
audit 1.7.9 released



Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide 
soon. The Changelog is:

- Fix uninitialized variable in aureport causing segfault
- Quieten down the gssapi not supported messages
- Fix bug interpreting i386 logs on x86_64 machines
- If kernel is in immutable mode, auditd should not send enable command
- Fix ausearch/report recent and now time keyword lookups
- If hostname is empty string when logging, make it NULL
- Started adding unit tests to src/test
- Created aulast program
- prelude plugin should pull auid for login alert from 2nd uid field
- Add system boot, shutdown, and run level change events
- Update audisp-prelude LDFLAGS
- Add max_restarts to audispd.conf to limit times a plugin is restarted
- Expand session detection in ausearch

This is mostly a bug fix release. Most of those should be self explanatory 
from the description.

This release also adds a new analytical tool, aulast. This is a 
re-implementation of the "last" and "lastb" programs based off of audit logs. 
The output is identical in format to those utmp based programs. To get the 
analysis to work correctly, I needed to introduce 3 new types: SYSTEM_BOOT, 
SYSTEM_SHUTDOWN, and SYSTEM_RUNLEVEL. I had to patch upstart to send the 
appropriate events, too. The patch against upstart 0.3.9 is here:

http://people.redhat.com/sgrubb/files/upstart/upstart-0.3.9-audit.patch

I will be porting the patch to 0.5 shortly and will post that patch to the 
same directory for anyone that needs it.

Because this is based off of audit logs and we may need to debug the analysis, 
I added --proof and --extract options. The --proof option lists the audit 
event serial numbers that were used to determine the final state of the 
login/logout. This will let you go back and look at them in more detail if 
needed. The --extract option will output a condensed raw audit log to 
aulast.log in the current working directory that has the events used in 
creating the report.

Right now, aulast is not "node" aware. But if you have aggregated logs and 
want to use the program, you can pipe it with ausearch. Something like:

ausearch --start today --node test.machine --raw | aulast --stdin

Aulast also requires that the kernel support the session identifier in the 
user space originating audit records. I believe that means you need to be 
running kernel 2.6.25 or newer or have those patches backported.
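As an added example that is not part of this release or of the audit project's code, the Python sketch below shows the kind of reconstruction the --proof and --extract options make debuggable: USER_LOGIN and USER_END records are paired on the ses= field the previous paragraph says the kernel must supply, SYSTEM_BOOT and SYSTEM_SHUTDOWN are treated the way last(1) treats boot and "down", failed logins are kept separately as lastb material, and every entry carries the serial numbers that decided it. The sample records, the function names and the exact field layout are constructed for illustration only; the real aulast logic is its own.

```python
import re
import time

# Constructed sample audit records (not taken from the post). The layout approximates
# the audit format: type=..., an audit(timestamp:serial) header, then key=value pairs
# with a nested msg='...' section. ses= is the session identifier aulast relies on.
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1200000000.000:1): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
type=USER_LOGIN msg=audit(1200000100.000:17): pid=2201 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=test.machine addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1200000150.000:23): pid=2250 uid=0 auid=1001 ses=6 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=test.machine addr=192.0.2.11 terminal=ssh res=failed'
type=USER_END msg=audit(1200000400.000:41): pid=2201 uid=0 auid=1000 ses=5 msg='op=login exe="/usr/sbin/sshd" hostname=test.machine addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1200000500.000:52): pid=2300 uid=0 auid=1002 ses=7 msg='op=login id=1002 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=SYSTEM_SHUTDOWN msg=audit(1200000900.000:77): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="init" exe="/sbin/init" hostname=? addr=? terminal=? res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_record(line):
    """Split one raw audit line into a flat dict; fields inside msg='...' are merged in."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": int(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD.findall(m.group(4)):
        if key == "msg":
            for k2, v2 in FIELD.findall(val.strip("'")):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def reconstruct(raw_lines):
    """Rebuild last/lastb-style entries from audit records.

    Sessions are matched on ses=. Each entry keeps the serials that decided its
    start and end, which is what a --proof style listing would print.
    Returns (successful_logins, failed_logins) in chronological order."""
    good, bad, open_by_ses = [], [], {}
    for line in raw_lines:
        rec = parse_record(line)
        if rec is None:
            continue
        t, serial = rec["type"], rec["serial"]
        if t == "SYSTEM_BOOT":
            # Anything still open at a boot never saw a shutdown: mark it "crash".
            for ent in open_by_ses.values():
                ent["end"] = "crash"
                ent["proof"].append(serial)
            open_by_ses.clear()
            boot = {"user": "reboot", "tty": "system boot", "host": rec.get("hostname", "?"),
                    "start": rec["time"], "end": None, "proof": [serial]}
            open_by_ses["__boot__"] = boot
            good.append(boot)
        elif t == "SYSTEM_SHUTDOWN":
            # The boot entry ends at the shutdown time; open user sessions end as "down".
            for ent in open_by_ses.values():
                ent["end"] = rec["time"] if ent["user"] == "reboot" else "down"
                ent["proof"].append(serial)
            open_by_ses.clear()
        elif t == "USER_LOGIN":
            ent = {"user": rec.get("auid"), "tty": rec.get("terminal", "?"),
                   "host": rec.get("hostname", "?"), "start": rec["time"],
                   "end": None, "proof": [serial]}
            if rec.get("res") == "success":
                open_by_ses[rec.get("ses")] = ent
                good.append(ent)
            else:
                bad.append(ent)  # lastb material: a failed attempt
        elif t == "USER_END":
            ent = open_by_ses.pop(rec.get("ses"), None)
            if ent is not None:
                ent["end"] = rec["time"]
                ent["proof"].append(serial)
    for ent in open_by_ses.values():
        ent["end"] = "still logged in"
    return good, bad


def format_last(entries, proof=False):
    """Render entries newest first in last(1) column order: user tty host start end."""
    out = []
    for e in reversed(entries):
        start = time.strftime("%a %b %d %H:%M", time.gmtime(e["start"]))
        if isinstance(e["end"], int):
            mins = (e["end"] - e["start"]) // 60
            end = "%s  (%02d:%02d)" % (time.strftime("%H:%M", time.gmtime(e["end"])), mins // 60, mins % 60)
        else:
            end = e["end"] or "gone"
        line = "%-8s %-12s %-16s %s - %s" % (e["user"], e["tty"], e["host"], start, end)
        if proof:
            line += "   proof: " + ",".join(str(s) for s in e["proof"])
        out.append(line)
    return out


def extract(raw_lines, entries):
    """Keep only the raw records whose serials back some entry (an --extract style log)."""
    wanted = {s for e in entries for s in e["proof"]}
    return [ln for ln in raw_lines if (r := parse_record(ln)) and r["serial"] in wanted]


if __name__ == "__main__":
    good, bad = reconstruct(SAMPLE_LOG.splitlines())
    print("\n".join(format_last(good, proof=True)))
    print("--- failed ---")
    print("\n".join(format_last(bad)))
    print("--- extracted records ---")
    print("\n".join(extract(SAMPLE_LOG.splitlines(), good)))
```

Feeding the output of `ausearch --raw` into `reconstruct` gives the same per-node filtering the ausearch pipe above achieves; the proof list on each line is the set of serials to pass back to `ausearch -a` when a login/logout pairing looks wrong.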

Please let me know if you run across any problems with this release.

-Steve

