Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:
- Auditd support for enriched data: uid/gid, saddr splitting, arch, syscall - Make all libraries and utilities support and use enriched events - Define dispatcher protocol to version 2 - Standardize all saddr interpretations in auparse - Fix another DST bug in ausearch time conversion (#1334772) - In autrace, if rule count loop times out don't assume 0 rules (#1344268) - In auditd, check space left a little more often (#1345854) This release of the audit package contains among other things a major new piece of functionality. The audit daemon can now enrich events with interpretation information at the time that the event is logged. This means that if a user account is deleted, the uid can still be resolved to what it was at the time of the event. In terms of central log aggregation, this means that aggregated logs can have the uid mapping of the remote machine for interpretations. To enable this functionality, you would want to edit the log_format setting in auditd.conf and set it to ENRICHED. Restart the audit daemon and that's all there is to it. When the enriched logging format is active, the event is completely formatted in the audit daemon and passed to audispd. This means that you do not need to also set name_format in audispd.conf if you set it in auditd.conf. If you write audispd plugins that want format set to binary, then you need to be aware that enriched events are set with version set to AUDISP_PROTOCOL_VER2 to signify that the raw event is different and you might need to change what you are doing. If the plugin uses string, then feed the event to auparse like always and auparse will know what to do with it. There is a change in interpretation for sockaddr fields. Now all the information about the source and destination are available. There were three bug fixes. Please let me know if you run across any problems with this release. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
