public inbox for linux-audit@redhat.com
* audit 1.7.8 released
@ 2008-10-22 20:18 Steve Grubb
  2008-10-24 19:17 ` LC Bruzenak
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2008-10-22 20:18 UTC
  To: Linux Audit

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
soon. The Changelog is:

- Fix strict aliasing compiler warnings
- Interpret TTY audit data in auparse (Miloslav Trmač)
- Extract terminal from USER_AVC events for ausearch/report (Peng Haitao)
- Makefile cleanup (Philipp Hahn)
- Add USER_AVCs to aureport's avc reporting (Peng Haitao)
- Get auparse test suites working better
- When apps started by audispd die, restart them if their type is always
- Short circuit hostname resolution in libaudit if host is empty
- Remove selinux policy for zos-remote
- Update libauparse capabilities table
- If log_group and user are not root, don't check dispatcher perms
- Fix a bug when executing "ausearch -te today PM"
- Add --exit search option to ausearch
- Delete root user tests in auparse/test dir
- Improve performance of ausearch/report and drop dead code
- More code cleanups
- Fix parsing config file when kerberos is disabled
- Add new kernel capability event record types

This release fixes a bunch of little bugs in the Makefile, test suites, and 
programs. A couple bug fixes to call out are, when you use log_group as 
non-root user, it tried to open and fstat the event dispatcher, but if you 
are non root, that is usually EPERM and if you have audit rules for EPERM, 
you create audit events every time you use ausearch.

When GSSAPI support was disabled, it was not able to parse the given config 
file, so that was fixed to parse but ignore the settings.

The performance of ausearch/report should be better now. I think my testing 
showed about 5%-10% improvement. This needs careful testing, though.

And lastly, I added a new option to ausearch to look for exit codes. If for 
example, you needed to find any syscall with EPERM exit, you can now 
do "ausearch --start today --exit -EPERM".

Please let me know if you run across any problems with this release.

-Steve
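
What the `--exit` search in the message above selects from raw records, as an added Python example that is not part of the original post or the audit project's code. It assumes the raw `type=SYSCALL` layout with `exit=` logged as a signed decimal; the sample lines are constructed, and `parse_exit_spec` and `search_exit` are hypothetical names.

```python
import errno
import re

# Constructed sample records in the raw audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1224706680.101:501): arch=c000003e syscall=2 success=no exit=-1 a0=7fff5c2a a1=0 a2=0 a3=0 items=1 ppid=2310 pid=2355 auid=500 uid=500 gid=500 comm="ausearch" exe="/sbin/ausearch" key=(null)
type=SYSCALL msg=audit(1224706681.202:502): arch=c000003e syscall=2 success=no exit=-13 a0=7fff11aa a1=0 a2=0 a3=0 items=1 ppid=2310 pid=2356 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1224706682.303:503): arch=c000003e syscall=2 success=yes exit=3 a0=7fff22bb a1=0 a2=0 a3=0 items=1 ppid=1 pid=1999 auid=4294967295 uid=0 gid=0 comm="crond" exe="/usr/sbin/crond" key=(null)
type=USER_AVC msg=audit(1224706683.404:504): user pid=1800 uid=81 auid=4294967295 msg='avc: denied { send_msg } for msgtype=method_call'
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # name=value or name="quoted value"
EVENT_ID = re.compile(r'audit\(\d+\.\d+:(\d+)\)')  # serial number inside msg=audit(...)


def parse_exit_spec(spec):
    """Map '-EPERM' or a plain integer string to the signed value logged in exit=."""
    try:
        return int(spec)
    except ValueError:
        pass
    value = getattr(errno, spec.lstrip("-"), None)
    if not isinstance(value, int):
        raise ValueError(f"unknown exit specification: {spec!r}")
    return -value  # a failed syscall is recorded as the negated errno


def search_exit(log_text, spec):
    """Return SYSCALL records whose exit field equals the requested value."""
    wanted = parse_exit_spec(spec)
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        serial = EVENT_ID.search(line)
        if fields.get("type") != "SYSCALL" or serial is None:
            continue  # only syscall records carry the exit code searched here
        try:
            exit_value = int(fields.get("exit", ""))
        except ValueError:
            continue  # malformed or missing exit field
        if exit_value == wanted:
            hits.append({"event": int(serial.group(1)),
                         "exe": fields.get("exe", "").strip('"'),
                         "auid": fields.get("auid"),
                         "syscall": fields.get("syscall")})
    return hits


if __name__ == "__main__":
    for hit in search_exit(SAMPLE_LOG, "-EPERM"):
        print(hit)
```
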


* Re: audit 1.7.8 released
  2008-10-22 20:18 audit 1.7.8 released Steve Grubb
@ 2008-10-24 19:17 ` LC Bruzenak
  2008-10-27 14:57   ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: LC Bruzenak @ 2008-10-24 19:17 UTC
  To: Steve Grubb; +Cc: Linux Audit


On Wed, 2008-10-22 at 16:18 -0400, Steve Grubb wrote:
> Hi,
> 
> I've just released a new version of the audit daemon. It can be downloaded 
> from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
> soon. The Changelog is:
...
> - When apps started by audispd die, restart them if their type is always
...

Steve, 

Is there a new parameter to support this option (or a link to more info)?
What happens if there is a startup error - a tight loop? Or is there a safety timeout?

I believe when I was testing in enforcing mode I had audisp-remote die
right away from the connection policy issues. Possibly audisp-prelude as
well from the labeling on the spool files...needed due to connection
issues. :)

I will be trying to get back there ASAP and can confirm, once the policy
pieces are patched.

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* Re: audit 1.7.8 released
  2008-10-24 19:17 ` LC Bruzenak
@ 2008-10-27 14:57   ` Steve Grubb
  0 siblings, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2008-10-27 14:57 UTC
  To: LC Bruzenak; +Cc: Linux Audit

On Friday 24 October 2008 15:17:30 LC Bruzenak wrote:
> Is there a new parameter to support this option (or a link to more info)?
> What happens if there is a startup error - a tight loop? Or is there a
> safety timeout?

It looks like it will try once for each record in the pipeline. I'll add 
something to configure a limit on # of retries.

-Steve
