Hello,
I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:
- Remove config file permission checks in auparse
- Audisp-remote should detect normal socket close and mark remote_ended
- Allow auditctl to list rules if no capabilities but root euid
- In libaudit, use the last word of the syscall bit mask
- In auditd, write_logs option was not correctly handled (#1382397)
- In libaudit, allow filtering on new exclude filter fields (Richard Guy Briggs)
- In auditd, fix looping when checking active connections
- In auparse, the auparse_state_t pointer to keep escape_mode information
- In libaudit, add support for rules using sessionid (Richard Guy Briggs)
- Remove entry filter support
- Add auparse_destroy_ext function
- Improve ENRICHED logging format performance in auditd
- Fix regex rule file matching in augenrules (#1396792)
- Add numeric field/record accessors to auparse
- Fix auditd freeing in middle of reply buffer when nolog is used
- Switch auparse uid/gid cache to lru to limit growth
- Prevent ausearch from clobbering type field on loginuid search
- Add audit_get_session function to libaudit
- Add session and uid to most audit events
- Add auparse_classify code interface for subj, obj, action, results
The main goal of this update is to land the auparse_classify interface to
auparse. This will unlock many new capabilities in subsequent releases of the
2.7 series. If you are a programmer and do stuff with R or machine learning,
let me know. This is aimed squarely at transforming data into knowledge.
Aside from that, this release fixes remote logging and logging with the nolog and
write_logs = no options, and it allows audit rules on the new exclude filter fields
and rules that use sessionid.
The entry filter support has been dropped. It was deprecated a couple years
ago. There are performance enhancements and correctness fixes.
Please let me know if you run across any problems with this release.
-Steve