audit-2.2 released

Steve Grubb sgrubb at redhat.com
Thu Mar 1 20:02:23 UTC 2012


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- Correct all rules for clock_settime
- Fix possible segfault in auparse library
- Handle malformed socket addresses better
- Improve performance in audit_log_user_message() 
- Improve performance in writing to the log file in auditd
- Syscall update for accept4 and recvmmsg
- Update autrace resource usage mode syscall list
- Improved sample rules for recent syscalls
- Add some debug info to audidp-remote startup and shutdown
- Make compiling with Python optional
- In auditd, if disk_error_action is ignore, don't syslog anything
- Fix some memory leaks
- If audispd is stopping, don't restart children
- Add support in auditctl for shell escaped filenames (Alexander)
- Add search support for virt events (Marcelo Cerri)
- Update interpretation tables
- Sync auparse's auditd config parser with auditd's parser
- In ausearch, also use cwd fields in file name searchs
- In ausearch, parse cwd in USER_CMD events
- In ausearch, correct parsing of uid in user space events
- In ausearch, update parsing of integrity events
- Apply some text cleanups from Debian (Russell Coker)
- In auditd, relax some permission checks for external apps
- Add ROLE_MODIFY event type
- In auditctl, new -c option to continue through bad rules but with failed exit
- Add auvirt program to do special reporting on virt events (Marcelo Cerri)
- Add interfield comparison support to auditctl (Peter Moody)
- Update auparse type intepretation for apparmor (Marcelo Cerri)
- Increase tcp_max_per_addr maximum to 1024.

This is a huge bugfix release. It has 2 new features worth calling attention to. 
The first is a new program, auvirt which produces a report about guest operating 
systems.

The second is the addition of the -C directive for auditctl. This requires a 
kernel upgrade in order to use it. Its purpose is to be able to trigger on 
events that would otherwise take a mountain of events to find just the one 
occurance. For example, if you want to see if an admin is accessing files in 
user's home dirs, then you can write a rule like:

-a always,exit -F dir=/home -C auid!=obj_uid -F key=admin-abuse

Please let me know if you run across any problems with this release.

-Steve




More information about the Linux-audit mailing list