audit 2.4.1 released

Steve Grubb sgrubb at redhat.com
Tue Oct 28 17:41:43 UTC 2014


I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Make python3 support easier
- Add support for ppc64le (Tony Jones)
- Add some translations for a1 of ioctl system calls
- Add command & virtualization reports to aureport
- Update aureport config report for new events
- Add account modification summary report to aureport
- Add GRP_MGMT and GRP_CHAUTHTOK event types
- Correct aureport account change reports
- Add integrity event report to aureport
- Add config change summary report to aureport
- Adjust some syslogging level settings in audispd
- Improve parsing performance in everything
- When ausearch outputs a line, use the previously parsed values (Burn Alting)
- Improve searching and interpreting groups in events
- Fully interpret the proctitle field in auparse
- Correct libaudit and auditctl support for kernel features
- Add support for backlog_time_wait setting via auditctl
- Update syscall tables for the 3.18 kernel
- Ignore DNS failure for email validation in auditd (#1138674)
- Allow rotate as action for space_left and disk_full in auditd.conf
- Correct login summary report of aureport
- Auditctl syscalls can be comma separated list now
- Update rules for new subsystems and capabilities

This is a large set of features and bug fixes. There are new reports, updates 
for new kernels, updates for a new platform, improvements to translations, and 
searching speed has been improved.

One new feature is that "rotate" can be set as an action for space_left, 
admin_space_left, or disk_full states. A typical use for this might be that 
you want as much stored in the logging partition as possible. When you hit a 
threshold, then it frees up space by rotating the logs.

Another change in this release is that now syscalls can be given as a comma 
separated list. By way of example, in the old stig rules, you have this:

-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr

now it can be:

-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr

All example rules were switched over to use this new representation. The 
upshot of this is that with the 2.4.1 release, you can now use 

auditctl -l > audit.in-kernel
diff -u /etc/audit/audit.rules  audit.in-kernel

to see the difference between what's expected to be in place and what is actually 
in place. One thing to note: auditctl outputs the syscalls from lowest number 
to highest. This means that you may need to use ausyscall occasionally to help 
figure out the order when switching over to this. Or, you can just use the 
auditctl listing to set the order.
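Since the ordering difference described above makes a plain diff noisy, here is an added example (not part of the audit project or of this announcement) that compares an audit.rules file against `auditctl -l` output after normalising each rule: all `-S` arguments, whether repeated (`-S a -S b`) or comma separated (`-S a,b`), are collected into one sorted set, so only real differences remain. The rule lines embedded in it are constructed samples.

```python
"""Compare expected audit rules with loaded ones, ignoring syscall order and
the old multi -S versus new comma-separated spelling. Added example code."""
import shlex

def canonical_rule(line):
    """Canonical, hashable form of one auditctl rule line, or None for
    blank lines, comments and control lines such as -D or -b."""
    toks = shlex.split(line, comments=True)
    if not toks or toks[0] not in ("-a", "-A", "-w"):
        return None
    syscalls, rest, i = set(), [], 0
    while i < len(toks):
        if toks[i] == "-S" and i + 1 < len(toks):
            # both "-S a -S b" and "-S a,b" end up in the same set
            syscalls.update(s for s in toks[i + 1].split(",") if s)
            i += 2
        else:
            rest.append(toks[i])
            i += 1
    if rest[0] in ("-a", "-A") and len(rest) > 1:
        # "-a exit,always" and "-a always,exit" mean the same thing
        rest[1] = ",".join(sorted(rest[1].split(",")))
    return (tuple(rest), tuple(sorted(syscalls)))

def diff_rules(expected_text, loaded_text):
    """Return (rules missing from the kernel, rules loaded but not expected)."""
    exp = {canonical_rule(l) for l in expected_text.splitlines()} - {None}
    got = {canonical_rule(l) for l in loaded_text.splitlines()} - {None}
    return sorted(exp - got), sorted(got - exp)

# Constructed sample: an audit.rules file still using the old -S spelling ...
EXPECTED = """\
# perm_mod rule in the pre-2.4.1 representation
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
"""
# ... and constructed 'auditctl -l' output in which the mount rule never loaded
LOADED = """\
-a always,exit -F arch=b64 -S lsetxattr,setxattr,fremovexattr,fsetxattr,lremovexattr,removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-w /etc/passwd -p wa -k identity
"""

if __name__ == "__main__":
    missing, extra = diff_rules(EXPECTED, LOADED)
    for rule, sc in missing:
        print("MISSING:", " ".join(rule), "-S", ",".join(sc))
    for rule, sc in extra:
        print("EXTRA:  ", " ".join(rule), "-S", ",".join(sc))
```

In practice you would feed it the real files, e.g. `diff_rules(open("/etc/audit/audit.rules").read(), open("audit.in-kernel").read())`.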

Please let me know if you run across any problems with this release.

-Steve



