audit 2.6.1 released

Steve Grubb sgrubb at redhat.com
Wed Jun 29 01:39:28 UTC 2016


Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Do capabilities check rather than uid
- Auditd fixup directory and file permissions on startup
- Add some missing config items to auditd reconfigure
- In audisp-remote add warn_once and warn_once_continue action handlers
- In audisp-remote only emit 1 warning when disk_full or error is reached.
- Aulast now searches on user name as a string for enriched events
- Ausearch now searches on user name as a string for enriched events
- Create audit-stop.rules to clean up audit subsystem on stop
- Adjust LDFLAGS for cross compiled helper utilities (Laurent Bigonville)
- Fix event formatting issue in audispd
- Fix bug causing ack to not be sent from auditd to audisp-remote


This release follows the last one quickly because it's a bugfix release. The 
last release had a lot of code churn and debug and testing was not 100% 
complete. The biggest issue was that during the creation of the protocol 2 
format handler in audispd, some newlines got stripped from the formatting. 
This caused problems for any protocol 1 events. The likely effect is audispd 
plugins not working correctly.

There was also a bug in auditd due to refactoring the code to retry sending 
events to the dispatcher. The effect of the bug was to zero out the ack 
function when receiving remote events. This caused audisp-remote to retry 
sending the event over and over because it timed out thinking the server was 
having comm problems.

It was also pointed out that some people don't want audit events of any kind 
going to syslog when the audit daemon is stopped. This update adds a new file, 
audit-stop.rules, which gets loaded when the audit daemon stops. The current 
rules disable the audit subsystem and delete all rules.

The conversion to enriched events was not complete in 2.6. The ausearch and 
aulast programs needed to use the user name as a string to search for events.

audisp-remote was reworked to only emit 1 warning when disk_full or error is 
reached. New config options were added to help accomplish this. There are now 
warn_once and warn_once_continue options for failures. It acts like the syslog 
option except it only sends one. Read the man page for more details.

It was also found that not all config options were being loaded when the audit 
daemon received SIGHUP.

The audit daemon will now fix logging directory ownership and mode during 
restart or config reload. This will help everyone who sets the log access group 
because it will restore the config after an upgrade.

Almost every place that uid was checked for root has been updated to do a 
capability check instead.

Please let me know if you run across any problems with this release.

-Steve
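The "capability check instead of uid" change mentioned above is easy to misread as cosmetic, so here is an added illustration of the difference (example code written for this page, not code from the audit project). It reads the effective capability mask from /proc/self/status rather than using a capability library, so it builds with no extra dependency; CAP_AUDIT_WRITE (29) and CAP_AUDIT_CONTROL (30) are the kernel's numbers from linux/capability.h. A root process that has dropped its capabilities fails the new gate, while an unprivileged process granted CAP_AUDIT_CONTROL passes it; a plain euid check gets both cases wrong.

```c
/* Added example (not audit's own code): gate an audit-administration
 * action on the caller's effective capability set instead of "euid == 0".
 * The mask is parsed from the CapEff line of /proc/self/status. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef CAP_AUDIT_WRITE
#define CAP_AUDIT_WRITE   29  /* may write records to the kernel audit log */
#endif
#ifndef CAP_AUDIT_CONTROL
#define CAP_AUDIT_CONTROL 30  /* may enable/disable auditing and change rules */
#endif

/* Test bit `cap` in a hex capability mask as printed in /proc/<pid>/status
 * (e.g. "0000003fffffffff").  Returns 1 if set, 0 if clear, -1 on bad input. */
int cap_in_mask(const char *hexmask, int cap)
{
    char *end;
    if (hexmask == NULL || *hexmask == '\0' || cap < 0 || cap > 63)
        return -1;
    errno = 0;
    uint64_t mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask || (*end != '\0' && *end != '\n'))
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Look up `cap` in the current process's effective set.
 * Returns 1 if present, 0 if absent, -1 if /proc/self/status is unreadable. */
int have_effective_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            rc = cap_in_mask(p, cap);
            break;
        }
    }
    fclose(f);
    return rc;
}

/* The old gate and the new gate side by side. */
int may_control_audit_by_uid(void) { return geteuid() == 0; }
int may_control_audit_by_cap(void) { return have_effective_cap(CAP_AUDIT_CONTROL) == 1; }

int main(void)
{
    printf("euid == 0:                   %d\n", may_control_audit_by_uid());
    printf("CAP_AUDIT_CONTROL effective: %d\n", may_control_audit_by_cap());
    printf("CAP_AUDIT_WRITE effective:   %d\n",
           have_effective_cap(CAP_AUDIT_WRITE) == 1);
    return 0;
}
```

Run it once as an ordinary user and once under `capsh --drop=cap_audit_control --` as root to see the two gates disagree; the capability gate is the one that reflects what the kernel will actually permit.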
