Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:
- Put RefuseManualStop in the right systemd section (#969345)
- Add legacy restart scripts for systemd support
- Add more syscall argument interpretations
- Add 'unset' keyword for uid & gid values in auditctl
- In ausearch, parse obj in IPC records
- In ausearch, parse subj in DAEMON_ROTATE records
- Fix interpretation of MQ_OPEN and MQ_NOTIFY events
- In auditd, restart dispatcher on SIGHUP if it had previously exited
- In audispd, exit when no active plugins are detected on reconfigure
- In audispd, clear signal mask set by libev so that SIGHUP works again
- In audispd, track binary plugins and restart if binary was updated
- In audispd, make sure we send signals to the correct process
- In auditd, clear signal mask when spawning any child process
- In audispd, make builtin plugins respond to SIGHUP
- In auparse, interpret mode flags of open syscall if O_CREAT is passed
- In audisp-remote, don't make address lookup always a permanent failure
- In audisp-remote, remove EOE events more efficiently
- In auditd, log the reason when email account is not valid
- In audisp-remote, change default remote_ending action to reconnect
- Add support for Aarch64 processors
This release's main focus was some maintenance of the audispd program. It was
found to not be working as intended due to some changes to signal masks in
auditd a couple years ago.
Also in auditctl, you can now use 'unset' to mean a user id of 4294967295 or
-1. This should look nicer as:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
can now be:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F auid!=unset -k access
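As an added example (not from the mail above or from the audit project's code), the script below rewrites legacy id values in auditctl rule lines to the new 'unset' keyword and checks that two rules are equivalent apart from that spelling. It assumes the set of uid/gid field names and the rule strings are constructed for the example; the kernel's unset id is derived as (uid_t)-1.

```python
import ctypes
import shlex

# uid/gid fields that auditctl compares as 32-bit unsigned ids
# (set constructed for this example, not read from auditctl itself)
ID_FIELDS = {"auid", "uid", "euid", "suid", "fsuid", "obj_uid",
             "gid", "egid", "sgid", "fsgid", "obj_gid"}
# Longest operators first so "!=" is not mistaken for "="
OPS = ("!=", ">=", "<=", "=", ">", "<")

# An unset login uid is stored as (uid_t)-1, i.e. 2**32 - 1
UNSET_ID = ctypes.c_uint32(-1).value   # 4294967295


def split_field(expr):
    """Split 'auid!=unset' into ('auid', '!=', 'unset'); None if no operator."""
    for op in OPS:
        name, sep, value = expr.partition(op)
        if sep and name:
            return name, op, value
    return None


def normalize_rule(rule):
    """Rewrite -1 / 4294967295 in -F <idfield><op><value> to 'unset'.

    Non-id fields (exit, arch, ...), syscalls and keys pass through
    unchanged; 'auid>=500' alone would still match the unset id, which
    is why rules carry the extra 'auid!=unset' test.
    """
    tokens = shlex.split(rule)
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        out.append(tok)
        if tok == "-F" and i + 1 < len(tokens):
            parsed = split_field(tokens[i + 1])
            if parsed and parsed[0] in ID_FIELDS and parsed[2] in ("-1", str(UNSET_ID)):
                out.append(f"{parsed[0]}{parsed[1]}unset")
            else:
                out.append(tokens[i + 1])
            i += 1
        i += 1
    return " ".join(out)


def rules_equivalent(a, b):
    """True when two rules differ only in how they spell an unset id."""
    return normalize_rule(a) == normalize_rule(b)
```

Running a rules file through normalize_rule line by line gives the 'unset' form for every legacy id comparison while leaving other -F fields untouched.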
Some work was done in audisp-remote so that getaddrinfo failures are not
permanent failures. Sometimes DNS lookup fails for various reasons. This makes
it more forgiving. Also, the way that EOE (End of Event) records are stripped
out was improved so that it should be more efficient time-wise.
It was found that ausearch couldn't match a couple of fields in IPC and DAEMON_ROTATE
events. These were fixed. And lastly, initial support was created for 64-bit
ARM processors.
Please let me know if you run across any problems with this release.
-Steve