audit 1.3 released

Steve Grubb sgrubb at redhat.com
Tue Nov 28 23:01:43 UTC 2006


Hi,

I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit and will also be in rawhide
tomorrow. The Changelog is:

- ausearch & aureport implement uid/gid caching
- In ausearch & aureport, extract addr when hostname is unknown
- In ausearch & aureport, test audit log presence O_RDONLY
- New ausearch/aureport time keywords: recent, this-week, this-month, this-year
- Added --add & --delete option to aureport
- Update res parsing in config change events
- Increase the size on audit daemon buffers
- Parse avc_path records in ausearch/aureport
- Rework AVC processing in ausearch/aureport
- ausearch has new output mode, raw, for extracting events
- ausearch/aureport can now read stdin
- Added long options to ausearch and aureport
- New auditd commandline option, -l, to allow following symlinks for its config file.


This is a big update with several new things. The first three are performance 
improvement things. 

The next item introduces some new keywords for time ranges. recent means 10 
minutes ago, this-week means since day 0 of the week as determined by your 
locale, this-month means day 1 of the current month, and this-year means 1/1 
of the current year.

The next item adds 2 new command line options to aureport. This is intended to 
sort out things that are related to adding rules/users/groups vs deleting 
them. This can be handy to divide up config change reports.

The next 4 items are bug fixes.

ausearch has a new output mode, --raw. This means that the audit log entry is 
emitted with no interpretation and no changes. This is handy to extract 
portions of logs for use later or as the first stage of piping commands 
together. If you have a user you want to extract logs for, you can now do 
this:

ausearch -ts this-week -ul 500 > user.log

The next item in the new features is that ausearch/aureport can now take 
events from stdin. So, you can now do something like this:

ausearch -ts this-month -ul 500 --raw | aureport
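As an added illustration, not part of this post or of the audit package: a small Python sketch of what `ausearch -ts <keyword> -ul <uid> --raw` selects, using the time keywords described above. The log lines are constructed, and this-week here starts on Sunday, which is an assumption (the real tool takes day 0 from the locale).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed records in the shape auditd writes; not taken from a real system.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1164754903.100:101): pid=2001 uid=0 auid=500 res=success
type=USER_LOGIN msg=audit(1164668400.200:102): pid=2002 uid=0 auid=501 res=failed
type=SYSCALL msg=audit(1164000000.300:103): arch=40000003 syscall=5 success=no exit=-13 auid=500 tty=tty1
type=CONFIG_CHANGE msg=audit(1160000000.400:104): auid=500 op=add rule key=x res=1
"""

# "now" fixed to the date of this announcement (Tue 28 Nov 2006 23:01:43 UTC).
NOW = datetime(2006, 11, 28, 23, 1, 43, tzinfo=timezone.utc)

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")   # audit(SECS.MSEC:SERIAL)
AUID_RE = re.compile(r"\bauid=(\d+)\b")                    # login uid, what -ul matches


def start_time(keyword, now):
    """Start of the range for the new -ts keywords.
    Assumption: day 0 of the week is Sunday (ausearch uses the locale)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    if keyword == "recent":
        return now - timedelta(minutes=10)
    if keyword == "this-week":
        days_since_sunday = (now.weekday() + 1) % 7   # Python: Monday == 0
        return midnight - timedelta(days=days_since_sunday)
    if keyword == "this-month":
        return midnight.replace(day=1)
    if keyword == "this-year":
        return midnight.replace(month=1, day=1)
    raise ValueError("unknown time keyword: %s" % keyword)


def select_raw(log_text, keyword, loginuid, now=NOW):
    """Return matching records unchanged (raw mode), so they can be
    piped on to aureport or saved for later."""
    start = start_time(keyword, now).timestamp()
    chosen = []
    for line in log_text.splitlines():
        m, a = MSG_RE.search(line), AUID_RE.search(line)
        if not m or not a:
            continue   # skip records with no timestamp or no login uid
        when = float("%s.%s" % (m.group(1), m.group(2)))
        if int(a.group(1)) == loginuid and when >= start:
            chosen.append(line)
    return chosen


if __name__ == "__main__":
    print("\n".join(select_raw(SAMPLE_LOG, "this-month", 500)))
```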

The next item is that every commandline option in ausearch/aureport has a long 
option. This means that you can do this:

ausearch --start this-week --loginuid 500 --message avc --terminal tty1

or

aureport --start this-month --failed --event

The final item is a commandline option allowing auditd to follow symlinks to
read its config file. I guess this might be useful for people doing stateless
or live CDs where the writeable files are kept somewhere else.

If you see any issues with this release please let me know.

-Steve