Hello,
I've just released a new version of the audit daemon. It can be
downloaded from
http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- In auditd, release the async flush lock on stop
- Don't allow auditd to log directly into /var/log when log_group is non-zero
- Cleanup krb5 memory leaks on error paths
- Update auditd.cron to use auditctl --signal
- In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
- In auparse, special case kernel module name interpretation
- If overflow_action is ignore, don't treat as an error
The main driver for this release is to update the kerberos code. It could
leak memory on certain error conditions. Also added in this release is
support for records with more than 36 fields. Auditing execve calls would be
the only way that it might have fell short. Now the field array is realloced
bigger on demand. And one last item is that the kernel module name was not
being interpreted correctly. Due to the field name being the same as a file
path, it was being processed like a path instead of an escaped name.
SHA256: fd9570444df1573a274ca8ba23590082298a083cfc0618138957f590e845bc78
Please let me know if you run across any problems with this release.
-Steve