Hi,
I've just released a new version of the audit daemon. It can be downloaded
from
http://people.redhat.com/sgrubb/audit
It will also be in rawhide tomorrow. The Changelog is:
- Fix interpreting of keys in syscall records
- Interpret audit rule config change list fields
- Don't error on name=(null) PATH records in ausearch/report
- Add key report to aureport
- Fix --end today to be now
- Added python bindings for auparse_goto_record_num
- Update system-config-audit to 0.4.7 (Miloslav Trmac)
- Add support for the filetype field option in auditctl
- In audispd boost priority after starting children
This release is a mix of bug fixes and new features. The bug fixes are what is
driving the release earlier than what I'd like. I was doing some testing and
found that a lot of keys were not being interpreted correctly. I think many
were coming back as (null) which looks pretty normal if you don't use the
keys. Anyways, this is fixed.
I also found that ausearch/report were not processing some events correctly
when the PATH record's name field was (null). The result of this was that the
event was being discarded in search results.
With the new interest in keys, I added a key report to aureport. This presents
a listing of what keys & quantities have been found in a given time frame.
During testing of that, I found that "--end today" was not behaving as I
expected. I really think that when you do aureport --start yesterday --end
today, you should see events from yesterday at midnight until now.
I added an interpretation for the list in audit watch add/delete events. This
will now print the list's name like exit, entry, user, etc.
This release also adds support for a new rule field in the 2.6.26 kernel. If
you wanted to audit setting the execute bit via the chmod syscall, you would
normally write a rule something like this:
-a always,exit -S chmod -F a1&0111
but the problem is that this will trigger on chmod 0755 of directories which
is pretty common if you want the directory to be searchable. So we added a
new option to let you specify what the object's type is, filetype. The new
rule would look like this:
-a always,exit -S chmod -F a1&0111 -F filetype=file
filetype can be file, dir, socket, symlink, char, block, or fifo.
And last item I wanted to comment on was the change in priority boost for
audispd. I moved the call to nice() until after the child processes were
started. This is because audispd should not have to fight with its children
for time slices at the higher priority. It has an internal queue that can be
extended by admin configurable parameters. The children are now started with
the priority inherited from auditd.
Please let me know if you run across any problems with this release.
-Steve