audit-2.1.1 released

Steve Grubb sgrubb at redhat.com
Wed Apr 20 21:16:41 UTC 2011


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- When ausearch is interpreting, output "as is" if no = is found
- Correct socket setup in remote logging
- Adjusted a couple default settings for remote logging and init script
- Audispd was not marking restarted plugins as active
- Audisp-remote should keep a capability if local_port < 1024
- When audispd restarts plugin, send event in its preferred format
- In audisp-remote, make all I/O asynchronous
- In audisp-remote, add sigusr1 handler to dump internal state
- Fix autrace to use correct syscalls on s390 and s390x systems
- Add shutdown syscall to remote logging teardowns
- Correct autrace rule for 32-bit systems

The main focus of this release is making the remote logging more robust. We found and 
fixed several problems related to all aspects of remote logging. Audispd was not 
marking restarted plugins as active, and even when it did that, it sent the plugin data 
in the non-string format the first time, which generally results in missed events. There 
was a problem where we dropped all privs in the remote plugin, but if the port was 
privileged, reconnecting on a broken connection would fail. A sigusr1 handler was 
added so that you can make the remote logging plugin dump some info about its internal 
state for troubleshooting.

Aside from that, there was a little work on autrace to correct i386/686 and s390's so 
that it works as intended.

Please let me know if you run across any problems with this release.

-Steve



