Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit
The Changelog is:
- Check log file size on start up
- Added priority_boost config item
- Reworked arch support
- Reworked how run level is changed
- Make allowances for ECONNREFUSED.
The program was not checking the logfile size on startup which could make it
add a record before deciding to perform the log file size action.
In order to help solve the lost records problem, I've added a priority boost
option to auditd.conf. The default is 3. You should probably check
your /etc/auditd.conf file to see that you have the new option.
The arch support has been reworked. Thanks to Debbie Velarde for helping
gather the syscall tables. Please give this feature a try. I think it should
be working (except for "both"). Please report any bugs with this soon and
I'll release a 0.6.12 to fix any problems.
The way that the run level is changed was reworked to make SE Linux policy
better. It was invoking system(); now it does execve().
People that are rolling their own kernels and not including the audit system
were being stopped from logging by pam. I made an exception that if
ECONNREFUSED is detected during sendto, they are using a modified kernel and
we'll bypass logging. ECONNREFUSED means the kernel isn't listening on the
audit netlink socket, so I think this exception is safe.
Please give it some testing and report any problems.
-Steve
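
The system() to execve() change described in the message, sketched as an added example (not part of the original message and not auditd's own code). The helper names, the "/sbin/init" path and the fixed environment are assumptions made for illustration; the point is that no shell is spawned, so the confined daemon needs no permission to execute /bin/sh and no argument is ever parsed as shell syntax.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run a fixed program with a fixed argv and a minimal environment, without
 * going through /bin/sh. Returns the child's exit status, 127 if execve()
 * failed, or -1 if fork/wait failed or the child died from a signal. */
int run_no_shell(const char *path, char *const argv[])
{
    /* Constructed minimal environment: nothing inherited from the caller. */
    static char *const envp[] = { "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);             /* only reached when execve() failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical caller: switch run level by executing init directly.
 * "/sbin/init" and the level argument are assumptions for this example. */
int change_runlevel(const char *level)
{
    char *const argv[] = { "/sbin/init", (char *)level, NULL };
    return run_no_shell("/sbin/init", argv);
}

int main(void)
{
    /* Harmless demonstration: the argument is passed verbatim to echo,
     * so ';' is not interpreted as a command separator. */
    char *const argv[] = { "echo", "1; not-a-command", NULL };
    printf("exit status: %d\n", run_no_shell("/bin/echo", argv));
    return 0;
}
```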