audit 2.3.2 released

Steve Grubb sgrubb at redhat.com
Mon Jul 29 22:14:15 UTC 2013


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- Put RefuseManualStop in the right systemd section (#969345)
- Add legacy restart scripts for systemd support
- Add more syscall argument interpretations
- Add 'unset' keyword for uid & gid values in auditctl
- In ausearch, parse obj in IPC records
- In ausearch, parse subj in DAEMON_ROTATE records
- Fix interpretation of MQ_OPEN and MQ_NOTIFY events
- In auditd, restart dispatcher on SIGHUP if it had previously exited
- In audispd, exit when no active plugins are detected on reconfigure
- In audispd, clear signal mask set by libev so that SIGHUP works again
- In audispd, track binary plugins and restart if binary was updated
- In audispd, make sure we send signals to the correct process
- In auditd, clear signal mask when spawning any child process
- In audispd, make builtin plugins respond to SIGHUP
- In auparse, interpret mode flags of open syscall if O_CREAT is passed
- In audisp-remote, don't make address lookup always a permanent failure
- In audisp-remote, remove EOE events more efficiently
- In auditd, log the reason when email account is not valid
- In audisp-remote, change default remote_ending action to reconnect
- Add support for Aarch64 processors

This release's main focus was some maintenance of the audispd program. It was 
found to not be working as intended due to some changes to signal masks in 
auditd a couple years ago.

Also in auditctl, you can now use 'unset' to mean a user id of 4294967295 or 
-1. This should look nicer as:

-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access

can now be:
-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F auid!=unset -k access

Some work was done in audisp-remote so that getaddrinfo failures are not 
permanent failures. Sometimes DNS lookup fails for various reasons. This makes 
it more forgiving. Also, the way that EOE (End of Event) records are stripped 
out was improved so that it should be more efficient time-wise.

It was found that ausearch couldn't match a couple of fields in IPC and DAEMON_ROTATE 
events. These were fixed. And lastly, initial support was created for 64 bit 
ARM processors.

Please let me know if you run across any problems with this release.

-Steve
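The 'unset' keyword shown above is only understood by auditctl 2.3.2 and later, so a rules file that uses it cannot be loaded by an older daemon. The following script is an added example, not code from the announcement or from the audit project: it rewrites existing rules from the numeric sentinel (4294967295 or -1) to 'unset', and checks the installed auditctl version before such rules are loaded. The sample rules are constructed, the rewrite is limited to auid comparisons, and the format of the `auditctl -v` output (last word is the version) is an assumption.

```shell
#!/bin/sh
# Added example (not code from the announcement or the audit project):
# migrate existing audit rules to the 'unset' keyword that audit 2.3.2
# introduced for auid comparisons against the "no login uid" sentinel.
# Rule lines are read on stdin and written to stdout; nothing is loaded
# into the kernel, so this can be run on a copy of audit.rules first.

# audit_supports_unset VERSION
# Returns 0 when VERSION is 2.3.2 or newer, i.e. auditctl understands
# 'unset'. Accepts "2.3.2" or a full "auditctl version 2.3.2" line
# (assumed format of `auditctl -v`; only the last word is used).
audit_supports_unset() {
    ver="${1##* }"
    oldifs=$IFS
    IFS=.
    set -f
    set -- $ver
    set +f
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # Pack MAJOR.MINOR.PATCH into one integer so a single compare suffices.
    [ $((maj * 10000 + min * 100 + pat)) -ge 20302 ]
}

# rewrite_auid_unset
# Filter: replace the numeric sentinel in auid comparisons with 'unset'.
# Only '-F auid=' and '-F auid!=' against 4294967295 or -1 are rewritten;
# every other field (auid>=500, arch, exit, keys) is left untouched, so a
# rule that never tested auid against the sentinel passes through as-is.
rewrite_auid_unset() {
    sed -E 's/-F[[:space:]]+auid(!=|=)(4294967295|-1)([[:space:]]|$)/-F auid\1unset\3/g'
}

# Constructed sample rules (not from a real system): the announcement's
# rule in its old spelling, the -1 spelling, and a watch with no auid test.
sample_rules='-a always,exit -F arch=b64 -S open -S openat -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S open -F auid!=-1 -k access32
-w /etc/passwd -p wa -k identity'

printf '%s\n' "$sample_rules" | rewrite_auid_unset

# Only hand 'unset' rules to a daemon that understands them.
if command -v auditctl >/dev/null 2>&1; then
    if audit_supports_unset "$(auditctl -v 2>/dev/null)"; then
        echo "auditctl accepts the 'unset' keyword"
    else
        echo "auditctl is older than 2.3.2; keep the numeric sentinel"
    fi
fi
```

Run it as `rewrite_auid_unset < /etc/audit/audit.rules > audit.rules.new` after sourcing the functions, diff the result, and only then let the version check decide whether the new file can replace the old one.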