audit 1.7 released

Steve Grubb sgrubb at
Sun Mar 30 20:23:24 UTC 2008


I've just released a new version of the audit daemon. It can be downloaded 
from  It will also be in rawhide  
soon. The Changelog is:

- Improve input error handling in audispd
- Improve end of event detection in auparse library
- Improve handling of abstract namespaces
- Add test mode for prelude plugin
- Handle user space avcs in prelude plugin
- Audit event serial number now recorded in idmef alert
- Add --just-one option to ausearch
- Fix watched account login detection for some failed login attempts
- Couple fixups in audit logging functions (Miloslav Trmac)
- Add support for virtual keys
- Added new type for user space MAC policy load events
- auparse_find_field_next was not iterating correctly, fixed it
- Add idmef alerts for access or execution of watched file
- Fix buffer overflow in audit_log_user_command
- Add basic remote logging plugin - only sends & no flow control
- Update ausearch with interpret fixes from auparse

This release has a lot of changes. There are a lot of bugs fixed in this 
update. Besides pure bug fixing, this release adds a test mode for the 
audisp-prelude plugin. It can now take a file input to stdin and output to 
stdout what it would like to do.

The audisp-prelude plugin also has a big change in the configuration file. It 
now takes separate enablers and actions to decide if a certain detection 
should be run and what to do if something is found. Right now, the only 
action is to send an idmef event. But this allows for future actions that can 
protect the machine.

IDMEF events were added for watched files or execution of watched programs. 
This requires a specific key format to work.

Ausearch was given a new option, --just-one. This tells it to emit just one 
event during the search. This is handy if you are searching for a specific 
event by its serial number and time.

Virtual key support was added throughout the utilities and libraries. With it, 
admins can now express more than one key in an auditctl rule. The size limit 
was left at 32, but we'll bump it up when kernel 2.6.26 is starting to take 

A buffer overflow in audit_log_user_command was fixed. This was preventing 
sudo from running when it had a large number of arguments. For now, we are 
truncating the event's argument list. But I'll try to work something out 
around continuation records so that it can be fully pieced together.

Lastly, a remote logging plugin makes its debut. Right now it sends only and 
has no flow control. I made a quick and dirty program that runs off of xinetd 
that just appends records to a file to verify it working. Anyone that wants 
to use it will need to do nearly the same at this point. The next release 
will include a recieve capability with no flow control. And then in another 
release after that I'll add the flow control between sender and receiver.

Please let me know if you run across any problems with this release.


More information about the Linux-audit mailing list