Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:
- Non-active log files should be read only - In augenrules, restore the selinux context if restorecon is installed - Update gitignore file and remove ltmain.sh (Richard Guy Briggs) - Replace Group Separator with whitespace in syslog audispd plugin - In auditd, check for euid rather than capabilities when local_events = no - If events are piped from ausearch to audisp-remote, flush queue when done - In auditctl, correct handling of -F key so that key is not part of value - In auparse, move static variables to auparse_state_t This update is probably the last of the 2.6 series. New development will begin aiming new features towards a future 2.7 release. This update fixes the file permissions on non-active logs. Augenrules now restores the selinux context of the rules file. This is only an issue for MLS systems. The Group Separator used in enriched events has been replaced by a whitespace character for syslog. When auditd is run from some containers that does not support audit collection, it also runs auditd unprivileged. This makes auditd fail so it switches to doing euid checks for this scenario. It was also found that the very last record was not being sent when a file was cat'ed into audisp-remote for remote collection. It now handles this correctly. And it was found that a bug was introduced in the 2.6.6 release where support for multi-keys was fixed. It was also sending the field name into the kernel when doing syscall rules with keys. Please let me know if you run across any problems with this release. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
