audit 2.8 released

Steve Grubb sgrubb at redhat.com
Tue Oct 10 22:35:32 UTC 2017


Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Add support for ambient capability fields (Richard Guy Briggs)
- Update auparse-normalizer to support TTY events
- Add auparse_normalize_object_primary2 API
- In ausearch text format, add 'to xxx' for mount operations
- In ausearch add new --extra-obj2 option for CSV output
- In auparse_normalize, pick up second file name for rename syscalls
- In auparse_normalize, pick up permission & ownership changes as obj2
- In auparse_normalize, pick up uid/gid for setuid/gid syscalls as obj2
- In auparse_normalize, pick up link for symlink syscalls as obj2
- In auparse_normalize, correct mount records based on success
- In auparse_normalize, correct object for USER_MGMT, ACCT_LOCK, & ACCT_UNLOCK
- Add default port to auditd.conf (#1455598)
- Fix auvirt to report AVCs (#982154)
- Add sockaddr accessor functions in auparse
- In ausearch, use auparse_interpret_sock_address for text mode output
- In remote logging, inform client auditd is suspended and please disconnect
- Auditd and audisp-remote now support IPv6
- In auparse function auparse_goto_record_num, make it positioned on first field
- In auparse_normalize, finish support for MAC_STATUS and MAC_CONFIG events
- Add support for filesystem filter type (Richard Guy Briggs)
- Add file system type table for fstype lookup
- Add command line option to auditd & audispd for config dir path (Dan Born)
- Fix auparse serial parsing of event when system time < 9 characters (kruvin)
- In auparse, allow non-equality comparisons for uid & gid fields (#1399314)
- In auparse_normalize, add support for USER_DEVICE events
- In audispd.conf, add new plugin_dir config item to customize plugin location
- Add support for FANOTIFY event
- Improve auparse_normalize support for SECCOMP events
- In auparse_normalize, pick up comm for successful memory allocations

This is a big release with a lot of code changes all over. There's too much to 
give a detailed description of, so I'll summarize the major items.

Lots of updates for the auparse_normalizer to improve support on many events. 
Added new object2 api to access a second object when available. Remote logging 
now supports IPv6 and other remote logging improvements. Fix bugs in auvirt 
that prevented locating AVCs for the VM. Add support for filesystem filter 
type. Add command line option to auditd & audispd for config dir path. In 
auparse, allow non-equality comparisons for uid & gid fields.

SHA256: b4012cbc21e34e53f26696e551d22b2dded07669207554ecb670ee082f0145a7

Please let me know if you run across any problems with this release.

-Steve
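For readers of the obj2 items in the ChangeLog above, an added illustration that is not code from the audit project or libauparse: a small Python sketch of how a rename event's two file names become the primary object and obj2 once the event is normalized. The raw event, its serial and every field value are constructed, the syscall numbers assume x86_64, and relative names are resolved against CWD rather than the PARENT items (a simplification).

```python
import re
from collections import defaultdict

# Constructed sample event (not a real capture): one rename() on x86_64 as
# auditd would log it; pid/inode/mode values are placeholders.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1507673732.123:4711): arch=c000003e syscall=82 success=yes exit=0 ppid=1 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="mv" exe="/usr/bin/mv" key="rename_watch"
type=CWD msg=audit(1507673732.123:4711): cwd="/home/alice"
type=PATH msg=audit(1507673732.123:4711): item=0 name="/home/alice" inode=1001 mode=040755 nametype=PARENT
type=PATH msg=audit(1507673732.123:4711): item=1 name="/home/alice" inode=1001 mode=040755 nametype=PARENT
type=PATH msg=audit(1507673732.123:4711): item=2 name="old.txt" inode=1002 mode=0100644 nametype=DELETE
type=PATH msg=audit(1507673732.123:4711): item=3 name="new.txt" inode=1002 mode=0100644 nametype=CREATE
"""
# rename, renameat, renameat2 on arch c000003e (x86_64); other arches differ.
RENAME_SYSCALLS_X86_64 = {82, 264, 316}
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\):')

def parse_records(text):
    """Group raw audit lines by event serial; each record becomes a field dict."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[int(m.group(1))].append(fields)
    return events

def normalize_rename(records):
    """Reduce one rename event to subject/action/object/obj2: old name is object, new name is obj2."""
    syscall = next((r for r in records if r['type'] == 'SYSCALL'), None)
    if (syscall is None or syscall.get('arch') != 'c000003e'
            or int(syscall['syscall']) not in RENAME_SYSCALLS_X86_64):
        return None
    cwd = next((r['cwd'] for r in records if r['type'] == 'CWD'), '')
    # Simplification: resolve relative names against CWD, not the PARENT items.
    paths = {r['nametype']: r['name'] for r in records if r['type'] == 'PATH'}
    absolute = lambda n: n if n is None or n.startswith('/') else f'{cwd}/{n}'
    return {
        'subject': {k: syscall.get(k) for k in ('auid', 'uid', 'comm', 'exe')},
        'action': 'renamed',
        'object': absolute(paths.get('DELETE')),   # primary object
        'obj2': absolute(paths.get('CREATE')),     # second object (obj2)
        'success': syscall.get('success') == 'yes',
    }

if __name__ == '__main__':
    for serial, recs in parse_records(SAMPLE_LOG).items():
        print(serial, normalize_rename(recs))
```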