audit 2.7 released

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

* audit 2.7 released
@ 2016-12-16  3:22 Steve Grubb
  0 siblings, 0 replies; only message in thread
From: Steve Grubb @ 2016-12-16  3:22 UTC (permalink / raw)
  To: Linux Audit

Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Remove config file permission checks in auparse
- Audisp-remote should detect normal socket close and mark remote_ended
- Allow auditctl to list rules if no capabilities but root euid
- In libaudit, use the last word of the syscall bit mask
- In auditd, write_logs option was not correctly handled (#1382397)
- In libaudit, allow filtering on new exclude filter fields (Richard Guy Briggs)
- In auditd, fix looping when checking active connections
- In auparse, the auparse_state_t pointer to keep escape_mode information
- In libaudit, add support for rules using sessionid (Richard Guy Briggs)
- Remove entry filter support
- Add auparse_destroy_ext function
- Improve ENRICHED logging format performance in auditd
- Fix regex rule file matching in augenrules (#1396792)
- Add numeric field/record accessors to auparse
- Fix auditd freeing in middle of reply buffer when nolog is used
- Switch auparse uid/gid cache to lru to limit growth
- Prevent ausearch from clobbering type field on loginuid search
- Add audit_get_session function to libaudit
- Add session and uid to most audit events
- Add auparse_classify code interface for subj, obj, action, results

The main goal of this update is to land the auparse_classify interface to 
auparse. This will unlock many new capabilities in subsequent releases of the 
2.7 series. If you are a programmer and do stuff with R or machine learning, 
let me know. This is aimed squarely at transforming data into knowledge.

Aside from that, this fixes remote logging, and logging with the nolog and 
write_logs = no option, it allows audit rules on the new exclude filter fields 
and rules that use sessionid.

The entry filter support has been dropped. It was deprecated a couple years 
ago. There are performance enhancements and correctness fixes.

Please let me know if you run across any problems with this release.

-Steve

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2016-12-16  3:22 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-12-16  3:22 audit 2.7 released Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox