From 559824bd5d37a64fad11fa07bf9075e58b622eff Mon Sep 17 00:00:00 2001 From: Steve Grubb Date: Tue, 25 Sep 2007 15:56:34 +0000 Subject: [PATCH] - Add support for searching by posix regular expressions in auparse - Route DEAMON events into rt interface - If event pipe is full, try again after doing local logging - Optionally add node/machine name to records in audit daemon - Update ausearch/aureport to specify nodes to search on - Fix segfault interpretting saddr fields in avcs --- .cvsignore | 1 + audit-1.6.1-event-host.patch | 545 ----------------------------------- audit.spec | 193 ++----------- sources | 2 +- 4 files changed, 21 insertions(+), 720 deletions(-) delete mode 100644 audit-1.6.1-event-host.patch diff --git a/.cvsignore b/.cvsignore index d4d8cf1..a7c80ae 100644 --- a/.cvsignore +++ b/.cvsignore @@ -79,3 +79,4 @@ audit-1.5.5.tar.gz audit-1.5.6.tar.gz audit-1.6.tar.gz audit-1.6.1.tar.gz +audit-1.6.2.tar.gz diff --git a/audit-1.6.1-event-host.patch b/audit-1.6.1-event-host.patch deleted file mode 100644 index f4b7d6a..0000000 --- a/audit-1.6.1-event-host.patch +++ /dev/null @@ -1,545 +0,0 @@ -diff -r -u audit-1.6.1.orig/auparse/auparse.c audit-1.6.1/auparse/auparse.c ---- audit-1.6.1.orig/auparse/auparse.c 2007-09-06 10:19:41.000000000 -0400 -+++ audit-1.6.1/auparse/auparse.c 2007-09-06 12:31:27.000000000 -0400 -@@ -574,6 +574,7 @@ - { - char *ptr, *tmp; - -+ e->host = NULL; // FIXME - tmp = strndupa(b, 80); - ptr = strtok(tmp, " "); - if (ptr) { -diff -r -u audit-1.6.1.orig/auparse/ellist.c audit-1.6.1/auparse/ellist.c ---- audit-1.6.1.orig/auparse/ellist.c 2007-09-06 10:19:41.000000000 -0400 -+++ audit-1.6.1/auparse/ellist.c 2007-09-06 10:21:14.000000000 -0400 -@@ -35,6 +35,7 @@ - l->e.milli = 0L; - l->e.sec = 0L; - l->e.serial = 0L; -+ l->e.host = NULL; - } - hidden_def(aup_list_create); - -@@ -258,6 +259,7 @@ - l->e.milli = 0L; - l->e.sec = 0L; - l->e.serial = 0L; -+ l->e.host = NULL; - } - hidden_def(aup_list_clear); - -@@ -269,6 +271,7 @@ - e->sec = l->e.sec; - e->milli = l->e.milli; - e->serial = l->e.serial; -+ e->host = l->e.host; - return 1; - } - hidden_def(aup_list_get_event); -@@ -281,6 +284,7 @@ - l->e.sec = e->sec; - l->e.milli = e->milli; - l->e.serial = e->serial; -+ l->e.host = e->host; - return 1; - } - hidden_def(aup_list_set_event); -diff -r -u audit-1.6.1.orig/auparse/test/auparse_test.c audit-1.6.1/auparse/test/auparse_test.c ---- audit-1.6.1.orig/auparse/test/auparse_test.c 2007-09-06 10:19:41.000000000 -0400 -+++ audit-1.6.1/auparse/test/auparse_test.c 2007-09-06 10:21:14.000000000 -0400 -@@ -42,7 +42,7 @@ - printf("Error getting timestamp - aborting\n"); - exit(1); - } -- printf(" event time: %u.%u:%lu\n", (unsigned)e->sec, e->milli, e->serial); -+ printf(" event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, e->milli, e->serial, e->host); - auparse_first_field(au); - do { - printf(" %s=%s (%s)\n", -@@ -80,7 +80,7 @@ - printf("Error getting timestamp - aborting\n"); - exit(1); - } -- printf(" event time: %u.%u:%lu\n", (unsigned)e->sec, e->milli, e->serial); -+ printf(" event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, e->milli, e->serial, e->host); - printf("\n"); - record_cnt++; - } while(auparse_next_record(au) > 0); -@@ -207,7 +207,7 @@ - if (e == NULL) { - return; - } -- printf(" event time: %u.%u:%lu\n", (unsigned)e->sec, e->milli, e->serial); -+ printf(" event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, e->milli, e->serial, e->host); - auparse_first_field(au); - do { - printf(" %s=%s (%s)\n", -diff -r -u audit-1.6.1.orig/auparse/test/auparse_test.py audit-1.6.1/auparse/test/auparse_test.py ---- audit-1.6.1.orig/auparse/test/auparse_test.py 2007-09-06 10:19:41.000000000 -0400 -+++ audit-1.6.1/auparse/test/auparse_test.py 2007-09-06 11:57:52.000000000 -0400 -@@ -10,12 +10,19 @@ - import sys - import time - load_path = '../../bindings/python/build/lib.linux-i686-2.4' --if True: -+if False: - sys.path.insert(0, load_path) - - import auparse - import audit - -+def none_to_null(s): -+ 'used so output matches C version' -+ if s is None: -+ return '(null)' -+ else: -+ return s -+ - def walk_test(au): - event_cnt = 1 - -@@ -39,7 +46,7 @@ - print "Error getting timestamp - aborting" - sys.exit(1) - -- print " event time: %d.