audit 1.7.12 released

Steve Grubb sgrubb at redhat.com
Tue Feb 24 23:10:33 UTC 2009


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:

- Add definitions for crypto events
- Fix regression where msgtype couldn't be used as a range in audit rules
- In libaudit, extend time spent checking reply
- In acct events, prefer id over acct if given
- In aulast, try id and acct in USER_LOGIN events
- When in immutable mode, have auditctl tell user instead of sending rules
- Add option to sysconfig to disable audit system on auditd stop
- Add tcp_wrappers config option to auditd
- Aulastlog can now take input from stdin
- Update libaudit python bindings to throw exceptions on error
- Adjust formatting of TTY data in libauparse to be like ausearch/report
- Add more key mappings to TTY interpretations
- Add internal queue to audisp-remote
- Fix failure action code to allow executables in audisp-remote (Chu Li)
- Fix memory leak when NOLOG log_format option given to auditd
- Quieten some of the reconnect text being sent to syslog in audisp-remote
- Apply some libev fixups to auditd
- Cleanup shutdown sequence of auditd
- Allow auditd log rotation via SIGUSR1 when NOLOG log format option given

This is mostly a bugfix release. There was a regression introduced into 
auditctl where the msgtype field was no longer able to be used for a range of 
audit records. There was also a bug where a heavily loaded system or one not 
getting much runtime due to virtualization would not get a netlink reply 
(EAGAIN) and this caused pamified services to not work. Now in immutable 
mode, auditctl will output something to stderr to let you know that you can't 
change the audit rules. The init scripts now have a new option to configure 
in /etc/sysconfig/audit that determines whether or not to leave the audit 
system enabled during shutdown.

In the remote logging category, there is a new option to auditd to 
enable/disable tcp_wrappers at runtime. An internal queue was added to the 
remote logger so that if the remote server goes down, events will be queued 
in memory in hopes of being able to transfer them when the connection is 
re-established. Failure action in the remote loggers now accepts paths to 
executables. When the NOLOG option is given, a memory leak has been fixed. Further 
review of NOLOG found that SIGUSR1 commands were not having any effect when 
the NOLOG option was given.

On the TTY audit front, libauparse was updated to match the output of ausearch 
and new keystroke mappings were added.

Please let me know if you run across any problems with this release.

-Steve



