audit 2.3.5 released
Steve Grubb
sgrubb at redhat.com
Mon Mar 17 22:28:52 UTC 2014
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- In CRYPTO_KEY_USER events, do not interpret the 'fp' field
- Change formatting of rules listing in auditctl to look like audit.rules
- Change auditctl to do all netlink comm and then print rules
- Add a debug option to ausearch to find skipped events
- Parse subject, auid, and ses in LOGIN events (3.14 kernel changed format)
- In auditd, when shifting logs, ignore the num_logs setting (#950158)
- Allow passing a directory as the input file for ausearch/report (LC Bruzenak)
- Interpret syscall fields in SECCOMP events
- Increase a couple buffers to handle longer input
This release cleans up parsing and interpreting a couple events. There is now
a --debug option to ausearch which will output to stderr any events that
ausearch cannot parse correctly. If anyone finds events using this option, I'd
really like to hear about it.
A big change in this release is that listing rules with auditctl now formats
the output to look like audit.rules.
One other feature to call out is that when aureport/search is passed a file
using the -if option, you can now pass a directory which will allow searching
multiple files. The files still need to have the same numbering scheme that is
currently expected. Thanks goes to Lenny Bruzenak for this.
Please let me know if you run across any problems with this release.
-Steve
More information about the Linux-audit
mailing list