- Change auditctl to collect list of rules then delete them on -D
- Update capp.rules and lspp.rules to comment out rules for the possible
list
- Add new message types
- Support sigusr1 sender identity of newer kernels
- Add support for ppid in auditctl and ausearch
- fix auditctl to trim the '/' from watches
- Move audit daemon config files to /etc/audit for better SE Linux
protection
- Add new keywords today, yesterday, now for ausearch and aureport
- Make audit_log_user_avc_message really send to syslog on error
- Updated syscall tables in auditctl
- Deprecated the 'possible' action for syscall rules in auditctl
- Update watch code to use file syscalls instead of 'all' in auditctl
- In aureport, add class between syscall and permission in avc report
- Fix bug where fsync is called in debug mode
- Add optional support for tty in SYSCALL records for ausearch/aureport
- Reinstate legacy rule operator support
- Add man pages
- Auditd ignore most signals
support
- Add syslog message to auditd saying what program was started for
dispatcher
- Remove audit_send_user from public api
- Fix bug in USER_LOGIN messages where ausearch does not translate
msg='uid=500: into acct name (#178102).
- Change comm with dispatcher to socketpair from pipe
- Change auditd to use custom daemonize to avoid race in init scripts
- Update error message when deleting a rule that doesn't exist (#176239)
- Call shutdown_dispatcher when auditd stops
- Add new logging function audit_log_semanage_message
- Add error checking of year for aureport & ausearh
- Treat af_unix sockets as files for searching and reporting
- Update capp & lspp rules to combine syscalls for higher performance
- Adjusted the chkconfig line for auditd to start a little earlier
- Added skeleton program to docs for people to write their own dispatcher
with
- Apply patch from Ulrich Drepper that optimizes resource utilization
- Change ausearch and aureport to unlocked IO
- Fix auditd reconfig to change mail accts, too
- Fix stray pointer in sorting of aureport
- Added new message type
- Add results to all DAEMON messages
reports
- Add --summary to get totals of reported objects
- Add ability to force log rotation by sending sigusr1 to auditd
- Add -i flag to auditctl to ignore errors when reading rules from a file
- Reformat aureports so date & time are always given
- Add cron script for log rotation to docs
- Added a couple more message types
- Added new standard logging format function
- Update default config
- Make ausearch -m take a list of message types
- Add email alert for admin_space_left in auditd
- Aureport cleanups
- Add anomaly & response to anomaly reports to aureport
- Summary report runs by default in aureport
- Updated syscall number tables
- added watch report to aureport
- added interpreting mode to aureport
- added user space avc standard message to libaudit
- aureport & ausearch now use builtin log locations when bad config file
- add email alert to low disk space warning actions in auditd
- added aureport program to analyse logs
- aureport added report option for each log's start and end time
- increased random number selected for initial seq number in auditd
- add new user space defines to libaudit.h
- add add standard logging functions to libaudit
- In auditctl, if -F arch is given with -t option, don't require list
- Update auditd man page
- Add size check to audit_send
- Update message for audit_open failure when kernel doesn't support audit
- fix 2 memory leaks and an out of bounds access in auditd
- fix case where auditd was closing netlink descriptor too early
- fix watch rules not to take field arguments in auditctl
- fix bug where inode, devmajor, devminor, exit, and success fields in
auditctl rules were not getting the correct value stored
- Remove warning for trimming file path in auditctl
- Make auditctl tolerate duplicate rule and watches
- auditd has new option so it doesn't overwrite log files
- Fixed bug in autrace that was reporting bad descriptor
- Fix auditctl blank line handling
- Trim trailing '/' from file system watches in auditctl
- Catch cases where parameter was passed without option being given to
auditctl
- Add CAPP sample configuration
- Add some unlinks of the pid file in a couple error exits
- Make some options of auditctl not expect a reply
- Update support for user and watch filter lists
- Handle user space audit events in more uniform way
- Update all parsers for more robustness with new kernel changes
- Create quiet mode for error messages
- Make rotated logs readonly
- Get -f & -hn working in ausearch
- Added search by terminal, exe, and syscall to ausearch program
- Added -w parameter to match whole word in ausearch
- Raise rlimits for file size & cpu usage
- Added new disk_error_action config item to auditd.conf
- Rework memory management of event buffer
- Handled all errors in event logging thread
- Remove the read status during init
- Change to using pthreads sync mechanism for stopping system
- Worker thread should ignore all signals
- Change main loop to use select for inbound event handling
- Gave pam_loginuid a "failok" option for testing
- Added write_pid function to auditd
- Added audit_log to libaudit
- Don't check file length in foreground mode of auditd
- Added *if_enabled functions to send messages only if audit system is
enabled
- If syscall name is unknown when printing rules, use the syscall number
- Rework the build system to produce singly threaded public libraries
- Create a multithreaded version of libaudit for the audit daemon's use
- Add R option to auditctl to allow reading rules from file.
- Do not allow task creation list to have syscall auditing
- Add D option to allow deleting all rules with 1 command
- Added pam_audit man page & sample.rules
- Mod initscript to call auditctl to load rules at start-up
- Write message to log file for daemon start up
- Write message that daemon is shutting down
- Modify auditd shutdown to wait until logger thread is finished
- Add sample rule file to docs