audit 1.7.4 released

Steve Grubb sgrubb at redhat.com
Mon May 19 18:50:05 UTC 2008


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit  It will also be in rawhide  
tomorrow. The Changelog is:

- Fix interpreting of keys in syscall records
- Interpret audit rule config change list fields
- Don't error on name=(null) PATH records in ausearch/report
- Add key report to aureport
- Fix --end today to be now
- Added python bindings for auparse_goto_record_num
- Update system-config-audit to 0.4.7 (Miloslav Trmac)
- Add support for the filetype field option in auditctl
- In audispd boost priority after starting children

This release is a mix of bug fixes and new features. The bug fixes are what is 
driving the release earlier than what I'd like. I was doing some testing and 
found that a lot of keys were not being interpreted correctly. I think many 
were coming back as (null) which looks pretty normal if you don't use the 
keys. Anyways, this is fixed. 

I also found that ausearch/report were not processing some events correctly 
when the PATH record's name field was (null). The result of this was that the 
event was being discarded in search results.

With the new interest in keys, I added a key report to aureport. This presents 
a listing of what keys & quantities have been found in a given time frame. 
During testing of that, I found that "--end today" was not behaving as I 
expected. I really think that when you do aureport --start yesterday --end 
today, you should see events from yesterday at midnight until now.

I added an interpretation for the list in audit watch add/delete events. This 
will now print the list's name like exit,entry, user, etc.

This release also adds support for a new rule field in the 2.6.26 kernel. If 
you wanted to audit setting the execute bit via the chmod syscall, you would 
normally write a rule something like this:

-a always,exit -S chmod -F a1&0111

but the problem is that this will trigger on chmod 0755 of directories which 
is pretty common if you want the directory to be searchable. So we added a 
new option to let you specify what the object's type is, filetype. The new 
rule would look like this:

-a always,exit -S chmod -F a1&0111 -F filetype=file

filetype can be file, dir, socket, symlink, char, block, or fifo.
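To make the difference between the two rules concrete, here is an added example (not part of the audit package or of the original post) that emulates how each rule decides on a chmod event. It parses constructed SYSCALL/PATH record pairs in the audit.log format, applies the a1&0111 mask to the hex-encoded mode argument, and for the filetype variant checks the type bits of the octal PATH mode field. The records, paths and key name are made up; the kernel itself tests filetype against the inode of the object being operated on, which the simulation approximates by reading the PATH record's mode.

```python
import re
import stat

# Constructed sample audit.log records (not real captures). Each pair is the
# SYSCALL record of a chmod() call and the PATH record of its target.
# syscall=90 is chmod on x86_64 (arch=c000003e). The a1 argument (the new
# mode) is printed in hex; the PATH mode field is printed in octal.
SAMPLE_EVENTS = [
    # chmod("/srv/www", 0755) on a directory: the bare a1&0111 rule fires here
    ('type=SYSCALL msg=audit(1211223456.001:100): arch=c000003e syscall=90 '
     'success=yes exit=0 a0=1a2b3c0 a1=1ed a2=0 a3=0 items=1 pid=4242 uid=0 '
     'key="perm_mod"',
     'type=PATH msg=audit(1211223456.001:100): item=0 name="/srv/www" '
     'inode=1234 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00'),
    # chmod("/srv/www/cgi-bin/run.sh", 0755) on a regular file: both rules fire
    ('type=SYSCALL msg=audit(1211223457.002:101): arch=c000003e syscall=90 '
     'success=yes exit=0 a0=1a2b3c0 a1=1ed a2=0 a3=0 items=1 pid=4243 uid=0 '
     'key="perm_mod"',
     'type=PATH msg=audit(1211223457.002:101): item=0 '
     'name="/srv/www/cgi-bin/run.sh" inode=1235 dev=08:01 mode=0100755 '
     'ouid=0 ogid=0 rdev=00:00'),
    # chmod("/etc/motd", 0644): no execute bit, neither rule fires
    ('type=SYSCALL msg=audit(1211223458.003:102): arch=c000003e syscall=90 '
     'success=yes exit=0 a0=1a2b3c0 a1=1a4 a2=0 a3=0 items=1 pid=4244 uid=0 '
     'key="perm_mod"',
     'type=PATH msg=audit(1211223458.003:102): item=0 name="/etc/motd" '
     'inode=77 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00'),
    # chmod("/var/run/app.sock", 0777) on a socket: only the bare rule fires
    ('type=SYSCALL msg=audit(1211223459.004:103): arch=c000003e syscall=90 '
     'success=yes exit=0 a0=1a2b3c0 a1=1ff a2=0 a3=0 items=1 pid=4245 uid=0 '
     'key="perm_mod"',
     'type=PATH msg=audit(1211223459.004:103): item=0 name="/var/run/app.sock" '
     'inode=900 dev=08:01 mode=0140777 ouid=0 ogid=0 rdev=00:00'),
]

# key=value tokens; quoted values may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The filetype names accepted by auditctl, mapped to the S_IS* test for the
# type bits of an inode mode.
FILETYPE_TESTS = {
    "file": stat.S_ISREG,
    "dir": stat.S_ISDIR,
    "socket": stat.S_ISSOCK,
    "symlink": stat.S_ISLNK,
    "char": stat.S_ISCHR,
    "block": stat.S_ISBLK,
    "fifo": stat.S_ISFIFO,
}

CHMOD_X86_64 = 90


def parse_record(line):
    """Split one audit record into a dict of its fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def rule_matches(syscall_line, path_line, filetype=None):
    """Emulate `-a always,exit -S chmod -F a1&0111 [-F filetype=<type>]`.

    Returns True when the rule would have logged the event."""
    sc = parse_record(syscall_line)
    if sc.get("type") != "SYSCALL" or int(sc["syscall"]) != CHMOD_X86_64:
        return False
    # a1 is the requested mode, in hex; 0o111 is the three execute bits
    if int(sc["a1"], 16) & 0o111 == 0:
        return False
    if filetype is None:
        return True
    # Type bits come from the object's inode mode, taken here from PATH
    mode = int(parse_record(path_line)["mode"], 8)
    return FILETYPE_TESTS[filetype](mode)


def evaluate(events):
    """Return (name, bare-rule hit, filetype=file rule hit) per event."""
    return [
        (parse_record(p)["name"], rule_matches(s, p), rule_matches(s, p, "file"))
        for s, p in events
    ]


if __name__ == "__main__":
    for name, bare, typed in evaluate(SAMPLE_EVENTS):
        print(f"{name:32} a1&0111={bare!s:5} a1&0111,filetype=file={typed}")
```

Running it shows the directory and socket chmods are picked up by the bare rule and dropped by the filetype=file variant, while the 0644 case matches neither.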

And the last item I wanted to comment on was the change in priority boost for 
audispd. I moved the call to nice() until after the child processes were 
started. This is because audispd should not have to fight with its children 
for time slices at the higher priority. It has an internal queue that can be 
extended by admin configurable parameters. The children are now started with 
the priority inherited from auditd.

Please let me know if you run across any problems with this release.

-Steve




More information about the Linux-audit mailing list