audit 1.2.2 released

Michael C Thompson thompsmc at us.ibm.com
Mon May 15 19:57:20 UTC 2006


Steve Grubb wrote:
> Hi,
> 
> I've just released a new version of the audit daemon. It can be downloaded 
> from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
> tomorrow. The Changelog is:
> 
> - Updates for new glibc-kernheaders
> - Change auditctl to collect list of rules then delete them on -D
> - Update capp.rules and lspp.rules to comment out rules for the possible list
> - Add new message types
> - Support sigusr1 sender identity of newer kernels
> - Add support for ppid in auditctl and ausearch
> - fix auditctl to trim the '/' from watches
> - Move audit daemon config files to /etc/audit for better SE Linux protection
> 
> Beware! This release has 2 changes to notice. It requires newer 
> glibc-kernheaders and it moves the audit configuration files to 
> the /etc/audit directory. The specfile should handle the transition 
> gracefully.
> 
> This release also supports new options in our current development kernels. It 
> adds support for filtering by ppid and searching for ppid in the logs. It 
> supports getting the signal info for senders of sigusr1 and completes the 
> fix for listing or deleting large amounts of syscall rules. Watches that have 
> a trailing '/' will now have it trimmed to make the kernel happier.
> 
> 2 new message types were added, AUDIT_DEV_ALLOC and AUDIT_DEV_DEALLOC, for LSPP 
> work. The capp & lspp rules were updated to not have "possible" as the list 
> action.
> 
> Please let me know if there are any problems with this release.

auditctl is still reporting the "error sending rule" problem. Here are 
my auditctl and kernel versions:

auditctl version 1.2.2
2.6.16-1.2200.2.2_FC6.lspp.25

# auditctl -l
Error sending rule list request (Operation not permitted)
# auditctl -l
No rules

Thanks,
Mike



