Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit . It will also be in rawhide
soon. The Changelog is:
- Bug fixes for gss code in remote logging (DJ Delorie)
- Fix ausearch -i to keep the node field in the output
- ausyscall now does strstr match on syscall names
- Makefile cleanup (Philipp Hahn)
- Add watched syscall support to audisp-prelude
- Use the right define for tcp_wrappers in auditd
- Expose encoding API for fields being logged from user space
Last time I did not provide release notes. I'll try to do that now.
Since 1.7.5, we have added GSSAPI support to authenticate and encrypt events
during transfer. There are some instructions in the man pages but I'll try to
get a HOWTO put up on the main audit project page at some point. There is
tcp_wrappers support for remote logging protection. You will need to put an
entry in the server's /etc/hosts.allow file stating which host or subnet is
allowed to connect. These are enabled by adding 2 options to the configure
command, --with-libwrap --enable-gssapi-krb5. Connect/disconnect events are
now audited in the server so that there are records of times & ip addresses
for connections.
Another thanks to the people at Fujitsu for sending several patches that went
into 1.7.6. The syscall tables have been updated for the latest pre-release
kernel, 2.6.27.
A new function was added to auparse that allows you to query information about
the data type that is being held in the value portion of the record's fields.
Notably, this allows you to know that you have a field that is escaped and
needs to be interpreted to see something meaningful.
New in 1.7.7...
There are 3 new functions in libaudit for logging a field that may need
encoding to prevent spaces or control characters from causing parsing
problems. If you have a field that you know has the potential to be
untrusted, user manipulated, or containing control characters or space, there
is now a convenience function, audit_encode_nv_string. This function takes
the name, value, and value length in bytes as the parameters and passes back
a freshly malloc'ed memory buffer containing the formatted field. Another
function was added to allow testing as to whether or not a field needs
encoding, audit_value_needs_encoding. It takes the value and value length in
bytes and replies with 1 or 0 depending on if it needs encoding or not. The
last new function audit_encode_value performs a value encoding given a value
and value length in bytes. The programmer is responsible for passing it a
buffer that is 2 times the size of the value in bytes + 1. These last 2 are
for people that need to take control over encoding but audit_encode_nv_string
should be the main API people use.
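To make the contract of those three functions concrete, here is an added
example (not part of the original announcement and not libaudit's source)
that implements the same three operations under hypothetical ex_ names, so
it builds without libaudit; the check for what counts as "needs encoding"
is an assumption based on what would break key="value" parsing.

```c
/* Added example, not libaudit source: a stand-in for the three 1.7.7 functions
 * described above, written to the contract the announcement gives; the ex_
 * prefix is an assumption so the names do not collide with <libaudit.h>. */
#include <stdlib.h>
#include <string.h>

/* Returns 1 if the value must be encoded: quotes, spaces, control characters
 * or non-ASCII bytes would break key="value" parsing (e.g. in ausearch -i). */
int ex_value_needs_encoding(const char *str, unsigned int len)
{
    for (unsigned int i = 0; i < len; i++) {
        unsigned char c = (unsigned char)str[i];
        if (c == '"' || c < 0x21 || c > 0x7E)
            return 1;
    }
    return 0;
}

/* Hex-encodes size bytes of buf into final; the caller supplies a buffer of
 * at least 2 * size + 1 bytes, as the announcement requires. */
char *ex_encode_value(char *final, const char *buf, unsigned int size)
{
    static const char hex[] = "0123456789ABCDEF";
    for (unsigned int i = 0; i < size; i++) {
        unsigned char c = (unsigned char)buf[i];
        final[2 * i] = hex[c >> 4];
        final[2 * i + 1] = hex[c & 0x0F];
    }
    final[2 * size] = '\0';
    return final;
}

/* Builds a malloc'ed name=value field: the value is quoted when it is safe
 * and hex-encoded otherwise. The caller frees the result. */
char *ex_encode_nv_string(const char *name, const char *value, unsigned int vlen)
{
    size_t nlen = strlen(name);
    char *out = malloc(nlen + 2 * vlen + 4); /* large enough for either form */
    if (!out)
        return NULL;
    memcpy(out, name, nlen);
    out[nlen] = '=';
    if (ex_value_needs_encoding(value, vlen)) {
        ex_encode_value(out + nlen + 1, value, vlen);
    } else {
        out[nlen + 1] = '"';
        memcpy(out + nlen + 2, value, vlen);
        out[nlen + 2 + vlen] = '"';
        out[nlen + 3 + vlen] = '\0';
    }
    return out;
}
```

A value such as "bob smith" comes out as acct=626F6220736D697468, so the
embedded space can no longer split the field when the record is parsed.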
There was a bug in 1.7.6 wrt tcp_wrappers where the define had a typo in it.
This means that 1.7.6 does not actually use tcp_wrappers.
There were a couple of bugs in remote logging for 64 bit platforms. These are
now cleaned up.
The ausyscall program now does substring matches by default and exact string
matching by command line option. This was added after observing yet another
dup syscall and another pipe syscall being added to the 2.6.27 kernel. You
can now do ausyscall x86_64 dup and get all 3 syscall names and numbers.
The prelude plugin now has a 4th type of watched audit event based on keys,
sys. This came about after observing that many security targets need some
rule that is syscall based and there was no good way to say what the event is
based on the other 3 types.
Please let me know if you run across any problems with this release.
-Steve