audit 1.7.6 released

audit 1.7.6 released

[Steve Grubb]

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
tomorrow. The Changelog is:

- Update event record list and aureport classifications (Yu Zhiguo/Peng 
Haitao)
- Add subject to audit daemon events (Chu Li)
- Fix parsing of acct & exe fields in user records (Peng Haitao)
- Make client error handling in audisp-remote robust (DJ Delorie)
- Do not list syscalls for rules on the exclude filter (Yu Zhiguo)
- Add tcp_wrappers support for auditd
- Updated syscall tables for 2.6.27 kernel
- Add heartbeat exchange to remote logging protocol (DJ Delorie)
- Apply man page update (Philipp Hahn)
- Audit connect/disconnect of remote clients
- In ausearch, collect pid from AVC records (Peng Haitao)
- Add auparse_get_field_type function to describe field's contents
- Add GSS/Kerberos encryption to the remote protocol (DJ Delorie)


Please let me know if you run across any problems with this release.

-Steve

Re: audit 1.7.6 released

[Steve Grubb]

On Thursday 11 September 2008 19:39:27 Steve Grubb wrote:
> I've just released a new version of the audit daemon.

There will be a 1.7.7 release early next week. It will include the GSSAPI 
patch sent yesterday and a fix to a tcp_wrappers problem reported today. Code 
review of GSSAPI support shows that we may need to make a couple more changes 
to it before people start widely deploying it. This should all be taken care 
of in 1.7.7 which I am hoping to be able to release soon.

Thanks,
-Steve

/sbin/auditd and GSS (was: audit 1.7.6 released)

[Tony Jones]

On Sat, Sep 13, 2008 at 02:32:54PM -0400, Steve Grubb wrote:
> On Thursday 11 September 2008 19:39:27 Steve Grubb wrote:
> > I've just released a new version of the audit daemon.
> 
> There will be a 1.7.7 release early next week. It will include the GSSAPI 
> patch sent yesterday and a fix to a tcp_wrappers problem reported today. Code 
> review of GSSAPI support shows that we may need to make a couple more changes 
> to it before people start widely deploying it. This should all be taken care 
> of in 1.7.7 which I am hoping to be able to release soon.

When I try to build here at SuSE our buildsystem flags the following:

binary /sbin/auditd is linked against libraries in /usr or /opt
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7f65000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7d75000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7d50000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7d43000)

You mentioned (on IRC) rsyslog being another /sbin executable which made use
of GSS but (at least for the package I had access to) the GSS dependancies are 
isolated to the rsyslog-module-gssapi module.   Modules are loaded by rsyslog
based on configuration file using dlopen().

Clearly this is a bit smoke-n-mirror ish but the direct ldd depenancy between 
auditd and GSS is kinda problematic. I assume GSS resides in /usr/lib for
Fedora/RHEL too?  Clearly one don't have to configure GSS support in.

Appreciate any comments.

Tony