What's new in audit daemon 2.4.3
Jul 27, 2015
- Add python3 support for libaudit
- Cleanup automake warnings
- Add AuParser_search_add_timestamp_item_ex to python bindings
- Add AuParser_get_type_name to python bindings
- Correct processing of obj_gid in auditctl (Aleksander Zdyb)
- Make plugin config file parsing more robust for long lines (#1235457)
- Make auditctl status print lost field as unsigned number
- Add interpretation mode for auditctl -s
- Add python3 support to auparse library
- Make --enable-zos-remote a build time configuration option (Clayton Shotwell)
- Updates for cross compiling (Clayton Shotwell)
- Add MAC_CHECK audit event type
- Add libauparse pkgconfig file (Aleksander Zdyb)
New in audit daemon 2.4.1 (Jan 15, 2015)
- Make python3 support easier
- Add support for ppc64le (Tony Jones)
- Add some translations for a1 of ioctl system calls
- Add command & virtualization reports to aureport
- Update aureport config report for new events
- Add account modification summary report to aureport
- Add GRP_MGMT and GRP_CHAUTHTOK event types
- Correct aureport account change reports
- Add integrity event report to aureport
- Add config change summary report to aureport
- Adjust some syslogging level settings in audispd
- Improve parsing performance in everything
- When ausearch outputs a line, use the previously parsed values (Burn Alting)
- Improve searching and interpreting groups in events
- Fully interpret the proctitle field in auparse
- Correct libaudit and auditctl support for kernel features
- Add support for backlog_time_wait setting via auditctl
- Update syscall tables for the 3.18 kernel
- Ignore DNS failure for email validation in auditd (#1138674)
- Allow rotate as action for space_left and disk_full in auditd.conf
- Correct login summary report of aureport
- In auditctl, syscalls can now be given as a comma-separated list
- Update rules for new subsystems and capabilities
New in audit daemon 2.3.2 (Dec 13, 2013)
- Put RefuseManualStop in the right systemd section (#969345)
- Add legacy restart scripts for systemd support
- Add more syscall argument interpretations
- Add 'unset' keyword for uid & gid values in auditctl
- In ausearch, parse obj in IPC records
- In ausearch, parse subj in DAEMON_ROTATE records
- Fix interpretation of MQ_OPEN and MQ_NOTIFY events
- In auditd, restart dispatcher on SIGHUP if it had previously exited
- In audispd, exit when no active plugins are detected on reconfigure
- In audispd, clear signal mask set by libev so that SIGHUP works again
- In audispd, track binary plugins and restart if binary was updated
- In audispd, make sure we send signals to the correct process
- In auditd, clear signal mask when spawning any child process
- In audispd, make builtin plugins respond to SIGHUP
- In auparse, interpret mode flags of open syscall if O_CREAT is passed
- In audisp-remote, don't make address lookup always a permanent failure
- In audisp-remote, remove EOE events more efficiently
- In auditd, log the reason when email account is not valid
- In audisp-remote, change default remote_ending action to reconnect
- Add support for Aarch64 processors
New in audit daemon 2.2.1 (Mar 24, 2012)
- Add more interpretations in auparse for syscall parameters
- Add some interpretations to ausearch for syscall parameters
- In ausearch/report and auparse, allocate extra space for node names
- Update syscall tables for the 3.3.0 kernel
- Update libev to 4.0.4
- Reduce the size of some applications
- In auditctl, check usage against euid rather than uid
New in audit daemon 2.1.1 (Apr 21, 2011)
- When ausearch is interpreting, output "as is" if no = is found
- Correct socket setup in remote logging
- Adjusted a couple default settings for remote logging and init script
- Audispd was not marking restarted plugins as active
- Audisp-remote should keep a capability if local_port < 1024
- When audispd restarts plugin, send event in its preferred format
- In audisp-remote, make all I/O asynchronous
- In audisp-remote, add sigusr1 handler to dump internal state
- Fix autrace to use correct syscalls on s390 and s390x systems
- Add shutdown syscall to remote logging teardowns
- Correct autrace rule for 32-bit systems
New in audit daemon 2.1 (Mar 30, 2011)
- Update auditctl man page for new field on user filter
- Fix crash in aulast when auid is foreign to the system
- Code cleanups
- Add store and forward model to audispd-remote (Mirek Trmac)
- Free memory on failed startups in audisp-prelude
- Fix memory leak in aureport
- Fix parsing state problem in libauparse
- Improve the robustness of libaudit field encoding functions
- Update capability tables
- In auditd, make failure action config checking consistent
- In auditd, check that NULL is not being passed to safe_exec
- In audisp-remote, overflow_action wasn't suspending if that action was chosen
- Update interpretations for virt events
- Improve remote logging warning and error messages
- Add interpretations for netfilter events
New in audit daemon 2.0.6 (Feb 8, 2011)
- ausearch/report performance improvements
- Synchronize all sample syscall rules to use action,list
- If program name provided to audit_log_acct_message, escape it
- Fix man page for the audit_encode_nv_string function (#647131)
- If value is NULL, don't segfault (#647128)
- Fix simple event parsing to not assume session id can't be last (Peng Haitao)
- Add support for new mmap audit event type
- Add ability for audispd syslog plugin to choose facility local0-7 (#593340)
- Fix autrace to use correct syscalls on i386 systems (Peng Haitao)
- On startup and reconfig, check for excess logs and unlink them
- Add a couple missing parser debug messages
- Fix error output resolving numeric address and update man page
- Add netfilter event types
- Fix spelling error in audit.rules man page (#667845)
- Improve warning in auditctl regarding immutable mode (#654883)
- Update syscall tables for the 2.6.37 kernel
- In ausearch, allow searching for auid -1
- Add queue overflow_action to audisp-remote to control queue overflows
- Update sample rules for new syscalls and packages
New in audit daemon 2.0.5 (Sep 24, 2010)
- A couple of fixes were made for 32-bit systems when using an inode field in rules.
