Hello,
I've just released a new version of the audit daemon. It can be downloaded
from
http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Auditd support for enriched data: uid/gid, saddr splitting, arch, syscall
- Make all libraries and utilities support and use enriched events
- Define dispatcher protocol to version 2
- Standardize all saddr interpretations in auparse
- Fix another DST bug in ausearch time conversion (#1334772)
- In autrace, if rule count loop times out don't assume 0 rules (#1344268)
- In auditd, check space left a little more often (#1345854)
This release of the audit package contains among other things a major new
piece of functionality. The audit daemon can now enrich events with
interpretation information at the time that the event is logged. This means
that if a user account is deleted, the uid can still be resolved to what it
was at the time of the event.
In terms of central log aggregation, this means that aggregated logs can have
the uid mapping of the remote machine for interpretations. To enable this
functionality, you would want to edit the log_format setting in auditd.conf
and set it to ENRICHED. Restart the audit daemon and that's all there is to
it.
When the enriched logging format is active, the event is completely formatted
in the audit daemon and passed to audispd. This means that you do not need to
also set name_format in audispd.conf if you set it in auditd.conf.
If you write audispd plugins that want format set to binary, then you need to
be aware that enriched events are set with version set to AUDISP_PROTOCOL_VER2
to signify that the raw event is different and you might need to change what
you are doing. If the plugin uses string, then feed the event to auparse like
always and auparse will know what to do with it.
There is a change in interpretation for sockaddr fields. Now all the
information about the source and destination are available.
There were three bug fixes.
Please let me know if you run across any problems with this release.
-Steve