Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:
- Update system-config-audit to 0.4.8 (Miloslav Trmac)
- Don't free const fcntl strings in auparse (Miloslav Trmac)
- Fix priority_boost_parse and freq_parse functions INT_MAX compares (Chu Li)
- Fix parsing in ausearch user records for acct field (Peng Haitao)
- Allow only 1 add or delete operation per auditctl rule (Yu Zhiguo)
- Delay freeing file path in auditd-config.c and audispd-pconfig.c (wangf)
- Update IDMEF node classifications
- Apply cleanup of auditctl.c main(). (Yu Zhiguo)
- Fix parsing of exec options to some auditd actions (Chu Li)
- Correct permission test on dispatcher and exe name (Chu Li)
- Disallow using exit field on the entry filter (Zhang Xiliang)
- Correct the calculation of nlmsg_len (Yu Zhiguo)
- Fix parsing of CONFIG_CHANGE events so that search on keys work (Peng Haitao)
- Fix parsing of filter,action in auditctl
- Fix format string of audit status in auditctl (Yu Zhiguo)
- Better checking of field & filter combinations (Zhang Xiliang)
- Call prelude_deinit when shutting down prelude plugin
- Make sure value is given after the operator in auditctl rules (Zhang Xiliang)
- Error when rule require numeric value and one is not given (Zhang Xiliang)
- Remove unnecessary base name code (Chu Li)
- Cleanup checking of field name & operator (Zhang Xiliang)
- Add audit_number_to_errmsg() function for error strings (Zhang Xiliang)
- Reimplement auditd main loop using libev (DJ Delorie)
- Update unknown uid/gid messages in audit rule parsing (Cai Xianchao)
- Don't allow negative uid/gid in auditctl rules (Cai Xianchao)
- Add TCP listener and managed remote protocol features (DJ Delorie)
- Allow config_change audit records with no auid to parse in ausearch/report
- Attempt to solve scheduler issue where queues overflow
- Strip the newline off events converted to string in audispd
This is a huge changelog and is probably one of the more significant code
cleanups in a very long time. Thanks to the Fujitsu people for submitting all
the patches!
The other significant item in this release is the receive code for the remote
audit logging. See this email thread for details:
https://www.redhat.com/archives/linux-audit/2008-August/msg00118.html
I will probably follow this release up with another release in about 2-3 weeks
that finishes the remote logging and updates the syscall tables for the
2.6.27 kernel.
Please let me know if you run across any problems with this release.
-Steve