- Syscall table updates were made for recent kernels.
- New events were added for service start/stop and virtualization.
- The handling of the ignore directive in auditctl was fixed.
New in audit daemon 2.0.3 (Oct 19, 2009)
- Many remote logging fixups were done, including a potential security problem if gssapi was enabled.
New in audit daemon 2.0.1 (Sep 29, 2009)
- getloginuid was fixed for Python bindings.
- The audispd af_unix plugin was disabled by default.
- A bug in remote logging was fixed.
- The init script was updated.
- The man page was updated.
New in audit daemon 2.0 (Aug 12, 2009)
- Remove system-config-audit
- Get rid of () from userspace originating events
- Removed old syscall rules API (not needed since 2.6.16)
- Remove all use of the old rule structs from API
- Fix uninitialized variable in auditd log rotation
- Add libcap-ng support for audispd plugins
- Removed ancient defines that are part of kernel 2.6.29 headers
- Bump soname number for libaudit
- In auditctl, deprecate the entry filter and move rules to exit filter
- Parse integrity audit records in ausearch/report (Mimi Zohar)
- Updated syscall table for 2.6.31 kernel
- Remove support for the legacy negate syscall rule operator
- In auditd reset syslog warnings if disk space becomes available
New in audit daemon 1.7.13 (Apr 22, 2009)
- Disable libev asserts unless --with-debug passed to configure
- Handle kernel 2.6.29's audit=0 boot parameter better
- Install audit.py file in arch specific python directory (Dan Walsh)
- Fix problem with negative uids in audit rules on 32 bit systems
- When file type is unknown, output octal for mode field (Miloslav Trmač)
- Update tty keystroke interpretations (Miloslav Trmač)
New in audit daemon 1.7.12 (Feb 25, 2009)
- A memory leak when the NOLOG log format was specified in auditd was fixed.
- tcp_wrappers can now be enabled or disabled at runtime.
- An internal queue was added to the remote logger to hold events when the remote server is down.
- More key mappings were added to TTY audit reports.
- Various other bugs were fixed.
New in audit daemon 1.7.11 (Jan 11, 2009)
- This release fixes several bugs in remote logging. auditd now leaves the old log writable if rotation fails.
- On kernels with both 64-bit and 32-bit syscalls, auditctl will now warn if a syscall rule attempts to cover both and the 64/32-bit syscall numbers do not match.
- A bug was fixed in the auparse library where it was not including single key fields in the audit records.
New in audit daemon 1.7.10 (Dec 14, 2008)
- Serialization of records was fixed in ausearch.
- Audit of TTY input is now fully supported. aulast can now provide a search command to retrieve records of a particular login session.
- The account modification report in aureport now shows the account that was modified.
New in audit daemon 1.7.9 (Nov 5, 2008)
- Improved support for kernel audit system immutable mode.
- A limit on restarts of crashed audispd plugins. Improved handling of audit events from PAM.
- Improved support for session association in ausearch.
- This release introduces the aulast command, which is similar to the utmp-based "last" command.
New in audit daemon 1.7.8 (Oct 22, 2008)
- TTY audit updates.
- An update of capabilities interpretation.
- Non-root search has been improved to not cause access problems.
- A new exit code search option has been added to ausearch.
- There are performance improvements for ausearch.
- Config file parsing when GSSAPI support is disabled has been fixed.
New in audit daemon 1.7.7 (Sep 18, 2008)
- This release fixes a tcp_wrappers bug, has improved GSSAPI support, and adds a new watched syscall option for the prelude plugin.
New in audit daemon 1.7.6 (Sep 12, 2008)
- tcp_wrappers support for auditd.
- The remote logging protocol has been made robust.
- GSSAPI auth/encryption has been added to remote logging.
- Syscall tables have been updated for the 2.6.27 kernel.
- Connection/disconnection of remote clients.