does.

Because this is a big change in design, I spent a few days fuzzing ausearch/report/auparse. I don't want to fix everything a fuzzer makes because it won't happen in real life. For example, no record will have 10 comm= fields. But this found a significant number of issues in various places - which are now fixed. The audit libraries should now be more robust in the face of corrupt logs.

Also, I noticed that auparse was leaking memory. This turned out to be a behavior change in glibc-2.33's realpath function. It was returning an error even though it succeeded. Therefore, auparse didn't process or free the allocated buffer. In looking at the source code for realpath, I found that it also calls stat and readlink. Neither of these should be needed for path normalization after the fact. So, a new function was created to handle path normalization. You may notice some changes in paths returned when interpreting. But they are correct now where glibc was unable to stat the file.

Please test audit-3.0.4 carefully - it has big changes.

SHA256: 8c5ae825b9d2837742b626fa93b86cb4a84d15530bf05b6cb42be3f304db8cf6

Please let me know if you run across any problems with this release.

-Steve

--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
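The point about realpath above is that normalizing a path recorded in a log should not require the file to still exist. The following is an added illustration of a purely lexical normalizer that collapses "//", "." and ".." without ever calling stat or readlink; it is not audit's own replacement function and makes no claim about how that function handles symlinks or other details (the function names are my own).

```c
#include <stdlib.h>
#include <string.h>

/* Lexically normalize an absolute path: collapse runs of '/', drop "."
 * components and resolve ".." against the previous component. No
 * filesystem access, so it works on paths from logs whose files are gone.
 * Returns a malloc'd string the caller frees, or NULL on error/relative path. */
char *lexical_normalize(const char *path)
{
    if (!path || path[0] != '/')
        return NULL;                 /* a relative path would need a cwd */
    char *out = malloc(strlen(path) + 2);
    if (!out)
        return NULL;
    size_t olen = 0;
    out[olen++] = '/';
    const char *p = path;
    while (*p) {
        while (*p == '/')            /* skip separator runs: "//etc" */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t clen = (size_t)(p - start);
        if (clen == 1 && start[0] == '.')
            continue;                /* "." changes nothing */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            if (olen > 1) {          /* pop previous component, never above "/" */
                olen--;              /* step back over the trailing '/' */
                while (olen > 0 && out[olen - 1] != '/')
                    olen--;
            }
            continue;
        }
        memcpy(out + olen, start, clen);
        olen += clen;
        out[olen++] = '/';
    }
    if (olen > 1)
        olen--;                      /* drop trailing '/' except for root */
    out[olen] = '\0';
    return out;
}

/* Convenience check used by tests: 1 if `in` normalizes to `want`. */
int normalizes_to(const char *in, const char *want)
{
    char *got = lexical_normalize(in);
    int ok = got && strcmp(got, want) == 0;
    free(got);
    return ok;
}
```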
