audit 2.5.2 released

Steve Grubb sgrubb at redhat.com
Fri Apr 29 16:57:32 UTC 2016


Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Fix memory leak caused by unneeded reference in auparse python bindings
- Revise function hiding technique to better protect audit ABI
- Interpret old-auid, exit syscall parameters
- Create local_events config option to auditd
- Create write_logs option for auditd and deprecate NOLOG log_format option

This release is mostly to get an updated auparse library in circulation that 
does not have the memory leak in the get_timestamp function. Offhand I don't 
know of any problems besides the one bug report. The bug has been there for 
about 8 years with no other reports so it might not affect much. But, I'd 
rather be safe than sorry. 

The other thing that people should be aware of is two new auditd configuration 
options. In the last release there was an unannounced command line config 
option to auditd, -a. This enabled an aggregate only mode. I decided long term 
it might be better as an auditd.conf option. It's now the local_events option. 
The default is "yes". If it's set to "no", then it only logs daemon and 
network originating events. This allows the audit daemon to be put into a 
container for the sole purpose of aggregating events from other systems.

The other new auditd.conf config option is write_logs. In working on the audit 
event enrichment option, I found that we need to decouple an overused idiom in 
the log_format option. There was a NOLOG option there that decides if we want 
to write events to disk. But it turns out that we might not want to write 
events to disk but we do want to enrich events for the plugins or remote 
logging. That presents a conflict where we need to separate them. If you 
currently have log_format = NOLOG, then you should now set write_logs = no. You 
can then put log_format = raw and it won't do any harm. For the time being, a 
NOLOG log_format setting will override write_logs to "no" so that it's 
backwards compatible.
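As an added example (not part of this announcement or the audit project's own code), a POSIX shell script that performs the NOLOG to write_logs migration described above and reads back the effective write_logs, log_format and local_events settings; the auditd.conf fragment it rewrites is constructed for the demonstration.

```shell
# Added example, not part of the announcement: migrate an auditd.conf that
# still uses the deprecated "log_format = NOLOG" idiom to the 2.5.2
# "write_logs = no" option. The sample config below is constructed.

# Print the effective value of a key (last occurrence wins, key match is
# case-insensitive, whitespace around '=' is ignored) or the given default.
conf_get() {
    _val=$(awk -v k="$2" -F= '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        $0 !~ /^[ \t]*#/ && NF >= 2 {
            if (tolower(trim($1)) == tolower(k)) v = trim($2)
        }
        END { print v }' "$1")
    printf '%s\n' "${_val:-$3}"
}

# Rewrite "log_format = NOLOG" as "log_format = raw" plus "write_logs = no".
# Prints "migrated" when the file was changed, "unchanged" otherwise.
migrate_nolog() {
    _fmt=$(conf_get "$1" log_format raw | tr '[:upper:]' '[:lower:]')
    if [ "$_fmt" != nolog ]; then
        echo unchanged; return 0
    fi
    # Any pre-existing write_logs line is dropped so the appended one wins.
    awk -F= '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        $0 !~ /^[ \t]*#/ && NF >= 2 {
            k = tolower(trim($1))
            if (k == "log_format" && tolower(trim($2)) == "nolog") {
                print "log_format = raw"; next
            }
            if (k == "write_logs") next
        }
        { print }
        END { print "write_logs = no" }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo migrated
}

# Constructed pre-2.5.2 style config fragment for the demonstration.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample auditd.conf, not a real system file
log_file = /var/log/audit/audit.log
log_format = NOLOG
EOF
migrate_nolog "$SAMPLE"                 # migrated
conf_get "$SAMPLE" write_logs yes       # no
conf_get "$SAMPLE" log_format raw       # raw
conf_get "$SAMPLE" local_events yes     # yes: local events are still logged
rm -f "$SAMPLE"
```

Because 2.5.2 still lets a NOLOG log_format override write_logs, the rewrite to raw is what makes the new option take effect on its own.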

Please let me know if you run across any problems with this release.

-Steve
