2.0.4 - Make alpha processor support optional - Add support for the arm eabi processor - add a compatible regexp processing capability to auparse (Miloslav Trmač) - Fix regression in parsing user space originating records in aureport - Add tcp_max_per_addr option in auditd.conf to limit concurrent connections - Rearrange shutdown of auditd to allow DAEMON_END event more time 2.0.3 - In auditd, tell libev to stop processing a connection when idle timeout - In auditd, tell libev to stop processing a connection when shutting down - Interpret CAPSET records in ausearch/auparse 2.0.2 - If audisp-remote plugin has a queue at exit, use non-zero exit code - Fix autrace to use the exit filter - In audisp-remote, add a sigchld handler - In auditd, check for duplicate remote connections before accepting - Remove trailing ':' if any are at the end of acct fields in ausearch - Update remote logging code to do better sanity check of data - Fix audisp-prelude to prefer files if multiple path records are encountered - Add libaudit.conf man page - In auditd, disconnect idle clients 2.0.1 - Aulast now reads daemon_start events for the kernel version of reboot - Clarify the man pages for ausearch/report regarding locale and date formats - Fix getloginuid for python bindings - Disable the audispd af_unix plugin by default - Add a couple new init script actions for LSB 3.2 - In audisp-remote plugin, timeout network reads (#514090) - Make some error logging in audisp-remote plugin more prominent - Add audit.rules man page - Interpret the session field in audit events 2.0 - Remove system-config-audit - Get rid of () from userspace originating events - Removed old syscall rules API - not needed since 2.6.16 - Remove all use of the old rule structs from API - Fix uninitialized variable in auditd log rotation - Add libcap-ng support for audispd plugins - Removed ancient defines that are part of kernel 2.6.29 headers - Bump soname number for libaudit - In auditctl, deprecate the entry filter and move rules to exit filter - Parse integrity audit records in ausearch/report (Mimi Zohar) - Updated syscall table for 2.6.31 kernel - Remove support for the legacy negate syscall rule operator - In auditd reset syslog warnings if disk space becomes available 1.8 - In auditctl rules allow a0-a3 to be negative numbers - Add partial support for IMA integrity auditing - In s-c-audit, fix error handling with audit-1.7.12 and later - In s-c-audit, fix saving space_left_action - In s-c-audit, include many new translations - Aureport and ausearch do not need to stat the dispatcher - Make auparse handle empty AUSOURCE_FILE_ARRAY correctly (Miloslav Trmač) - Allow ausearch/report to specify multiple node names (Lenny Bruzenak) 1.7.13 - Disable libev asserts unless --with-debug passed to configure - Handle kernel 2.6.29's audit = 0 boot parameter better - Install audit.py file in arch specific python directory (Dan Walsh) - Fix problem with negative uids in audit rules on 32 bit systems - When file type is unknown, output octal for mode field (Miloslav Trmač) - Update tty keystroke interpretations (Miloslav Trmač) 1.7.12 - Add definitions for crypto events - Fix regression where msgtype couldn't be used as a range in audit rules - In libaudit, extend time spent checking reply - In acct events, prefer id over acct if given - In aulast, try id and acct in USER_LOGIN events - When in immutable mode, have auditctl tell user instead of sending rules - Add option to sysconfig to disable audit system on auditd stop - Add tcp_wrappers config option to auditd - Aulastlog can now take input from stdin - Update libaudit python bindings to throw exceptions on error - Adjust formatting of TTY data in libauparse to be like ausearch/report - Add more key mappings to TTY interpretations - Add internal queue to audisp-remote - Fix failure action code to allow executables in audisp-remote (Chu Li) - Fix memory leak when NOLOG log_format option given to auditd - Quieten some of the reconnect text being sent to syslog in audisp-remote - Apply some libev fixups to auditd - Cleanup shutdown sequence of auditd - Allow auditd log rotation via SIGUSR1 when NOLOG log format option given 1.7.11 - Don't error out in auditd when calling setsid - Reformat a couple auditd error