From: Steve Grubb
Subject: audit 2.5.2 released
Date: Fri, 29 Apr 2016 12:57:32 -0400
Message-ID: <1654494.Du9XCcDB0l@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon.

The ChangeLog is:
- Fix memory leak caused by unneeded reference in auparse python bindings
- Revise function hiding technique to better protect audit ABI
- Interpret old-auid, exit syscall parameters
- Create local_events config option to auditd
- Create write_logs option for auditd and deprecate NOLOG log_format option

This release is mostly to get an updated auparse library in circulation that does not have the memory leak in the get_timestamp function. Offhand I don't know of any problems besides the one bug report. The bug has been there for about 8 years with no other reports so it might not affect much. But, I'd rather be safe than sorry.

The other thing that people should be aware of is 2 new auditd configuration options. In the last release there was an unannounced command line config option to auditd, -a. This enabled an aggregate only mode. I decided long term it might be better as an auditd.conf option. It's now the local_events option. The default is "yes". If it's set to "no", then it only logs daemon and network originating events. This allows the audit daemon to be put into a container for the sole purpose of aggregating events from other systems.

The other new auditd.conf config option is write_logs. In working on the audit event enrichment option, I found that we need to decouple an overused idiom in the log_format option. There was a NOLOG option there that decides if we want to write events to disk. But it turns out that we might not want to write events to disk but we do want to enrich events for the plugins or remote logging. That presents a conflict where we need to separate them. If you currently have log_format = NOLOG, then you should now set write_logs = no. You can then put log_format = raw and it won't do any harm. For the time being, a NOLOG log_format setting will override write_logs to "no" so that it's backwards compatible.

Please let me know if you run across any problems with this release.

-Steve
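As an added example (not part of Steve's announcement or of the audit project itself), here is a small POSIX shell helper that applies the migration described above to an auditd.conf: a deprecated "log_format = NOLOG" line becomes "log_format = raw" plus "write_logs = no", and the same helper can set "local_events = no" for an aggregation-only daemon. It assumes the usual "key = value" line layout of auditd.conf; the function names and the sample config are constructed for the example.

```shell
#!/bin/sh
# Added example: migrate the deprecated NOLOG idiom to the audit 2.5.2 options.
# Assumption: auditd.conf lines look like "key = value"; comments start with "#".

# set_conf_key FILE KEY VALUE: replace the KEY line if present, else append it.
set_conf_key() {
    f="$1"; k="$2"; v="$3"
    if grep -Eq "^[[:space:]]*$k[[:space:]]*=" "$f"; then
        sed -E "s/^([[:space:]]*$k[[:space:]]*=[[:space:]]*).*$/\1$v/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s = %s\n' "$k" "$v" >> "$f"
    fi
}

# get_conf_key FILE KEY: print the value of KEY (last occurrence wins, empty if unset).
get_conf_key() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]]*).*$/\1/p" "$1" | tail -n 1
}

# uses_nolog FILE: succeeds if the file still relies on log_format = NOLOG.
uses_nolog() {
    v=$(get_conf_key "$1" log_format | tr '[:upper:]' '[:lower:]')
    [ "$v" = "nolog" ]
}

# migrate_nolog FILE: in place, turn NOLOG into write_logs = no and log_format = raw.
# Files that do not use NOLOG are left untouched.
migrate_nolog() {
    if uses_nolog "$1"; then
        set_conf_key "$1" log_format raw
        set_conf_key "$1" write_logs no
    fi
}

# Demo on a constructed sample config (not a real system file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample auditd.conf
log_file = /var/log/audit/audit.log
log_format = NOLOG
flush = INCREMENTAL_ASYNC
EOF
migrate_nolog "$demo"
set_conf_key "$demo" local_events no   # aggregation-only daemon
printf 'Migrated config:\n'
cat "$demo"
rm -f "$demo"
```

Run it once against a copy of the real file before touching /etc/audit/auditd.conf; the helper rewrites only the three keys named above and leaves every other line, including comments, as it found them.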