Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit It will also be in rawhide tomorrow. The Changelog is:
- ausearch & aureport implement uid/gid caching
- In ausearch & aureport, extract addr when hostname is unknown
- In ausearch & aureport, test audit log presence O_RDONLY
- New ausearch/aureport time keywords: recent, this-week, this-month, this-year
- Added --add & --delete option to aureport
- Update res parsing in config change events
- Increase the size on audit daemon buffers
- Parse avc_path records in ausearch/aureport
- Rework AVC processing in ausearch/aureport
- ausearch has new output mode, raw, for extracting events
- ausearch/aureport can now read stdin
- Added long options to ausearch and aureport
- new auditd command line option, -l, to allow following symlinks for its config file.

This is a big update with several new things. The first three are performance improvement things. The next item introduces some new keywords for time ranges. recent means 10 minutes ago, this-week means since day 0 of the week as determined by your locale, this-month means day 1 of the current month, and this-year means 1/1 of the current year.

The next item adds 2 new command line options to aureport. This is intended to sort out things that are related to adding rules/users/groups vs deleting them. This can be handy to divide up config change reports.

The next 4 items are bug fixes.

ausearch has a new output mode, --raw. This means that the audit log entry is emitted with no interpretation and no changes. This is handy to extract portions of logs for use later or as the first stage of piping commands together. If you have a user you want to extract logs for, you can now do this:

    ausearch -ts this-week -ul 500 > user.log

The next item in the new features is that ausearch/aureport can now take events from stdin. So, you can now do something like this:

    ausearch -ts this-month -ul 500 --raw | aureport

The next item is that every command line option in ausearch/aureport has a long option. This means that you can do this:

    ausearch --start this-week --loginuid 500 --message avc --terminal tty1

or

    aureport --start this-month --failed --event

The final item is a command line option allowing auditd to follow symlinks to read its config file. I guess this might be useful for people doing stateless or live CDs where the writeable files are kept somewhere else.

If you see any issues with this release please let me know.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
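A worked example of what the --raw output mode and stdin piping make possible, added here as an illustration and not part of Steve's mail or of the audit package itself: a small Python script that reads raw audit records (the sample lines are constructed to look like what ausearch --raw emits), groups them into events by their timestamp:serial id so that the auid on a SYSCALL record also covers its AVC record, applies the equivalent of the -ul and -ts filters, prefers addr when hostname is unknown, and computes the start time of the new time keywords. The first_weekday parameter (default 0, Monday in Python's numbering) is an assumption standing in for the "day 0 of the week as determined by your locale" rule.

```python
"""Parse raw audit records (the format `ausearch --raw` emits), group them into
events and apply the equivalent of `-ul` / `-ts` filtering.

Added example for the audit release announcement; this is not the audit
package's own code. The sample records and uid/time values are constructed."""
import re
import time
from datetime import datetime, timedelta

# Constructed sample of raw output: one record per line. Several records can
# share one event id (timestamp:serial), as the SYSCALL and AVC records do here.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1160000000.123:45): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1 pid=2 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat" key=(null)
type=AVC msg=audit(1160000000.123:45): avc:  denied  { read } for  pid=2 comm="cat" name="shadow" dev=sda1 ino=123 scontext=user_u:system_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
type=USER_LOGIN msg=audit(1160000100.000:46): user pid=3 uid=0 auid=501 msg='acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=CONFIG_CHANGE msg=audit(1160000200.000:47): auid=500 op=add rule key=(null) list=4 res=1
type=USER_AUTH msg=audit(1160000300.000:48): user pid=4 uid=0 auid=4294967295 msg='acct="root" exe="/bin/login" hostname=? addr=? terminal=tty1 res=failed'
"""

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

UNSET_AUID = 4294967295  # (unsigned) -1: no login uid was ever set on this process


def parse_fields(body):
    """Split a record body into a dict. Fields nested inside a quoted msg='...'
    (acct, hostname, addr, res, ...) are hoisted into the same dict; a key that
    is already present is never overwritten."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith("'") and value.endswith("'"):
            for inner_key, inner_value in FIELD_RE.findall(value[1:-1]):
                fields.setdefault(inner_key, inner_value.strip('"'))
        else:
            fields.setdefault(key, value.strip('"'))
    return fields


def group_events(raw_text):
    """Group record lines by event id (first-seen order). Fields are merged
    across the records of one event, so auid from SYSCALL applies to AVC."""
    events = {}
    for line in raw_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:  # separators such as '----' or blank lines are not records
            continue
        event_id = f"{m['ts']}:{m['serial']}"
        ev = events.setdefault(event_id, {"id": event_id, "time": float(m["ts"]),
                                          "types": [], "fields": {}})
        ev["types"].append(m["type"])
        for key, value in parse_fields(m["body"]).items():
            ev["fields"].setdefault(key, value)
    return list(events.values())


def select_events(events, loginuid=None, start=None):
    """Equivalent of `ausearch -ul <loginuid> -ts <start>` over parsed events;
    `start` is epoch seconds."""
    selected = []
    for ev in events:
        auid = int(ev["fields"].get("auid", UNSET_AUID))
        if loginuid is not None and auid != loginuid:
            continue
        if start is not None and ev["time"] < start:
            continue
        selected.append(ev)
    return selected


def origin(fields):
    """Where a login-type event came from: the hostname when it was resolved,
    otherwise the address, and None when neither is known."""
    host = fields.get("hostname")
    if host and host != "?":
        return host
    addr = fields.get("addr")
    return addr if addr and addr != "?" else None


def keyword_start(keyword, now=None, first_weekday=0):
    """Epoch seconds for the new -ts keywords, computed in local time.
    `first_weekday` stands in for the locale's day 0 (assumption: 0 = Monday)."""
    now_dt = datetime.fromtimestamp(now if now is not None else time.time())
    midnight = now_dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if keyword == "recent":
        start = now_dt - timedelta(minutes=10)
    elif keyword == "this-week":
        start = midnight - timedelta(days=(now_dt.weekday() - first_weekday) % 7)
    elif keyword == "this-month":
        start = midnight.replace(day=1)
    elif keyword == "this-year":
        start = midnight.replace(month=1, day=1)
    else:
        raise ValueError(f"unknown time keyword: {keyword}")
    return start.timestamp()


if __name__ == "__main__":
    # Same idea as `ausearch --raw -ul 500 | <this script>`: read the sample as
    # if it were stdin and print the events that belong to login uid 500.
    for ev in select_events(group_events(SAMPLE_RAW), loginuid=500):
        print(ev["id"], ev["types"], origin(ev["fields"]))
```

Feeding real data is a matter of replacing SAMPLE_RAW with sys.stdin.read(); the parser ignores the ---- separators and time-> lines of the default output, so it works on both raw and interpreted ausearch output, but only the raw mode guarantees the field values are unchanged.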