messages (Oden Eriksson) - If log rotate fails, leave the old log writable - Fixed bug in setting up auditd event loop when listening - Warn if on biarch machine and auditctl rules show a syscall mismatch - Audisp-remote was not parsing some config options correctly - In auparse, check for single key in addition to virtual keys - When auditd shuts down, send AUDIT_RMW_TYPE_ENDING messages to clients - Updated sample plugin code to use auparse - Created reconnect option to remote ending setting of audisp-remote 1.7.10 - Fix ausearch and aureport to handle out of order events - Add line-buffer option to ausearch & timeout pipe input (Tony Jones) - Add support in ausearch/report for tty data - Add interpretations for epoll_ctl, lseek, and sigaction to libauparse - In audisp-remote, allow the keyword "any" for local_port - Man page updates - Don't consider 0x7F to be a printable character - Tighten parsing for -m and -w options in auditctl - Add session query hint for aulast proof - Fix audisp-remote to tolerate krb5 config options when not supported - Created new aureport option for tty keystroke report - audispd should detect backup config files and not use them - When checking for ack in netlink interface, retry on EAGAIN a few times - Trim a trailing whitespace from audit event written to disk - In aureport, fix mods report to show acct acted upon 1.7.9 - Fix uninitialized variable in aureport causing segfault - Quieten down the gssapi not supported messages - Fix bug interpretting i386 logs on x86_64 machines - If kernel is in immutable mode, auditd should not send enable command - Fix ausearch/report recent and now time keyword lookups - If hostname is empty string when logging, make it NULL - Starting adding unit tests to src/test - Created aulast program - prelude plugin should pull auid for login alert from 2nd uid field - Add system boot, shutdown, and run level change events - Update audisp-prelude LDFLAGS - Add max_restarts to audispd.conf to limit times a plugin is restarted - Expand session detection in ausearch 1.7.8 - Fix strict aliasing compiler warnings - Interpret TTY audit data in auparse (Miloslav Trmač) - Extract terminal from USER_AVC events for ausearch/report (Peng Haitao) - Makefile cleanup (Philipp Hahn) - Add USER_AVCs to aureport's avc reporting (Peng Haitao) - Get auparse test suites working better - When apps started by audispd die, restart them if their type is always - Short circuit hostname resolution in libaudit if host is empty - Remove selinux policy for zos-remote - Update libauparse capabilities table - If log_group and user are not root, don't check dispatcher perms - Fix a bug when executing "ausearch -te today PM" - Add --exit search option to ausearch - Delete root user tests in auparse/test dir - Improve performance of ausearch/report and drop dead code - More code cleanups - Fix parsing config file when kerberos is disabled - Add new kernel capability event record types 1.7.7 - Bug fixes for gss code in remote logging (DJ Delorie) - Fix ausearch -i to keep the node field in the output - ausyscall now does strstr match on syscall names - Makefile cleanup (Philipp Hahn) - Add watched syscall support to audisp-prelude - Use the right define for tcp_wrappers in auditd - Expose encoding API for fields being logged from user space 1.7.6 - Update event record list and aureport classifications (Yu Zhiguo/Peng Haitao) - Add subject to audit daemon events (Chu Li) - Fix parsing of acct & exe fields in user records (Peng Haitao) - Make client error handling in audisp-remote robust (DJ Delorie) - Do not list syscalls for rules on the exclude filter (Yu Zhiguo) - Add tcp_wrappers support for auditd - Updated syscall tables for 2.6.27 kernel - Add heartbeat exchange to remote logging protocol (DJ Delorie) - Apply man page update (Philipp Hahn) - Audit connect/disconnect of remote clients - In ausearch, collect pid from AVC records (Peng Haitao) - Add auparse_get_field_type function to describe field's contents - Add GSS/Kerberos encryption to the remote protocol (DJ Delorie) 1.7.5 - Update system-config-audit to 0.4.8 (Miloslav Trmac) - Don't free const fcntl strings in auparse (Miloslav Trmac) - Fix priority_boost_parse and freq_parse functions INT_MAX compares (Chu