From: Steve Grubb
Subject: audit-2.2 released
Date: Thu, 1 Mar 2012 15:02:23 -0500
Message-ID: <201203011502.23335.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is:

- Correct all rules for clock_settime
- Fix possible segfault in auparse library
- Handle malformed socket addresses better
- Improve performance in audit_log_user_message()
- Improve performance in writing to the log file in auditd
- Syscall update for accept4 and recvmmsg
- Update autrace resource usage mode syscall list
- Improved sample rules for recent syscalls
- Add some debug info to audispd-remote startup and shutdown
- Make compiling with Python optional
- In auditd, if disk_error_action is ignore, don't syslog anything
- Fix some memory leaks
- If audispd is stopping, don't restart children
- Add support in auditctl for shell escaped filenames (Alexander)
- Add search support for virt events (Marcelo Cerri)
- Update interpretation tables
- Sync auparse's auditd config parser with auditd's parser
- In ausearch, also use cwd fields in file name searches
- In ausearch, parse cwd in USER_CMD events
- In ausearch, correct parsing of uid in user space events
- In ausearch, update parsing of integrity events
- Apply some text cleanups from Debian (Russell Coker)
- In auditd, relax some permission checks for external apps
- Add ROLE_MODIFY event type
- In auditctl, new -c option to continue through bad rules but with failed exit
- Add auvirt program to do special reporting on virt events (Marcelo Cerri)
- Add interfield comparison support to auditctl (Peter Moody)
- Update auparse type interpretation for apparmor (Marcelo Cerri)
- Increase tcp_max_per_addr maximum to 1024.

This is a huge bugfix release. It has 2 new features worth calling attention to. The first is a new program, auvirt, which produces a report about guest operating systems. The second is the addition of the -C directive for auditctl. This requires a kernel upgrade in order to use it. Its purpose is to be able to trigger on events that would otherwise take a mountain of events to find just the one occurrence. For example, if you want to see if an admin is accessing files in user's home dirs, then you can write a rule like:

-a always,exit -F dir=/home -C auid!=obj_uid -F key=admin-abuse

Please let me know if you run across any problems with this release.

-Steve
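The interfield comparison in the rule above (auid != obj_uid) is evaluated by the kernel at the time of the syscall. As an added illustration that is not part of the announcement or of the audit project's own code, the script below applies the same comparison after the fact to audit.log records: it groups SYSCALL and PATH records by event serial number and reports the cases where the login uid (auid) of the SYSCALL record differs from the owner uid (ouid) of a PATH record under /home. The log lines are constructed samples in the audit.log record format, and the function and regex names are this example's own.

```python
"""
Post-hoc check for what the auditctl rule
  -a always,exit -F dir=/home -C auid!=obj_uid -F key=admin-abuse
is meant to catch: a file under /home touched by a login uid (auid) that is not
the file's owner (ouid on the PATH record).

Added example, not part of the audit-2.2 announcement or the audit project.
The log lines below are constructed samples, not real events.
"""
import re

# Constructed sample audit.log lines. Records of one event share the serial
# number inside msg=audit(<time>:<serial>).
#   Event 101: auid=1000 touches a file owned by uid 1000 (own home directory).
#   Event 102: auid=500 (a different login uid) opens a file owned by uid 1000.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1330632143.001:101): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 key="admin-abuse"
type=PATH msg=audit(1330632143.001:101): item=0 name="/home/alice/notes.txt" inode=1234 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1330632150.002:102): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 key="admin-abuse"
type=PATH msg=audit(1330632150.002:102): item=0 name="/home/alice/private-notes.txt" inode=1235 ouid=1000 ogid=1000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
AUID_UNSET = 4294967295  # auid of -1: no login session, so no person to compare

def parse_record(line):
    """Split one audit record into (serial, {field: value}); quoted values are unquoted."""
    serial = SERIAL_RE.search(line).group(1)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return serial, fields

def group_events(log_text):
    """Group records by serial so the SYSCALL and PATH records of one event sit together."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        serial, fields = parse_record(line)
        events.setdefault(serial, []).append(fields)
    return events

def find_mismatched_owner_access(log_text, watched_dir="/home"):
    """
    Return [(serial, auid, ouid, path)] for events in which a file under
    watched_dir was touched by a login uid that is not the file's owner.
    """
    hits = []
    prefix = watched_dir.rstrip("/") + "/"
    for serial, records in group_events(log_text).items():
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or "auid" not in syscall:
            continue
        auid = int(syscall["auid"])
        if auid == AUID_UNSET:
            continue
        for rec in records:
            if rec.get("type") != "PATH" or "ouid" not in rec:
                continue
            path = rec.get("name", "")
            if not path.startswith(prefix):
                continue
            ouid = int(rec["ouid"])
            if auid != ouid:
                hits.append((serial, auid, ouid, path))
    return hits

if __name__ == "__main__":
    for serial, auid, ouid, path in find_mismatched_owner_access(SAMPLE_LOG):
        print(f"event {serial}: auid={auid} accessed {path} owned by uid {ouid}")
```

On the sample, only event 102 is reported. The point of the kernel-side -C rule is that this filtering happens before the record is written, so the log holds one event instead of every /home access that would have to be sifted through afterwards with a script like this one.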