Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Rename whole auparse classifier subsystem to normalizer
- Add documentation about networking and systemd
- Adjust text in auparse normalizer
- In ausearch, fix parsing of kernel anomaly events
- Add filesystem object to the auparse normalizer
- Add basic support for formatted output in ausearch
- Add 'extra' options for csv output in ausearch
- Add event kind metadata to the auparse normalizer
- Add event kind metadata to the ausearch csv format
- Add auparse normalizer support to some anomaly events
- In libaudit logging functions, fill in hostname if we have real tty
- Add new virtualization events
- Fix compile time feature detection in auditctl
In the 2.7.x releases is a big new feature that I have not talked very much
about. Starting with this release I'll start talking about it. The audit logs
can now be normalized. This means we can do lots of new things around
analytics. So much so, that I will send a separate email discussing this new
feature. I'll also start posting to a blog to explain all the things that you
can now do. If you have the ability to compile the sources, do it and try
ausearch --start today --format text
Besides this, the release fixes a bug in parsing of kernel anomaly events for
ausearch/report and we added types for some new virtualization events.
I will try to get a 2.7.3 release out in a little under 2 weeks. This is to
get one last release off of the svn site before it goes away. Testing and
feedback around the normalizer would be greatly appreciated. As mentioned,
I'll start another thread to discuss it.
Please let me know if you run across any problems with this release.
-Steve