audit 2.4 released

Steve Grubb sgrubb at redhat.com
Sun Aug 24 17:51:07 UTC 2014


I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Optionally parse loginuids, (e)uids, & (e)gids in ausearch/report
- In auvirt, anomaly events don't have uuid (#1111448)
- Fix category handling in various records (#1120286)
- Fix ausearch handling of session id on 32 bit systems
- Set systemd startup to wait until systemd-tmpfiles-setup.service (#1097314)
- Interpret a0 of socketcall and ipccall syscalls
- Add pkgconfig file for libaudit
- Add go language bindings for limited use of libaudit
- Fix ausearch handling of exit code on 32 bit systems
- Fix bug in aureport string linked list handling
- Document week-ago time setting in ausearch/report man page
- Update tables for 3.16 kernel
- In aulast, on bad logins only record user_login proof and use it
- Add libaudit API for kernel features
- If audit=0 on kernel cmnd line, skip systemd activation (Cristian Rodríguez)
- Add checkpoint --start option to ausearch (Burn Alting)
- Fix arch matching in ausearch
- Add --loginuid-immutable option to auditctl
- Fix memory leak in auditd when log_format is set to NOLOG
- Update auditctl to display features in the status command
- Add ausearch_add_timestamp_item_ex() to auparse

This release has a couple new capabilities added. We can now set the
loginuid-immutable feature with an auditctl command. The status listing
has been reformatted with one status item per line. At the end it lists the
features and their values. It turns out there is a bug in the Linux kernel
that sends the status back instead of the feature values. So, until that
gets fixed and everyone uses new kernels, auditctl will appear to list
the status items twice.

This release also adds a limited audit-libs binding for golang and a
package-config file for the audit libraries. This release also updates the
interpretation tables for the 3.16 kernel. And a new --start option was
added to ausearch for checkpointed files.

Besides that, there were quite a few bugs fixed.

Please let me know if you run across any problems with this release.

-Steve



