audit-2.2 released

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

* audit-2.2 released
@ 2012-03-01 20:02 Steve Grubb
  0 siblings, 0 replies; only message in thread
From: Steve Grubb @ 2012-03-01 20:02 UTC (permalink / raw)
  To: linux-audit

Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- Correct all rules for clock_settime
- Fix possible segfault in auparse library
- Handle malformed socket addresses better
- Improve performance in audit_log_user_message() 
- Improve performance in writing to the log file in auditd
- Syscall update for accept4 and recvmmsg
- Update autrace resource usage mode syscall list
- Improved sample rules for recent syscalls
- Add some debug info to audidp-remote startup and shutdown
- Make compiling with Python optional
- In auditd, if disk_error_action is ignore, don't syslog anything
- Fix some memory leaks
- If audispd is stopping, don't restart children
- Add support in auditctl for shell escaped filenames (Alexander)
- Add search support for virt events (Marcelo Cerri)
- Update interpretation tables
- Sync auparse's auditd config parser with auditd's parser
- In ausearch, also use cwd fields in file name searchs
- In ausearch, parse cwd in USER_CMD events
- In ausearch, correct parsing of uid in user space events
- In ausearch, update parsing of integrity events
- Apply some text cleanups from Debian (Russell Coker)
- In auditd, relax some permission checks for external apps
- Add ROLE_MODIFY event type
- In auditctl, new -c option to continue through bad rules but with failed exit
- Add auvirt program to do special reporting on virt events (Marcelo Cerri)
- Add interfield comparison support to auditctl (Peter Moody)
- Update auparse type intepretation for apparmor (Marcelo Cerri)
- Increase tcp_max_per_addr maximum to 1024.

This is a huge bugfix release. It has 2 new features worth calling attention to. 
The first is a new program, auvirt which produces a report about guest operating 
systems.

The second is the addition of the -C directive for auditctl. This requires a 
kernel upgrade in order to use it. Its purpose is to be able to trigger on 
events that would otherwise take a mountain of events to find just the one 
occurance. For example, if you want to see if an admin is accessing files in 
user's home dirs, then you can write a rule like:

-a always,exit -F dir=/home -C auid!=obj_uid -F key=admin-abuse

Please let me know if you run across any problems with this release.

-Steve

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2012-03-01 20:03 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-03-01 20:02 audit-2.2 released Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox