From: Steve Grubb
Subject: audit 2.7.2 released
Date: Mon, 13 Feb 2017 10:32:18 -0500
Message-ID: <1996093.VO5rSWzXSG@x2>
To: Linux Audit
List-Id: linux-audit@redhat.com

Hello,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon.

The ChangeLog is:
- Rename whole auparse classifier subsystem to normalizer
- Add documentation about networking and systemd
- Adjust text in auparse normalizer
- In ausearch, fix parsing of kernel anomaly events
- Add filesystem object to the auparse normalizer
- Add basic support for formatted output in ausearch
- Add 'extra' options for csv output in ausearch
- Add event kind metadata to the auparse normalizer
- Add event kind metadata to the ausearch csv format
- Add auparse normalizer support to some anomaly events
- In libaudit logging functions, fill in hostname if we have real tty
- Add new virtualization events
- Fix compile time feature detection in auditctl

In the 2.7.x releases is a big new feature that I have not talked very much about. Starting with this release I'll start talking about it. The audit logs can now be normalized. This means we can do lots of new things around analytics. So much so, that I will send a separate email discussing this new feature. I'll also start posting to a blog to explain all the things that you can now do.
If you have the ability to compile the sources, do it and try

  ausearch --start today --format text

Besides this, the release fixes a bug in parsing of kernel anomaly events for ausearch/report and we added types for some new virtualization events.

I will try to get a 2.7.3 release out in a little under 2 weeks. This is to get one last release off of the svn site before it goes away.

Testing and feedback around the normalizer would be greatly appreciated. As mentioned, I'll start another thread to discuss it.

Please let me know if you run across any problems with this release.

-Steve