Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon.
The Changelog is:
- Fix ausearch and aureport to handle out of order events
- Add line-buffer option to ausearch & timeout pipe input (Tony Jones)
- Add support in ausearch/report for tty data
- Add interpretations for epoll_ctl, lseek, and sigaction to libauparse
- In audisp-remote, allow the keyword "any" for local_port
- Man page updates
- Don't consider 0x7F to be a printable character
- Tighten parsing for -m and -w options in auditctl
- Add session query hint for aulast proof
- Fix audisp-remote to tolerate krb5 config options when not supported
- Created new aureport option for tty keystroke report
- audispd should detect backup config files and not use them
- When checking for ack in netlink interface, retry on EAGAIN a few times
- Trim a trailing whitespace from audit event written to disk
- In aureport, fix mods report to show acct acted upon
This release finally fixes the longstanding problem of grouping interlaced
audit records correctly for ausearch and aureport. Auparse still has the
problem. It turns out that the kernel does not serialize audit event records
that go together. Records from two unrelated events can be intermingled.
Previously, ausearch/report just used a change in timestamp + serial number
to distinguish the end of an event. In the process of fixing this problem, I
discovered a way to make ausearch/report run faster. My testing shows about a
25% performance improvement...but your usage may have different results.
Ausearch is now smarter about taking input from a pipe thanks to a patch from
Tony Jones. You can now do "tail -f /var/log/audit/audit.log | ausearch -i"
and it should output events based on wall clock timeout or event completion
rather than when it sees an event complete.
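To illustrate the record-interleaving problem and the completion-based output described above, here is an added example (my own Python, not code from the audit project) that contrasts the old "timestamp+serial changed" heuristic with grouping each record by its audit(ts:serial) key and closing an event on its EOE record; the log lines are constructed, and the EOE marker is assumed to be present on every event, which is not true of single-record events such as logins.

```python
import re
from collections import OrderedDict

# Every audit record carries its event key as msg=audit(<seconds>.<ms>:<serial>)
KEY_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def naive_group(lines):
    """Old approach: a change in timestamp+serial marks the end of an event.
    Interleaved records from two events therefore get split into fragments."""
    events, current_key, current = [], None, []
    for line in lines:
        key = KEY_RE.search(line).groups()
        if key != current_key and current:
            events.append((current_key, current))
            current = []
        current_key = key
        current.append(line)
    if current:
        events.append((current_key, current))
    return events

def group_interlaced(lines):
    """Group records by their audit(ts:serial) key, so unrelated events whose
    records are intermingled are still reassembled. An event is closed only by
    its EOE record (assumed present), never by a key change.
    Returns (completed_events, still_open_events)."""
    open_events, completed = OrderedDict(), []
    for line in lines:
        m = KEY_RE.search(line)
        if not m:
            continue  # not an audit record (e.g. a blank line from a pipe)
        key = m.groups()
        open_events.setdefault(key, []).append(line)
        if line.startswith("type=EOE "):
            completed.append((key, open_events.pop(key)))
    return completed, open_events

# Constructed sample: records of serial 100 and serial 101 written interleaved
SAMPLE = [
    'type=SYSCALL msg=audit(1234567890.123:100): arch=c000003e syscall=2 success=yes exit=3',
    'type=SYSCALL msg=audit(1234567890.124:101): arch=c000003e syscall=59 success=yes exit=0',
    'type=CWD msg=audit(1234567890.123:100): cwd="/home/alice"',
    'type=EXECVE msg=audit(1234567890.124:101): argc=2 a0="ls" a1="-l"',
    'type=PATH msg=audit(1234567890.123:100): item=0 name="/etc/passwd"',
    'type=CWD msg=audit(1234567890.124:101): cwd="/tmp"',
    'type=EOE msg=audit(1234567890.123:100): ',
    'type=EOE msg=audit(1234567890.124:101): ',
]
```

Run on SAMPLE, naive_group returns eight one-record fragments, while group_interlaced returns the two complete events with nothing left pending.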
Perhaps the biggest improvement in this release is TTY auditing is now fully
integrated. Ausearch can interpret TTY data fields. Aureport now has a --tty
option to see TTY data as a report.
The aulast program can now tell you the ausearch command to retrieve audit
events for a specific session when you give it the --proof option.
In aureport, the account modification report was not showing the actual
account that was modified. It now does.
And lastly, I found that all audit events written to disk had a trailing space
character at the end of each record. That is now removed so that each record
is 1 byte shorter to save disk space.
Please let me know if you run across any problems with this release.
-Steve