%d:%d" % (event.sec, event.milli, event.serial) -+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) - au.first_field() - while True: - print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) -@@ -71,7 +78,7 @@ - print "Error getting timestamp - aborting" - sys.exit(1) - -- print " event time: %d.%d:%d" % (event.sec, event.milli, event.serial) -+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) - print - record_cnt += 1 - if not au.next_record(): break -@@ -131,7 +138,7 @@ - print "Error getting timestamp - aborting" - sys.exit(1) - -- print " event time: %d.%d:%d" % (event.sec, event.milli, event.serial) -+ print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) - au.first_field() - while True: - print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) -diff -r -u audit-1.6.1.orig/auparse/test/auparse_test.ref audit-1.6.1/auparse/test/auparse_test.ref ---- audit-1.6.1.orig/auparse/test/auparse_test.ref 2007-09-06 10:19:41.000000000 -0400 -+++ audit-1.6.1/auparse/test/auparse_test.ref 2007-09-06 13:01:19.000000000 -0400 -@@ -11,7 +11,7 @@ - event 1 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=1 file=None -- event time: 1143146623.787:142 -+ event time: 1143146623.787:142, host=(null) - type=LOGIN (LOGIN) - pid=2027 (2027) - uid=0 (root) -@@ -21,7 +21,7 @@ - event 2 has 1 records - record 1 of type 1300(SYSCALL) has 24 fields - line=2 file=None -- event time: 1143146623.875:143 -+ event time: 1143146623.875:143, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=188 (setxattr) -@@ -50,7 +50,7 @@ - event 3 has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=3 file=None -- event time: 1143146623.879:146 -+ event time: 1143146623.879:146, host=(null) - type=USER_LOGIN (USER_LOGIN) - pid=2027 (2027) - uid=0 (root) -@@ -68,7 +68,7 @@ - event has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=1 file=None -- event time: 1143146623.879:146 -+ event time: 1143146623.879:146, host=(null) - - Test 3 Done - -@@ -76,7 +76,7 @@ - event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=./test.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) -@@ -91,7 +91,7 @@ - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=./test.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) -@@ -121,13 +121,13 @@ - - record 3 of type 1307(CWD) has 2 fields - line=3 file=./test.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=./test.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) -@@ -142,7 +142,7 @@ - event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=./test.log -- event time: 1170021601.340:294 -+ event time: 1170021601.340:294, host=(null) - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) -@@ -158,7 +158,7 @@ - event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=./test.log -- event time: 1170021601.342:295 -+ event time: 1170021601.342:295, host=(null) - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) -@@ -174,7 +174,7 @@ - event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=./test.log -- event time: 1170021601.343:296 -+ event time: 1170021601.343:296, host=(null) - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) -@@ -184,7 +184,7 @@ - event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=./test.log -- event time: 1170021601.344:297 -+ event time: 1170021601.344:297, host=(null) - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) -@@ -200,7 +200,7 @@ - event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=./test.log -- event time: 1170021601.364:298 -+ event time: 1170021601.364:298, host=(null) - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) -@@ -216,7 +216,7 @@ - event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=./test.log -- event time: 1170021601.366:299 -+ event time: 1170021601.366:299, host=(null) - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) -@@ -235,7 +235,7 @@ - event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=test.