Li) - Fix parsing in ausearch user records for acct field (Peng Haitao) - Allow only 1 add or delete operation per auditctl rule (Yu Zhiguo) - Delay freeing file path in auditd-config.c and audispd-pconfig.c (wangf) - Update IDMEF node classifications - Apply cleanup of auditctl.c main(). (Yu Zhiguo) - Fix parsing of exec options to some auditd actions (Chu Li) - Correct permission test on dispatcher and exe name (Chu Li) - Disallow using exit field on the entry filter (Zhang Xiliang) - Correct the calculation of nlmsg_len (Yu Zhiguo) - Fix parsing of CONFIG_CHANGE events so that search on keys work (Peng Haitao) - Fix parsing of filter,action in auditctl - Fix format string of audit status in auditctl (Yu Zhiguo) - Better checking of field & filter combinations (Zhang Xiliang) - Call prelude_deinit when shutting down prelude plugin - Make sure value is given after the operator in auditctl rules (Zhang Xiliang) - Error when rule require numeric value and one is not given (Zhang Xiliang) - Remove unnecessary base name code (Chu Li) - Cleanup checking of field name & operator (Zhang Xiliang) - Add audit_number_to_errmsg() function for error strings (Zhang Xiliang) - Reimplement auditd main loop using libev (DJ Delorie) - Update unknown uid/gid messages in audit rule parsing (Cai Xianchao) - Don't allow negative uid/gid in audtictl rules (Cai Xianchao) - Add TCP listener and managed remote protocol features (DJ Delorie) - Allow config_change audit records with no auid to parse in ausearch/report - Attempt to solve scheduler issue where queues overflow - Strip the newline off events converted to string in audispd 1.7.4 - Fix interpreting of keys in syscall records - Interpret audit rule config change list fields - Don't error on name=(null) PATH records in ausearch/report - Add key report to aureport - Fix --end today to be now - Added python bindings for auparse_goto_record_num - Update system-config-audit to 0.4.7 (Miloslav Trmac) - Add support for the filetype field option in auditctl - In audispd boost priority after starting children 1.7.3 - Fix path processing in AVC records. - auparse_find_field_next() wasn't resetting field ptr going to next record. - auparse_find_field() wasn't checking current field before iterating - cleanup some string handling in audisp-prelude plugin - Update auditctl man page - Fix output of keys in ausearch interpretted mode - Fix ausearch/report --start now to not be reset to midnight - Added auparse_goto_record_num function - Prelude plugin now uses auparse_goto_record_num to avoid skipping a record - audispd now has a priority boost config option - Look for laddr in avcs reported via prelude - Detect page 0 mmaps and alert via prelude 1.7.2 - gen_table.c now includes IPC defines to avoid kernel headers wild goose chase - ausyscall program added for cross referencing syscall name and number info - Add login session ID search capability to ausearch 1.7.1 - Remove LSB headers info for init scripts - Fix buffer overflow in audit_log_user_command, again (#438840) - Fix memory leak in EOE code in auditd (#440075) - In auditctl, don't use new operators in legacy rule format - Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac) - Add example STIG rules file - Add string table lookup performance improvement patch (Miloslav Trmac) - auparse_find_field_next performance improvement 1.7 - Improve input error handling in audispd - Improve end of event detection in auparse library - Improve handling of abstract namespaces - Add test mode for prelude plugin - Handle user space avcs in prelude plugin - Audit event serial number now recorded in idmef alert - Add --just-one option to ausearch - Fix watched account login detection for some failed login attempts - Couple fixups in audit logging functions (Miloslav Trmac) - Add support in auditctl for virtual keys - Added new type for user space MAC policy load events - auparse_find_field_next was not iterating correctly, fixed it - Add idmef alerts for access or execution of watched file - Fix buffer overflow in audit_log_user_command - Add basic remote logging plugin - only sends & no flow control - Update ausearch with interpret fixes from auparse 1.6.9 - Apply hidden attribute cleanup patch (Miloslav Trmac) - Apply auparse expression