audit daemon Changelog

New in audit daemon 2.4.3 (Jul 27, 2015)

  • Add python3 support for libaudit
  • Cleanup automake warnings
  • Add AuParser_search_add_timestamp_item_ex to python bindings
  • Add AuParser_get_type_name to python bindings
  • Correct processing of obj_gid in auditctl (Aleksander Zdyb)
  • Make plugin config file parsing more robust for long lines (#1235457)
  • Make auditctl status print lost field as unsigned number
  • Add interpretation mode for auditctl -s
  • Add python3 support to auparse library
  • Make --enable-zos-remote a build time configuration option (Clayton Shotwell)
  • Updates for cross compiling (Clayton Shotwell)
  • Add MAC_CHECK audit event type
  • Add libauparse pkgconfig file (Aleksander Zdyb)

New in audit daemon 2.4.1 (Jan 15, 2015)

  • Make python3 support easier
  • Add support for ppc64le (Tony Jones)
  • Add some translations for a1 of ioctl system calls
  • Add command & virtualization reports to aureport
  • Update aureport config report for new events
  • Add account modification summary report to aureport
  • Add GRP_MGMT and GRP_CHAUTHTOK event types
  • Correct aureport account change reports
  • Add integrity event report to aureport
  • Add config change summary report to aureport
  • Adjust some syslogging level settings in audispd
  • Improve parsing performance in everything
  • When ausearch outputs a line, use the previously parsed values (Burn Alting)
  • Improve searching and interpreting groups in events
  • Fully interpret the proctitle field in auparse
  • Correct libaudit and auditctl support for kernel features
  • Add support for backlog_time_wait setting via auditctl
  • Update syscall tables for the 3.18 kernel
  • Ignore DNS failure for email validation in auditd (#1138674)
  • Allow rotate as action for space_left and disk_full in auditd.conf
  • Correct login summary report of aureport
  • Auditctl syscalls can be comma separated list now
  • Update rules for new subsystems and capabilities

New in audit daemon 2.3.2 (Dec 13, 2013)

  • Put RefuseManualStop in the right systemd section (#969345)
  • Add legacy restart scripts for systemd support
  • Add more syscall argument interpretations
  • Add 'unset' keyword for uid & gid values in auditctl
  • In ausearch, parse obj in IPC records
  • In ausearch, parse subj in DAEMON_ROTATE records
  • Fix interpretation of MQ_OPEN and MQ_NOTIFY events
  • In auditd, restart dispatcher on SIGHUP if it had previously exited
  • In audispd, exit when no active plugins are detected on reconfigure
  • In audispd, clear signal mask set by libev so that SIGHUP works again
  • In audispd, track binary plugins and restart if binary was updated
  • In audispd, make sure we send signals to the correct process
  • In auditd, clear signal mask when spawning any child process
  • In audispd, make builtin plugins respond to SIGHUP
  • In auparse, interpret mode flags of open syscall if O_CREAT is passed
  • In audisp-remote, don't make address lookup always a permanent failure
  • In audisp-remote, remove EOE events more efficiently
  • In auditd, log the reason when email account is not valid
  • In audisp-remote, change default remote_ending action to reconnect
  • Add support for Aarch64 processors

New in audit daemon 2.2.1 (Mar 24, 2012)

  • Add more interpretations in auparse for syscall parameters
  • Add some interpretations to ausearch for syscall parameters
  • In ausearch/report and auparse, allocate extra space for node names
  • Update syscall tables for the 3.3.0 kernel
  • Update libev to 4.0.4
  • Reduce the size of some applications
  • In auditctl, check usage against euid rather than uid

New in audit daemon 2.1.1 (Apr 21, 2011)

  • When ausearch is interpreting, output "as is" if no = is found
  • Correct socket setup in remote logging
  • Adjusted a couple default settings for remote logging and init script
  • Audispd was not marking restarted plugins as active
  • Audisp-remote should keep a capability if local_port < 1024
  • When audispd restarts plugin, send event in its preferred format
  • In audisp-remote, make all I/O asynchronous
  • In audisp-remote, add sigusr1 handler to dump internal state
  • Fix autrace to use correct syscalls on s390 and s390x systems
  • Add shutdown syscall to remote logging teardowns
  • Correct autrace rule for 32-bit systems

New in audit daemon 2.1 (Mar 30, 2011)

  • Update auditctl man page for new field on user filter
  • Fix crash in aulast when auid is foreign to the system
  • Code cleanups
  • Add store and forward model to audispd-remote (Mirek Trmac)
  • Free memory on failed startups in audisp-prelude
  • Fix memory leak in aureport
  • Fix parsing state problem in libauparse
  • Improve the robustness of libaudit field encoding functions
  • Update capability tables
  • In auditd, make failure action config checking consistent
  • In auditd, check that NULL is not being passed to safe_exec
  • In audisp-remote, overflow_action wasn't suspending if that action was chosen
  • Update interpretations for virt events
  • Improve remote logging warning and error messages
  • Add interpretations for netfilter events

New in audit daemon 2.0.6 (Feb 8, 2011)

