From: Steve Grubb
Subject: audit 1.7.4 released
Date: Mon, 19 May 2008 14:50:05 -0400
Message-ID: <200805191450.06153.sgrubb@redhat.com>
To: Linux Audit
List-Id: linux-audit@redhat.com

Hi,

I've just released a new version of the audit daemon. It can be downloaded from

http://people.redhat.com/sgrubb/audit

It will also be in rawhide tomorrow.

The Changelog is:

- Fix interpreting of keys in syscall records
- Interpret audit rule config change list fields
- Don't error on name=(null) PATH records in ausearch/report
- Add key report to aureport
- Fix --end today to be now
- Added python bindings for auparse_goto_record_num
- Update system-config-audit to 0.4.7 (Miloslav Trmac)
- Add support for the filetype field option in auditctl
- In audispd boost priority after starting children

This release is a mix of bug fixes and new features. The bug fixes are what is driving the release earlier than I'd like. I was doing some testing and found that a lot of keys were not being interpreted correctly. I think many were coming back as (null), which looks pretty normal if you don't use the keys. Anyways, this is fixed. I also found that ausearch/report were not processing some events correctly when the PATH record's name field was (null). The result of this was that the event was being discarded in search results.

With the new interest in keys, I added a key report to aureport. This presents a listing of what keys and quantities have been found in a given time frame. During testing of that, I found that "--end today" was not behaving as I expected. I really think that when you do

aureport --start yesterday --end today

you should see events from yesterday at midnight until now.

I added an interpretation for the list in audit watch add/delete events. This will now print the list's name, like exit, entry, user, etc.

This release also adds support for a new rule field in the 2.6.26 kernel. If you wanted to audit setting the execute bit via the chmod syscall, you would normally write a rule something like this:

-a always,exit -S chmod -F a1&0111

but the problem is that this will trigger on chmod 0755 of directories, which is pretty common if you want the directory to be searchable. So we added a new option to let you specify what the object's type is, filetype. The new rule would look like this:

-a always,exit -S chmod -F a1&0111 -F filetype=file

filetype can be file, dir, socket, symlink, char, block, or fifo.

And the last item I wanted to comment on was the change in priority boost for audispd. I moved the call to nice() until after the child processes were started. This is because audispd should not have to fight with its children for time slices at the higher priority. It has an internal queue that can be extended by admin configurable parameters. The children are now started with the priority inherited from auditd.

Please let me know if you run across any problems with this release.

-Steve
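The audispd change above rests on one scheduling fact: a child's nice value is copied from its parent at fork() time, so calling nice() after the plugins are started leaves them at the priority auditd gave the dispatcher, while calling it before hands the boosted value down to every child. The program below is an added illustration of that fact and is not audispd's code; it stands in a "dispatcher" for audispd and a pipe-connected child for a plugin. It assumes Linux (nice values in [-20, 19], saturating) and uses a positive delta, since lowering priority needs no privilege; inheritance behaves the same way for audispd's negative, priority-boosting call. Each experiment runs in its own throw-away subprocess so the caller's own nice value is never changed. All names (nice_probe, run_probe, dispatcher) are this example's own.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

struct nice_probe {        /* what one experiment observed */
    int parent_before;     /* dispatcher's nice value before re-nicing itself */
    int child_nice;        /* nice value the child saw right after fork() */
    int parent_after;      /* dispatcher's nice value after nice(delta) */
};

static int current_nice(void)
{
    errno = 0;             /* -1 is a legal nice value; errno disambiguates */
    return getpriority(PRIO_PROCESS, 0);
}

/* Linux nice values live in [-20, 19]; nice(delta) saturates at the bounds. */
int clamp_nice(int n) { return n > 19 ? 19 : (n < -20 ? -20 : n); }

/* Spawn a stand-in "plugin" child that reports its own nice value back over
 * a pipe. Returns the child's nice value, or -100 if the spawn failed. */
static int spawn_child_and_read_nice(void)
{
    int fd[2], n = -100;
    if (pipe(fd) != 0)
        return -100;
    pid_t pid = fork();
    if (pid < 0)
        return -100;
    if (pid == 0) {        /* child: report and exit */
        n = current_nice();
        close(fd[0]);
        _exit(write(fd[1], &n, sizeof n) == (ssize_t)sizeof n ? 0 : 1);
    }
    close(fd[1]);
    if (read(fd[0], &n, sizeof n) != (ssize_t)sizeof n)
        n = -100;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n;
}

/* The dispatcher side: either re-nice then spawn (old order) or spawn then
 * re-nice (audit 1.7.4 order). parent_after is -100 if nice() failed. */
static struct nice_probe dispatcher(int nice_before_fork, int delta)
{
    struct nice_probe p;
    p.parent_before = current_nice();
    if (nice_before_fork) {
        errno = 0;
        p.parent_after = (nice(delta) == -1 && errno) ? -100 : current_nice();
        p.child_nice = spawn_child_and_read_nice();
    } else {
        p.child_nice = spawn_child_and_read_nice();
        errno = 0;
        p.parent_after = (nice(delta) == -1 && errno) ? -100 : current_nice();
    }
    return p;
}

/* Run the dispatcher in a throw-away subprocess so its nice() call never
 * touches the caller; the result comes back over a pipe. Returns 0 on ok. */
int run_probe(int nice_before_fork, int delta, struct nice_probe *out)
{
    int fd[2], status = 0;
    if (pipe(fd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct nice_probe p = dispatcher(nice_before_fork, delta);
        close(fd[0]);
        _exit(write(fd[1], &p, sizeof p) == (ssize_t)sizeof p ? 0 : 1);
    }
    close(fd[1]);
    ssize_t r = read(fd[0], out, sizeof *out);
    close(fd[0]);
    waitpid(pid, &status, 0);
    return (r == (ssize_t)sizeof *out && WIFEXITED(status) &&
            WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    struct nice_probe p;
    if (run_probe(0, 5, &p) == 0)
        printf("nice after fork:  parent %d -> %d, child %d\n",
               p.parent_before, p.parent_after, p.child_nice);
    if (run_probe(1, 5, &p) == 0)
        printf("nice before fork: parent %d -> %d, child %d\n",
               p.parent_before, p.parent_after, p.child_nice);
    return 0;
}
```

Run as an ordinary user: in the first line the child's value equals the parent's starting value while the parent has moved by 5; in the second line the child carries the moved value. Because the kernel never revises a running child's nice value when its parent later calls nice(), a dispatcher that wants its queue drained at elevated priority but its plugins at normal priority must spawn first and re-nice second, exactly the reordering the release notes describe.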