audit 1.7.11 released

audit 1.7.11 released

[Steve Grubb]

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
soon. The Changelog is:

- Don't error out in auditd when calling setsid
- Reformat a couple auditd error messages (Oden Eriksson)
- If log rotate fails, leave the old log writable
- Fixed bug in setting up auditd event loop when listening
- Warn if on biarch machine and auditctl rules show a syscall mismatch
- Audisp-remote was not parsing some config options correctly
- In auparse, check for single key in addition to virtual keys
- When auditd shuts down, send AUDIT_RMW_TYPE_ENDING messages to clients
- Updated sample plugin code to use auparse
- Created reconnect option to remote ending setting of audisp-remote

This is mostly a bugfix release. When being started by init, auditd was dying 
when trying to set its session id since init already does this. When logs 
were rotated and failed for some reason, the original log was left in a 
readonly state, this has been corrected. I found several problems with remote 
logging and fixed them for the non-kerberos use case...I'll try to check the 
work for kerberos in the next release. And the sample audispd plugin code was 
updated to show how to use auparse library to make a plugin.

That leaves one item left to go over. People have discovered over time that 32 
and 64 bit syscalls can have a different syscall number. Auditctl in this 
version no issues a warning to stderr when it loads a syscall audit rules for 
64 bit machines where the 32 bit version has a syscall number mismatch. 
Hopefully, this will help educate people that they may not have all the 
syscalls they intended covered. But at the same time, some people might just 
consider this spamming the console. I would like feedback on this new warning 
and if its obtrusive and how you would suggest making it better.

Please let me know if you run across any problems with this release.

-Steve