public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: audit-2.1 released
Date: Tue, 29 Mar 2011 20:04:47 -0400
Message-ID: <201103292004.47862.sgrubb@redhat.com>

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- Update auditctl man page for new field on user filter
- Fix crash in aulast when auid is foreign to the system
- Code cleanups
- Add store and forward model to audispd-remote (Mirek Trmac)
- Free memory on failed startups in audisp-prelude
- Fix memory leak in aureport
- Fix parsing state problem in libauparse
- Improve the robustness of libaudit field encoding functions
- Update capability tables
- In auditd, make failure action config checking consistent 
- In auditd, check that NULL is not being passed to safe_exec
- In audisp-remote, overflow_action wasn't suspending if that action was chosen
- Update interpretations for virt events
- Improve remote logging warning and error messages
- Add interpretations for netfilter events

This release adds a new major feature. The remote audit logging now has a store and 
forward option. This means that when the client end gets an event, it's written to disk 
and then sent across the network. This means that if the remote server goes down, 
events will be queued to disk for eventual transmission to the aggregating server.

This release also fixes many, many bugs. One of the most important is the memory leak 
in aureport. It was losing 200 bytes per event parsed. If you have logs with a million 
events, then the app had leaked 200 Mb of memory. This slows performance down a lot. 
This new version runs in about 60% of the time that 2.0.6 took.

This release updates some of the interpretation tables to include the new capability 
introduced in the latest kernel. It adds interpretations for virtualization events and 
the netfilter events.

Also, it was found that in the disk_err_action for auditd, it chose exec no matter 
what the admin had put in. This release corrects the action to be what the admin 
selected.

Please let me know if you run across any problems with this release.

-Steve
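
The store-and-forward behaviour described in the announcement, as an added illustration that is not part of the original message and is not audisp-remote's code. It is a simplified Python model: `SpoolQueue`, `send`, `demo` and the spool path are hypothetical names, and the audit records are constructed samples.

```python
import os
import tempfile

class SpoolQueue:  # simplified model: persist each record, then forward in order
    def __init__(self, path, send):
        self.path, self.send = path, send   # send(record) raises OSError on failure
        open(path, "a").close()             # create the spool file if missing

    def pending(self):
        with open(self.path) as f:
            return [line.rstrip("\n") for line in f if line.strip()]

    def _write(self, path, records, mode):
        with open(path, mode) as f:
            f.writelines(r + "\n" for r in records)
            f.flush()
            os.fsync(f.fileno())            # durable on disk before we rely on it

    def submit(self, record):
        self._write(self.path, [record], "a")   # store first ...
        return self.flush()                     # ... then forward

    def flush(self):
        queue, sent = self.pending(), 0
        for record in queue:
            try:
                self.send(record)
            except OSError:                 # server unreachable: keep the rest queued
                break
            sent += 1
        if sent:                            # drop only what was delivered, atomically
            self._write(self.path + ".tmp", queue[sent:], "w")
            os.replace(self.path + ".tmp", self.path)
        return sent

def demo():
    delivered, up = [], [False]             # up[0]: is the aggregating server reachable?
    def send(record):
        if not up[0]:
            raise ConnectionRefusedError("aggregating server down")
        delivered.append(record)
    with tempfile.TemporaryDirectory() as d:
        q = SpoolQueue(os.path.join(d, "remote.log"), send)   # constructed path
        q.submit("type=USER_LOGIN msg=audit(1.001:1): constructed sample")
        q.submit("type=USER_END msg=audit(2.001:2): constructed sample")
        queued = len(q.pending())           # both records wait on disk
        up[0] = True
        q = SpoolQueue(q.path, send)        # client restart: same spool file
        q.submit("type=USER_START msg=audit(3.001:3): constructed sample")
        return queued, [r.split()[0] for r in delivered], q.pending()
```

Records leave the spool only after a successful send, so an outage or a client restart delays delivery without losing or reordering events.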
