I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon.
The ChangeLog is:
- Make python3 support easier
- Add support for ppc64le (Tony Jones)
- Add some translations for a1 of ioctl system calls
- Add command & virtualization reports to aureport
- Update aureport config report for new events
- Add account modification summary report to aureport
- Add GRP_MGMT and GRP_CHAUTHTOK event types
- Correct aureport account change reports
- Add integrity event report to aureport
- Add config change summary report to aureport
- Adjust some syslogging level settings in audispd
- Improve parsing performance in everything
- When ausearch outputs a line, use the previously parsed values (Burn Alting)
- Improve searching and interpreting groups in events
- Fully interpret the proctitle field in auparse
- Correct libaudit and auditctl support for kernel features
- Add support for backlog_time_wait setting via auditctl
- Update syscall tables for the 3.18 kernel
- Ignore DNS failure for email validation in auditd (#1138674)
- Allow rotate as action for space_left and disk_full in auditd.conf
- Correct login summary report of aureport
- Auditctl syscalls can be comma separated list now
- Update rules for new subsystems and capabilities
This is a large set of features and bug fixes. There are new reports, updates
for new kernels, updates for a new platform, improvements to translations, and
searching speed has been improved.
One new feature is that "rotate" can be set as an action for the space_left,
admin_space_left, or disk_full states. A typical use for this is when you want
to keep as much as possible stored in the logging partition: when a threshold
is hit, auditd frees up space by rotating the logs.
Another change in this release is that syscalls can now be given as a
comma-separated list. By way of example, the old stig rules have this:
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
Now it can be:
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr
All example rules were switched over to use this new representation. The
upshot of this is that with the 2.4.1 release, you can now use
auditctl -l > audit.in-kernel
diff -u /etc/audit/audit.rules audit.in-kernel
to see the difference between what is expected to be in place and what is
actually in place. One thing to note: auditctl outputs the syscalls from the
lowest number to the highest. This means that you may occasionally need to use
ausyscall to figure out the order when switching over to this. Or, you can
just use the auditctl listing to set the order.
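Because auditctl -l reorders the syscall list, a plain diff can report a rule as changed when it is in fact loaded. The following is an added Python example (mine, not part of audit-userspace) that compares a rules file against the auditctl listing while ignoring both -S spellings and syscall order; the sample rules and the kernel ordering shown are constructed for illustration.

```python
import shlex

def parse_rule(line):
    """Split one auditctl rule into (other tokens, syscall set).
    Accepts both the old '-S a -S b' and the new '-S a,b' spelling."""
    tokens = shlex.split(line.split("#", 1)[0])
    rest, syscalls = [], set()
    i = 0
    while i < len(tokens):
        if tokens[i] == "-S" and i + 1 < len(tokens):
            syscalls.update(s for s in tokens[i + 1].split(",") if s)
            i += 2
        else:
            rest.append(tokens[i])
            i += 1
    return tuple(rest), frozenset(syscalls)

def canonical(text):
    """Set of parsed rules in a rules file, ignoring blank lines, comments
    and the order in which syscalls were listed."""
    return {parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def render(rule):
    """Print a parsed rule back in the comma-separated, sorted form."""
    rest, syscalls = rule
    return " ".join(rest) + (" -S " + ",".join(sorted(syscalls)) if syscalls else "")

def compare_rules(expected_text, loaded_text):
    """Return (missing, unexpected): rules in audit.rules that the kernel does
    not have, and loaded rules that audit.rules does not list. Other spelling
    differences (e.g. the order of -F fields) are deliberately not normalised."""
    exp, got = canonical(expected_text), canonical(loaded_text)
    return (sorted(render(r) for r in exp - got),
            sorted(render(r) for r in got - exp))

# Constructed sample of /etc/audit/audit.rules using the old -S spelling.
EXPECTED = """# constructed sample of /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -k perm_mod
-w /etc/passwd -p wa -k identity
"""
# Constructed sample of what 'auditctl -l' might print for the same rules:
# comma form, syscalls in ascending syscall-number order.
LOADED = """-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -k perm_mod
-w /etc/passwd -p wa -k identity
"""

if __name__ == "__main__":
    missing, unexpected = compare_rules(EXPECTED, LOADED)
    print("missing:", missing, "unexpected:", unexpected)
```

Pipe real files in with compare_rules(open("/etc/audit/audit.rules").read(), open("audit.in-kernel").read()) after saving the auditctl -l output as described above.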
Please let me know if you run across any problems with this release.
-Steve