From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael C Thompson
Subject: Re: audit 1.2.2 released
Date: Wed, 17 May 2006 16:12:47 -0500
Message-ID: <446B91CF.5010604@us.ibm.com>
References: <200605121726.32952.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <200605121726.32952.sgrubb@redhat.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: Linux Audit
List-Id: linux-audit@redhat.com

Steve Grubb wrote:
> Hi,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit It will also be in rawhide
> tomorrow. The Changelog is:
>
> - Updates for new glibc-kernheaders
> - Change auditctl to collect list of rules then delete them on -D
> - Update capp.rules and lspp.rules to comment out rules for the possible list
> - Add new message types
> - Support sigusr1 sender identity of newer kernels
> - Add support for ppid in auditctl and ausearch
> - fix auditctl to trim the '/' from watches
> - Move audit daemon config files to /etc/audit for better SE Linux protection
>
> Beware! This release has 2 changes to notice. It requires newer
> glibc-kernheaders and it moves the audit configuration files to
> the /etc/audit directory. The specfile should handle the transition
> gracefully.
>
> This release also supports new options in our current development kernels. It
> adds support for filtering by ppid and searching for ppid in the logs. It
> supports getting the signal info for senders of sigusr1. And completes the
> fix for listing or deleting large amounts of syscall rules. Watches that have
> a trailing '/' will now have it trimmed to make the kernel happier.
>
> 2 new message types were added, AUDIT_DEV_ALLOC and AUDIT_DEV_DEALLOC, for LSPP
> work. The capp & lspp rules were updated to not have "possible" as the list
> action.
>
> Please let me know if there are any problems with this release.

auditctl -a entry,always -S chmod -F "watch=/root/file"

This fails... how is one supposed to use the new 'watch' field filter?

Mike