audit 1.7.10 released

Steve Grubb sgrubb at redhat.com
Sat Dec 13 14:08:20 UTC 2008


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide 
soon. The Changelog is:

- Fix ausearch and aureport to handle out of order events
- Add line-buffer option to ausearch & timeout pipe input (Tony Jones)
- Add support in ausearch/report for tty data
- Add interpretations for epoll_ctl, lseek, and sigaction to libauparse
- In audisp-remote, allow the keyword "any" for local_port
- Man page updates
- Don't consider 0x7F to be a printable character
- Tighten parsing for -m and -w options in auditctl
- Add session query hint for aulast proof
- Fix audisp-remote to tolerate krb5 config options when not supported
- Created new aureport option for tty keystroke report
- audispd should detect backup config files and not use them
- When checking for ack in netlink interface, retry on EAGAIN a few times
- Trim a trailing whitespace from audit event written to disk
- In aureport, fix mods report to show acct acted upon

This release finally fixes the longstanding problem of grouping interlaced 
audit records correctly for ausearch and aureport. Auparse still has the 
problem. It turns out that the kernel does not serialize audit event records 
that go together. Records from two unrelated events can be intermingled. 
Previously, ausearch/report just used a change in timestamp + serial number 
to distinguish the end of an event. In the process of fixing this problem, I 
discovered a way to make ausearch/report run faster. My testing shows about a 
25% performance improvement...but your usage may have different results.

Ausearch is now smarter about taking input from a pipe thanks to a patch from 
Tony Jones. You can now do "tail -f /var/log/audit/audit.log | ausearch -i" 
and it should output events based on wall clock timeout or event completion 
rather than when it sees an event complete.

Perhaps the biggest improvement in this release is that TTY auditing is now fully 
integrated. Ausearch can interpret TTY data fields. Aureport now has a --tty 
option to see TTY data as a report.

The aulast program can now tell you the ausearch command to retrieve audit 
events for a specific session when you give it the --proof option.

In aureport, the account modification report was not showing the actual 
account that was modified. It now does.

And lastly, I found that all audit events written to disk had a trailing space 
character at the end of each record. That is now removed so that each record 
is 1 byte shorter to save disk space.

Please let me know if you run across any problems with this release.

-Steve
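The two points above that matter most to anyone parsing audit.log by hand are the interlaced-record problem (records of unrelated events are not contiguous, so "key changed, event ended" is the wrong rule) and the pipe behaviour (a streaming reader must flush on a wall-clock timeout as well as on event completion). The following Python is an added example written for this page; it is not code from the audit project and does not reproduce how ausearch or auparse are implemented. It assumes only the record header format `type=T msg=audit(SECONDS.MILLIS:SERIAL):` and, for the streaming case, treats a record of type `EOE` as the end-of-event marker (whether a given kernel emits one is an assumption here; the timeout path covers kernels that do not). The log lines are constructed for the demonstration.

```python
import re
from collections import OrderedDict

# Constructed sample (not a real log): records of two unrelated events, serials
# 1001 and 1002, interleaved the way the kernel can emit them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1229177300.101:1001): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2 auid=500 uid=0 comm="cat" exe="/bin/cat" key="watch"
type=SYSCALL msg=audit(1229177300.101:1002): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=3 auid=500 uid=500 comm="bash" exe="/bin/bash" key=(null)
type=CWD msg=audit(1229177300.101:1001):  cwd="/root"
type=EXECVE msg=audit(1229177300.101:1002): argc=2 a0="ls" a1="-l"
type=PATH msg=audit(1229177300.101:1001): item=0 name="/etc/shadow" inode=123 dev=08:01 mode=0100000 ouid=0 ogid=0
type=CWD msg=audit(1229177300.101:1002):  cwd="/home/user"
type=PATH msg=audit(1229177300.101:1002): item=0 name="/bin/ls" inode=456 dev=08:01 mode=0100755 ouid=0 ogid=0
type=PATH msg=audit(1229177300.101:1002): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=789 dev=08:01 mode=0100755 ouid=0 ogid=0
"""

# Header carried by every audit record: type=TYPE msg=audit(SECONDS.MILLIS:SERIAL):
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')

def parse_record(line):
    """Return (event_key, record_type, body) for one record, or None if malformed.
    The (timestamp, serial) pair identifies the event; all of its records share it."""
    m = RECORD_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return ((ts, int(serial)), rtype, body.rstrip())  # rstrip: drop any trailing space

def group_by_boundary(lines):
    """The old rule: an event ends whenever the (timestamp, serial) key changes.
    With interlaced records this splits one event into several fragments."""
    events, current_key, current = [], None, []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key, rtype, body = rec
        if key != current_key:
            if current:
                events.append((current_key, current))
            current_key, current = key, []
        current.append((rtype, body))
    if current:
        events.append((current_key, current))
    return events

def group_by_serial(lines):
    """Group by event key regardless of arrival order; events keep first-seen order."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key, rtype, body = rec
        events.setdefault(key, []).append((rtype, body))
    return list(events.items())

class StreamGrouper:
    """Incremental grouper for piped input (e.g. tail -f | ...). An event is emitted
    when its EOE record arrives (assumed end marker) or when it has been quiet for
    `timeout` seconds of wall-clock time. The clock is passed in by the caller so the
    example is deterministic; real code would pass time.monotonic()."""
    def __init__(self, timeout=2.0):
        self.timeout = timeout
        self.open = OrderedDict()  # key -> {'records': [...], 'last_seen': float}

    def feed(self, line, now):
        done = []
        rec = parse_record(line)
        if rec is not None:
            key, rtype, body = rec
            ev = self.open.setdefault(key, {'records': [], 'last_seen': now})
            ev['last_seen'] = now
            if rtype == 'EOE':
                done.append((key, self.open.pop(key)['records']))
            else:
                ev['records'].append((rtype, body))
        done.extend(self.flush(now))
        return done

    def flush(self, now):
        """Emit every open event that has been idle longer than the timeout."""
        expired = [k for k, ev in self.open.items() if now - ev['last_seen'] > self.timeout]
        return [(k, self.open.pop(k)['records']) for k in expired]

if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print("boundary rule fragments:", len(group_by_boundary(lines)))
    for key, recs in group_by_serial(lines):
        print("event", key, "->", [r for r, _ in recs])
```

On the constructed sample the boundary rule yields six fragments for what are really two events, while keying on (timestamp, serial) recovers both events intact. The streaming grouper has to hold partially seen events in memory, which is why a timeout is needed: an event whose final record never arrives (or a kernel with no end marker) would otherwise sit in the table forever.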