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) -@@ -250,7 +250,7 @@ - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=test.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) -@@ -280,13 +280,13 @@ - - record 3 of type 1307(CWD) has 2 fields - line=3 file=test.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=test.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) -@@ -301,7 +301,7 @@ - event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=test.log -- event time: 1170021601.340:294 -+ event time: 1170021601.340:294, host=(null) - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) -@@ -317,7 +317,7 @@ - event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=test.log -- event time: 1170021601.342:295 -+ event time: 1170021601.342:295, host=(null) - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) -@@ -333,7 +333,7 @@ - event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=test.log -- event time: 1170021601.343:296 -+ event time: 1170021601.343:296, host=(null) - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) -@@ -343,7 +343,7 @@ - event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=test.log -- event time: 1170021601.344:297 -+ event time: 1170021601.344:297, host=(null) - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) -@@ -359,7 +359,7 @@ - event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=test.log -- event time: 1170021601.364:298 -+ event time: 1170021601.364:298, host=(null) - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) -@@ -375,7 +375,7 @@ - event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=test.log -- event time: 1170021601.366:299 -+ event time: 1170021601.366:299, host=(null) - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) -@@ -391,7 +391,7 @@ - event 8 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=test2.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=AVC (AVC) - seresult=denied (denied) - seperms=read (read) -@@ -406,7 +406,7 @@ - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=test2.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) -@@ -436,13 +436,13 @@ - - record 3 of type 1307(CWD) has 2 fields - line=3 file=test2.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=test2.log -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) -@@ -457,7 +457,7 @@ - event 9 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=test2.log -- event time: 1170021601.340:294 -+ event time: 1170021601.340:294, host=(null) - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) -@@ -473,7 +473,7 @@ - event 10 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=test2.log -- event time: 1170021601.342:295 -+ event time: 1170021601.342:295, host=(null) - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) -@@ -489,7 +489,7 @@ - event 11 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=test2.log -- event time: 1170021601.343:296 -+ event time: 1170021601.343:296, host=(null) - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) -@@ -499,7 +499,7 @@ - event 12 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=test2.log -- event time: 1170021601.344:297 -+ event time: 1170021601.344:297, host=(null) - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) -@@ -515,7 +515,7 @@ - event 13 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=test2.log -- event time: 1170021601.364:298 -+ event time: 1170021601.364:298, host=(null) - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) -@@ -531,7 +531,7 @@ - event 14 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=test2.log -- event time: 1170021601.366:299 -+ event time: 1170021601.366:299, host=(null) - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) -@@ -572,7 +572,7 @@ - event 1 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=1 file=None -- event time: 1143146623.787:142 -+ event time: 1143146623.787:142, host=(null) - type=LOGIN (LOGIN) - pid=2027 (2027) - uid=0 (root) -@@ -582,7 +582,7 @@ - event 2 has 1 records - record 1 of type 1300(SYSCALL) has 24 fields - line=2 file=None -- event time: 1143146623.875:143 -+ event time: 1143146623.875:143, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=188 (setxattr) -@@ -611,7 +611,7 @@ - event 3 has 1 records - record 1 of type 1112(USER_LOGIN) has 10 fields - line=3 file=None -- event time: 1143146623.879:146 -+ event time: 1143146623.879:146, host=(null) - type=USER_LOGIN (USER_LOGIN) - pid=2027 (2027) - uid=0 (root) -@@ -629,7 +629,7 @@ - event 1 has 4 records - record 1 of type 1400(AVC) has 11 fields - line=1 file=None -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=AVC (AVC) - seresult=denied (denied) - seperms=read,write (read,write) -@@ -644,7 +644,7 @@ - - record 2 of type 1300(SYSCALL) has 26 fields - line=2 file=None -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=SYSCALL (SYSCALL) - arch=c000003e (x86_64) - syscall=2 (open) -@@ -674,13 +674,13 @@ - - record 3 of type 1307(CWD) has 2 fields - line=3 file=None -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=CWD (CWD) - cwd="/var/spool/postfix" (/var/spool/postfix) - - record 4 of type 1302(PATH) has 10 fields - line=4 file=None -- event time: 1170021493.977:293 -+ event time: 1170021493.977:293, host=(null) - type=PATH (PATH) - item=0 (0) - name="maildrop" (maildrop) -@@ -695,7 +695,7 @@ - event 2 has 1 records - record 1 of type 1101(USER_ACCT) has 11 fields - line=5 file=None -- event time: 1170021601.340:294 -+ event time: 1170021601.340:294, host=(null) - type=USER_ACCT (USER_ACCT) - pid=13015 (13015) - uid=0 (root) -@@ -711,7 +711,7 @@ - event 3 has 1 records - record 1 of type 1103(CRED_ACQ) has 11 fields - line=6 file=None -- event time: 1170021601.342:295 -+ event time: 1170021601.342:295, host=(null) - type=CRED_ACQ (CRED_ACQ) - pid=13015 (13015) - uid=0 (root) -@@ -727,7 +727,7 @@ - event 4 has 1 records - record 1 of type 1006(LOGIN) has 5 fields - line=7 file=None -- event time: 1170021601.343:296 -+ event time: 1170021601.343:296, host=(null) - type=LOGIN (LOGIN) - pid=13015 (13015) - uid=0 (root) -@@ -737,7 +737,7 @@ - event 5 has 1 records - record 1 of type 1105(USER_START) has 11 fields - line=8 file=None -- event time: 1170021601.344:297 -+ event time: 1170021601.344:297, host=(null) - type=USER_START (USER_START) - pid=13015 (13015) - uid=0 (root) -@@ -753,7 +753,7 @@ - event 6 has 1 records - record 1 of type 1104(CRED_DISP) has 11 fields - line=9 file=None -- event time: 1170021601.364:298 -+ event time: 1170021601.364:298, host=(null) - type=CRED_DISP (CRED_DISP) - pid=13015 (13015) - uid=0 (root) -@@ -769,7 +769,7 @@ - event 7 has 1 records - record 1 of type 1106(USER_END) has 11 fields - line=10 file=None -- event time: 1170021601.366:299 -+ event time: 1170021601.366:299, host=(null) - type=USER_END (USER_END) - pid=13015 (13015) - uid=0 (root) diff --git a/audit.spec b/audit.spec index 09c23dc..4255c66 100644 --- a/audit.spec +++ b/audit.spec @@ -1,15 +1,14 @@ %define sca_version 0.4.3 -%define sca_release 4 +%define sca_release 5 Summary: User space tools for 2.6 kernel auditing Name: audit -Version: 1.6.1 -Release: 2%{?dist} +Version: 1.6.2 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://people.redhat.com/sgrubb/audit/ Source0: %{name}-%{version}.tar.gz -Patch1: audit-1.6.1-event-host.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: gettext-devel intltool libtool swig python-devel BuildRequires: kernel-headers >= 2.6.18 @@ -68,7 +67,6 @@ An utility for editing audit configuration. %prep %setup -q -%patch1 -p1 %build (cd system-config-audit; ./autogen.sh) @@ -112,6 +110,11 @@ touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf %find_lang system-config-audit +# Remove the plugin stuff for now +rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/au-ids.conf +rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/remote.conf +rm -f $RPM_BUILD_ROOT/sbin/audisp-ids + %clean rm -rf $RPM_BUILD_ROOT @@ -174,7 +177,7 @@ fi %files %defattr(-,root,root,-) -%doc README COPYING ChangeLog sample.rules contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron +%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron %attr(0644,root,root) %{_mandir}/man8/* %attr(0644,root,root) %{_mandir}/man5/* %attr(750,root,root) /sbin/auditctl @@ -193,7 +196,8 @@ fi %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules %config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd %config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf -%attr(640,root,root) /etc/audisp/plugins.d/* +%attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf +%attr(640,root,root) /etc/audisp/plugins.d/syslog.conf %files -n system-config-audit -f system-config-audit.lang %defattr(-,root,root,-) @@ -211,6 +215,14 @@ fi %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server %changelog +* Tue Sep 25 2007 Steve Grubb 1.6.2-1 +- Add support for searching by posix regular expressions in auparse +- Route DEAMON events into rt interface +- If event pipe is full, try again after doing local logging +- Optionally add node/machine name to records in audit daemon +- Update ausearch/aureport to specify nodes to search on +- Fix segfault interpretting saddr fields in avcs + * Thu Sep 6 2007 Steve Grubb 1.6.1-2 - Fix uninitialized variable in auparse (John Dennis) @@ -376,170 +388,3 @@ fi - Remove watches from aureport since FS_WATCH is deprecated - Add audit_log_avc back temporarily (#208152) -* Mon Sep 18 2006 Steve Grubb 1.2.7-2 -- Fix logging messages to use addr if passed. -- Apply patches from Tony Jones correcting no kernel support messages -- Updated syscall tables for 2.6.18 kernel -- Remove deprecated functions: audit_log, audit_log_avc, audit_log_if_enabled -- Disallow syscall auditing on exclude list -- Improve time handling in ausearch and aureport (#191394) -- Attempt to reconstruct full path from relative for searching - -* Wed Aug 30 2006 Steve Grubb 1.2.6-3 -- Rename audit event socket - -* Mon Aug 28 2006 Steve Grubb 1.2.6-2 -- Another minor update to auditctl -p option - -* Sat Aug 26 2006 Steve Grubb 1.2.6-1 -- Apply updates to dispatcher -- Fix a couple bugs regarding MLS labels -- Resurrect -p option -- Tighten rules with exclude filter -- Fix parsing issue which lead to segfault in some cases -- Fix option parsing to ignore malformed lines - -* Fri Aug 18 2006 Jesse Keating - 1.2.5-8 -- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc* - (#203001) - -* Wed Aug 8 2006 Dan Walsh 1.2.5-7 -- Remove debug lines from dispatcher - -* Wed Aug 2 2006 Dan Walsh 1.2.5-6 -- Change audisp to use a named pipe - -* Fri Jul 21 2006 Dan Walsh 1.2.5-5 -- Fix dispatcher to handle sigchld -- Fix library location for 64 bit -- Add Prereq - -* Fri Jul 21 2006 Dan Walsh 1.2.5-4 -- Eliminate avc package from audisp - -* Wed Jul 19 2006 Dan Walsh 1.2.5-3 -- More fixes for setroubleshoot to handle failing plugin - -* Fri Jul 14 2006 Dan Walsh 1.2.5-2 -- Fixes for setroubleshoot - -* Thu Jul 13 2006 Steve Grubb 1.2.5-1 -- Switch out dispatcher -- Fix bug upgrading rule types - -* Wed Jul 12 2006 Jesse Keating - 1.2.4-1.1 -- rebuild - -* Fri Jun 30 2006 Steve Grubb 1.2.4-1 -- Add support for the new filter key -- Update syscall tables for 2.6.17 -- Add audit failure query function -- Switch out gethostbyname call with getaddrinfo -- Add audit by obj capability for 2.6.18 kernel -- Ausearch & aureport now fail if no args to -te -- New auditd.conf option to choose blocking/non-blocking dispatcher comm -- Ausearch improved search by label - -* Fri May 25 2006 Steve Grubb 1.2.3-1 -- Apply patch to ensure watches only associate with exit filter -- Apply patch to correctly show new operators when new listing format is used -- Apply patch to pull kernel's audit.h into python bindings -- Collect signal sender's context - -* Tue May 16 2006 David Woodhouse 1.2.2-2 -- Require kernel-headers, not glibc-kernheaders. Again. - -* Fri May 12 2006 Steve Grubb 1.2.2-1 -- Updates for new