audit 2.6 released

Steve Grubb sgrubb at redhat.com
Wed Jun 22 22:00:01 UTC 2016 

Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Auditd support for enriched data: uid/gid, saddr splitting, arch, syscall
- Make all libraries and utilities support and use enriched events
- Define dispatcher protocol to version 2
- Standardize all saddr interpretations in auparse
- Fix another DST bug in ausearch time conversion (#1334772)
- In autrace, if rule count loop times out don't assume 0 rules (#1344268)
- In auditd, check space left a little more often (#1345854)

This release of the audit package contains among other things a major new 
piece of functionality. The audit daemon can now enrich events with 
interpretation information at the time that the event is logged. This means 
that if a user account is deleted, the uid can still be resolved to what it 
was at the time of the event.

In terms of central log aggregation, this means that aggregated logs can have 
the uid mapping of the remote machine for interpretations. To enable this 
functionality, you would want to edit the log_format setting in auditd.conf 
and set it to ENRICHED. Restart the audit daemon and that's all there is to 
it.

When the enriched logging format is active, the event is completely formatted 
in the audit daemon and passed to audispd.  This means that you do not need to 
also set name_format in audispd.conf if you set it in auditd.conf.

If you write audispd plugins that want format set to binary, then you need to 
be aware that enriched events are set with version set to AUDISP_PROTOCOL_VER2 
to signify that the raw event is different and you might need to change what 
you are doing. If the plugin uses string, then feed the event to auparse like 
always and auparse will know what to do with it.

There is a change in interpretation for sockaddr fields. Now all the 
information about the source and destination are available.

There were three bug fixes.

Please let me know if you run across any problems with this release.

-Steve

More information about the Linux-audit mailing list