diff --git a/audit-1.6.8.tar.bz2 b/audit-1.6.8.tar.bz2
deleted file mode 100644
index d31330f..0000000
--- a/audit-1.6.8.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:675f08a4e32a4ccc4581fefcac3918bb6d8af2e1e318b16d7bbe27c654c53b1f
-size 594531
diff --git a/audit-1.7.4.tar.bz2 b/audit-1.7.4.tar.bz2
new file mode 100644
index 0000000..997822e
--- /dev/null
+++ b/audit-1.7.4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aeb9652be811b7f4a695031dfd115c6d2209fe08601335772e727a183d756b06
+size 626976
diff --git a/audit-bnc378725.patch b/audit-bnc378725.patch
deleted file mode 100644
index ca2f91b..0000000
--- a/audit-bnc378725.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: tonyj@suse.de
-Subject: VUL-0: audit buffer overflow
-References: BNC# 378725
-Upstream: auditd 1.7.2
-
-Bugtraq ID: 28524 Linux Audit Daemon 'audit_log_user_command()' Local Buffer
-Overflow Vulnerability.
-
-This problem was found in Fedora when sudo was modified to call
-audit_log_user_command.
-
-Fix backported from auditd v1.7.2
-
-diff -urp audit-1.6.5.orig/lib/audit_logging.c audit-1.6.5/lib/audit_logging.c
---- audit-1.6.5.orig/lib/audit_logging.c 2008-04-01 16:33:34.000000000 -0400
-+++ audit-1.6.5/lib/audit_logging.c 2008-04-01 16:34:12.000000000 -0400
-@@ -652,7 +652,11 @@ int audit_log_user_command(int audit_fd,
- }
-
- p = cmd;
-- strcpy(commname, cmd);
-+ if (len >= PATH_MAX) {
-+ cmd[PATH_MAX] = 0;
-+ len = PATH_MAX-1;
-+ }
-+ strcpy(commname,cmd);
- while (*p) {
- if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
- _audit_c2x(commname, cmd, len);
diff --git a/audit-no_plugins.patch b/audit-no_plugins.patch
index 81a07cb..a059baa 100644
--- a/audit-no_plugins.patch
+++ b/audit-no_plugins.patch
@@ -5,24 +5,24 @@ Upsteam: never Non builtin plugins is build as part of phase2 by audit-secondary.spec. Conf files for builtins are still installed ---- audit-1.6.8/docs/Makefile.am.orig 2008-03-21 00:13:00.085158000 +0100 -+++ audit-1.6.8/docs/Makefile.am 2008-03-21 00:13:42.551650000 +0100 -@@ -47,6 +47,5 @@ - ausearch_add_timestamp_item.3 ausearch_add_regex.3 ausearch_clear.3 \ - ausearch_next_event.3 ausearch_set_stop.3 \ - autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \ --audispd.8 audispd.conf.5 audispd-zos-remote.8 zos-remote.conf.5 \ --audisp-prelude.8 -+audispd.8 audispd.conf.5 +--- audit-1.7.2/audisp/plugins/Makefile.am.orig 2008-04-22 17:20:29.022441000 +0200 ++++ audit-1.7.2/audisp/plugins/Makefile.am 2008-04-22 17:20:36.657804000 +0200 +@@ -22,7 +22,7 @@ ---- audit-1.6.8/audisp/plugins/Makefile.am.orig 2008-03-21 00:38:10.727001000 +0100 -+++ audit-1.6.8/audisp/plugins/Makefile.am 2008-03-21 00:38:34.320391000 +0100 -@@ -23,7 +23,7 @@ CONFIG_CLEAN_FILES = Makefile.in *.loT *.rej *.orig - #SUBDIRS = builtins zos-remote remote --SUBDIRS = builtins zos-remote -+SUBDIRS = builtins +-SUBDIRS = builtins zos-remote remote ++SUBDIRS = builtins + #SUBDIRS = builtins zos-remote if HAVE_PRELUDE SUBDIRS += prelude - endif + +--- audit-1.7.2/docs/Makefile.am.orig 2008-04-22 17:21:45.409978000 +0200 ++++ audit-1.7.2/docs/Makefile.am 2008-04-22 17:21:59.923451000 +0200 +@@ -49,5 +49,5 @@ + ausearch_clear.3 \ + ausearch_next_event.3 ausearch_set_stop.3 \ + autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \ +-audispd.8 audispd.conf.5 audispd-zos-remote.8 zos-remote.conf.5 ++audispd.8 audispd.conf.5 + diff --git a/audit-no_python.patch b/audit-no_python.patch index 7c31799..69c0551 100644 --- a/audit-no_python.patch +++ b/audit-no_python.patch 
@@ -20,9 +20,9 @@ there you have it. fi AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes) --AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile) +-AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile) +# SuSE: remove swig/Makefile + bindings/Makefile + bindings/python/Makefile -+AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile tools/Makefile tools/aulastlog/Makefile) ++AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile) echo . echo " diff --git a/audit-no_sca.patch b/audit-no_sca.patch index e285600..03ffc78 100644 --- a/audit-no_sca.patch +++ b/audit-no_sca.patch 
@@ -11,7 +11,7 @@ Disable system-config-audit. A Yast equivalent would be useful though. AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes) -AC_CONFIG_SUBDIRS([system-config-audit]) - AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile) + AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile) echo . diff --git a/audit-plugins-path.patch b/audit-plugins-path.patch new file mode 100644 index 0000000..f0cada1 --- /dev/null +++ b/audit-plugins-path.patch 
@@ -0,0 +1,40 @@
+From: Tony Jones
+Subject: Adjust location of plugins built by audit-secondary
+Upsteam: never
+
+Adjust location of plugins built by audit-secondary. These should never have
+been in /sbin plus some (for SuSE) require lib dependancies on /usr/lib
+
+--- audit-1.7.2/audisp/plugins/prelude/au-prelude.conf.orig 2008-04-23 11:56:11.946681000 +0200
++++ audit-1.7.2/audisp/plugins/prelude/au-prelude.conf 2008-04-23 11:56:22.789827000 +0200
+@@ -5,7 +5,7 @@
+
+ active = no
+ direction = out
+-path = /sbin/audisp-prelude
++path = /usr/sbin/audisp-prelude
+ type = always
+ #args =
+ format = string
+--- audit-1.7.2/audisp/plugins/remote/au-remote.conf.orig 2008-04-23 11:56:11.976660000 +0200
++++ audit-1.7.2/audisp/plugins/remote/au-remote.conf 2008-04-23 11:56:30.958657000 +0200
+@@ -5,7 +5,7 @@
+
+ active = no
+ direction = out
+-path = /sbin/audisp-remote
++path = /usr/sbin/audisp-remote
+ type = always
+ #args =
+ format = string
+--- audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf.orig 2008-04-23 11:56:11.993637000 +0200
++++ audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf 2008-04-23 11:56:40.533070000 +0200
+@@ -8,7 +8,7 @@
+
+ active = no
+ direction = out
+-path = /sbin/audispd-zos-remote
++path = /usr/sbin/audispd-zos-remote
+ type = always
+ args = /etc/audisp/zos-remote.conf
+ format = string
diff --git a/audit-secondary.changes b/audit-secondary.changes
index 1641f4e..7ffa485 100644
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jun 25 01:50:54 CEST 2008 - tonyj@suse.de
+
+- Update from 1.7.2 to 1.7.4 (see audit.changes for upstream change
+ history)
+
+- Update from 1.6.8 to 1.7.2 (see audit.changes for upstream change
+ history)
+
 -------------------------------------------------------------------
 Tue Jun 3 21:49:41 CEST 2008 - coolo@suse.de
 
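Review bot: The au-prelude.conf part of this new patch repoints `path` at `/usr/sbin/audisp-prelude`, but the audit-secondary.spec change in the same commit only relocates `{audispd-zos-remote,audisp-remote}` and the visible %files additions carry no audisp-prelude entry. If the prelude plugin is built later, enabling it would have audispd launch a path that nothing on this page installs, so either add the binary to the `mv` list and %files or drop that conf hunk until prelude is packaged. All three plugins stay `active = no`, so nothing runs by default. Since audispd starts whatever sits at `path`, a line in the patch header such as `Keep in sync with the mv in audit-secondary.spec %install` would help the next packager.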
diff --git a/audit-secondary.spec b/audit-secondary.spec index d7017d0..72876c5 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec @@ -1,5 +1,5 @@ # -# spec file for package audit-secondary (Version 1.6.8) +# spec file for package audit-secondary (Version 1.7.4) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -17,11 +17,12 @@ BuildRequires: audit audit-devel gcc-c++ openldap2-devel pkg-config python-deve Summary: Python Bindings for libaudit License: GPL v2 or later Group: System/Monitoring -Version: 1.6.8 -Release: 6 +Version: 1.7.4 +Release: 1 Url: http://people.redhat.com/sgrubb/audit/ Source0: audit-%{version}.tar.bz2 Patch0: audit-no_sca.patch +Patch1: audit-plugins-path.patch Requires: audit = %{version}-%{release} Requires: audit-libs = %{version}-%{release} BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -76,6 +77,7 @@ rm -rf audisp/plugins/zos-remote/policy rm -rf audisp/plugins/prelude %setup -q -n audit-%{version} %patch0 -p1 +%patch1 -p1 %build autoreconf -fi @@ -101,7 +103,8 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/_audit.la rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/auparse-1.0-py%{py_ver}.egg-info # Cleanup plugins # audispd-zos-remote uses ldap which is in /usr/lib so move to /usr/sbin -mv $RPM_BUILD_ROOT/sbin/audispd-zos-remote $RPM_BUILD_ROOT/usr/sbin/audispd-zos-remote +# audisp-remote shouldn't be in /sbin either, it's not 'essential' +mv $RPM_BUILD_ROOT/sbin/{audispd-zos-remote,audisp-remote} $RPM_BUILD_ROOT/usr/sbin # af_unix/syslog (builtin) is packaged by main spec file rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/{af_unix,syslog}.conf # Just need selecteed man pages 
@@ -114,8 +117,8 @@ rm -rf $RPM_BUILD_ROOT %files -n audit-libs-python %defattr(-,root,root,-) -%{_libdir}/python%{py_ver}/site-packages/_audit.so -%{_libdir}/python%{py_ver}/site-packages/auparse.so +%attr(755,root,root) %{_libdir}/python%{py_ver}/site-packages/_audit.so +%attr(755,root,root) %{_libdir}/python%{py_ver}/site-packages/auparse.so %{_libdir}/python%{py_ver}/site-packages/audit.py* %files -n audit-audispd-plugins @@ -125,8 +128,18 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf %config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf %attr(750,root,root) /usr/sbin/audispd-zos-remote +%config(noreplace) %attr(640,root,root) /etc/audisp/audisp-remote.conf +%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-remote.conf +%attr(750,root,root) /usr/sbin/audisp-remote +%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz +%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %changelog +* Wed Jun 25 2008 tonyj@suse.de +- Update from 1.7.2 to 1.7.4 (see audit.changes for upstream change + history) +- Update from 1.6.8 to 1.7.2 (see audit.changes for upstream change + history) * Tue Jun 03 2008 coolo@suse.de - avoid packaging a directory with different permissions (creating rpm -V output) diff --git a/audit.changes b/audit.changes index f87bb10..a113473 100644 --- a/audit.changes +++ b/audit.changes 
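Review bot: The audisp-remote entries added in the `@@ -125,8 +128,18 @@` hunk have no comment saying what the plugin does once enabled, while the upstream changelog imported by this commit describes it as "only sends & no flow control". A spec comment above the three new lines, e.g. `# audisp-remote sends audit events to a remote host; shipped disabled (active = no in au-remote.conf)`, would tell a maintainer to keep the 640 config and 750 binary modes as they are. The %files section continues outside this hunk.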
@@ -1,3 +1,80 @@ +------------------------------------------------------------------- +Wed Jun 25 01:50:54 CEST 2008 - tonyj@suse.de + +- Update from 1.7.2 to 1.7.4 +- Redhat changelog for 1.7.3 - 1.7.4 follows: + * Mon May 19 2008 Steve Grubb 1.7.4-1 + - Fix interpreting of keys in syscall records + - Interpret audit rule config change list fields + - Don't error on name=(null) PATH records in ausearch/report + - Add key report to aureport + - Fix --end today to be now + - Added python bindings for auparse_goto_record_num + - Update system-config-audit to 0.4.7 (Miloslav Trmac) + - Add support for the filetype field option in auditctl + - In audispd boost priority after starting children + + * Fri May 09 2008 Steve Grubb 1.7.3-1 + - Fix path processing in AVC records. + - auparse_find_field_next() wasn't resetting field ptr going to next record. + - auparse_find_field() wasn't checking current field before iterating + - cleanup some string handling in audisp-prelude plugin + - Update auditctl man page + - Fix output of keys in ausearch interpretted mode + - Fix ausearch/report --start now to not be reset to midnight + - Added auparse_goto_record_num function + - Prelude plugin now uses auparse_goto_record_num to avoid skipping a record + - audispd now has a priority boost config option + - Look for laddr in avcs reported via prelude + - Detect page 0 mmaps and alert via prelude + +- Update from 1.6.8 to 1.7.2 +- Complete fix for BNC# 378725 +- Redhat changelog for 1.6.9-1.7.2 follows: + * Wed Apr 09 2008 Steve Grubb 1.7.2-1 + - gen_table.c now includes IPC defines to avoid glibc-headers wild goose chase + - ausyscall program added for cross referencing syscall name and number info + - Add login session ID search capability to ausearch + + * Tue Apr 08 2008 Steve Grubb 1.7.1-1 + - Remove LSB headers info for init scripts + - Fix buffer overflow in audit_log_user_command, again (#438840) + - Fix memory leak in EOE code in auditd (#440075) + - In auditctl, don't use 
new operators in legacy rule format + - Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac) + - Add example STIG rules file + - Add string table lookup performance improvement patch (Miloslav Trmac) + - auparse_find_field_next performance improvement + + * Sun Mar 30 2008 Steve Grubb 1.7-1 + - Improve input error handling in audispd + - Improve end of event detection in auparse library + - Improve handling of abstract namespaces + - Add test mode for prelude plugin + - Handle user space avcs in prelude plugin + - Audit event serial number now recorded in idmef alert + - Add --just-one option to ausearch + - Fix watched account login detection for some failed login attempts + - Couple fixups in audit logging functions (Miloslav Trmac) + - Add support in auditctl for virtual keys + - Added new type for user space MAC policy load events + - auparse_find_field_next was not iterating correctly, fixed it + - Add idmef alerts for access or execution of watched file + - Fix buffer overflow in audit_log_user_command + - Add basic remote logging plugin - only sends & no flow control + - Update ausearch with interpret fixes from auparse + + * Sun Mar 09 2008 Steve Grubb 1.6.9-1 + - Apply hidden attribute cleanup patch (Miloslav Trmac) + - Apply auparse expression interface patch (Miloslav Trmac) + - Fix potential memleak in audit event dispatcher + - Change default audispd queue depth to 80 + - Update system-config-audit to version 0.4.6 (Miloslav Trmac) + - audisp-prelude alerts now controlled by config file + - Updated syscall table for 2.6.25 kernel + - Apply patch correcting acct field being misencoded (Miloslav Trmac) + - Added watched account login detection for prelude plugin + ------------------------------------------------------------------- Wed Apr 23 14:17:17 CEST 2008 - tonyj@suse.de diff --git a/audit.spec b/audit.spec index 4b7699b..73744f9 100644 --- a/audit.spec +++ b/audit.spec 
@@ -1,5 +1,5 @@ # -# spec file for package audit (Version 1.6.8) +# spec file for package audit (Version 1.7.4) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -14,8 +14,8 @@ Name: audit BuildRequires: gcc-c++ Summary: User Space Tools for 2.6 Kernel Auditing -Version: 1.6.8 -Release: 20 +Version: 1.7.4 +Release: 1 License: GPL v2 or later Group: System/Monitoring Url: http://people.redhat.com/sgrubb/audit/ @@ -25,7 +25,6 @@ Source2: auditd.sysconfig Patch0: audit-no_sca.patch Patch1: audit-no_python.patch Patch2: audit-no_plugins.patch -Patch3: audit-bnc378725.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: %{name}-libs = %{version}-%{release} PreReq: %insserv_prereq %fillup_prereq @@ -78,7 +77,6 @@ Authors: %patch0 -p1 %patch1 -p1 %patch2 -p1 -%patch3 -p1 %build autoreconf -fi @@ -163,10 +161,11 @@ fi %{_includedir}/auparse.h %{_includedir}/auparse-defs.h %{_mandir}/man3/* +%{_mandir}/man5/ausearch-expression.5.gz %files %defattr(-,root,root,-) -%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron +%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/stig.rules init.d/auditd.cron %attr(644,root,root) %{_mandir}/man8/audispd.8.gz %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz %attr(644,root,root) %{_mandir}/man8/auditd.8.gz @@ -174,6 +173,7 @@ fi %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz %attr(644,root,root) %{_mandir}/man8/autrace.8.gz %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz +%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz %attr(750,root,root) /sbin/auditctl 
@@ -182,7 +182,8 @@ fi
 %attr(750,root,root) /sbin/rcauditd
 %attr(750,root,root) /sbin/autrace
 %attr(750,root,root) /sbin/audispd
-%attr(750,root,root) /sbin/aulastlog
+%attr(750,root,root) /usr/bin/aulastlog
+%attr(755,root,root) /usr/bin/ausyscall
 %attr(755,root,root) /sbin/aureport
 /etc/init.d/auditd
 %dir %attr(750,root,root) /etc/audit
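Review bot: `%attr(755,root,root) /usr/bin/ausyscall` is added to the main package's %files here and again in the next hunk (`@@ -198,8 +199,78 @@`, right after the `/var/log/audit/audit.log` entry), so the same path is listed twice. rpmbuild typically reports that as a "File listed twice" warning, and it leaves two places to update if the mode or location changes. Drop the second entry and keep this one, next to the other binaries. The %files list continues outside this hunk.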
@@ -198,8 +199,78 @@ fi /var/adm/fillup-templates/sysconfig.auditd %dir %attr(700,root,root) /var/log/audit %ghost %config(noreplace) /var/log/audit/audit.log +%attr(755,root,root) /usr/bin/ausyscall %changelog +* Wed Jun 25 2008 tonyj@suse.de +- Update from 1.7.2 to 1.7.4 +- Redhat changelog for 1.7.3 - 1.7.4 follows: + * Mon May 19 2008 Steve Grubb 1.7.4-1 + - Fix interpreting of keys in syscall records + - Interpret audit rule config change list fields + - Don't error on name=(null) PATH records in ausearch/report + - Add key report to aureport + - Fix --end today to be now + - Added python bindings for auparse_goto_record_num + - Update system-config-audit to 0.4.7 (Miloslav Trmac) + - Add support for the filetype field option in auditctl + - In audispd boost priority after starting children + * Fri May 09 2008 Steve Grubb 1.7.3-1 + - Fix path processing in AVC records. + - auparse_find_field_next() wasn't resetting field ptr going to next record. + - auparse_find_field() wasn't checking current field before iterating + - cleanup some string handling in audisp-prelude plugin + - Update auditctl man page + - Fix output of keys in ausearch interpretted mode + - Fix ausearch/report --start now to not be reset to midnight + - Added auparse_goto_record_num function + - Prelude plugin now uses auparse_goto_record_num to avoid skipping a record + - audispd now has a priority boost config option + - Look for laddr in avcs reported via prelude + - Detect page 0 mmaps and alert via prelude +- Update from 1.6.8 to 1.7.2 +- Complete fix for BNC# 378725 +- Redhat changelog for 1.6.9-1.7.2 follows: + * Wed Apr 09 2008 Steve Grubb 1.7.2-1 + - gen_table.c now includes IPC defines to avoid glibc-headers wild goose chase + - ausyscall program added for cross referencing syscall name and number info + - Add login session ID search capability to ausearch + * Tue Apr 08 2008 Steve Grubb 1.7.1-1 + - Remove LSB headers info for init scripts + - Fix buffer overflow in 
audit_log_user_command, again (#438840) + - Fix memory leak in EOE code in auditd (#440075) + - In auditctl, don't use new operators in legacy rule format + - Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac) + - Add example STIG rules file + - Add string table lookup performance improvement patch (Miloslav Trmac) + - auparse_find_field_next performance improvement + * Sun Mar 30 2008 Steve Grubb 1.7-1 + - Improve input error handling in audispd + - Improve end of event detection in auparse library + - Improve handling of abstract namespaces + - Add test mode for prelude plugin + - Handle user space avcs in prelude plugin + - Audit event serial number now recorded in idmef alert + - Add --just-one option to ausearch + - Fix watched account login detection for some failed login attempts + - Couple fixups in audit logging functions (Miloslav Trmac) + - Add support in auditctl for virtual keys + - Added new type for user space MAC policy load events + - auparse_find_field_next was not iterating correctly, fixed it + - Add idmef alerts for access or execution of watched file + - Fix buffer overflow in audit_log_user_command + - Add basic remote logging plugin - only sends & no flow control + - Update ausearch with interpret fixes from auparse + * Sun Mar 09 2008 Steve Grubb 1.6.9-1 + - Apply hidden attribute cleanup patch (Miloslav Trmac) + - Apply auparse expression interface patch (Miloslav Trmac) + - Fix potential memleak in audit event dispatcher + - Change default audispd queue depth to 80 + - Update system-config-audit to version 0.4.6 (Miloslav Trmac) + - audisp-prelude alerts now controlled by config file + - Updated syscall table for 2.6.25 kernel + - Apply patch correcting acct field being misencoded (Miloslav Trmac) + - Added watched account login detection for prelude plugin * Wed Apr 23 2008 tonyj@suse.de - Fix for bnc#378725 VUL-0: audit buffer overflow * Thu Apr 10 2008 ro@suse.de