* audit 2.7 released
@ 2016-12-16  3:22 Steve Grubb
From: Steve Grubb @ 2016-12-16  3:22 UTC
  To: Linux Audit

Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Remove config file permission checks in auparse
- Audisp-remote should detect normal socket close and mark remote_ended
- Allow auditctl to list rules if no capabilities but root euid
- In libaudit, use the last word of the syscall bit mask
- In auditd, write_logs option was not correctly handled (#1382397)
- In libaudit, allow filtering on new exclude filter fields (Richard Guy Briggs)
- In auditd, fix looping when checking active connections
- In auparse, the auparse_state_t pointer to keep escape_mode information
- In libaudit, add support for rules using sessionid (Richard Guy Briggs)
- Remove entry filter support
- Add auparse_destroy_ext function
- Improve ENRICHED logging format performance in auditd
- Fix regex rule file matching in augenrules (#1396792)
- Add numeric field/record accessors to auparse
- Fix auditd freeing in middle of reply buffer when nolog is used
- Switch auparse uid/gid cache to lru to limit growth
- Prevent ausearch from clobbering type field on loginuid search
- Add audit_get_session function to libaudit
- Add session and uid to most audit events
- Add auparse_classify code interface for subj, obj, action, results

The main goal of this update is to land the auparse_classify interface to 
auparse. This will unlock many new capabilities in subsequent releases of the 
2.7 series. If you are a programmer and do stuff with R or machine learning, 
let me know. This is aimed squarely at transforming data into knowledge.

Aside from that, this fixes remote logging and logging with the nolog and
write_logs = no options. It allows audit rules on the new exclude filter fields
and rules that use sessionid.

The entry filter support has been dropped. It was deprecated a couple years 
ago. There are performance enhancements and correctness fixes.

Please let me know if you run across any problems with this release.

-Steve