interface patch (Miloslav Trmac) - Fix potential memleak in audit event dispatcher - Change default audispd queue depth to 80 - Update system-config-audit to version 0.4.6 (Miloslav Trmac) - audisp-prelude alerts now controlled by config file - Updated syscall table for 2.6.25 kernel - Apply patch correcting acct field being misencoded (Miloslav Trmac) - Added watched account login detection for prelude plugin 1.6.8 - Update for gcc 4.3 - Cleanup descriptors in audispd before running plugin - Fix 'recent' keyword for aureport/search - Fix SE Linux policy for zos_remote plugin - Add event type for group password authentication attempts - Couple of updates to the translation tables - Add detection of failed group authentication to audisp-prelude 1.6.7 - In ausearch/report, prefer -if to stdin - In ausearch/report, add new command line option --input-logs (#428860) - Updated audisp-prelude based on feedback from prelude-devel - Added prelude alert for promiscuous socket being opened - Added prelude alert for SE Linux policy enforcement changes - Added prelude alerts for Forbidden Login Locations and Time - Applied patch to auparse fixing error handling of searching by interpreted value (Miloslav Trmac) 1.6.6 - Add prelude IDS plugin for IDMEF alerts - Add --user option to aulastlog command - Spec file cleanups 1.6.5 - Add more errno strings - Fix config parser to allow either 0640 or 0600 for audit logs (#427062) - Check for audit log being writable by owner in auditd - If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639) - Updated CAPP, LSPP, and NISPOM rules for new capabilities - Added aulastlog utility 1.6.4 - fchmod of log file was on wrong variable (#426934) - Allow use of errno strings for exit codes in audit rules 1.6.3 - Add kernel release string to DEAMON_START events - Log warning if audit event from kernel is too big - Fix keep_logs when num_logs option disabled (#325561) - Auditd commandline option to decide whether to enable kernel auditing on startup (Tony Jones) - Fix auparse to handle node fields for syscall records - Updates for auparse to uninterpret text search values (Miloslav Trmac) - Update system-config-audit to version 0.4.5 (Miloslav Trmac) - Add keyword week-ago to aureport & ausearch start/end times - Fix audit log permissions on rotate. If group is root 0400, otherwise 0440 - Get "make check" working for auparse - Add RACF zos remote audispd plugin (Klaus Kiwi) - Add event queue overflow action to audispd - Make sure we are reading right amount of pipe in audispd 1.6.2 - Add support for searching by posix regular expressions in auparse - Route DEAMON events into rt interface - If event pipe is full, try again after doing local logging - Optionally add node/machine name to records in audit daemon - Update ausearch/aureport to specify nodes to search on - Fix segfault interpretting saddr fields in avcs 1.6.1 - External plugin support in place - Updated system-config-audit with some bug fixes. (Miloslav Trmac) - Add missing newline to string output of event dispatcher. - Fix reference counting in auparse python bindings (#263961) - Moved default af_unix plugin socket to /var/run/audispd_events 1.6 - Adding perm field should not set syscall added flag in auditctl - Fix segfault when aureport -if option is used - Fix auditctl to better check keys on rule lines - Add support for audit by TTY and other new event types - Auditd config option for group permission of audit logs - Swig messed up a variable in ppc's python bindings causing crashes. (#251327) - New audit event dispatcher - Update syscall tables for 2.6.23 kernel 1.5.6 - Fix potential buffer overflow in print clone flags of auparse - Add new App Armor types (John Johansen) - Adjust Menu Location for system-config-audit (Miloslav Trmac) - Fix python traceback parsing watches without perm statement (Miloslav Trmac) - Added databuf_strcat function to auparse (John Dennis) - Update auditctl to handle legacy kernels when putting a watch on a dir - Fix invalid free and memory leak on reload in auditd (Miloslav Trmac) - Fix clone flags in auparse (John Ramsdell) - Add interpretation for F_SETFL of fcntl (John Ramsdell) - Fix acct interpretation in auparse - Makefile cleanups (John Ramsdell) 1.5.5 - Add system-config-audit (Miloslav Trmac) - Correct bug in audit_make_equivalent function (Al Viro) 1.5.4 - Add feed interface to auparse library (John Dennis) - Apply patch to libauparse for unresolved symbols (#241178) - Apply patch to add line numbers for file events in libauparse (John Dennis) - Change seresults to seresult in libauparse (John Dennis) - Add unit32_t definition to swig (#244210) - Add support for directory auditing - Update acct field to be escaped 1.5.3 - Change buffer size to prevent truncation of DAEMON events with large labels - Fix memory leaks in auparse (John Dennis) - Update syscall tables for 2.6.21 kernel - Update capp & lspp rules - New python bindings for libauparse (John Dennis) - Fix file permission tests (#237358) - Fix init script config tests (#237788) 1.5.2 - Totally re-written event dispatcher (James Antill) - Apply patches fixing man pages and Makefile.am (Philipp Hahn) - Apply patch correcting python libs permissions (Philipp Hahn) - Fix auditd segfault on reload - Add support for segfault anomaly message type - Fix bug in auparse library for file pointers and descriptors - Extract subject information out of daemon events for ausearch 1.5.1 - Updated autrace to monitor *at syscalls - Add support in libaudit for AUDIT_BIT_TEST(&=) and AUDIT_MASK_TEST (&) - Finish reworking auditd config parser - In auparse, interpret open, fcntl, and clone flags - In auparse, when interpreting execve record types, run args through unencode - Add support for OBJ_PID message type - Event dispatcher updates 1.5 - NEW audit dispatcher program & plugin framework - Correct hidden variables in libauparse - Added NISPOM sample rules - Verify accessibility of files passed in auparse_init - Fix bug in parser library interpreting socketcalls - Add support for stdio FILE pointer in auparse_init - Adjust init script to allow anyone to status auditd (#230626) 1.4.2 - Add man pages - Reduce text relocations in parser library - Add -n option to auditd for no fork - Add exec option to space_left, admin_space_left, disk_full, and disk_error - eg EXEC /usr/local/script 1.4.1 - updated audit_rule_fieldpair_data to handle perm correctly (#226780) - Finished search options for audit parsing library - Fix ausearch -se to work correctly - Fix auditd init script for /usr on netdev (#228528) - Parse avc seperms better when there are more than one 1.4 - New report about authentication attempts - Updates for python 2.5 - update autrace to have resource usage mode - update auditctl to support immutable config - added audit_log_user_command function to api - interpret capabilities - added audit event parsing library - updates for 2.6.20 kernel 1.3.1 - Fix a couple parsing problems (#217952) - Add tgkill to S390* syscall tables (#218484) - Fix error messages in ausearch/aureport command options 1.3 - ausearch & aureport implement uid/gid caching - In ausearch & aureport, extract addr when hostname is unknown - In ausearch & aureport, test audit log presence O_RDONLY - New ausearch/aureport time keywords: recent, this-week, this-month, this-year - Added --add & --delete option to aureport - Update res parsing in config change events - Increase the size on audit daemon buffers - Parse avc_path records in ausearch/aureport - ausearch has new output mode, raw, for extracting events - ausearch/aureport can now read stdin - Rework AVC processing in ausearch/aureport - Added long options to ausearch and aureport 1.2.9 - In auditd if num_logs is zero, don't rotate on SIGUSR1 (#208834) - Fix some defines in libaudit.h - Some auditd config strings were not initialized in aureport (#211443) - Updated man pages - Add Netlabel event types to libaudit - Update aureports to current audit event types - Update autrace a little - Deprecated all the old audit_rule functions from public API - Drop auparse library for the moment 1.2.8 - Make internal auditd buffers bigger for context info - Correct address resolving of hostname in logging functions - Do not allow multiple msgtypes in same audit rule in auditctl (#207666) - Only =, != operators for arch & inode fields in auditctl (#206427) - Add disp_qos & dispatcher to auditd reconfigure - Send sighup to child when no change in dispatcher during auditd reconfigure - Cleanup file descriptor handling in