audit-2.1 released

Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Update auditctl man page for new field on user filter - Fix crash in aulast when auid is foreign to the system - Code cleanups - Add store and forward model to audispd-remote (Mirek Trmac) - Free memory on failed startups in audisp-prelude - Fix memory leak in aureport - Fix parsing state problem in libauparse - Improve the robustness of libaudit field encoding functions - Update capability tables - In auditd, make failure action config checking consistent - In auditd, check that NULL is not being passed to safe_exec - In audisp-remote, overflow_action wasn't suspending if that action was chosen - Update interpretations for virt events - Improve remote logging warning and error messages - Add interpretations for netfilter events This release adds a new majot feature. The remote audit logging now has a store and forward option. This means that when the client end gets an event, its written to disk and then sent across the network. This means that if the remote server goes down, events will be queued to disk for eventual transmission to the aggregating server. This release also fixes many, many bugs. One of the most important is the memory leak in aureport. it was losing 200 bytes per event parsed. If you have logs with a million events, then the app had leaked 200 Mb of memory. This slows performance down a lot. This new version runs in about 60% of the time that 2.0.6 took. This release updates some of the interpretation tables to include the new capability introduced in the latest kernel. It adds interpretations for virtualization events and the netfilter events. Also, it was found that in the disk_err_action for auditd, it chose exec no matter what the admin had put in. This release corrects the action to be what the admin selected. Please let me know if you run across any problems with this release. -Steve