Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide soon. The Changelog is:

- Bug fixes for gss code in remote logging (DJ Delorie)
- Fix ausearch -i to keep the node field in the output
- ausyscall now does strstr match on syscall names
- Makefile cleanup (Philipp Hahn)
- Add watched syscall support to audisp-prelude
- Use the right define for tcp_wrappers in auditd
- Expose encoding API for fields being logged from user space

Last time I did not provide release notes. I'll try to do that now.

Since 1.7.5, we have added GSSAPI support to authenticate and encrypt events during transfer. There are some instructions in the man pages but I'll try to get a HOWTO put up on the main audit project page at some point. There is tcp_wrappers support for remote logging protection. You will need to put an entry in the server's /etc/hosts.allow file stating which host or subnet is allowed to connect. These are enabled by adding 2 options to the configure command, --with-libwrap --enable-gssapi-krb5. Connect/disconnect events are now audited in the server so that there are records of times & IP addresses for connections.

Another thanks to the people at Fujitsu for sending several patches that went into 1.7.6. The syscall tables have been updated for the latest pre-release kernel, 2.6.27. A new function was added to auparse that allows you to query information about the data type that is being held in the value portion of the record's fields. Notably, this allows you to know that you have a field that is escaped and needs to be interpreted to see something meaningful.

New in 1.7.7...

There are 3 new functions in libaudit for logging a field that may need encoding to prevent spaces or control characters from causing parsing problems. If you have a field that you know has the potential to be untrusted, user manipulated, or containing control characters or space, there is now a convenience function, audit_encode_nv_string. This function takes the name, value, and value length in bytes as the parameters and passes back a freshly malloc'ed memory buffer containing the formatted field. Another function was added to allow testing as to whether or not a field needs encoding, audit_value_needs_encoding. It takes the value and value length in bytes and replies with 1 or 0 depending on if it needs encoding or not. The last new function, audit_encode_value, performs a value encoding given a value and value length in bytes. The programmer is responsible for passing it a buffer that is 2 times the size of the value in bytes + 1. These last 2 are for people that need to take control over encoding, but audit_encode_nv_string should be the main API people use.

There was a bug in 1.7.6 wrt tcp_wrappers where the define had a typo in it. This means that 1.7.6 does not actually use tcp_wrappers. There were a couple of bugs in remote logging for 64 bit platforms. These are now cleaned up.

The ausyscall program now does substring matches by default and exact string matching by command line option. This was added after observing yet another dup syscall and another pipe syscall being added to the 2.6.27 kernel. You can now do ausyscall x86_64 dup and get all 3 syscall names and numbers.

The prelude plugin now has a 4th type of watched audit event based on keys, sys. This came about after observing that many security targets need some rule that is syscall based and no good way to say what the event is based on the other 3 types.

Please let me know if you run across any problems with this release.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
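An added example, not code from the audit project or from the announcement: self-contained C functions that follow the contract described above for audit_value_needs_encoding, audit_encode_value and audit_encode_nv_string, showing how a value with embedded whitespace or control bytes is kept from breaking name=value parsing of a record. The byte test (double quote, space or control byte, DEL), the upper-case hex encoding and the "?" for a NULL value are assumptions about libaudit's behaviour; needs_encoding, encode_value and encode_nv_string are local stand-in names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* 1 if value holds a byte that would break "name=value" parsing (double
 * quote, space/control byte, DEL), else 0. Assumed to match libaudit's rule. */
int needs_encoding(const char *value, size_t len)
{
    for (size_t i = 0; value && i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c == '"' || c < 0x21 || c == 0x7F)
            return 1;
    }
    return 0;
}

/* Hex-encodes len bytes of value into out; out must hold 2*len + 1 bytes,
 * the buffer contract the announcement gives for audit_encode_value. */
char *encode_value(char *out, const char *value, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";   /* assumed: upper-case hex */
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        *p++ = hex[c >> 4];
        *p++ = hex[c & 0x0F];
    }
    *p = '\0';
    return out;
}

/* malloc'ed "name=value" field, quoted when safe and hex-encoded otherwise,
 * as audit_encode_nv_string is described. len 0 means strlen(value). */
char *encode_nv_string(const char *name, const char *value, size_t len)
{
    if (value && len == 0)
        len = strlen(value);
    size_t cap = strlen(name) + 2 * len + 5;   /* worst case incl. quotes, NUL */
    char *field = malloc(cap);
    if (field == NULL) return NULL;
    if (value && needs_encoding(value, len)) {
        int n = snprintf(field, cap, "%s=", name);
        encode_value(field + n, value, len);
    } else if (value) {
        snprintf(field, cap, "%s=\"%.*s\"", name, (int)len, value);
    } else {
        snprintf(field, cap, "%s=\"?\"", name);   /* assumed NULL handling */
    }
    return field;
}
```

With the real libaudit.h you call the audit_* names instead; the buffer sizing and the malloc'ed return are the conventions the message describes.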
