From: Steve Grubb <sgrubb@redhat.com>
To: Linux Audit <linux-audit@redhat.com>
Subject: audit 2.7 released
Date: Thu, 15 Dec 2016 22:22:24 -0500
Message-ID: <2763711.lXAhFyIeRV@x2>

Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Remove config file permission checks in auparse
- Audisp-remote should detect normal socket close and mark remote_ended
- Allow auditctl to list rules if no capabilities but root euid
- In libaudit, use the last word of the syscall bit mask
- In auditd, write_logs option was not correctly handled (#1382397)
- In libaudit, allow filtering on new exclude filter fields (Richard Guy Briggs)
- In auditd, fix looping when checking active connections
- In auparse, the auparse_state_t pointer to keep escape_mode information
- In libaudit, add support for rules using sessionid (Richard Guy Briggs)
- Remove entry filter support
- Add auparse_destroy_ext function
- Improve ENRICHED logging format performance in auditd
- Fix regex rule file matching in augenrules (#1396792)
- Add numeric field/record accessors to auparse
- Fix auditd freeing in middle of reply buffer when nolog is used
- Switch auparse uid/gid cache to lru to limit growth
- Prevent ausearch from clobbering type field on loginuid search
- Add audit_get_session function to libaudit
- Add session and uid to most audit events
- Add auparse_classify code interface for subj, obj, action, results

The main goal of this update is to land the auparse_classify interface to 
auparse. This will unlock many new capabilities in subsequent releases of the 
2.7 series. If you are a programmer and do stuff with R or machine learning, 
let me know. This is aimed squarely at transforming data into knowledge.

Aside from that, this fixes remote logging, and logging with the nolog and 
write_logs = no options. It allows audit rules on the new exclude filter fields 
and rules that use sessionid.

The entry filter support has been dropped. It was deprecated a couple years 
ago. There are performance enhancements and correctness fixes.

Please let me know if you run across any problems with this release.

-Steve
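As an added illustration (not part of Steve's announcement and not a file shipped by the audit project), here is what the two rule capabilities named above and the write_logs setting look like in practice, written as they would appear in an augenrules-managed rules file and in auditd.conf. The session id, uid and record type are made-up example values, and the extra exclude-filter fields are assumed to need a kernel that accepts them (the libaudit change only permits them in the rule; the kernel has to honour them).

```text
# /etc/audit/rules.d/50-session.rules  (augenrules assembles rules.d/*.rules
# into /etc/audit/audit.rules; see the augenrules fix in this release)

# Record every execve issued from one particular login session.
# sessionid is the new rule field in 2.7; its value is the kernel session id
# that appears as ses= in existing records (12345 is a made-up value).
-a always,exit -F arch=b64 -S execve -F sessionid=12345 -k ses12345

# Exclude filter with a second field. Before this release the exclude list
# could only match on msgtype; combining it with auid drops the noisy record
# type for a single login uid instead of for everyone (auid=1000 is made up).
-a always,exclude -F msgtype=CRYPTO_KEY_USER -F auid=1000

# /etc/audit/auditd.conf (excerpt)
# Keep auditd running so events still reach audisp plugins such as
# audisp-remote, but write nothing to the local audit.log. This is the
# setting whose handling (#1382397) is fixed in 2.7.
write_logs = no
```

Load the rules with `augenrules --load` (or `auditctl -R`) and confirm they took effect with `auditctl -l`; with a root euid that listing now works even without capabilities, per the changelog. If the kernel rejects the exclude rule, it does not support the extra fields on that filter, and the rule should fall back to msgtype alone.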
