Steve Grubb
2018-03-11 09:38:10 UTC
Hello,
I wanted to take a few minutes to chat about the future audit roadmap.
The release of audit-2.8.3 represents a breaking point. Its time for
changes. Some of these changes are going to modify configuration files.
And new things that may not be compatible with the old will be
introduced. So, I have created a 2.8_maintenance branch on github. This
will be a lightly maintained branch that preserves the old way. I don't
know if there will ever be an audit-2.8.4 release. But if there is, it
will be from this branch.
Looking towards the future, here's what to expect. The next release
will be called audit-3.0. This is to reflect a break with the old. The
first new thing under development is a TLS transport mechanism for
remote logging. Next, performance improvements will looked into to see
if we can get auparse running more efficiently. Also look for container
support to land in the near future. And another big change...audispd
will be going away. Its functionality will be done by auditd directly.
This will eliminate one place where events get dropped and also speed
up the time between event arrival and a plugin seeing it. This will be
important because there is a new IDS/IPS plugin that is under
development. (Some of you may have seen it in action at DevConf 2018.)
It will need events faster, more reliably, and a faster performing
auparse library.
I expect these to roll out over several releases. I would not expect
these features to land in any stable distro. I would expect these to
show up in the development and new versions of distros because of the
breakage. I look to have all of this work completed by sometime this
summer. Who knows...maybe sooner.
Thoughts?
-Steve
I wanted to take a few minutes to chat about the future audit roadmap.
The release of audit-2.8.3 represents a breaking point. Its time for
changes. Some of these changes are going to modify configuration files.
And new things that may not be compatible with the old will be
introduced. So, I have created a 2.8_maintenance branch on github. This
will be a lightly maintained branch that preserves the old way. I don't
know if there will ever be an audit-2.8.4 release. But if there is, it
will be from this branch.
Looking towards the future, here's what to expect. The next release
will be called audit-3.0. This is to reflect a break with the old. The
first new thing under development is a TLS transport mechanism for
remote logging. Next, performance improvements will looked into to see
if we can get auparse running more efficiently. Also look for container
support to land in the near future. And another big change...audispd
will be going away. Its functionality will be done by auditd directly.
This will eliminate one place where events get dropped and also speed
up the time between event arrival and a plugin seeing it. This will be
important because there is a new IDS/IPS plugin that is under
development. (Some of you may have seen it in action at DevConf 2018.)
It will need events faster, more reliably, and a faster performing
auparse library.
I expect these to roll out over several releases. I would not expect
these features to land in any stable distro. I would expect these to
show up in the development and new versions of distros because of the
breakage. I look to have all of this work completed by sometime this
summer. Who knows...maybe sooner.
Thoughts?
-Steve