audit 2.3.6 released

Burn Alting burn at swtf.dyndns.org
Sun Apr 13 01:51:45 UTC 2014


Steve,

I have identified an edge case with checkpointing where the recorded
inode is still a valid inode for one of the /var/log/audit.log* files
but the recorded event is not in the identified file.

This is reproduced by performing an ausearch with checkpoint, then
generating sufficient audit events such that all the events in
the /var/log/audit.log* files are more recent than the checkpointed
event. Quite often, one of the audit.log* files will have the same inode
as initially recorded in the ausearch checkpoint file.

A patch is attached that addresses this.

Essentially the modification
- notices if we identify an audit.log file to use but we do not find the
recorded audit event in that log file, and so reports an error (to stderr)
and returns a new exit code (12)
- allows checkpointing to only use the recorded time from the checkpoint
file for comparisons.

You will note that the patch also contains changes to swig/audit.py.
Although this file is automatically generated, it is part of the 2.3.6
release ... should it be? I also note that a lot of Makefile.in's are
also part of the release. Again, should these automatically generated
files be part of the release?


Rgds

On Fri, 2014-04-11 at 17:17 -0400, Steve Grubb wrote:
> I've just released a new version of the audit daemon. It can be downloaded 
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
> soon. The ChangeLog is:
> 
> - Add an option to auditctl to interpret a0 - a3 of syscall rules when listing
> - Improve ARM and AARCH64 support (AKASHI Takahiro)
> - Add ausearch --checkpoint feature (Burn Alting)
> - Add --arch option to ausearch
> - Improve too long config line in audispd, auditd, and auparse (#1071580)
> - Fix aulast to accept the new AUDIT_LOGIN record format
> - Remove clear_config symbol in auparse
> 
> I decided to go ahead and release this one because of some concern about an 
> unintended symbol popping up in the auparse ABI.
> 
> This release includes a bunch of new stuff. You can now add a '-i' to the
> listing command of auditctl and it will interpret a0-a3 if they are included
> in any rules.
> 
> There is new support for arm as mentioned in an email a few weeks ago. If you 
> were compiling --with-armeb, you now need to change to --with-arm. Cross 
> compile support is not yet in place.
> 
> There is a new checkpoint feature to ausearch. What it does is give you all 
> the events that have occurred since the last checkpoint.
> 
> Ausearch now has a --arch search option just in case you needed to find i386 
> events on a x86_64 machine.
> 
> There were a number of cleanups to the code as well.
> 
> Please let me know if you run across any problems with this release.
> 
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-2.3.6_checkpoint_mods.patch
Type: text/x-patch
Size: 56408 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140413/1ee62b67/attachment.bin>
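The inode-reuse edge case described in the message above, as an added illustration; this is not the attached patch and not ausearch's real checkpoint file layout. The Checkpoint fields, the in-memory log layout (path -> (inode, lines)) and the audit records are constructed for the example; exit code 12 is the value proposed in the post.

```python
import re
import sys
from dataclasses import dataclass

EXIT_CHECKPOINT_EVENT_MISSING = 12  # new exit code proposed in the post

@dataclass
class Checkpoint:
    """Assumed checkpoint contents: inode of the log that held the last event
    plus that event's audit(time:serial) id. Not the real ausearch file layout."""
    inode: int
    time: float
    serial: int

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def event_id(line):
    """(time, serial) parsed from one audit record, or None for other lines."""
    m = EVENT_RE.search(line)
    return (float(m.group(1)), int(m.group(2))) if m else None

def resolve_checkpoint(cp, logs, time_only=False):
    """logs maps path -> (inode, lines). Returns (exit_code, newer_events).
    An inode match alone does not prove the file still holds the checkpointed
    event: after enough rotations a different audit.log.N can carry that inode."""
    cp_id = (cp.time, cp.serial)
    holder = next((p for p, (ino, _) in logs.items() if ino == cp.inode), None)
    if holder is not None and not time_only:
        if not any(event_id(l) == cp_id for l in logs[holder][1]):
            print(f"checkpoint event {cp.time}:{cp.serial} not found in {holder} "
                  f"(inode {cp.inode} reused)", file=sys.stderr)
            return EXIT_CHECKPOINT_EVENT_MISSING, []
    # Event confirmed (or time-only mode): collect everything newer than the
    # checkpoint across all files, oldest first.
    newer = []
    for _, lines in logs.values():
        for line in lines:
            eid = event_id(line)
            if eid and (eid[0] > cp.time if time_only else eid > cp_id):
                newer.append((eid, line))
    return 0, [line for _, line in sorted(newer)]

# Constructed logs: audit.log.1 now carries inode 2001, the inode recorded in
# the checkpoint, but event 1397352000.100:10 has been rotated away entirely.
LOGS = {
    "/var/log/audit.log":   (2002, ["type=SYSCALL msg=audit(1397352100.500:30): ...",
                                    "type=SYSCALL msg=audit(1397352101.000:31): ..."]),
    "/var/log/audit.log.1": (2001, ["type=SYSCALL msg=audit(1397352050.000:20): ...",
                                    "type=SYSCALL msg=audit(1397352060.000:21): ..."]),
}
STALE_CP = Checkpoint(inode=2001, time=1397352000.100, serial=10)
```

With STALE_CP the inode check alone would wrongly pick audit.log.1; the event scan reports the mismatch and returns 12, while time_only=True falls back to the recorded time and yields all four newer records.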