Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and will also be in rawhide
tomorrow. The Changelog is:
- ausearch & aureport implement uid/gid caching
- In ausearch & aureport, extract addr when hostname is unknown
- In ausearch & aureport, test audit log presence O_RDONLY
- New ausearch/aureport time keywords: recent, this-week, this-month,
this-year
- Added --add & --delete options to aureport
- Update res parsing in config change events
- Increase the size on audit daemon buffers
- Parse avc_path records in ausearch/aureport
- Rework AVC processing in ausearch/aureport
- ausearch has new output mode, raw, for extracting events
- ausearch/aureport can now read stdin
- Added long options to ausearch and aureport
- New auditd command line option, -l, to allow following symlinks for its
config file
This is a big update with several new things. The first three are performance
improvements.
The next item introduces some new keywords for time ranges. recent means 10
minutes ago, this-week means since day 0 of the week as determined by your
locale, this-month means day 1 of the current month, and this-year means 1/1
of the current year.
The next item adds two new command line options, --add and --delete, to
aureport. They separate events related to adding rules/users/groups from those
related to deleting them, which can be handy for dividing up config change
reports.
The next 4 items are bug fixes.
ausearch has a new output mode, --raw. This means that the audit log entry is
emitted with no interpretation and no changes. This is handy to extract
portions of logs for use later or as the first stage of piping commands
together. If you have a user you want to extract logs for, you can now do
this:
ausearch -ts this-week -ul 500 > user.log
The next item in the new features is that ausearch/aureport can now take
events from stdin. So, you can now do something like this:
ausearch -ts this-month -ul 500 --raw | aureport
The next item is that every commandline option in ausearch/aureport has a long
option. This means that you can do this:
ausearch --start this-week --loginuid 500 --message avc --terminal tty1
or
aureport --start this-month --failed --event
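To make the time keywords and the raw extraction stage concrete, here is a small
model of `ausearch -ts <keyword> -ul <uid> --raw` that I have added to this
announcement; it is not code from the audit package. It runs over a handful of
constructed raw audit records, treats a week as starting on Sunday (an
assumption, since the real cutoff follows your locale), and uses a fixed UTC
"now" so the results are reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed raw audit records (not from the post). Each record carries
# msg=audit(SECONDS.MILLIS:SERIAL); records sharing that id form one event.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1138000000.001:100): pid=1900 uid=0 auid=500 msg='op=login acct="alice" res=success'
type=USER_LOGIN msg=audit(1139000000.002:101): pid=1950 uid=0 auid=500 msg='op=login acct="alice" res=success'
type=AVC msg=audit(1139800000.003:102): avc:  denied  { read } for  pid=2002 comm="cat" name="shadow" tclass=file
type=SYSCALL msg=audit(1139800000.003:102): arch=40000003 syscall=5 success=no exit=-13 auid=500 uid=500 comm="cat"
type=USER_LOGIN msg=audit(1140004500.004:103): pid=2100 uid=0 auid=501 msg='op=login acct="bob" res=failed'
type=USER_END msg=audit(1140004700.005:104): pid=2101 uid=0 auid=500 msg='op=logout acct="alice" res=success'
"""
# Fixed "now" (Wednesday 2006-02-15 12:00 UTC) so the keyword windows are reproducible.
NOW = datetime(2006, 2, 15, 12, 0, tzinfo=timezone.utc)

EVENT_ID = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
AUID = re.compile(r"\bauid=(\d+)")

def window_start(keyword, now):
    """Start of the range for the new -ts keywords as described above.
    Assumption: day 0 of the week is Sunday (the real value is locale-dependent)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if keyword == "recent":
        return now - timedelta(minutes=10)
    if keyword == "this-week":
        return midnight - timedelta(days=(now.weekday() + 1) % 7)
    if keyword == "this-month":
        return midnight.replace(day=1)
    if keyword == "this-year":
        return midnight.replace(month=1, day=1)
    raise ValueError(f"unknown time keyword: {keyword}")

def ausearch_raw(log_text, loginuid, start_keyword, now):
    """Model of `ausearch -ts <keyword> -ul <uid> --raw`: emit every record of each
    event that lies in the window and has a record with auid == loginuid. Lines
    are passed through unchanged (no interpretation), so they can be piped on."""
    start = window_start(start_keyword, now)
    events = {}                      # (seconds, serial) -> raw lines, in log order
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            events.setdefault((int(m.group(1)), int(m.group(3))), []).append(line)
    out = []
    for (secs, _serial), lines in events.items():
        if datetime.fromtimestamp(secs, tz=timezone.utc) < start:
            continue
        auids = {a.group(1) for a in map(AUID.search, lines) if a}
        if str(loginuid) in auids:
            out.extend(lines)       # whole event, including records without auid
    return out
```

Note that the AVC record of event 102 carries no auid itself; it is selected because its SYSCALL sibling does, which is why --raw works on events rather than single lines.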
The final item is a command line option allowing auditd to follow symlinks to
read its config file. I guess this might be useful for people doing stateless
or live CDs where the writeable files are kept somewhere else.
If you see any issues with this release please let me know.
-Steve