audit 2.0 released

Steve Grubb sgrubb at redhat.com
Tue Aug 11 17:40:23 UTC 2009


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The Changelog is:

- Remove system-config-audit
- Get rid of () from userspace originating events
- Removed old syscall rules API - not needed since 2.6.16
- Remove all use of the old rule structs from API
- Fix uninitialized variable in auditd log rotation
- Add libcap-ng support for audispd plugins
- Removed ancient defines that are part of kernel 2.6.29 headers
- Bump soname number for libaudit
- In auditctl, deprecate the entry filter and move rules to exit filter
- Parse integrity audit records in ausearch/report (Mimi Zohar)
- Updated syscall table for 2.6.31 kernel
- Remove support for the legacy negate syscall rule operator
- In auditd reset syslog warnings if disk space becomes available

This release has some major changes that linux distros will want to take 
notice of. The first is that system-config-audit has been removed from the 
package. It can now be found here: 

https://fedorahosted.org/system-config-audit/

There were audit events that originate in user space that had this suffix added:
(hostname=?, addr=?, terminal=? res=failed)   The parentheses have now been 
removed so that it is purely name=value. Any program linked to libauparse will 
not notice any difference.

This release removes the old kernel API for sending audit rules to the kernel. 
This was only needed for kernels prior to 2.6.16; by now distros should be 
shipping something newer than that. This release also bumps the soname number 
so that we compile all packages in a distribution to make sure that the change 
in API does not cause a problem in a third party application. Svn has been 
branched and will be maintained for a little while so that distros that can't 
make the jump to 2.0 right now have something with bug fixes in it.

Libcap-ng support has been added so that all audispd plugins drop all 
capabilities after starting up. If you don't have libcap-ng it still runs the 
way it used to.

While cleaning up, I removed all the superfluous defines that we had in place to 
allow compiling with much older kernels. The minimum kernel headers needed are 
2.6.29. Since 2.6.31 should be out soon, this should work fine with new OS 
releases under development.

As stated in an RFC much earlier in the year, we now move all audit rules to 
the exit filter to simplify rule writing. A warning is emitted if a rule is 
targeted for the entry filter. At some point in the future we will be able to 
remove the syscall entry filter in the kernel.

This release adds full support for integrity audit records and updates the 
kernel syscall table for the 2.6.31 kernel. And if low disk space actions have 
syslog as the action, we now reset that flag internally to auditd when we see 
that disk space has been freed up.

Big update...big changes. Might not see this in a distro right away. But 
please let me know if you run across any problems with this release.

-Steve
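The format change described in the announcement (the parenthesised `(hostname=?, addr=?, terminal=? res=failed)` suffix becoming plain name=value) matters to anyone parsing raw audit logs with their own code rather than libauparse. The following is an added example, not code from the post or from the audit project: a small parser that accepts a user-space-originated record in either the pre-2.0 or the 2.0 form and yields the same field dictionary for both, plus a check that flags records still carrying the legacy suffix. The two sample records are constructed for the example; their field values (pid, uid, acct, exe) are made up.

```python
import re
from typing import Dict

# Constructed sample records (not taken from the announcement): the same
# USER_LOGIN event as a pre-2.0 daemon wrote it (parenthesised suffix) and
# as audit 2.0 writes it (plain name=value). Field values are invented.
LEGACY_RECORD = (
    "type=USER_LOGIN msg=audit(1249999999.123:42): user pid=1234 uid=0 "
    "auid=500 ses=1 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=?, terminal=? res=failed)'"
)
NEW_RECORD = (
    "type=USER_LOGIN msg=audit(1249999999.123:42): user pid=1234 uid=0 "
    "auid=500 ses=1 msg='op=login acct=\"root\" exe=\"/usr/sbin/sshd\" "
    "hostname=? addr=? terminal=? res=failed'"
)

# Record header: type=<TYPE> msg=audit(<secs>.<msecs>:<serial>): <rest>
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

# name=value tokens. A value is double-quoted, single-quoted, or bare; a bare
# value stops at whitespace, a comma or a parenthesis so the separators of the
# legacy "(a=?, b=?)" group are never glued onto the value.
KV_RE = re.compile(r"([A-Za-z_][\w-]*)=(\"[^\"]*\"|'[^']*'|[^\s,()]*)")

# Inner-message suffix that only the pre-2.0 daemon produced.
LEGACY_SUFFIX_RE = re.compile(r"\(hostname=[^)]*\)")


def _kv(text: str) -> Dict[str, str]:
    """Extract name=value pairs from text, stripping surrounding quotes."""
    out: Dict[str, str] = {}
    for key, val in KV_RE.findall(text):
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[key] = val
    return out


def parse_record(line: str) -> Dict[str, str]:
    """Parse one audit record line into a flat dict.

    Works for both the legacy and the 2.0 form of user-space events: the
    outer fields are parsed first, then the quoted msg='...' payload is
    parsed with the same tokenizer and merged into the result.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    rec.update(_kv(m.group(4)))
    inner = rec.pop("msg", None)  # the single-quoted payload, if present
    if inner is not None:
        rec.update(_kv(inner))
    return rec


def has_legacy_suffix(line: str) -> bool:
    """True if the record still carries the pre-2.0 parenthesised suffix."""
    return LEGACY_SUFFIX_RE.search(line) is not None


if __name__ == "__main__":
    for line in (LEGACY_RECORD, NEW_RECORD):
        fields = parse_record(line)
        print("legacy" if has_legacy_suffix(line) else "2.0   ",
              fields["type"], fields["acct"], fields["hostname"], fields["res"])
```

Because the bare-value class excludes commas and parentheses, the legacy group `(hostname=?, addr=?, terminal=? res=failed)` and the 2.0 form `hostname=? addr=? terminal=? res=failed` tokenize to identical pairs, so downstream logic (for example alerting on `res=failed` logins with `hostname=?`) does not need to know which daemon wrote the line. A log pipeline that still sees `has_legacy_suffix()` return True after an upgrade is reading records from a pre-2.0 host or from an archived log.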