  • ausearch/report performance improvements
  • Synchronize all sample syscall rules to use action,list
  • If program name provided to audit_log_acct_message, escape it
  • Fix man page for the audit_encode_nv_string function (#647131)
  • If value is NULL, don't segfault (#647128)
  • Fix simple event parsing to not assume session id can't be last (Peng Haitao)
  • Add support for new mmap audit event type
  • Add ability for audispd syslog plugin to choose facility local0-7 (#593340)
  • Fix autrace to use correct syscalls on i386 systems (Peng Haitao)
  • On startup and reconfig, check for excess logs and unlink them
  • Add a couple missing parser debug messages
  • Fix error output resolving numeric address and update man page
  • Add netfilter event types
  • Fix spelling error in audit.rules man page (#667845)
  • Improve warning in auditctl regarding immutable mode (#654883)
  • Update syscall tables for the 2.6.37 kernel
  • In ausearch, allow searching for auid -1
  • Add queue overflow_action to audisp-remote to control queue overflows
  • Update sample rules for new syscalls and packages

New in audit daemon 2.0.5 (Sep 24, 2010)

  • A couple of fixes were made for 32-bit systems when using an inode field in rules.
  • Syscall table updates were made for recent kernels.
  • New events were added for service start/stop and virtualization.
  • The handling of the ignore directive in auditctl was fixed.

New in audit daemon 2.0.3 (Oct 19, 2009)

  • Many remote logging fixups were done, including a potential security problem if gssapi was enabled.

New in audit daemon 2.0.1 (Sep 29, 2009)

  • getloginuid was fixed for Python bindings.
  • The audispd af_unix plugin was disabled by default.
  • A bug in remote logging was fixed.
  • The init script was updated.
  • The man page was updated.

New in audit daemon 2.0 (Aug 12, 2009)

  • Remove system-config-audit
  • Get rid of () from userspace originating events
  • Removed old syscall rules API (not needed since 2.6.16)
  • Remove all use of the old rule structs from API
  • Fix uninitialized variable in auditd log rotation
  • Add libcap-ng support for audispd plugins
  • Removed ancient defines that are part of kernel 2.6.29 headers
  • Bump soname number for libaudit
  • In auditctl, deprecate the entry filter and move rules to exit filter
  • Parse integrity audit records in ausearch/report (Mimi Zohar)
  • Updated syscall table for 2.6.31 kernel
  • Remove support for the legacy negate syscall rule operator
  • In auditd reset syslog warnings if disk space becomes available

New in audit daemon 1.7.13 (Apr 22, 2009)

  • Disable libev asserts unless --with-debug passed to configure
  • Handle kernel 2.6.29's audit = 0 boot parameter better
  • Install audit.py file in arch specific python directory (Dan Walsh)
  • Fix problem with negative uids in audit rules on 32 bit systems
  • When file type is unknown, output octal for mode field (Miloslav Trmač)
  • Update tty keystroke interpretations (Miloslav Trmač)

New in audit daemon 1.7.12 (Feb 25, 2009)

  • A memory leak when the NOLOG log format was specified in auditd was fixed.
  • tcp_wrappers can now be enabled or disabled at runtime.
  • An internal queue was added to the remote logger to hold events when the remote server is down.
  • More key mappings were added to TTY audit reports.
  • Various other bugs were fixed.

New in audit daemon 1.7.11 (Jan 11, 2009)

  • This release fixes several bugs in remote logging.
  • auditd now leaves the old log writable if rotation fails.
  • On kernels with both 64-bit and 32-bit syscalls, auditctl will now warn if a syscall rule attempts to cover both and the 64/32-bit syscall numbers do not match.
  • A bug was fixed in the auparse library where it was not including single key fields in the audit records.

New in audit daemon 1.7.10 (Dec 14, 2008)

  • Serialization of records was fixed in ausearch.
  • Audit of TTY input is now fully supported.
  • aulast can now provide a search command to retrieve records of a particular login session.
  • The account modification report in aureport now shows the account that was modified.

New in audit daemon 1.7.9 (Nov 5, 2008)

  • Improved support for kernel audit system immutable mode.
  • A limit on restarts of crashed audispd plugins.
  • Improved handling of audit events from PAM.
  • Improved support for session association in ausearch.
  • This release introduces the aulast command, which is similar to the utmp-based "last" command.

New in audit daemon 1.7.8 (Oct 22, 2008)

  • TTY audit updates.
  • An update of capabilities interpretation.
  • Non-root search has been improved to not cause access problems.
  • A new exit code search option has been added to ausearch.
  • There are performance improvements for ausearch.
  • Config file parsing when GSSAPI support is disabled has been fixed.

New in audit daemon 1.7.7 (Sep 18, 2008)

  • This release fixes a tcp_wrappers bug, has improved GSSAPI support, and adds a new watched syscall option for the prelude plugin.

New in audit daemon 1.7.6 (Sep 12, 2008)

  • tcp_wrappers support for auditd.
  • The remote logging protocol has been made robust.
  • GSSAPI auth/encryption has been added to remote logging.
  • Syscall tables have been updated for the 2.6.27 kernel.
  • Connection/disconnection of remote clients.