On Tuesday, October 10, 2017 6:35:32 PM EDT Steve Grubb wrote:
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Add support for ambient capability fields (Richard Guy Briggs)
- Update auparse-normalizer to support TTY events
- Add auparse_normalize_object_primary2 API
- In ausearch text format, add 'to xxx' for mount operations
- In ausearch add new --extra-obj2 option for CSV output
- In auparse_normalize, pick up second file name for rename syscalls
- In auparse_normalize, pick up permission & ownership changes as obj2
- In auparse_normalize, pick up uid/gid for setuid/gid syscalls as obj2
- In auparse_normalize, pick up link for symlink syscalls as obj2
- In auparse_normalize, correct mount records based on success
- In auparse_normalize, correct object for USER_MGMT, ACCT_LOCK, & ACCT_UNLOCK
- Add default port to auditd.conf (#1455598)
- Fix auvirt to report AVC's (#982154)
- Add sockaddr accessor functions in auparse
- In ausearch, use auparse_interpret_sock_address for text mode output
- In remote logging, inform client auditd is suspended and please disconnect
- Auditd and audisp-remote now support IPv6
- In auparse function auparse_goto_record_num, make it positioned on first field
- In auparse_normalize, finish support for MAC_STATUS and MAC_CONFIG events
- Add support for filesystem filter type (Richard Guy Briggs)
- Add file system type table for fstype lookup
- Add command line option to auditd & audispd for config dir path (Dan Born)
There is a NULL pointer dereference in this code. I've unpushed all new
packages in Fedora. I would advise holding off on upgrading until I release
audit-2.8.1. In the meantime, if anyone has spotted any other problem that
should go into 2.8.1, please let me know. I should have a new release in a
couple of hours.
-Steve
- Fix auparse serial parsing of event when system time < 9 characters (kruvin)
- In auparse, allow non-equality comparisons for uid & gid fields (#1399314)
- In auparse_normalize, add support for USER_DEVICE events
- In audispd.conf, add new plugin_dir config item to customize plugin location
- Add support for FANOTIFY event
- Improve auparse_normalize support for SECCOMP events
- In auparse_normalize, pick up comm for successful memory allocations
This is a big release with a lot of code changes all over. There's too much
to give a detailed description of, so I'll summarize the major items.
Lots of updates for the auparse_normalizer to improve support on many
events. Added new object2 api to access a second object when available.
Remote logging now supports IPv6 and other remote logging improvements. Fix
bugs in auvirt that prevented locating AVC's for the VM. Add support for
filesystem filter type. Add command line option to auditd & audispd for
config dir path. In auparse, allow non-equality comparisons for uid & gid
fields.
SHA256: b4012cbc21e34e53f26696e551d22b2dded07669207554ecb670ee082f0145a7
Please let me know if you run across any problems with this release.
-Steve