Diffstat (limited to 'framework/src/audit/ChangeLog')
-rw-r--r-- framework/src/audit/ChangeLog 396
1 files changed, 396 insertions, 0 deletions
diff --git a/framework/src/audit/ChangeLog b/framework/src/audit/ChangeLog
new file mode 100644
index 00000000..f6f05b48
--- /dev/null
+++ b/framework/src/audit/ChangeLog
@@ -0,0 +1,396 @@
+2.4.4
+- Fix linked list correctness in ausearch/report
+- Add more cross compile fixups (Clayton Shotwell)
+- Update auparse python bindings
+- Update libev to 4.20
+- Fix CVE-2015-5186 Audit: log terminal emulator escape sequences handling
+
+2.4.3
+- Add python3 support for libaudit
+- Cleanup automake warnings
+- Add AuParser_search_add_timestamp_item_ex to python bindings
+- Add AuParser_get_type_name to python bindings
+- Correct processing of obj_gid in auditctl (Aleksander Zdyb)
+- Make plugin config file parsing more robust for long lines (#1235457)
+- Make auditctl status print lost field as unsigned number
+- Add interpretation mode for auditctl -s
+- Add python3 support to auparse library
+- Make --enable-zos-remote a build time configuration option (Clayton Shotwell)
+- Updates for cross compiling (Clayton Shotwell)
+- Add MAC_CHECK audit event type
+- Add libauparse pkgconfig file (Aleksander Zdyb)
+
+2.4.2
+- Ausearch should parse exe field in SECCOMP events
+- Improve output for short mode interpretations in auparse
+- Add CRYPTO_IKE_SA and CRYPTO_IPSEC_SA events
+- If auditctl is reading rules from a file, send messages to syslog (#1144252)
+- Correct lookup of ppc64le when determining machine type
+- Increase time buffer for wide character numbers in ausearch/report (#1200314)
+- In aureport, add USER_TTY events to tty report
+- In audispd, limit reporting of queue full messages (#1203810)
+- In auditctl, don't segfault when invalid options passed (#1206516)
+- In autrace, remove some older unimplemented syscalls for aarch64 (#1185892)
+- In auditctl, correct lookup of aarch64 in arch field (#1186313)
+- Update lookup tables for 4.1 kernel
+
+2.4.1
+- Make python3 support easier
+- Add support for ppc64le (Tony Jones)
+- Add some translations for a1 of ioctl system calls
+- Add command & virtualization reports to aureport
+- Update aureport config report for new events
+- Add account modification summary report to aureport
+- Add GRP_MGMT and GRP_CHAUTHTOK event types
+- Correct aureport account change reports
+- Add integrity event report to aureport
+- Add config change summary report to aureport
+- Adjust some syslogging level settings in audispd
+- Improve parsing performance in everything
+- When ausearch outputs a line, use the previously parsed values (Burn Alting)
+- Improve searching and interpreting groups in events
+- Fully interpret the proctitle field in auparse
+- Correct libaudit and auditctl support for kernel features
+- Add support for backlog_time_wait setting via auditctl
+- Update syscall tables for the 3.18 kernel
+- Ignore DNS failure for email validation in auditd (#1138674)
+- Allow rotate as action for space_left and disk_full in auditd.conf
+- Correct login summary report of aureport
+- Auditctl syscalls can be comma separated list now
+- Update rules for new subsystems and capabilities
+
+2.4
+- Optionally parse loginuids, (e)uids, & (e)gids in ausearch/report
+- In auvirt, anomaly events don't have uuid (#1111448)
+- Fix category handling in various records (#1120286)
+- Fix ausearch handling of session id on 32 bit systems
+- Set systemd startup to wait until systemd-tmpfiles-setup.service (#1097314)
+- Interpret a0 of socketcall and ipccall syscalls
+- Add pkgconfig file for libaudit
+- Add go language bindings for limited use of libaudit
+- Fix ausearch handling of exit code on 32 bit systems
+- Fix bug in aureport string linked list handling
+- Document week-ago time setting in ausearch/report man page
+- Update tables for 3.16 kernel
+- In aulast, on bad logins only record user_login proof and use it
+- Add libaudit API for kernel features
+- If audit=0 on kernel cmnd line, skip systemd activation (Cristian Rodríguez)
+- Add checkpoint --start option to ausearch (Burn Alting)
+- Fix arch matching in ausearch
+- Add --loginuid-immutable option to auditctl
+- Fix memory leak in auditd when log_format is set to NOLOG
+- Update auditctl to display features in the status command
+- Add ausearch_add_timestamp_item_ex() to auparse
+
+2.3.7
+- Limit number of options in a rule in libaudit
+- Auditctl cannot load rule with lots of syscalls (#1089713)
+- In ausearch, fix checkpointing when inode is reused by new log (Burn Alting)
+- Add PROCTITLE and FEATURE_CHANGE event types
+
+2.3.6
+- Add an option to auditctl to interpret a0 - a3 of syscall rules when listing
+- Improve ARM and AARCH64 support (AKASHI Takahiro)
+- Add ausearch --checkpoint feature (Burn Alting)
+- Add --arch option to ausearch
+- Improve too long config line in audispd, auditd, and auparse (#1071580)
+- Fix aulast to accept the new AUDIT_LOGIN record format
+- Remove clear_config symbol in auparse
+
+2.3.5
+- In CRYPTO_KEY_USER events, do not interpret the 'fp' field
+- Change formatting of rules listing in auditctl to look like audit.rules
+- Change auditctl to do all netlink comm and then print rules
+- Add a debug option to ausearch to find skipped events
+- Parse subject, auid, and ses in LOGIN events (3.14 kernel changed format)
+- In auditd, when shifting logs, ignore the num_logs setting (#950158)
+- Allow passing a directory as the input file for ausearch/report (LC Bruzenak)
+- Interpret syscall fields in SECCOMP events
+- Increase a couple buffers to handle longer input
+
+2.3.4
+- Parse path in CONFIG_CHANGE events
+- In audisp-remote, fix retry logic for temporary network failures
+- In auparse, add get_type_name function
+- Add --no-config command option to aureport
+- Fix interpretting MCS seliunx contexts in ausearch (#970675)
+- In auparse, classify selinux contexts as MAC_LABEL field type
+- In ausearch/report parse vm-ctx and img-ctx as selinux labels
+- Update translation tables for the 3.14 kernel
+
+2.3.3
+- Documentation updates
+- Add AUDIT_USER_MAC_CONFIG_CHANGE event for MAC policy changes
+- Update interpreting scheduler policy names
+- Update automake files to automake-1.13.4
+- Remove CAP_COMPROMISE_KERNEL interpretation
+- Parse name field in AVC's (#1049916)
+- Add missing typedef for auparse_type_t enumeration (#1053424)
+- Fix parsing encoded filenames in records
+- Parse SECCOMP events
+
+2.3.2
+- Put RefuseManualStop in the right systemd section (#969345)
+- Add legacy restart scripts for systemd support
+- Add more syscall argument interpretations
+- Add 'unset' keyword for uid & gid values in auditctl
+- In ausearch, parse obj in IPC records
+- In ausearch, parse subj in DAEMON_ROTATE records
+- Fix interpretation of MQ_OPEN and MQ_NOTIFY events
+- In auditd, restart dispatcher on SIGHUP if it had previously exited
+- In audispd, exit when no active plugins are detected on reconfigure
+- In audispd, clear signal mask set by libev so that SIGHUP works again
+- In audispd, track binary plugins and restart if binary was updated
+- In audispd, make sure we send signals to the correct process
+- In auditd, clear signal mask when spawning any child process
+- In audispd, make builtin plugins respond to SIGHUP
+- In auparse, interpret mode flags of open syscall if O_CREAT is passed
+- In audisp-remote, don't make address lookup always a permanent failure
+- In audisp-remote, remove EOE events more efficiently
+- In auditd, log the reason when email account is not valid
+- In audisp-remote, change default remote_ending action to reconnect
+- Add support for Aarch64 processors
+
+2.3.1
+- Rearrange auditd setting enabled and pid to avoid a race (#910568)
+- Interpret the ocomm field from OBJ_PID records
+- Fix missing 'then' statement in sysvinit script
+- Switch ausearch to use libauparse for interpretting fields
+- In libauparse, interpret prctl arg0, sched_setscheduler arg1
+- In auparse, check source_list isn't NULL when opening next file (Liequan Che)
+- In libauparse, interpret send* flags argument
+- In libauparse, interpret level and name options for set/getsockopt
+- In ausearch/report, don't flush events until last file (Burn Alting)
+- Don't use systemctl to stop the audit daemon
+
+2.3
+- The clone(2) man page is really clone(3), fix interpretation of clone syscall
+- Add systemd support for reload (#901533)
+- Allow -F msgtype on the user filter
+- Add legacy support for resuming logging under systemd (#830780)
+- Add legacy support for rotating logs under systemd (#916611)
+- In auditd, collect SIGUSR2 info for DAEMON_RESUME events
+- Updated man pages
+- Update libev to 4.15
+- Update syscall tables for 3.9 kernel
+- Interpret MQ_OPEN events
+- Add augenrules support (Burn Alting)
+- Consume less stack sending audit events
+
+2.2.3
+- Code cleanups
+- In spec file, don't own lib64/audit
+- Update man pages
+- Aureport no longer reads auditd.conf when stdin is used
+- Don't let systemd kill auditd if auditctl errors out
+- Update syscall table for 3.7 and 3.8 kernels
+- Add interpretation for setns and unshare syscalls
+- Code cleanup (Tyler Hicks)
+- Documentation cleanups (Laurent Bigonville)
+- Add dirfd interpretation to the *at functions
+- Add termination signal to clone flags interpretation
+- Update stig.rules
+- In auditctl, when listing rules don't print numeric value of dir fields
+- Add support for rng resource type in auvirt
+- Fix aulast bad login output (#922508)
+- In ausearch, allow negative numbers for session and auid searches
+- In audisp-remote, if disk_full_action is stop then stop sending (#908977)
+
+2.2.2
+- In auditd, tcp_max_per_addr was allowing 1 more connection than specified
+- In ausearch, fix matching of object records
+- Auditctl was returning -1 when listing rules filtered on a key field
+- Add interpretations for CAP_BLOCK_SUSPEND and CAP_COMPROMISE_KERNEL
+- Add armv5tejl, armv5tel, armv6l and armv7l machine types (Nathaniel Husted)
+- Updates for the 3.6 kernel
+- Add auparse_feed_has_data function to libauparse
+- Update audisp-prelude to use auparse_feed_has_data
+- Add support to conditionally build auditd network listener (Tyler Hicks)
+- In auditd, reset a flag after receiving USR1 signal info when rotating logs
+- Add optional systemd init script support
+- Add support for SECCOMP event type
+- Don't interpret aN_len field in EXECVE records (#869555)
+- In audisp-remote, do better job of draining queue
+- Fix capability parsing in ausearch/auparse
+- Interpret BPRM_FCAPS capability fields
+- Add ANOM_LINK event type
+
+2.2.1
+- Add more interpretations in auparse for syscall parameters
+- Add some interpretations to ausearch for syscall parameters
+- In ausearch/report and auparse, allocate extra space for node names
+- Update syscall tables for the 3.3.0 kernel
+- Update libev to 4.0.4
+- Reduce the size of some applications
+- In auditctl, check usage against euid rather than uid
+
+2.2
+- Correct all rules for clock_settime
+- Fix possible segfault in auparse library
+- Handle malformed socket addresses better
+- Improve performance in audit_log_user_message()
+- Improve performance in writing to the log file in auditd
+- Syscall update for accept4 and recvmmsg
+- Update autrace resource usage mode syscall list
+- Improved sample rules for recent syscalls
+- Add some debug info to audisp-remote startup and shutdown
+- Make compiling with Python optional
+- In auditd, if disk_error_action is ignore, don't syslog anything
+- Fix some memory leaks
+- If audispd is stopping, don't restart children
+- Add support in auditctl for shell escaped filenames (Alexander)
+- Add search support for virt events (Marcelo Cerri)
+- Update interpretation tables
+- Sync auparse's auditd config parser with auditd's parser
+- In ausearch, also use cwd fields in file name searchs
+- In ausearch, parse cwd in USER_CMD events
+- In ausearch, correct parsing of uid in user space events
+- In ausearch, update parsing of integrity events
+- Apply some text cleanups from Debian (Russell Coker)
+- In auditd, relax some permission checks for external apps
+- Add ROLE_MODIFY event type
+- In auditctl, new -c option to continue through bad rules but with failed exit
+- Add auvirt program to do special reporting on virt events (Marcelo Cerri)
+- Add interfield comparison support to auditctl (Peter Moody)
+- Update auparse type intepretation for apparmor (Marcelo Cerri)
+- Increase tcp_max_per_addr maximum to 1024.
+
+2.1.3
+- Fix parsing of EXECVE records to not escape argc field
+- If auditd's disk is full, send the right reason to client (#715315)
+- Add CAP_WAKE_ALARM to interpretations
+- Some updates to audisp-remote's remote-fgets function (Mirek Trmac)
+- Add detection of TTY events to audisp-prelude (Matteo Sessa)
+- Updated syscall tables for the 3.0 kernel
+- Update linker flags for better relro support
+- Make default size of logs bigger (#727310)
+- Extract obj from NETFILTER_PKT events
+- Disable 2 kerberos config options in audisp-remote.conf
+
+2.1.2
+- In ausearch/report, fix a segfault caused by MAC_POLICY_LOAD records
+- In ausearch/report, add and update parsers
+- In auditd, cleanup DAEMON_ACCEPT and DAEMON_CLOSE addr fields
+- In ausearch/report, parse addr field of DAEMON_ACCEPT & DAEMON_CLOSE records
+- In auditd, move startup success to after events are registered
+- If auditd shutsdown due to failed tcp init, write a DAEMON_ABORT event
+- Update auditd to avoid the oom killer in new kernels (Andreas Jaeger)
+- Parse and interpret NETFILTER_PKT events correctly
+- Return error if auditctl -l fails (#709345)
+- In audisp-remote, replace glibc's fgets with custom implementation
+
+2.1.1
+- When ausearch is interpretting, output "as is" if no = is found
+- Correct socket setup in remote logging
+- Adjusted a couple default settings for remote logging and init script
+- Audispd was not marking restarted plugins as active
+- Audisp-remote should keep a capability if local_port < 1024
+- When audispd restarts plugin, send event in its preferred format
+- In audisp-remote, make all I/O asynchronous
+- In audisp-remote, add sigusr1 handler to dump internal state
+- Fix autrace to use correct syscalls on s390 and s390x systems
+- Add shutdown syscall to remote logging teardowns
+- Correct autrace rule for 32 bits systems
+
+2.1
+- Update auditctl man page for new field on user filter
+- Fix crash in aulast when auid is foreign to the system
+- Code cleanups
+- Add store and forward model to audispd-remote (Mirek Trmac)
+- Free memory on failed startups in audisp-prelude
+- Fix memory leak in aureport
+- Fix parsing state problem in libauparse
+- Improve the robustness of libaudit field encoding functions
+- Update capability tables
+- In auditd, make failure action config checking consistent
+- In auditd, check that NULL is not being passed to safe_exec
+- In audisp-remote, overflow_action wasn't suspending if that action was chosen
+- Update interpretations for virt events
+- Improve remote logging warning and error messages
+- Add interpretations for netfilter events
+
+2.0.6
+- ausearch/report performance improvements
+- Synchronize all sample syscall rules to use action,list
+- If program name provided to audit_log_acct_message, escape it
+- Fix man page for the audit_encode_nv_string function (#647131)
+- If value is NULL, don't segfault (#647128)
+- Fix simple event parsing to not assume session id can't be last (Peng Haitao)
+- Add support for new mmap audit event type
+- Add ability for audispd syslog plugin to choose facility local0-7 (#593340)
+- Fix autrace to use correct syscalls on i386 systems (Peng Haitao)
+- On startup and reconfig, check for excess logs and unlink them
+- Add a couple missing parser debug messages
+- Fix error output resolving numeric address and update man page
+- Add netfilter event types
+- Fix spelling error in audit.rules man page (#667845)
+- Improve warning in auditctl regarding immutable mode (#654883)
+- Update syscall tables for the 2.6.37 kernel
+- In ausearch, allow searching for auid -1
+- Add queue overflow_action to audisp-remote to control queue overflows
+- Update sample rules for new syscalls and packages
+
+2.0.5
+- Make auparse handle empty AUSOURCE_FILE_ARRAY correctly (Miloslav Trmač)
+- On i386, audit rules do not work on inode's with a large number (#554553)
+- Fix displaying of inode values to be unsigned integers when listing rules
+- Correct Makefile install of audispd (Jason Tang)
+- Syscall table updates for 2.6.34 kernel
+- Add definitions for service start and stop
+- Fix handling of ignore errors in auditctl
+- Fix gssapi support to build with new linker options
+- Add virtualization event types
+- Update aureport program help and man pages to show all options
+
+2.0.4
+- Make alpha processor support optional
+- Add support for the arm eabi processor
+- add a compatible regexp processing capability to auparse (Miloslav Trmač)
+- Fix regression in parsing user space originating records in aureport
+- Add tcp_max_per_addr option in auditd.conf to limit concurrent connections
+- Rearrange shutdown of auditd to allow DAEMON_END event more time
+
+2.0.3
+- In auditd, tell libev to stop processing a connection when idle timeout
+- In auditd, tell libev to stop processing a connection when shutting down
+- Interpret CAPSET records in ausearch/auparse
+
+2.0.2
+- If audisp-remote plugin has a queue at exit, use non-zero exit code
+- Fix autrace to use the exit filter
+- In audisp-remote, add a sigchld handler
+- In auditd, check for duplicate remote connections before accepting
+- Remove trailing ':' if any are at the end of acct fields in ausearch
+- Update remote logging code to do better sanity check of data
+- Fix audisp-prelude to prefer files if multiple path records are encountered
+- Add libaudit.conf man page
+- In auditd, disconnect idle clients
+
+2.0.1
+- Aulast now reads daemon_start events for the kernel version of reboot
+- Clarify the man pages for ausearch/report regarding locale and date formats
+- Fix getloginuid for python bindings
+- Disable the audispd af_unix plugin by default
+- Add a couple new init script actions for LSB 3.2
+- In audisp-remote plugin, timeout network reads (#514090)
+- Make some error logging in audisp-remote plugin more prominent
+- Add audit.rules man page
+- Interpret the session field in audit events
+
+2.0
+- Remove system-config-audit
+- Get rid of () from userspace originating events
+- Removed old syscall rules API - not needed since 2.6.16
+- Remove all use of the old rule structs from API
+- Fix uninitialized variable in auditd log rotation
+- Add libcap-ng support for audispd plugins
+- Removed ancient defines that are part of kernel 2.6.29 headers
+- Bump soname number for libaudit
+- In auditctl, deprecate the entry filter and move rules to exit filter
+- Parse integrity audit records in ausearch/report (Mimi Zohar)
+- Updated syscall table for 2.6.31 kernel
+- Remove support for the legacy negate syscall rule operator
+- In auditd reset syslog warnings if disk space becomes available
+
+<see audit-1.8 for 1.X change history>
+<see audit-1.0.12 for 1.0 change history>
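Review bot: The 2.4.4 heading at the top of the new file is the only thing in this hunk that pins which audit release is being imported, and its last bullet, "Fix CVE-2015-5186 Audit: log terminal emulator escape sequences handling", does not name the affected tool the way most other entries do ("In ausearch, ...", "In auditd, ..."). If this file is ever edited locally, name the component in that bullet; if it is meant to stay a verbatim copy, leave it untouched, including the existing misspellings ("interpretting", "seliunx", "intepretation", "shutsdown", "searchs"), and record the source release somewhere outside this file so the CVE fix level of the imported code can be checked later. The bare bug references such as (#1235457) and the closing pointers to audit-1.8 and audit-1.0.12 also depend on context that is not part of this change; a one-line note on which tracker and which archives they refer to would make the file usable on its own.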