audit 2.7.1 released

Steve Grubb sgrubb at redhat.com
Fri Jan 13 16:53:23 UTC 2017


Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- In auparse_classify, handle simple SYSCALL events
- In auparse_classify, correct identification of execve object
- In auparse, load interpretations when auparse_find_field_next changes record
- In auparse_classify, collect some new object data on some syscalls
- In auparse_classify, make sure session is cleared on each new event
- In ausearch, only add the separator for enriched events (#1406328)
- In auparse_classify, add more syscalls to action map
- In auparse_classify, fix mode conversion so file object classification works
- Do not let libev process SIGCHLD
- In auditd, install temporary SIGCHLD handler until libev starts
- Fix signal handling in audispd so that it responds faster
- In auditd, fix descriptor setup when initializing the dispatcher
- In auparse_classify, only collect syscall subj attributes when asked
- Add auparse_classify_key function to auparse
- In auparse_classify, handle more common interpreters
- Add support in auditctl to reset the lost record counter

The main goal of this update is to cleanup the auparse_classify interface to 
auparse. It should now be in good shape. I will be explaining what this is for 
and how it can be used in the near future.

Aside from this, a bug was fixed in the descriptor handling when starting audispd. 
If anyone has their own dispatcher, you might want to carefully test before 
moving to this release. Another bug was fixed in how audispd responds to 
signals. Shutdown and reconfigure should be much faster now.

The one other feature in this release is the addition of a new auditctl 
command, --reset-lost. If you run auditctl -s, it reports how many lost records 
have occurred. If you'd like to track this on a daily basis, you can now issue 
the --reset-lost command and, if the kernel supports this, it will reset the 
number to 0.

Please let me know if you run across any problems with this release.

-Steve
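The daily tracking workflow described in the announcement (read the lost counter from `auditctl -s`, record it, then zero it with `auditctl --reset-lost`), as an added example script that is not part of the audit project or of Steve's post. It assumes that `auditctl -s` prints the counter as a line of the form `lost N`; the sample status text, the log path `/var/log/audit-lost.log` and the function names are constructed for illustration. The real commands need root and a kernel that supports the reset; without them the script falls back to the constructed sample so it can be dry-run anywhere.

```shell
#!/bin/sh
# Added example (not from the audit project): record the kernel's lost-record
# counter once a day, then reset it so the next day's reading starts from 0.

# Constructed sample of `auditctl -s` output (assumed format: "lost N" line),
# used for dry runs when auditctl is unavailable or we are not root.
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 42
backlog 0
loginuid_immutable 0 unlocked'

# Read status text on stdin and print the integer after "lost".
# Exits 1 if no "lost" line is present, so callers never log garbage.
parse_lost() {
    awk '$1 == "lost" { print $2; found = 1 } END { if (!found) exit 1 }'
}

# $1 = status text, $2 = log file. Appends a UTC-timestamped line such as
# "2017-01-13T16:53:23Z lost=42" to the log and prints the count on stdout.
# Returns 2 when the status text could not be parsed.
record_lost() {
    lost=$(printf '%s\n' "$1" | parse_lost) || return 2
    printf '%s lost=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$lost" >> "$2"
    printf '%s\n' "$lost"
}

# Daily driver. $1 = log file (default /var/log/audit-lost.log, an assumed path).
# Uses the live counter only as root with auditctl present; the counter is reset
# only after it has been recorded, so a failed write never loses a day's number.
daily_lost_check() {
    log=${1:-/var/log/audit-lost.log}
    live=0
    if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        status=$(auditctl -s) || return 1
        live=1
    else
        status=$SAMPLE_STATUS
    fi
    lost=$(record_lost "$status" "$log") || return 2
    echo "lost records since last reset: $lost"
    if [ "$live" -eq 1 ]; then
        # Requires kernel support for resetting the counter (see release notes).
        auditctl --reset-lost
    fi
}

# Invoke as:  sh audit-lost.sh run [logfile]   (e.g. from a daily cron job)
if [ "${1:-}" = "run" ]; then
    daily_lost_check "${2:-}"
fi
```

Because `record_lost` only prints the count after the log write succeeded, and `daily_lost_check` only calls `--reset-lost` after `record_lost` returned, a full disk or an unwritable log leaves the kernel counter untouched and the number is picked up again on the next run.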