audit 2.3.1 released

Steve Grubb sgrubb at redhat.com
Thu May 30 16:19:03 UTC 2013


Hi,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
soon. The ChangeLog is:

- Rearrange auditd setting enabled and pid to avoid a race (#910568)
- Interpret the ocomm field from OBJ_PID records 
- Fix missing 'then' statement in sysvinit script
- Switch ausearch to use libauparse for interpreting fields
- In libauparse, interpret prctl arg0, sched_setscheduler arg1
- In auparse, check source_list isn't NULL when opening next file (Liequan Che)
- In libauparse, interpret send* flags argument
- In libauparse, interpret level and name options for set/getsockopt
- In ausearch/report, don't flush events until last file (Burn Alting)
- Don't use systemctl to stop the audit daemon

The main feature in this release is switching ausearch over to the auparse 
library for interpretations. This allows for better interpretation of syscall 
arguments and since the output is visible, auparse's interpretations have been 
aligned with the old ausearch output.

There is one item to note, though, for systemd based machines. The way that
systemctl works when a user asks it to stop the audit daemon is that it sends
a D-Bus message to systemd. systemd then sends a SIGTERM signal to auditd.
Auditd then asks the kernel who sent it because we must record that for Common
Criteria. Under systemd we get -1, which is unset, for the auid. This scenario
differs from the sysvinit style where you run the service command and the auid
of the admin is recorded because a process in the admin's context sends the
signal.

This update adds a configuration option where systemd is told to refuse to send 
a stop signal by the admin. Instead, a script was added to the service 
command's legacy support area. The audit daemon should be controlled by the 
service command just like before systemd.

Please let me know if you run across any problems with this release.

-Steve
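The following is an added example, not part of Steve's announcement and not code from the audit project, that shows the mechanism behind the systemd note above: a daemon installs a SA_SIGINFO handler, takes the sender's pid from si_pid, and reads the sender's login uid from /proc/<pid>/loginuid. The kernel reports an unset auid as 4294967295, i.e. (uid_t)-1, which is what a SIGTERM originating from systemd (pid 1, started at boot with no login session) yields, whereas a signal sent from an admin's shell carries that admin's auid. The self-sent SIGTERM in main() and the helper names (parse_loginuid, classify_loginuid, read_loginuid) are constructed for this demonstration.

```c
/* Added example: identify who sent SIGTERM and whether their audit uid is set.
 * Not part of the audit project; helper names are constructed for the demo. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define AUID_UNSET ((uid_t)-1)   /* kernel writes this as 4294967295 */

/* Filled in by the signal handler, read by main() once the signal has landed. */
static volatile sig_atomic_t got_term = 0;
static volatile pid_t sender_pid = 0;
static volatile uid_t sender_uid = 0;

/* Parse the text of /proc/<pid>/loginuid (a decimal number plus newline).
 * Returns 0 and stores the value on success, -1 on a malformed value. */
int parse_loginuid(const char *text, uid_t *auid)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(text, &end, 10);
    if (end == text || errno != 0 || v > 4294967295ULL)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0')
        return -1;
    *auid = (uid_t)v;
    return 0;
}

/* 1 if the auid is unset (no login session, e.g. systemd),
 * 0 if it belongs to a logged-in user, -1 if the text is malformed. */
int classify_loginuid(const char *text)
{
    uid_t auid;
    if (parse_loginuid(text, &auid) != 0)
        return -1;
    return auid == AUID_UNSET ? 1 : 0;
}

/* Read /proc/<pid>/loginuid for a given pid. Returns 0 on success,
 * -1 if the file cannot be read (non-Linux kernel, or no /proc). */
int read_loginuid(pid_t pid, uid_t *auid)
{
    char path[64], buf[32];
    snprintf(path, sizeof path, "/proc/%d/loginuid", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, sizeof buf, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_loginuid(buf, auid);
}

/* SA_SIGINFO handler: record the sender's pid and real uid. */
static void on_term(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    sender_pid = si->si_pid;
    sender_uid = si->si_uid;
    got_term = 1;
}

int main(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_term;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGTERM, &sa, NULL);

    /* Signal ourselves so the handler runs; a daemon would receive this
     * from systemd or from an admin's shell instead. Delivery to a
     * single-threaded sender completes before kill() returns. */
    kill(getpid(), SIGTERM);
    if (!got_term) {
        fprintf(stderr, "signal was not delivered\n");
        return 1;
    }
    printf("SIGTERM from pid %d (real uid %u)\n", (int)sender_pid, (unsigned)sender_uid);

    uid_t auid;
    if (read_loginuid(sender_pid, &auid) == 0)
        printf("sender auid: %s\n", auid == AUID_UNSET ? "unset (-1)" : "set");
    else
        printf("sender auid: unavailable (/proc/<pid>/loginuid not readable)\n");
    return 0;
}
```

Run it from an interactive login and the sender auid is reported as set; run it as a service started by init (or read the loginuid of pid 1) and it reports unset, which is exactly the gap the post describes. The unit-file directive that makes systemd reject an admin's stop request, so that the stop goes through a script run in the admin's own context instead, is RefuseManualStop=yes; that is a general systemd setting and is my reading of the fix, not a name taken from the post.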