From: Steve Grubb
Subject: audit 2.7.6 released
Date: Wed, 19 Apr 2017 10:04:08 -0400
Message-ID: <1756667.82hqzCpAl9@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:

- In auparse_normalize, assign user-login as the event kind for AUDIT_LOGIN
- In auparse_normalize, move GRP_AUTH to its own event kind, group-change
- In auparse_normalize, assign obj_kind values for some group events
- In auparse_normalize, assign obj_kind values to some MAC events
- In auparse_normalize, try harder to find object for CONFIG_CHANGE events
- In auparse_normalize, correct the primary subject field for USER_LOGIN events
- In auparse_normalize, correct the primary object field for USER_LOGIN events
- Make string lookup tables more robust against bad input
- In auparse, make printing lists more robust against bad input
- In auparse, make unescaping more robust against bad input
- Make ausearch/report a little more robust to bad input
- Fix a memory leak in auparse when extracting a buggy date
- In ausearch --format mode, load interpretations for enriched events
- In auparse, load interpretations for feed events
- In audisp-remote, check for stop if stdin is a pipe (#1443107)

This release continues adjusting the normalizer mappings. I also spent some time fuzzing the logs and making the utilities more robust.
This in theory should never be a problem because the logs are supposed to be well formed from the beginning. But just in case... it's better now.

I did find a problem where events that were coming in through the feed API of auparse were not getting the enriched event information loaded. That is now fixed. And we had a report of the audisp-remote plugin getting into an infinite loop if the remote server filled its disk and the remote plugin was supposed to stop on disk full.

SHA256: fa65289cffdc95a25bfbdba541f43ee1b12c707090a38fd027dcf9354b9014e7

Please let me know if you run across any problems with this release.

-Steve