Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The Changelog is:

- Remove system-config-audit
- Get rid of () from userspace originating events
- Removed old syscall rules API - not needed since 2.6.16
- Remove all use of the old rule structs from API
- Fix uninitialized variable in auditd log rotation
- Add libcap-ng support for audispd plugins
- Removed ancient defines that are part of kernel 2.6.29 headers
- Bump soname number for libaudit
- In auditctl, deprecate the entry filter and move rules to exit filter
- Parse integrity audit records in ausearch/report (Mimi Zohar)
- Updated syscall table for 2.6.31 kernel
- Remove support for the legacy negate syscall rule operator
- In auditd reset syslog warnings if disk space becomes available

This release has some major changes that linux distros will want to take notice of.

The first is that system-config-audit has been removed from the package. It can now be found here: https://fedorahosted.org/system-config-audit/

There were audit events that originate in user space that have this suffix added: (hostname=?, addr=?, terminal=? res=failed) The parentheses have now been removed so that it's purely name=value. Any program linked to libauparse will not notice any difference.

This release removes the old kernel API for sending audit rules to the kernel. This was only needed for kernels prior to 2.6.16. By now distros should be shipping something newer than that. This release also bumps the soname number so that we compile all packages in a distribution to make sure that the change in API does not cause a problem in a third party application. Svn has been branched and will be maintained for a little while so that distros that can't make the jump to 2.0 right now have something with bug fixes in it.

Libcap-ng support has been added so that all audispd plugins drop all capabilities after starting up. If you don't have libcap-ng it still runs the way it used to.

While cleaning up, I removed all the superfluous defines that we had in place to allow compiling with much older kernels. The minimum kernel headers needed are 2.6.29. Since 2.6.31 should be out soon, this should work fine with new OS releases under development.

As stated in an RFC much earlier in the year, we now move all audit rules to the exit filter to simplify rule writing. A warning is emitted if a rule is targeted for the entry filter. At some point in the future we will be able to remove the syscall entry filter in the kernel.

This release adds full support for integrity audit records and updates the kernel syscall table for the 2.6.31 kernel. And if low disk space actions have syslog as the action, we now reset that flag internally to auditd when we see that disk space has been freed up.

Big update...big changes. Might not see this in a distro right away. But please let me know if you run across any problems with this release.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
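The suffix change described above only matters to consumers that parse audit records themselves instead of going through libauparse. As an added illustration (not code from the audit project), the helper below rewrites the pre-2.0 parenthesized suffix into the plain name=value form and then flattens a record into a dictionary, so one parser yields the same fields from both formats; the two record lines are constructed samples modelled on the suffix in the announcement.

```python
import re

# Constructed sample records (not real audit output): the same USER_LOGIN
# event as written before 2.0 (parenthesized suffix) and from 2.0 on.
OLD_RECORD = ("type=USER_LOGIN msg=audit(1250000000.123:45): pid=1234 uid=0 auid=500 "
              "msg='op=login acct=\"joe\" exe=\"/usr/sbin/sshd\" "
              "(hostname=?, addr=?, terminal=? res=failed)'")
NEW_RECORD = ("type=USER_LOGIN msg=audit(1250000000.123:45): pid=1234 uid=0 auid=500 "
              "msg='op=login acct=\"joe\" exe=\"/usr/sbin/sshd\" "
              "hostname=? addr=? terminal=? res=failed'")

# Matches the legacy "(hostname=..., addr=..., terminal=... res=...)" suffix.
_OLD_SUFFIX = re.compile(
    r"\((hostname=[^,]*),\s*(addr=[^,]*),\s*(terminal=\S*)\s+(res=[^)]*)\)")

# One name=value field: single-quoted, double-quoted, or bare value.
_FIELD = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"[^\"]*\"|\S+)")


def normalize_suffix(record: str) -> str:
    """Rewrite the pre-2.0 parenthesized suffix into plain name=value fields.

    Records that already use the 2.0 form are returned unchanged, so the
    function is safe to apply to every line regardless of its origin.
    """
    return _OLD_SUFFIX.sub(r"\1 \2 \3 \4", record)


def parse_fields(record: str) -> dict:
    """Flatten an audit record into {name: value}.

    Fields nested inside a single-quoted msg='...' payload are merged into
    the same dictionary; surrounding double quotes are stripped from values.
    """
    fields = {}
    for name, value in _FIELD.findall(normalize_suffix(record)):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[name] = value.strip('"')
    return fields


if __name__ == "__main__":
    for rec in (OLD_RECORD, NEW_RECORD):
        f = parse_fields(rec)
        print(f["type"], f["acct"], f["terminal"], f["res"])
```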
