From: Steve Grubb
Subject: audit 1.7.8 released
Date: Wed, 22 Oct 2008 16:18:50 -0400
Message-ID: <200810221618.50940.sgrubb@redhat.com>
To: Linux Audit

Hi,

I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:

- Fix strict aliasing compiler warnings
- Interpret TTY audit data in auparse (Miloslav Trmač)
- Extract terminal from USER_AVC events for ausearch/report (Peng Haitao)
- Makefile cleanup (Philipp Hahn)
- Add USER_AVCs to aureport's avc reporting (Peng Haitao)
- Get auparse test suites working better
- When apps started by audispd die, restart them if their type is always
- Short circuit hostname resolution in libaudit if host is empty
- Remove selinux policy for zos-remote
- Update libauparse capabilities table
- If log_group and user are not root, don't check dispatcher perms
- Fix a bug when executing "ausearch -te today PM"
- Add --exit search option to ausearch
- Delete root user tests in auparse/test dir
- Improve performance of ausearch/report and drop dead code
- More code cleanups
- Fix parsing config file when kerberos is disabled
- Add new kernel capability event record types

This release fixes a bunch of little bugs in the Makefile, test suites, and
programs.
A couple bug fixes to call out are, when you use log_group as
non-root user, it tried to open and fstat the event dispatcher, but if you
are non root, that is usually EPERM and if you have audit rules for EPERM,
you create audit events every time you use ausearch.

When GSSAPI support was disabled, it was not able to parse the given config
file, so that was fixed to parse but ignore the settings.

The performance of ausearch/report should be better now. I think my testing
showed about 5%-10% improvement. This needs careful testing, though.

And lastly, I added a new option to ausearch to look for exit codes. If for
example, you needed to find any syscall with EPERM exit, you can now
do "ausearch --start today --exit -EPERM".

Please let me know if you run across any problems with this release.

-Steve
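What a search like "--exit -EPERM" selects from the raw log, as an added example that is not part of the original message and not code from the audit package: a SYSCALL record stores a failed call's result as a negative errno, so -EPERM corresponds to exit=-1. The function names and the sample records are constructed for illustration, and the accepted argument forms (an integer, or "-" followed by an errno name) are an assumption of this sketch.

```python
import errno
import re

# Constructed sample records in the raw audit.log layout (not from the message).
# Event 410 mirrors the case described above: ausearch itself hitting EPERM.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1224706730.101:410): arch=c000003e syscall=2 success=no exit=-1 a0=7fff1 a1=0 items=1 pid=3021 auid=500 uid=500 comm="ausearch" exe="/sbin/ausearch"
type=PATH msg=audit(1224706730.101:410): item=0 name="/sbin/audispd" inode=1234
type=SYSCALL msg=audit(1224706731.212:411): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2 a1=0 items=1 pid=3022 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1224706732.323:412): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3 a1=0 items=1 pid=3023 auid=501 uid=501 comm="less" exe="/usr/bin/less"
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_exit(spec):
    """Map '-EPERM' or a plain integer to the value stored in exit=."""
    try:
        return int(spec)
    except ValueError:
        pass
    name = spec[1:]
    if spec.startswith("-") and name in errno.errorcode.values():
        return -getattr(errno, name)
    raise ValueError("unrecognised exit value: %r" % spec)


def search_exit(log_text, spec):
    """Return (event serial, comm, exe) for SYSCALL records whose exit matches."""
    wanted = parse_exit(spec)
    hits = []
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m or m.group(1) != "SYSCALL":
            continue  # only SYSCALL records carry an exit= field
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
        if "exit" in fields and int(fields["exit"]) == wanted:
            hits.append((int(m.group(3)), fields.get("comm"), fields.get("exe")))
    return hits


if __name__ == "__main__":
    for serial, comm, exe in search_exit(SAMPLE_LOG, "-EPERM"):
        print(serial, comm, exe)
```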