* audit-2.1 released
From: Steve Grubb @ 2011-03-30 0:04 UTC (permalink / raw)
To: linux-audit
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Update auditctl man page for new field on user filter
- Fix crash in aulast when auid is foreign to the system
- Code cleanups
- Add store and forward model to audispd-remote (Mirek Trmac)
- Free memory on failed startups in audisp-prelude
- Fix memory leak in aureport
- Fix parsing state problem in libauparse
- Improve the robustness of libaudit field encoding functions
- Update capability tables
- In auditd, make failure action config checking consistent
- In auditd, check that NULL is not being passed to safe_exec
- In audisp-remote, overflow_action wasn't suspending if that action was chosen
- Update interpretations for virt events
- Improve remote logging warning and error messages
- Add interpretations for netfilter events
This release adds a new major feature. The remote audit logging now has a store and
forward option. This means that when the client end gets an event, it's written to disk
and then sent across the network. This means that if the remote server goes down,
events will be queued to disk for eventual transmission to the aggregating server.
This release also fixes many, many bugs. One of the most important is the memory leak
in aureport. It was losing 200 bytes per event parsed. If you have logs with a million
events, then the app had leaked 200 Mb of memory. This slows performance down a lot.
This new version runs in about 60% of the time that 2.0.6 took.
This release updates some of the interpretation tables to include the new capability
introduced in the latest kernel. It adds interpretations for virtualization events and
the netfilter events.
Also, it was found that in the disk_err_action for auditd, it chose exec no matter
what the admin had put in. This release corrects the action to be what the admin
selected.
Please let me know if you run across any problems with this release.
-Steve
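
The store and forward behaviour described in the message above, as an added sketch; it is not part of the original post and not audisp-remote's code. The class name, spool file name and `send` callback are hypothetical, and the audit records are constructed samples.

```python
import os
import tempfile

class StoreAndForward:
    """Write every event to a disk spool first, then try to deliver it."""
    def __init__(self, spool_path, send):
        self.spool_path = spool_path
        self.send = send  # hypothetical transport; raises OSError if server is down
        open(spool_path, "a").close()  # make sure the spool file exists

    def submit(self, event):
        # Store: the record is on disk before any network attempt.
        with open(self.spool_path, "a") as f:
            f.write(event + "\n")
            f.flush()
            os.fsync(f.fileno())
        return self.flush()

    def flush(self):
        # Forward: deliver oldest first and stop at the first failure.
        with open(self.spool_path) as f:
            pending = f.read().splitlines()
        sent = 0
        try:
            for event in pending:
                self.send(event)
                sent += 1
        except OSError:
            pass  # server unreachable: the rest stays queued
        # Atomically rewrite the spool with what was not delivered.
        tmp = self.spool_path + ".tmp"
        with open(tmp, "w") as f:
            f.writelines(e + "\n" for e in pending[sent:])
        os.replace(tmp, self.spool_path)
        return len(pending) - sent  # records still waiting on disk

def demo():
    delivered, server = [], {"up": False}
    def send(event):
        if not server["up"]:
            raise ConnectionError("aggregating server unreachable")
        delivered.append(event)
    with tempfile.TemporaryDirectory() as d:
        q = StoreAndForward(os.path.join(d, "remote.spool"), send)
        # Constructed sample records, not real audit output.
        backlog = [q.submit(f"type=SYSCALL msg=audit(1301443440.000:{i})") for i in range(3)]
        server["up"] = True
        left = q.submit("type=USER_LOGIN msg=audit(1301443441.000:3)")
    return backlog, left, delivered
```

A crash between a successful send and the spool rewrite would resend those records, so this sketch gives at-least-once delivery and the receiving side has to tolerate duplicates.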
* Re: audit-2.1 released
From: Stephen John Smoogen @ 2011-03-30 1:02 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Tue, Mar 29, 2011 at 18:04, Steve Grubb <sgrubb@redhat.com> wrote:
> Hi,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
> soon. The ChangeLog is:
What versions of Red Hat/Fedora Linux would this work with? In case
people were checking it out.
--
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren
* Re: audit-2.1 released
From: Steve Grubb @ 2011-03-30 2:53 UTC (permalink / raw)
To: Stephen John Smoogen; +Cc: linux-audit
On Tuesday, March 29, 2011 09:02:10 pm Stephen John Smoogen wrote:
> On Tue, Mar 29, 2011 at 18:04, Steve Grubb <sgrubb@redhat.com> wrote:
> > Hi,
> >
> > I've just released a new version of the audit daemon. It can be
> > downloaded from http://people.redhat.com/sgrubb/audit. It will also be
> > in rawhide soon. The ChangeLog is:
>
> What versions of Red Hat/Fedora Linux would this work with? In case
> people were checking it out.
I compiled it for F14->rawhide and submitted updates for each. You can pick it out of
koji if you are in a hurry. I think it would even be viable for F13 if that were still
supported. In the RHEL world, this is aimed at RHEL 6.
I am doing a big sync of trunk with the 1.8 branch to pick up as many of these bug
fixes as possible for one last big maintenance push on the 1.8 branch. The 1.8 branch
is what RHEL 5 and other older OSes use. There should be a 1.8 release sometime soon
for these older OSes that still use it. After this next 1.8 release, I will update
anything important on that branch. But distros should start thinking that branch is in
deep maintenance mode and move to something newer if the kernel is 2.6.31 or newer.
There may or may not be a 1.8.1 release. Time will tell.
-Steve