Steve,
Please find a patch against 2.3.7 that, when checkpointing, ausearch
will only use the recorded event time in the checkpoint file when
deciding what complete events to display. Basically, it will display all
complete events found after the event time found in the checkpoint file.
Normally, one would use checkpointing in a periodic script that records
all 'new' audit events. Should certain errors occur, we need to recover
and continue to record 'new' audit events. This option allows us to do
a 'brute force' recovery by finding all events since the last recorded
time we have in the checkpoint file.
For example, the core of a periodic script may contain:

    # Normal run: display only events newer than the checkpoint
    ausearch --checkpoint /usr/security/auditd_checkpoint.txt -i
    _aus=$?
    # Exit codes 10, 11 and 12 signal a checkpoint problem; recover by
    # using only the recorded event time from the checkpoint file
    if test ${_aus} -eq 10 -o ${_aus} -eq 11 -o ${_aus} -eq 12
    then
        ausearch --checkpoint /usr/security/auditd_checkpoint.txt \
            --checkpoint-time-only -i
    fi
Rgds
On Wed, 2014-06-04 at 17:47 -0400, Steve Grubb wrote:
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from
http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Limit number of options in a rule in libaudit
- Auditctl cannot load rule with lots of syscalls (#1089713)
- In ausearch, fix checkpointing when inode is reused by new log (Burn Alting)
- Add PROCTITLE and FEATURE_CHANGE event types
Normally I'd wait a little longer to do a release but a couple of things made me
want to keep this one short. The PROCTITLE event is showing up on people's
systems now and we need to support it. The other big change is that people
writing rules with lots of syscalls were getting an error such that the rule
would not load. It took two fixes to get it squared away.
Please let me know if you run across any problems with this release.
Thanks,
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit