From: Steve Grubb <sgrubb@redhat.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: audit 2.3.2 released
Date: Mon, 29 Jul 2013 18:14:15 -0400
Message-ID: <8187379.Ilx1TsTszC@x2>
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Put RefuseManualStop in the right systemd section (#969345)
- Add legacy restart scripts for systemd support
- Add more syscall argument interpretations
- Add 'unset' keyword for uid & gid values in auditctl
- In ausearch, parse obj in IPC records
- In ausearch, parse subj in DAEMON_ROTATE records
- Fix interpretation of MQ_OPEN and MQ_NOTIFY events
- In auditd, restart dispatcher on SIGHUP if it had previously exited
- In audispd, exit when no active plugins are detected on reconfigure
- In audispd, clear signal mask set by libev so that SIGHUP works again
- In audispd, track binary plugins and restart if binary was updated
- In audispd, make sure we send signals to the correct process
- In auditd, clear signal mask when spawning any child process
- In audispd, make builtin plugins respond to SIGHUP
- In auparse, interpret mode flags of open syscall if O_CREAT is passed
- In audisp-remote, don't make address lookup always a permanent failure
- In audisp-remote, remove EOE events more efficiently
- In auditd, log the reason when email account is not valid
- In audisp-remote, change default remote_ending action to reconnect
- Add support for Aarch64 processors
This release's main focus was some maintenance of the audispd program. It was
found to not be working as intended due to some changes to signal masks in
auditd a couple years ago.
Also in auditctl, you can now use 'unset' to mean a user id of 4294967295 or
-1. This should look nicer as:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
can now be:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F auid!=unset -k access
Some work was done in audisp-remote so that getaddrinfo failures are not
permanent failures. Sometimes DNS lookup fails for various reasons. This makes
it more forgiving. Also, the way that EOE (End of Event) records are stripped
out was improved so that it should be more efficient time-wise.
It was found that ausearch couldn't match a couple of fields in IPC and DAEMON_ROTATE
events. These were fixed. And lastly, initial support was created for 64 bit
ARM processors.
Please let me know if you run across any problems with this release.
-Steve
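Added example, not part of the message above and not code from the audit project: a small normaliser that treats `4294967295`, `-1` and `unset` as the same value in uid/gid filter fields, so rule sets written before and after 2.3.2 can be compared when checking that a required rule is loaded. The list of id-valued fields and the helper names are assumptions of this sketch; `legacy=True` emits the numeric form for hosts whose auditctl predates the keyword.

```python
# Added example: normalise the spelling of the "unset" id in audit rules.
# Assumption: these are the uid/gid-valued auditctl fields the keyword covers.
ID_FIELDS = {"auid", "uid", "euid", "suid", "fsuid", "obj_uid",
             "gid", "egid", "sgid", "fsgid", "obj_gid"}
UNSET_SPELLINGS = {"unset", "4294967295", "-1"}
OPERATORS = ("!=", ">=", "<=", "=", ">", "<")  # two-character forms first


def split_field(expr):
    """Split 'auid!=unset' into ('auid', '!=', 'unset'); None if no operator."""
    for i, ch in enumerate(expr):
        if ch in "!<>=":
            for op in OPERATORS:
                if expr.startswith(op, i):
                    return expr[:i], op, expr[i + len(op):]
            return None
    return None


def canonicalize(rule, legacy=False):
    """Rewrite every unset-id spelling in -F fields to one canonical form."""
    tokens = rule.split()
    out = []
    for i, tok in enumerate(tokens):
        # Only the argument that follows -F is a field comparison.
        parsed = split_field(tok) if i > 0 and tokens[i - 1] == "-F" else None
        if parsed:
            field, op, value = parsed
            # exit=-1 and similar non-id fields must be left untouched.
            if field in ID_FIELDS and value in UNSET_SPELLINGS:
                tok = field + op + ("4294967295" if legacy else "unset")
        out.append(tok)
    return " ".join(out)


def same_rule(a, b):
    """True when two rules differ only in how the unset id is spelled."""
    return canonicalize(a) == canonicalize(b)


# The two rule spellings quoted in the announcement.
OLD = ("-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES "
       "-F auid>=500 -F auid!=4294967295 -k access")
NEW = OLD.replace("4294967295", "unset")

if __name__ == "__main__":
    print(canonicalize(OLD))
    print(same_rule(OLD, NEW))
```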