From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: audit 2.6.1 released
Date: Tue, 28 Jun 2016 21:39:28 -0400
Message-ID: <2934211.vnrKr2Caq5@x2>
Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Do capabilities check rather than uid
- Auditd fixup directory and file permissions on startup
- Add some missing config items to auditd reconfigure
- In audisp-remote add warn_once and warn_once_continue action handlers
- In audisp-remote only emit 1 warning when disk_full or error is reached.
- Aulast now searches on user name as a string for enriched events
- Ausearch now searches on user name as a string for enriched events
- Create audit-stop.rules to clean up audit subsystem on stop
- Adjust LDFLAGS for cross compiled helper utilities (Laurent Bigonville)
- Fix event formatting issue in audispd
- Fix bug causing ack to not be sent from auditd to audisp-remote
This release follows the last one quickly because it's a bugfix release. The
last release had a lot of code churn and debug and testing was not 100%
complete. The biggest issue was that during the creation of the protocol 2
format handler in audispd, some newlines got stripped from the formatting.
This caused problems for any protocol 1 events. The likely effect is audispd
plugins not working correctly.
There was also a bug in auditd due to refactoring the code to retry sending
events to the dispatcher. The effect of the bug was to zero out the ack
function when receiving remote events. This caused audisp-remote to retry
sending the event over and over because it timed out thinking the server was
having comm problems.
It was also pointed out that some people don't want audit events of any kind
going to syslog when the audit daemon is stopped. This update adds a new file,
audit-stop.rules, which gets loaded when the audit daemon stops. The current
rules disable the audit subsystem and delete all rules.
The conversion to enriched events was not complete in 2.6. The ausearch and
aulast programs needed to use the user name as a string to search for events.
audisp-remote was reworked to only emit 1 warning when disk_full or error is
reached. New config options were added to help accomplish this. There are now
warn_once and warn_once_continue options for failures. They act like the syslog
option except they only send one warning. Read the man page for more details.
It was also found that not all config options were being loaded when the audit
daemon received SIGHUP.
The audit daemon will now fix logging directory ownership and mode during
restart or config reload. This will help everyone who sets the log access group
because it will restore the config after an upgrade.
Almost every place that uid was checked for root has been updated to do a
capability check instead.
Please let me know if you run across any problems with this release.
-Steve
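Added example, not part of the announcement above and not code shipped in audit 2.6.1. It ties together two of the items Steve lists: the new audit-stop.rules file (which the mail describes as disabling the audit subsystem and deleting all rules) and the move from uid checks to capability checks. The rule contents are reconstructed from that description rather than copied from the tarball, the helper names (audit_stop_rules, rules_disable_audit, cap_in_mask, has_effective_cap, install_and_load_stop_rules) are invented for this illustration, and the privilege needed to load rules is assumed to be CAP_AUDIT_CONTROL, capability bit 30 in the kernel's CapEff bitmap. The mail does not show how the daemon's stop path loads the file, so the loader here uses auditctl -R, which reads rules from a file.

```shell
#!/bin/sh
# Added example, not code from audit 2.6.1 or from the announcement.
# Assumptions, labelled: (1) the audit-stop.rules content below is rebuilt
# from the description "disables the audit subsystem and deletes all rules"
# (-D, -e 0), not copied from the release; (2) the privilege auditctl needs
# to load rules is taken to be CAP_AUDIT_CONTROL, capability bit 30 in the
# kernel's capability bitmap as shown in /proc/<pid>/status.

CAP_AUDIT_CONTROL=30

# Emit the rules the announcement describes for audit-stop.rules.
audit_stop_rules() {
    printf '%s\n' \
        '## Loaded when auditd stops: delete every rule, then disable auditing' \
        '-D' \
        '-e 0'
}

# Succeed (0) only if the rules file $1 both deletes all rules (-D) and
# disables the subsystem (-e 0). Blank lines and comments are ignored and
# runs of whitespace are squeezed, so "-e<TAB>0" is accepted.
rules_disable_audit() {
    have_d=1
    have_e0=1
    while IFS= read -r line || [ -n "$line" ]; do
        norm=$(printf '%s' "$line" | tr -s '[:space:]' ' ')
        norm=${norm# }                   # drop a single leading space
        case $norm in
            ''|'#'*)         ;;           # comment or blank line
            '-D'|'-D '*)     have_d=0 ;;
            '-e 0'|'-e 0 '*) have_e0=0 ;;
        esac
    done < "$1"
    [ "$have_d" -eq 0 ] && [ "$have_e0" -eq 0 ] && return 0
    return 1
}

# Succeed if capability bit $1 is set in the hexadecimal mask $2, the format
# the kernel uses for the CapEff/CapPrm lines in /proc/<pid>/status.
cap_in_mask() {
    if [ $(( (0x$2 >> $1) & 1 )) -eq 1 ]; then
        return 0
    fi
    return 1
}

# Succeed if this process holds capability bit $1 in its effective set.
# This is the kind of check the release moved to: "am I allowed to do this"
# instead of "is my uid 0".
has_effective_cap() {
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null) || return 1
    [ -n "$mask" ] || return 1
    cap_in_mask "$1" "$mask"
}

# Write the stop rules to $1, sanity-check them, and load them with
# auditctl -R, but only when the caller actually holds CAP_AUDIT_CONTROL.
# Being uid 0 in a container that dropped the capability is not enough,
# and the kernel would reject the request inside auditctl anyway.
install_and_load_stop_rules() {
    audit_stop_rules > "$1" || return 1
    if ! rules_disable_audit "$1"; then
        echo "$1 does not both delete rules and disable auditing" >&2
        return 1
    fi
    if ! has_effective_cap "$CAP_AUDIT_CONTROL"; then
        echo "not loading $1: CAP_AUDIT_CONTROL is not in the effective set" >&2
        return 2
    fi
    auditctl -R "$1"
}
```

Usage: source the file and run `install_and_load_stop_rules /etc/audit/audit-stop.rules` from a shell that holds CAP_AUDIT_CONTROL; from an unprivileged shell it writes the file, validates it, and stops with exit status 2 before touching auditctl. The capability test is deliberately separate from the uid test so the same script behaves correctly both for root in a restricted container (uid 0, no capability) and for a non-root user who has been granted the capability.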