Hi,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The Changelog is:

- Add more errno strings for use with rules
- Fix config parser to allow either 0640 or 0600 for audit logs (#427062)
- Check for audit log being writable by owner in auditd
- If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639)
- Updated CAPP, LSPP, and NISPOM rules for new capabilities
- Added aulastlog utility

This release fixes up a bug where the config parser was not allowing either 0640 or 0600 for the log file permissions. This was also fixed in auparse.

A new capability was added. When the audit daemon suspends logging and the admin has taken steps to free disk space again, logging can now be resumed with SIGUSR2. If you are using the init scripts in the audit package, it would be usable as "service auditd resume".

The CAPP, LSPP, and NISPOM sample rules have been updated to use the errno capability for exit codes and to use directory auditing when needing to audit many things in the same directory. For example, you do not need to watch each individual audit log. You can just watch /var/log/audit and it will pick up all changes to any audit log in that directory. This capability requires the kernel to support directory watches (2.6.24 vanilla for example).

This release also adds a new tool, aulastlog. It displays login information like lastlog does. It uses the auparse library and its source code can be used to see how simple writing a new audit-based tool can be.

Please let me know if you run across any problems with this release.

-Steve
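An added example, not part of the original announcement or of the audit package: a pre-flight check an admin could run before "service auditd resume", confirming that the log file has one of the accepted modes (0600 or 0640) and that disk space has actually been freed. The log path, the free-space threshold and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before resuming suspended auditd logging.
# LOG and MIN_FREE_KB are assumed defaults; match them to your auditd.conf.
LOG="${LOG:-/var/log/audit/audit.log}"
MIN_FREE_KB="${MIN_FREE_KB:-76800}"   # assumed threshold (75 MB), not from the release notes

# Succeeds only if the log file mode is one the fixed config parser accepts
# (0600 or 0640). Both modes include the owner-write bit auditd now checks for.
log_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|640) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the free space, in KB, of the filesystem holding the given path.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Runs both checks, then asks auditd to resume logging.
resume_if_ready() {
    dir=$(dirname "$LOG")
    if ! log_mode_ok "$LOG"; then
        echo "refusing: $LOG mode is not 0600 or 0640" >&2
        return 2
    fi
    if [ "$(free_kb "$dir")" -lt "$MIN_FREE_KB" ]; then
        echo "refusing: less than ${MIN_FREE_KB} KB free under $dir" >&2
        return 3
    fi
    service auditd resume    # the init-script form of the SIGUSR2 resume
}

# Only act when asked to, so the file can be sourced for its functions.
if [ "${1:-}" = "--resume" ]; then
    resume_if_ready
fi
```

Run it as root with `--resume`; a non-zero exit status means a check failed and auditd was left suspended.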
