audit 1.2.2 released
Michael C Thompson
thompsmc at us.ibm.com
Mon May 15 19:57:20 UTC 2006
Steve Grubb wrote:
> Hi,
>
> I've just released a new version of the audit daemon. It can be downloaded
> from http://people.redhat.com/sgrubb/audit It will also be in rawhide
> tomorrow. The Changelog is:
>
> - Updates for new glibc-kernheaders
> - Change auditctl to collect list of rules then delete them on -D
> - Update capp.rules and lspp.rules to comment out rules for the possible list
> - Add new message types
> - Support sigusr1 sender identity of newer kernels
> - Add support for ppid in auditctl and ausearch
> - fix auditctl to trim the '/' from watches
> - Move audit daemon config files to /etc/audit for better SE Linux protection
>
> Beware! This release has 2 changes to notice. It requires newer
> glibc-kernheaders and it moves the audit configuration files to
> the /etc/audit directory. The specfile should handle the transition
> gracefully.
>
> This release also supports new options in our current development kernels. It
> adds support for filtering by ppid and searching for ppid in the logs. It
> supports getting the signal info for senders of sigusr1, and completes the
> fix for listing or deleting large amounts of syscall rules. Watches that have
> a trailing '/' will now have it trimmed to make the kernel happier.
>
> 2 new message types were added AUDIT_DEV_ALLOC and AUDIT_DEV_DEALLOC for LSPP
> work. The capp & lspp rules were updated to not have "possible" as the list
> action.
>
> Please let me know if there are any problems with this release.

auditctl is still reporting the "error sending rule" problem. Here are
my auditctl and kernel versions:

auditctl version 1.2.2
2.6.16-1.2200.2.2_FC6.lspp.25

# auditctl -l
Error sending rule list request (Operation not permitted)
# auditctl -l
No rules

Thanks,
Mike