Steve Grubb wrote:
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
tomorrow. The Changelog is:
- Updates for new glibc-kernheaders
- Change auditctl to collect list of rules then delete them on -D
- Update capp.rules and lspp.rules to comment out rules for the possible list
- Add new message types
- Support sigusr1 sender identity of newer kernels
- Add support for ppid in auditctl and ausearch
- fix auditctl to trim the '/' from watches
- Move audit daemon config files to /etc/audit for better SE Linux protection
Beware ! This release has 2 changes to notice. It requires newer
glibc-kernheaders and it moves the audit configuration files to
the /etc/audit directory. The specfile should handle the transition
gracefully.
This release also supports new options in our current development kernels. It
adds support for filtering by ppid and searching for ppid in the logs. It
supports getting the signal info for senders of sigusr1. And completes the
fix for listing or deleting large amounts of syscall rules. Watches that have
a trailing '/' will now have it trimmed to make the kernel happier.
2 new message types were added AUDIT_DEV_ALLOC and AUDIT_DEV_DEALLOC for LSPP
work. The capp & lspp rules were updated to not have "possible" as the list
action.
Please let me know if there are any problems with this release.
auditctl is still reporting the "error sending rule" problem. Here are
my auditctl and kernel versions:
auditctl version 1.2.2
2.6.16-1.2200.2.2_FC6.lspp.25
# auditctl -l
Error sending rule list request (Operation not permitted)
# auditctl -l
No rules
Thanks,
Mike
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