auditd - Updated audit message type table - Remove watches from aureport since FS_WATCH is deprecated - Add audit_log_avc back temporarily (#208152) 1.2.7 - Fix logging messages to use addr if passed. - Apply patches from Tony Jones correcting no kernel support messages - Updated syscall tables for 2.6.18 kernel - Remove deprecated functions: audit_log, audit_log_avc, audit_log_if_enabled - Disallow syscall auditing on exclude list - Improve time handling in ausearch and aureport (#191394) - Attempt to reconstruct full path from relative for searching 1.2.6 - Apply updates to dispatcher - Fix a couple bugs regarding MLS labels - Resurrect -p option - Tighten rules with exclude filter - Fix parsing issue which lead to segfault in some cases - Fix option parsing to ignore malformed lines 1.2.5 - Switch out dispatcher - Fix bug upgrading rule types 1.2.4 - Add support for the new filter key - Update syscall tables for 2.6.17 - Add audit failure query function - Switch out gethostbyname call with getaddrinfo - Add audit by obj capability for 2.6.18 kernel - Ausearch & aureport now fail if no args to -te - New auditd.conf option to choose blocking/non-blocking dispatcher comm - Ausearch improved search by label 1.2.3 - Apply patch to ensure watches only associate with exit filter - Apply patch to correctly show new operators when new listing format is used - Apply patch to pull kernel's audit.h into python bindings - Collect signal sender's context 1.2.2 - Updates for new glibc-kernheaders - Change auditctl to collect list of rules then delete them on -D - Update capp.rules and lspp.rules to comment out rules for the possible list - Add new message types - Support sigusr1 sender identity of newer kernels - Add support for ppid in auditctl and ausearch - fix auditctl to trim the '/' from watches - Move audit daemon config files to /etc/audit for better SE Linux protection 1.2.1 - New message type for trusted apps - Add new keywords today, yesterday, now for ausearch and aureport - Make audit_log_user_avc_message really send to syslog on error - Updated syscall tables in auditctl - Deprecated the 'possible' action for syscall rules in auditctl - Update watch code to use file syscalls instead of 'all' in auditctl 1.2 - Add support for new file system auditing kernel subsystem 1.1.6 - New message types - Support new rule format found in 2.6.17 and later kernels - Add support for audit by role, clearance, type, sensitivity 1.1.5 - Changed audit_log_semanage_message to take new params - In aureport, add class between syscall and permission in avc report - Fix bug where fsync is called in debug mode - Add optional support for tty in SYSCALL records for ausearch/aureport - Reinstate legacy rule operator support - Add man pages - Auditd ignore most signals 1.1.4 - Fix bug in autrace where it didn't run on kernels without file watch support - Add syslog message to auditd saying what program was started for dispatcher - Apply patch for AppArmor message type - Remove audit_send_user from public api - Fix bug in USER_LOGIN messages where ausearch does not translate msg='uid=500: into acct name (#178102). - Change comm with dispatcher to socketpair from pipe - Change auditd to use custom daemonize to avoid race in init scripts - Update error message when deleting a rule that doesn't exist (#176239) - Call shutdown_dispatcher when auditd stops - Add new logging function audit_log_semanage_message 1.1.3 - Add timestamp to daemon_config messages (#174865) - Add error checking of year for aureport & ausearch - Treat af_unix sockets as files for searching and reporting - Update capp & lspp rules to combine syscalls for higher performance - Adjusted the chkconfig line for auditd to start a little earlier - Added skeleton program to docs for people to write their own dispatcher with - Apply patch from Ulrich Drepper that optimizes resource utilization - Change ausearch and aureport to unlocked IO 1.1.2 - Add more message types 1.1.1 - Add support for alpha processors - Update the audisp code - Add locale code in ausearch and aureport - Add new rule operator patch - Add exclude filter patch - Cleanup make files - Add python bindings 1.1 - Add initial version of audisp. Just a placeholder at this point - Remove -t from auditctl