audit 2.7.4 released

Steve Grubb sgrubb at redhat.com
Tue Mar 28 15:20:34 UTC 2017


Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Fix python3 byte compile for libaudit bindings
- Add "boot" keyword to time parameters of ausearch/aureport
- In auparse normalizer, add memory object kind
- In auparse normalizer, handle a couple more file related syscalls
- In auparse normalizer, find the object for AVC's
- In ausearch/auparse mark KERNEL event as 1 record event
- Bump up the default value of the audispd q_depth setting to 250
- In auparse, allow '-' in field names for ausearch_add_expression()
- In auparse normalize, break change-file-attribute to permission and ownership
- Add python bindings for auparse normalizer
- Fix aureport's file report to not pick the parent path record in reports
- Document auparse normalize accessor functions with a man page
- In auparse normalizer, handle scheduler syscalls
- In auparse normalizer, find path record for file syscalls without cwd record
- Update the syscall table to the 4.11 kernel
- Fix auvirt time keywords to work properly (#1367703)
- In auditd, if any action is exec, close and reopen the logging descriptor

This is a big release in terms of the number of updates made during the 
development cycle. Most of the items listed above are to round out the 
normalizer support as I tested different kinds of records. There are now python 
bindings for the auparse normalizer.

Ausearch/report have a new time keyword, boot, which will use all events since 
the last boot. The libaudit syscall tables were updated for the new syscalls 
in the 4.11 linux kernel.

It was discovered that in the event that there are multiple path records, 
aureport was outputting the first one in the file report which was most likely a 
directory. Now it will choose the first non-parent record and output it.

The default q_depth setting for audispd was bumped up a little to prevent 
dropping events during bursts of activity.

And in auditd, if you specify an exec action item, auditd will now close the 
logging descriptor so that the called program can do anything it wants to the 
audit files. The called script/program must send SIGUSR2 to auditd to resume 
logging. (This has always been the case and is not new.) When auditd sees 
SIGUSR2, it will resume logging by re-opening the old file or create new 
audit.log file as needed.
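As an added example (not the audit project's code and not part of this announcement), here is the kind of script an auditd exec action could run: it moves audit.log aside for archiving while auditd's descriptor is closed, then sends SIGUSR2 so auditd creates a fresh audit.log. The install path /usr/local/sbin/audit-space-action.sh, the archive directory /var/log/audit/archive and the pidfile /var/run/auditd.pid are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example, not from the audit project. Intended to be called from an
# auditd "exec" action, e.g. in /etc/audit/auditd.conf (assumed path):
#     space_left_action = exec /usr/local/sbin/audit-space-action.sh
# While this runs auditd has closed its log descriptor; nothing is logged
# again until the script sends SIGUSR2, so that step must never be skipped.
set -eu

AUDITD_PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"      # assumed location
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/archive}"         # assumed location

# Move the current log into dest_dir under a timestamped name and print the
# archive path. auditd recreates audit.log when it gets SIGUSR2, so the
# original file does not need to be left behind.
archive_audit_log() {
    log="$1"
    dest_dir="$2"
    [ -f "$log" ] || { echo "no such log: $log" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    dest="$dest_dir/$(basename "$log").$(date +%Y%m%d-%H%M%S)"
    [ ! -e "$dest" ] || dest="$dest.$$"     # two runs in one second must not collide
    mv "$log" "$dest" || return 1
    chmod 0400 "$dest" || return 1          # archived audit data stays root-only
    echo "$dest"
}

# Read auditd's pid from its pidfile, validate it, and send SIGUSR2 so auditd
# reopens or recreates audit.log. Returns 1 for a missing or malformed pidfile
# and 2 if the pid cannot be signalled; in both cases auditd is still NOT
# logging, so the caller must report it rather than exit quietly.
resume_auditd_logging() {
    pidfile="$1"
    [ -r "$pidfile" ] || { echo "cannot read $pidfile" >&2; return 1; }
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) echo "malformed pid '$pid' in $pidfile" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "cannot signal pid $pid" >&2; return 2; }
    kill -s USR2 "$pid"
}

main() {
    # Even if archiving fails, still try to resume logging; report the
    # first failure as the exit status.
    rc=0
    archive_audit_log "$AUDIT_LOG" "$ARCHIVE_DIR" || rc=$?
    resume_auditd_logging "$AUDITD_PIDFILE" || rc=$?
    return "$rc"
}

# Only act when invoked under the installed name, so the functions can also
# be sourced (for testing) without touching the live audit log.
case "${0##*/}" in
    audit-space-action.sh) main ;;
esac
```

The non-zero returns from resume_auditd_logging are the important part: if the pidfile is stale or the signal is not delivered, auditd keeps running with its log descriptor closed and you lose events silently, so wire the exit status into whatever monitoring watches the action.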

This is the first release off of the github repo. There is a release listed on 
the project page. It's a raw release that has not been processed by automake/
autoconf. I will probably change the naming convention to distinguish raw 
github tarballs vs processed and ready to use tarballs.

Please let me know if you run across any problems with this release.

-Steve