glibc-kernheaders -- Change auditctl to collect list of rules then delete them on -D -- Update capp.rules and lspp.rules to comment out rules for the possible list -- Add new message types -- Support sigusr1 sender identity of newer kernels -- Add support for ppid in auditctl and ausearch -- fix auditctl to trim the '/' from watches -- Move audit daemon config files to /etc/audit for better SE Linux protection - -* Wed Apr 25 2006 David Woodhouse 1.2.1-2 -- Require kernel-headers, not glibc-kernheaders -- Fix redefinition of audit_rule_data with new kernel headers -- Remove abuse of __KERNEL__ in lookup_table.c - -* Sun Apr 16 2006 Steve Grubb 1.2.1-1 -- New message type for trusted apps -- Add new keywords today, yesterday, now for ausearch and aureport -- Make audit_log_user_avc_message really send to syslog on error -- Updated syscall tables in auditctl -- Deprecated the 'possible' action for syscall rules in auditctl -- Update watch code to use file syscalls instead of 'all' in auditctl - -* Fri Apr 7 2006 Steve Grubb 1.2-1 -- Add support for new file system auditing kernel subsystem - -* Thu Apr 6 2006 Steve Grubb 1.1.6-1 -- New message types -- Support new rule format found in 2.6.17 and later kernels -- Add support for audit by role, clearance, type, sensitivity - -* Wed Mar 6 2006 Steve Grubb 1.1.5-1 -- Changed audit_log_semanage_message to take new params -- In aureport, add class between syscall and permission in avc report -- Fix bug where fsync is called in debug mode -- Add optional support for tty in SYSCALL records for ausearch/aureport -- Reinstate legacy rule operator support -- Add man pages -- Auditd ignore most signals - -* Fri Feb 10 2006 Jesse Keating - 1.1.4-5.1 -- bump again for double-long bug on ppc(64) - -* Fri Feb 10 2006 Steve Grubb 1.1.4-5 -- Change audit_log_semanage_message to check strlen as well as NULL. - -* Thu Feb 9 2006 Steve Grubb 1.1.4-3 -- Change audit_log_semanage_message to take new params. - -* Wed Feb 8 2006 Steve Grubb 1.1.4-1 -- Fix bug in autrace where it didn't run on kernels without file watch support -- Add syslog message to auditd saying what program was started for dispatcher -- Remove audit_send_user from public api -- Fix bug in USER_LOGIN messages where ausearch does not translate - msg='uid=500: into acct name (#178102). -- Change comm with dispatcher to socketpair from pipe -- Change auditd to use custom daemonize to avoid race in init scripts -- Update error message when deleting a rule that doesn't exist (#176239) -- Call shutdown_dispatcher when auditd stops -- Add new logging function audit_log_semanage_message - -* Tue Feb 07 2006 Jesse Keating - 1.1.3-1.1 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Thu Jan 5 2006 Steve Grubb 1.1.3-1 -- Add timestamp to daemon_config messages (#174865) -- Add error checking of year for aureport & ausearch -- Treat af_unix sockets as files for searching and reporting -- Update capp & lspp rules to combine syscalls for higher performance -- Adjusted the chkconfig line for auditd to start a little earlier -- Added skeleton program to docs for people to write their own dispatcher with -- Apply patch from Ulrich Drepper that optimizes resource utilization -- Change ausearch and aureport to unlocked IO - -* Thu Dec 5 2005 Steve Grubb 1.1.2-1 -- Add more message types - -* Wed Nov 30 2005 Steve Grubb 1.1.1-1 -- Add support for alpha processors -- Update the audisp code -- Add locale code in ausearch and aureport -- Add new rule operator patch -- Add exclude filter patch -- Cleanup make files -- Add python bindings - -* Wed Nov 9 2005 Steve Grubb 1.1-1 -- Add initial version of audisp. Just a placeholder at this point -- Remove -t from auditctl - -* Mon Nov 7 2005 Steve Grubb 1.0.12-1 -- Add 2 more summary reports -- Add 2 more message types - diff --git a/sources b/sources index 0e3f8bb..0aab50f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -ce393ed76e25dd95f2d54ae27e7a25be audit-1.6.1.tar.gz +a95dbfa22e65669e4449f3accbe84aef audit-1.6.2.tar.gz