Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:
- Update syscall table to the 5.11 kernel
- Add new --eoe-timeout option to ausearch and aureport (Burn Alting)
- Only enable periodic timers when listening on the network
- Upgrade libev to 4.33
- Add auparse_new_buffer function to auparse library
- Use the select libev backend unless aggregating events
- Add sudoers to some base audit rules
- Update the auparse normalizer for some new syscalls and event types

This release features 2 new experimental plugins. The statsd plugin should be ready to try out. The other IDS plugin is more of a long term work in progress. No timeline for its development, either. (There is a known bug where the ids plugin fails to build in some environments. There is a brand new commit in github fixing this. Grab it if it fails to build.)

During the work for statsd, I found that the audit daemon is a little more active than it should be. This was because it was enabling periodic timers that are used to detect dead network connections when the daemon is configured to be an aggregator. This is fixed and libev was updated to the latest release. While I was in the libev section of code I did some testing between using select and epoll as the event backend. Turns out select is about 4 ms faster. So, as long as auditd is not receiving network events, it will use select. If it does receive network events, then it will continue to use epoll in case it needs a lot of descriptors.

Ausearch/report now have a new command line option, --eoe-timeout, to help gather event records into the right event if they were slow getting output. Auditd also has a setting that could be considered the eoe_timeout default setting. Libauparse automatically tries to read this if it has the permissions.

SHA256: 994c4250d8fd43f3087a3c2ce73461832e30f1e9b278bf5bb03c3e07091155a5

Please let me know if you run across any problems with this release.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

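The end-of-event timeout described in the announcement matters because every record of one audit event carries the same msg=audit(SECONDS.MILLIS:SERIAL) header, and a consumer has to decide how long to keep an event open while waiting for its remaining records. The following Python is an added illustration, not code from the audit project: it implements a simplified model of that grouping (close an event on its EOE record, or once the stream has advanced more than the timeout past the event's timestamp), which is an assumption about ausearch's behaviour rather than its exact algorithm. The sample records are constructed, and the function names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample records, not output from a real system. The PROCTITLE and
# EOE records of event 101 are emitted late, after event 102 has already been
# written out in full.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1612345678.100:101): arch=c000003e syscall=59 success=yes exit=0 comm="id" exe="/usr/bin/id"',
    'type=EXECVE msg=audit(1612345678.100:101): argc=1 a0="id"',
    'type=SYSCALL msg=audit(1612345678.300:102): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat"',
    'type=PATH msg=audit(1612345678.300:102): item=0 name="/etc/passwd"',
    'type=EOE msg=audit(1612345678.300:102): ',
    'type=PROCTITLE msg=audit(1612345678.100:101): proctitle="id"',
    'type=EOE msg=audit(1612345678.100:101): ',
]

# Header shared by every record of an event: type, timestamp, serial number.
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):'
)


def parse_record(line):
    """Return (record type, timestamp as float, event key) for one audit line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    # The key uses the raw timestamp string so float rounding cannot split an event.
    key = (m.group("ts"), int(m.group("serial")))
    return m.group("type"), float(m.group("ts")), key


def group_events(lines, eoe_timeout):
    """Group records into events (simplified model of an end-of-event timeout).

    An open event is closed when its EOE record arrives, or when the newest
    timestamp seen in the stream is more than eoe_timeout seconds past the
    event's own timestamp. Returns a list of (key, [record types]) sorted by
    event key; a single event that was split by the timeout appears more than once.
    """
    open_events = OrderedDict()   # key -> list of record types
    finished = []
    now = 0.0                     # the stream's clock: newest timestamp seen so far

    def close(key):
        finished.append((key, open_events.pop(key)))

    for line in lines:
        rtype, ts, key = parse_record(line)
        now = max(now, ts)
        # Expire events that have waited longer than the timeout for their EOE.
        for old_key in list(open_events):
            if now - float(old_key[0]) > eoe_timeout:
                close(old_key)
        open_events.setdefault(key, []).append(rtype)
        if rtype == "EOE":
            close(key)
    # Flush anything still open at end of input.
    for key in list(open_events):
        close(key)
    finished.sort(key=lambda ev: ev[0])
    return finished


def count_split_events(events):
    """Number of event keys that appear more than once, i.e. events broken apart."""
    seen = {}
    for key, _ in events:
        seen[key] = seen.get(key, 0) + 1
    return sum(1 for n in seen.values() if n > 1)


if __name__ == "__main__":
    for timeout in (0.1, 1.0):
        events = group_events(SAMPLE_RECORDS, timeout)
        print(f"eoe_timeout={timeout}s: {len(events)} events, "
              f"{count_split_events(events)} split")
        for key, types in events:
            print(f"  {key[0]}:{key[1]} -> {types}")
```

With the short timeout the late PROCTITLE and EOE records of event 101 no longer find their event open and show up as separate fragments; with the longer timeout the event is assembled whole, which is the case the new option is meant to address.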