public inbox for linux-audit@redhat.com
* audit 1.7.1 released
From: Steve Grubb @ 2008-04-08 18:11 UTC
  To: Linux Audit

Hi,

I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:

- Remove LSB headers info for init scripts
- Re-fix buffer overflow in audit_log_user_command (#438840)
- Fix memory leak in EOE code in auditd (#440075)
- In auditctl, don't use new operators in legacy rule format
- Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac)
- Add example STIG rules file
- Add string table lookup performance improvement patch (Miloslav Trmac)
- auparse_find_field_next performance improvement

The overflow fix in 1.7 for audit_log_user_command was incomplete. This 
release should have it nailed. A memory leak was found on EOE records in the 
audit daemon. You only get EOE records from the 2.6.25 kernel which is not 
released. Anyone that will be running 2.6.25 should update to this release to 
avoid problems. It was also found that rules having '>=' were getting 
translated to '!=' when listed back out. The fix is to use the new (2.6.16 
and later) rule format for more cases. We should start migrating off the old 
rule format since 2.6.15 and lower kernels are not likely to be running the 
current audit package.

The release also has some improvements in performance. The lookup tables in 
libaudit and auparse were converted over to bsearch from brute force 
iterating. This improves lookups by anywhere from 5% to 5000% depending on 
the table size and element's placement in that table.  The external API has 
not changed for this. Also the auparse_find_field_next function in libauparse 
was iterating a few times more than necessary whenever a search item missed 
in the current record.

This release also contains a sample implementation of the Linux STIG rules.

Please let me know if you run across any problems with this release.

-Steve
