Discussion:
Audit roadmap and new development
(too old to reply)
Steve Grubb
2018-03-11 09:38:10 UTC
Permalink
Hello,

I wanted to take a few minutes to chat about the future audit roadmap.
The release of audit-2.8.3 represents a breaking point. Its time for
changes. Some of these changes are going to modify configuration files.
And new things that may not be compatible with the old will be
introduced. So, I have created a 2.8_maintenance branch on github. This
will be a lightly maintained branch that preserves the old way. I don't
know if there will ever be an audit-2.8.4 release. But if there is, it
will be from this branch.

Looking towards the future, here's what to expect. The next release
will be called audit-3.0. This is to reflect a break with the old. The
first new thing under development is a TLS transport mechanism for
remote logging. Next, performance improvements will looked into to see
if we can get auparse running more efficiently. Also look for container
support to land in the near future. And another big change...audispd
will be going away. Its functionality will be done by auditd directly.
This will eliminate one place where events get dropped and also speed
up the time between event arrival and a plugin seeing it. This will be
important because there is a new IDS/IPS plugin that is under
development. (Some of you may have seen it in action at DevConf 2018.)
It will need events faster, more reliably, and a faster performing
auparse library.

I expect these to roll out over several releases. I would not expect
these features to land in any stable distro. I would expect these to
show up in the development and new versions of distros because of the
breakage. I look to have all of this work completed by sometime this
summer. Who knows...maybe sooner.

Thoughts?

-Steve
Paul Moore
2018-03-11 17:07:51 UTC
Permalink
Post by Steve Grubb
Hello,
I wanted to take a few minutes to chat about the future audit roadmap.
The release of audit-2.8.3 represents a breaking point ...
Just a quick note that Steve is talking about the audit userspace
which he maintains, the work for the Linux Kernel's audit subsystem is
tracked via GitHub (link below). This includes both bug reports *and*
new feature requests. If you would like to add to that list, feel
free to do so. If you want to help out and contribute, definitely
feel free to do so! ;)

* https://github.com/linux-audit/audit-kernel/issues
--
paul moore
www.paul-moore.com
F Rafi
2018-03-11 17:44:39 UTC
Permalink
So container support can be addressed by userspace changes alone Or will it
require kernel audit subsystem updates as well?

Thanks
Farhan
Post by Paul Moore
Post by Steve Grubb
Hello,
I wanted to take a few minutes to chat about the future audit roadmap.
The release of audit-2.8.3 represents a breaking point ...
Just a quick note that Steve is talking about the audit userspace
which he maintains, the work for the Linux Kernel's audit subsystem is
tracked via GitHub (link below). This includes both bug reports *and*
new feature requests. If you would like to add to that list, feel
free to do so. If you want to help out and contribute, definitely
feel free to do so! ;)
* https://github.com/linux-audit/audit-kernel/issues
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
Paul Moore
2018-03-11 19:24:19 UTC
Permalink
Post by F Rafi
So container support can be addressed by userspace changes alone Or will it
require kernel audit subsystem updates as well?
In order to associate container identifiers with kernel generated
audit events, kernel changes are required. You may have seen
discussion threads about this on the list, and more recently a partial
RFC patchset from Richard Guy Briggs on this list as well. Of course
there will likely be some additions to Steve's userspace tools to make
sense of, and interpret, the additional container identifiers in the
audit log, but I expect the bulk of changes to happen in the kernel.

There are a handful of issues in the GitHub audit-kernel issue tracker
related to this work.
Post by F Rafi
Post by Paul Moore
Post by Steve Grubb
Hello,
I wanted to take a few minutes to chat about the future audit roadmap.
The release of audit-2.8.3 represents a breaking point ...
Just a quick note that Steve is talking about the audit userspace
which he maintains, the work for the Linux Kernel's audit subsystem is
tracked via GitHub (link below). This includes both bug reports *and*
new feature requests. If you would like to add to that list, feel
free to do so. If you want to help out and contribute, definitely
feel free to do so! ;)
* https://github.com/linux-audit/audit-kernel/issues
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
--
paul moore
www.paul-moore.com
Steve Grubb
2018-03-11 20:15:02 UTC
Permalink
On Sun, 11 Mar 2018 17:44:39 +0000
Post by F Rafi
So container support can be addressed by userspace changes alone
Nope.
Post by F Rafi
Or will it require kernel audit subsystem updates as well?
The kernel does all the heavy lifting. What this is indicating is that
user space will pick up support to use the kernel's container auditing.
You may have seen a set of patches posted by Richard in the last 2
weeks. That is for the kernel side. There will need to be corresponding
user space code to interface to it. This is probably going to change
events enough that it's again a good reason to break with the old.

-Steve
Post by F Rafi
Post by Paul Moore
Post by Steve Grubb
Hello,
I wanted to take a few minutes to chat about the future audit
roadmap. The release of audit-2.8.3 represents a breaking
point ...
Just a quick note that Steve is talking about the audit userspace
which he maintains, the work for the Linux Kernel's audit subsystem
is tracked via GitHub (link below). This includes both bug reports
*and* new feature requests. If you would like to add to that list,
feel free to do so. If you want to help out and contribute,
definitely feel free to do so! ;)
* https://github.com/linux-audit/audit-kernel/issues
--
paul moore
www.paul-moore.com
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
Loading...