From: Steve Grubb
Subject: audit 1.7.3 released
Date: Fri, 9 May 2008 16:13:15 -0400
Message-ID: <200805091613.15759.sgrubb@redhat.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

Hi,

I've just released a new version of the audit daemon. It can be downloaded from:

http://people.redhat.com/sgrubb/audit

It will also be in rawhide soon. The Changelog is:

- Fix path processing in AVC records.
- auparse_find_field_next() wasn't resetting field ptr going to next record.
- auparse_find_field() wasn't checking current field before iterating.
- Cleanup some string handling in audisp-prelude plugin.
- Update auditctl man page.
- Fix output of keys in ausearch interpreted mode.
- Fix ausearch/report --start now to not be reset to midnight.
- Added auparse_goto_record_num function.
- Prelude plugin now uses auparse_goto_record_num to avoid skipping a record.
- audispd now has a priority boost config option.
- Look for laddr in avcs reported via prelude.
- Detect page 0 mmaps and alert via prelude.

This is mostly a bug fix release. The prelude work has been showing a few problems in libauparse. They are cleaned up now. The string handling in the prelude plugin was not as robust as it could have been. That's now working better.

The auparse library got a new function. You can now seek to a specific record in addition to just iterating to them. This was needed because the analysis part of the prelude plugin could sometimes cause part of an event to not be examined for a particular problem.

It also turns out that we are starting to have some issues where the audit event dispatcher is not getting enough time slices to handle all the events that it needs to. The solution was to add another config option where it can get a priority boost above the audit daemon's so that it can keep things empty. The default boost for the audit daemon was increased also.

I also added detection of page 0 mmaps via SE Linux AVCs to the prelude plugin.

Please let me know if you run across any problems with this release.

-Steve
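As an added illustration (not code from the audit project or from the message above), the following Python sketch mirrors two points in the announcement: grouping audit records into events by their audit(time:serial) stamp and seeking directly to a record number, which is the role auparse_goto_record_num plays in libauparse, and flagging AVC records that report a page 0 mapping. The log lines are constructed for the example. The SELinux permission name mmap_zero in class memprotect is the kernel's name for that check and is not mentioned in the announcement; every class, function and field name below is illustrative and is not the libauparse API.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (not from the announcement): two events, the
# second a two-record event whose AVC record reports a denied page 0 mapping.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1210363995.123:201): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="file-read"
type=PATH msg=audit(1210363995.123:201): item=0 name="/etc/hosts" inode=1234 mode=0100644
type=SYSCALL msg=audit(1210363996.456:202): arch=c000003e syscall=9 success=no exit=-13 comm="wine" exe="/usr/bin/wine" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1210363996.456:202): avc:  denied  { mmap_zero } for  pid=2345 comm="wine" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=memprotect
"""

_HEADER = re.compile(r"^type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value pairs, quoted or bare
_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")    # the { perm ... } list of an AVC record
_DECISION = re.compile(r"avc:\s+(denied|granted)")


@dataclass
class AuditRecord:
    rtype: str          # record type, e.g. SYSCALL, PATH, AVC
    fields: dict        # raw key=value fields as they appear in the record
    perms: list         # permissions named in an AVC record's braces, else []
    decision: str       # "denied" / "granted" for AVC records, else ""


@dataclass
class AuditEvent:
    serial: int
    timestamp: str
    records: list = field(default_factory=list)
    cursor: int = 0     # index of the record the event is positioned on

    def goto_record_num(self, n):
        """Seek directly to record n (illustrative stand-in for auparse_goto_record_num)."""
        if n < 0 or n >= len(self.records):
            return False
        self.cursor = n
        return True

    def find_field(self, name):
        """Value of a field in the current record, with surrounding quotes removed."""
        value = self.records[self.cursor].fields.get(name)
        return value.strip('"') if value is not None else None


def parse_audit_log(text):
    """Group raw audit lines into events keyed by serial, preserving record order."""
    events = {}
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (blank line or unrelated text)
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial), AuditEvent(int(serial), ts))
        fields = dict(_KV.findall(body))
        pm = _PERMS.search(body)
        dm = _DECISION.search(body)
        ev.records.append(AuditRecord(rtype, fields, pm.group(1).split() if pm else [],
                                      dm.group(1) if dm else ""))
    return list(events.values())


def find_page0_mmaps(events):
    """Flag events whose AVC record names the mmap_zero check on class memprotect.

    Both denied and granted decisions are reported: a granted mmap_zero still
    means a process mapped page 0, which is what the detector is looking for.
    """
    alerts = []
    for ev in events:
        for idx, rec in enumerate(ev.records):
            if rec.rtype != "AVC" or "mmap_zero" not in rec.perms:
                continue
            if rec.fields.get("tclass") != "memprotect":
                continue
            # Seek to the AVC record for pid/comm, then to the SYSCALL record for
            # the executable path, instead of relying on iteration order.
            ev.goto_record_num(idx)
            alert = {"serial": ev.serial, "decision": rec.decision,
                     "pid": ev.find_field("pid"), "comm": ev.find_field("comm"), "exe": None}
            for j, other in enumerate(ev.records):
                if other.rtype == "SYSCALL" and ev.goto_record_num(j):
                    alert["exe"] = ev.find_field("exe")
                    break
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in find_page0_mmaps(parse_audit_log(SAMPLE_LOG)):
        print("page 0 mmap {decision}: serial={serial} pid={pid} comm={comm} exe={exe}".format(**a))
```

The seek step is what avoids the skipped-record problem the announcement describes: once the detector has positioned itself on the AVC record, it can jump to the SYSCALL record of the same event by number and back without depending on a single forward pass having visited every record.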