audit 1.7.7 released

Steve Grubb sgrubb at redhat.com
Wed Sep 17 20:57:56 UTC 2008


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit . It will also be in rawhide 
soon. The Changelog is:

- Bug fixes for gss code in remote logging (DJ Delorie)
- Fix ausearch -i to keep the node field in the output
- ausyscall now does strstr match on syscall names
- Makefile cleanup (Philipp Hahn)
- Add watched syscall support to audisp-prelude
- Use the right define for tcp_wrappers in auditd
- Expose encoding API for fields being logged from user space

Last time I did not provide release notes. I'll try to do that now.

Since 1.7.5, we have added GSSAPI support to authenticate and encrypt events 
during transfer. There are some instructions in the man pages, but I'll try to 
get a HOWTO put up on the main audit project page at some point. There is also 
tcp_wrappers support for protecting remote logging: you will need to put an 
entry in the server's /etc/hosts.allow file stating which host or subnet is 
allowed to connect. Both are enabled by adding 2 options to the configure 
command, --with-libwrap --enable-gssapi-krb5. Connect/disconnect events are 
now audited in the server so that there are records of times & IP addresses 
for connections.

Another thanks to the people at Fujitsu for sending several patches that went 
into 1.7.6. The syscall tables have been updated for the latest pre-release 
kernel, 2.6.27.

A new function was added to auparse that allows you to query information about 
the data type that is being held in the value portion of a record's fields. 
Notably, this lets you know that you have a field that is escaped and 
needs to be interpreted to see something meaningful.

New in 1.7.7...

There are 3 new functions in libaudit for logging a field that may need 
encoding to prevent spaces or control characters from causing parsing 
problems. If you have a field that you know has the potential to be 
untrusted, user manipulated, or to contain control characters or spaces, there 
is now a convenience function, audit_encode_nv_string. This function takes 
the name, value, and value length in bytes as its parameters and passes back 
a freshly malloc'ed memory buffer containing the formatted field (the caller 
must free it). Another function was added to test whether or not a field 
needs encoding, audit_value_needs_encoding. It takes the value and value 
length in bytes and returns 1 or 0 depending on whether it needs encoding. 
The last new function, audit_encode_value, performs the value encoding given 
a value and value length in bytes. The programmer is responsible for passing 
it a buffer that is 2 times the size of the value in bytes + 1. These last 2 
are for people who need to take control over encoding; audit_encode_nv_string 
should be the main API people use.
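As an added illustration (this is not code from the audit project or from the 
message above), here is a stand-alone C reimplementation of the contract of the 
three functions just described, so that the "safe value is quoted, unsafe value 
is encoded" behaviour can be exercised without linking libaudit. Two things are 
assumptions not stated above: that the encoding is the upper-case hex-of-bytes 
form the audit tools print and ausearch -i decodes (the 2*len+1 buffer rule 
implies two output bytes per input byte plus a NUL), and that the trigger set 
is any byte at or below space, DEL, a double quote, or a non-ASCII byte. The 
demo_ names are local and deliberately distinct from the libaudit symbols.

```c
/* Added example: stand-alone reimplementation of the field-encoding API
 * described in the audit 1.7.7 announcement.  Not libaudit's code; the hex
 * encoding and the trigger set below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors audit_value_needs_encoding(): 1 if the value cannot be logged
 * verbatim inside a name="value" field, 0 otherwise.  Bytes are inspected
 * as unsigned so high-bit (non-ASCII) bytes are also sent through encoding. */
static int demo_value_needs_encoding(const char *value, unsigned int vlen)
{
    const unsigned char *p = (const unsigned char *)value;
    for (unsigned int i = 0; i < vlen; i++) {
        if (p[i] <= 0x20 || p[i] == 0x7F || p[i] == '"' || p[i] >= 0x80)
            return 1;
    }
    return 0;
}

/* Mirrors audit_encode_value(): the caller supplies a buffer of at least
 * 2*vlen + 1 bytes; the hex form is written there and the buffer returned. */
static char *demo_encode_value(char *out, const char *value, unsigned int vlen)
{
    static const char hex[] = "0123456789ABCDEF";
    const unsigned char *p = (const unsigned char *)value;
    char *w = out;
    for (unsigned int i = 0; i < vlen; i++) {
        *w++ = hex[p[i] >> 4];    /* upper nibble */
        *w++ = hex[p[i] & 0x0F];  /* lower nibble */
    }
    *w = '\0';
    return out;
}

/* Mirrors audit_encode_nv_string(): returns a malloc'ed "name=value" field
 * (caller frees).  vlen == 0 means "use strlen(value)" (assumption).  Safe
 * values are quoted; unsafe ones are hex-encoded and left unquoted, which is
 * how a consumer tells the two forms apart. */
static char *demo_encode_nv_string(const char *name, const char *value,
                                   unsigned int vlen)
{
    if (vlen == 0)
        vlen = (unsigned int)strlen(value);

    if (demo_value_needs_encoding(value, vlen)) {
        char *hexbuf = malloc(2 * (size_t)vlen + 1);
        if (!hexbuf)
            return NULL;
        demo_encode_value(hexbuf, value, vlen);
        size_t n = strlen(name) + 1 + strlen(hexbuf) + 1;
        char *field = malloc(n);
        if (field)
            snprintf(field, n, "%s=%s", name, hexbuf);
        free(hexbuf);
        return field;
    }

    size_t n = strlen(name) + 1 + 1 + vlen + 1 + 1;  /* name = " value " NUL */
    char *field = malloc(n);
    if (field)
        snprintf(field, n, "%s=\"%.*s\"", name, (int)vlen, value);
    return field;
}

/* Convenience for checking results: encode, compare, free.  Returns 1 on match. */
static int demo_field_is(const char *name, const char *value,
                         unsigned int vlen, const char *expected)
{
    char *f = demo_encode_nv_string(name, value, vlen);
    int ok = (f != NULL && strcmp(f, expected) == 0);
    free(f);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs: a benign account name, a user-controlled
     * command line containing a space, and a value with an embedded quote
     * and newline that would otherwise break key=value parsing. */
    const char *samples[][2] = {
        { "acct", "root" },
        { "cmd",  "ls -l" },
        { "msg",  "a\"b\n" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *f = demo_encode_nv_string(samples[i][0], samples[i][1], 0);
        printf("%s\n", f ? f : "(alloc failed)");
        free(f);
    }
    return 0;
}
```

Passing an explicit length matters for values that may contain a NUL byte: 
with vlen set, the whole buffer is encoded rather than stopping at the first 
NUL, which is the case the convenience function is meant to make hard to get 
wrong.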

There was a bug in 1.7.6 with respect to tcp_wrappers where the define had a 
typo in it. This means that 1.7.6 does not actually use tcp_wrappers.

There were a couple of bugs in remote logging on 64-bit platforms. These are 
now cleaned up.

The ausyscall program now does substring matches by default and exact string 
matching by command line option. This was added after observing yet another 
dup syscall and another pipe syscall being added to the 2.6.27 kernel. You 
can now run "ausyscall x86_64 dup" and get all 3 syscall names and numbers.

The prelude plugin now has a 4th type of key-based watched audit event, sys, 
for watched syscalls. This came about after observing that many security 
targets need some rule that is syscall based, and there was no good way to 
express that event with the other 3 types.


Please let me know if you run across any problems with this release.

-Steve
