Hi,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:

- Correct all rules for clock_settime
- Fix possible segfault in auparse library
- Handle malformed socket addresses better
- Improve performance in audit_log_user_message()
- Improve performance in writing to the log file in auditd
- Syscall update for accept4 and recvmmsg
- Update autrace resource usage mode syscall list
- Improved sample rules for recent syscalls
- Add some debug info to audispd-remote startup and shutdown
- Make compiling with Python optional
- In auditd, if disk_error_action is ignore, don't syslog anything
- Fix some memory leaks
- If audispd is stopping, don't restart children
- Add support in auditctl for shell escaped filenames (Alexander)
- Add search support for virt events (Marcelo Cerri)
- Update interpretation tables
- Sync auparse's auditd config parser with auditd's parser
- In ausearch, also use cwd fields in file name searches
- In ausearch, parse cwd in USER_CMD events
- In ausearch, correct parsing of uid in user space events
- In ausearch, update parsing of integrity events
- Apply some text cleanups from Debian (Russell Coker)
- In auditd, relax some permission checks for external apps
- Add ROLE_MODIFY event type
- In auditctl, new -c option to continue through bad rules but with failed exit
- Add auvirt program to do special reporting on virt events (Marcelo Cerri)
- Add interfield comparison support to auditctl (Peter Moody)
- Update auparse type interpretation for apparmor (Marcelo Cerri)
- Increase tcp_max_per_addr maximum to 1024

This is a huge bugfix release. It has 2 new features worth calling attention to. The first is a new program, auvirt, which produces a report about guest operating systems. The second is the addition of the -C directive for auditctl. This requires a kernel upgrade in order to use it. Its purpose is to be able to trigger on events that would otherwise take a mountain of events to find just the one occurrence.

For example, if you want to see if an admin is accessing files in users' home dirs, then you can write a rule like:

-a always,exit -F dir=/home -C auid!=obj_uid -F key=admin-abuse

Please let me know if you run across any problems with this release.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
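The following Python script is an added illustration of what the `-C auid!=obj_uid` rule above expresses; it is not part of Steve's message or of the audit package. With the real rule the kernel does the comparison at syscall exit and only the matching events reach audit.log. This script models the same test in user space over audit.log records: it groups SYSCALL and PATH records by event serial, and flags an event when the login uid (`auid` in the SYSCALL record) differs from the owner of the file touched (`ouid` in the PATH record) for a path under the watched directory. The field names `auid`, `ouid`, `name` and `key` are the real audit record fields; the sample log lines, uids, pids and inode numbers are constructed for the example; skipping events with an unset login uid (4294967295) is this example's own choice to keep daemons out of the output.

```python
import re
from collections import defaultdict

# Constructed sample records (not real log data) in auditd's audit.log layout.
# Event 456: root (auid=1000, an admin who logged in as uid 1000) reads a file
# owned by uid 1001 under /home. Event 457: uid 1001 reads its own file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1330000000.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1 pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cat" exe="/bin/cat" key="admin-abuse"
type=CWD msg=audit(1330000000.123:456): cwd="/root"
type=PATH msg=audit(1330000000.123:456): item=0 name="/home/alice/.ssh/id_rsa" inode=1234 dev=fd:01 mode=0100600 ouid=1001 ogid=1001 rdev=00:00
type=SYSCALL msg=audit(1330000000.200:457): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1 pid=2346 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1330000000.200:457): cwd="/home/alice"
type=PATH msg=audit(1330000000.200:457): item=0 name="/home/alice/notes.txt" inode=1235 dev=fd:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00
"""

# type=<RECORD> msg=audit(<timestamp>:<serial>): <fields>
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # the kernel's "no login uid" value (-1 as u32)


def parse_events(text):
    """Group audit records by event serial; each record becomes a dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        fields['type'] = rtype
        events[int(serial)].append(fields)
    return events


def under_dir(path, directory):
    """True when path is directory itself or lies beneath it."""
    base = directory.rstrip('/')
    return path == base or path.startswith(base + '/')


def find_cross_user_access(text, watched_dir='/home'):
    """User-space model of: -F dir=<watched_dir> -C auid!=obj_uid.

    Returns one hit per PATH record whose owner uid differs from the
    login uid of the process that touched it.
    """
    hits = []
    for serial, records in sorted(parse_events(text).items()):
        syscall = next((r for r in records if r['type'] == 'SYSCALL'), None)
        if syscall is None:
            continue
        auid = int(syscall.get('auid', AUID_UNSET))
        if auid == AUID_UNSET:
            continue  # example's choice: ignore processes with no login uid
        for rec in records:
            if rec['type'] != 'PATH' or 'ouid' not in rec:
                continue
            path = rec.get('name', '')
            if not under_dir(path, watched_dir):
                continue
            ouid = int(rec['ouid'])
            if auid != ouid:  # the inter-field comparison the rule expresses
                hits.append({
                    'serial': serial, 'auid': auid, 'ouid': ouid,
                    'path': path, 'comm': syscall.get('comm'),
                    'key': syscall.get('key'),
                })
    return hits


if __name__ == '__main__':
    for hit in find_cross_user_access(SAMPLE_LOG):
        print('event {serial}: auid={auid} touched {path} owned by uid {ouid} '
              'via {comm} (key={key})'.format(**hit))
```

On a host where the real rule is loaded, the events it matches all carry `key="admin-abuse"`, so `ausearch -k admin-abuse` retrieves them directly; the script above is useful mainly for checking, on a saved log, which events the comparison would have selected.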
