audit 2.3.7 released

Burn Alting burn at swtf.dyndns.org
Mon Jun 9 03:21:41 UTC 2014


Steve,

Please find a patch against 2.3.7 that, when checkpointing, ausearch
will only use the recorded event time in the checkpoint file when
deciding what complete events to display. Basically, it will display all
complete events found after the event time found in the checkpoint file.

Normally, one would use checkpointing in a periodic script that records
all 'new' audit events. Should certain errors occur, we need to recover
and continue to record 'new' audit events. This option allows us to do
a 'brute force' recovery by finding all events since the last recorded
time we have in the checkpoint file.

For example, the core of a periodic script may contain

  # Normal incremental run: ausearch resumes from the position recorded
  # in the checkpoint file and updates it on success.
  ausearch --checkpoint /usr/security/auditd_checkpoint.txt -i
  _aus=$?
  # Exit codes 10, 11 and 12 are the checkpoint-related failures. On any of
  # them, fall back to a brute-force run that trusts only the event time
  # stored in the checkpoint file (--checkpoint-time-only is the option
  # added by the attached patch).
  if test ${_aus} -eq 10 -o ${_aus} -eq 11 -o ${_aus} -eq 12
  then
    ausearch --checkpoint /usr/security/auditd_checkpoint.txt \
      --checkpoint-time-only -i
  fi


Rgds
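
The recovery rule described above, as an added example that is not part of the original post or of the audit project's own code: records in a Linux audit log carry an event id of the form audit(<secs>.<msecs>:<serial>), and all records sharing one id belong to one event. The code groups records into events, decides which events are complete, and then emits every complete event whose time is strictly later than the time taken from the checkpoint, ignoring everything else the checkpoint holds. The checkpoint line layout (a single "time=<secs>.<msecs>:<serial>" line), the completeness rule (an EOE record, or a newer event started after the event's last record), the comparison on seconds and milliseconds only, and the sample log are all assumptions made for this example.

```python
"""Emulation of 'time-only' checkpoint recovery over an audit log.

Added example; not code from the original post or the audit project.
Assumptions (not taken from the page): the checkpoint is a text block with a
'time=<secs>.<msecs>:<serial>' line; an event is complete if it has an EOE
record or a newer event starts after its last record; 'after the event time'
compares (secs, msecs) only, so events stamped in the same millisecond as the
checkpoint are not re-emitted.
"""
import re

# Event id embedded in every audit record: msg=audit(<secs>.<msecs>:<serial>)
EVENT_ID = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

# Constructed sample log (not real captured data). Event 203 has no EOE and
# nothing newer follows it, so it is still in flight.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1402283000.100:200): arch=c000003e syscall=2 success=yes exit=3
type=PATH msg=audit(1402283000.100:200): item=0 name="/etc/passwd"
type=EOE msg=audit(1402283000.100:200):
type=SYSCALL msg=audit(1402283100.250:201): arch=c000003e syscall=59 success=yes exit=0
type=EXECVE msg=audit(1402283100.250:201): argc=1 a0="ls"
type=EOE msg=audit(1402283100.250:201):
type=USER_LOGIN msg=audit(1402283200.300:202): pid=1 uid=0 res=success
type=SYSCALL msg=audit(1402283300.400:203): arch=c000003e syscall=2 success=no exit=-13
"""

# Constructed checkpoint in the assumed layout: the last event fully recorded
# by the previous periodic run.
SAMPLE_CHECKPOINT = "time=1402283000.100:200\n"


def parse_event_id(record):
    """Return (secs, msecs, serial) for a record, or None if it has no id."""
    m = EVENT_ID.search(record)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_checkpoint_time(text):
    """Extract only the event time from the (assumed) checkpoint layout."""
    for line in text.splitlines():
        if line.startswith("time="):
            secs, rest = line[len("time="):].split(".")
            msecs, serial = rest.split(":")
            return (int(secs), int(msecs), int(serial))
    raise ValueError("no time= line in checkpoint")


def complete_events(lines):
    """Group records by event id; return [(eid, records, is_complete)] in
    first-seen order. Completeness rule is this example's assumption."""
    recs = [ln.strip() for ln in lines if ln.strip()]
    ids = [parse_event_id(r) for r in recs]
    events, order, last_pos = {}, [], {}
    for pos, (rec, eid) in enumerate(zip(recs, ids)):
        if eid is None:
            continue
        if eid not in events:
            events[eid] = []
            order.append(eid)
        events[eid].append(rec)
        last_pos[eid] = pos
    result = []
    for eid in order:
        has_eoe = any(r.startswith("type=EOE ") for r in events[eid])
        newer_started = any(i is not None and i > eid
                            for i in ids[last_pos[eid] + 1:])
        result.append((eid, events[eid], has_eoe or newer_started))
    return result


def recover(log_text, checkpoint_text):
    """Brute-force recovery: every complete event strictly after the
    checkpoint's event time, regardless of inode/position bookkeeping."""
    cp_time = parse_checkpoint_time(checkpoint_text)
    out = []
    for eid, records, is_complete in complete_events(log_text.splitlines()):
        if is_complete and eid[:2] > cp_time[:2]:
            out.append((eid, records))
    return out


if __name__ == "__main__":
    for eid, records in recover(SAMPLE_LOG, SAMPLE_CHECKPOINT):
        print("event %d.%03d:%d, %d record(s)" % (eid[0], eid[1], eid[2], len(records)))
```

On the sample log this yields events 201 and 202 only: 200 is the checkpointed event itself, and 203 is withheld because it is not yet complete, which is the property the periodic script relies on to avoid emitting a half-written event and then never seeing its remaining records.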

On Wed, 2014-06-04 at 17:47 -0400, Steve Grubb wrote:
> Hello,
> 
> I've just released a new version of the audit daemon. It can be downloaded 
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
> soon. The ChangeLog is:
> 
> - Limit number of options in a rule in libaudit
> - Auditctl cannot load rule with lots of syscalls (#1089713)
> - In ausearch, fix checkpointing when inode is reused by new log (Burn Alting)
> - Add PROCTITLE and FEATURE_CHANGE event types
> 
> Normally I'd wait a little longer to do a release but a couple things made me 
> want to keep this one short. The PROCTITLE event is showing up on people's 
> systems now and we need to support it. The other big change is that people 
> writing rules with lots of syscalls were getting an error such that the rule 
> would not load. It took two fixes to get it squared away.
> 
> Please let me know if you run across any problems with this release
> 
> Thanks,
> -Steve
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-2.3.7_checkpoint_tonly.patch
Type: text/x-patch
Size: 6138 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140609/6eb7151f/attachment.bin>
