OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=17

audit-1.6.8.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:675f08a4e32a4ccc4581fefcac3918bb6d8af2e1e318b16d7bbe27c654c53b1f
-size 594531

audit-1.7.4.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aeb9652be811b7f4a695031dfd115c6d2209fe08601335772e727a183d756b06
+size 626976

audit-bnc378725.patch

@@ -1,29 +0,0 @@
-From: tonyj@suse.de
-Subject: VUL-0: audit buffer overflow
-References: BNC# 378725
-Upstream: auditd 1.7.2
-
-Bugtraq ID: 28524 Linux Audit Daemon 'audit_log_user_command()' Local Buffer 
-Overflow Vulnerability.  
-
-This problem was found in Fedora when sudo was modified to call 
-audit_log_user_command.
-
-Fix backported from auditd v1.7.2
-
-diff -urp audit-1.6.5.orig/lib/audit_logging.c audit-1.6.5/lib/audit_logging.c
---- audit-1.6.5.orig/lib/audit_logging.c	2008-04-01 16:33:34.000000000 -0400
-+++ audit-1.6.5/lib/audit_logging.c	2008-04-01 16:34:12.000000000 -0400
-@@ -652,7 +652,11 @@ int audit_log_user_command(int audit_fd,
- 	}
- 
- 	p = cmd;
--	strcpy(commname, cmd);
-+	if (len >= PATH_MAX) {
-+		cmd[PATH_MAX] = 0;
-+		len = PATH_MAX-1;
-+	}
-+	strcpy(commname,cmd);
- 	while (*p) {
- 		if (*p == '"' || *p < 0x21 || (unsigned)*p > 0x7f) {
- 			_audit_c2x(commname, cmd, len);

audit-no_plugins.patch

@@ -5,24 +5,24 @@ Upsteam: never
 Non builtin plugins is build as part of phase2 by audit-secondary.spec.
 Conf files for builtins are still installed
 
---- audit-1.6.8/docs/Makefile.am.orig	2008-03-21 00:13:00.085158000 +0100
+--- audit-1.7.2/audisp/plugins/Makefile.am.orig	2008-04-22 17:20:29.022441000 +0200
-+++ audit-1.6.8/docs/Makefile.am	2008-03-21 00:13:42.551650000 +0100
++++ audit-1.7.2/audisp/plugins/Makefile.am	2008-04-22 17:20:36.657804000 +0200
-@@ -47,6 +47,5 @@
+@@ -22,7 +22,7 @@
- ausearch_add_timestamp_item.3 ausearch_add_regex.3 ausearch_clear.3 \
- ausearch_next_event.3 ausearch_set_stop.3 \
- autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \
--audispd.8 audispd.conf.5 audispd-zos-remote.8 zos-remote.conf.5 \
--audisp-prelude.8
-+audispd.8 audispd.conf.5 
  
---- audit-1.6.8/audisp/plugins/Makefile.am.orig	2008-03-21 00:38:10.727001000 +0100
-+++ audit-1.6.8/audisp/plugins/Makefile.am	2008-03-21 00:38:34.320391000 +0100
-@@ -23,7 +23,7 @@
  CONFIG_CLEAN_FILES = Makefile.in *.loT *.rej *.orig
  
- #SUBDIRS = builtins zos-remote remote
+-SUBDIRS = builtins zos-remote remote
--SUBDIRS = builtins zos-remote
++SUBDIRS = builtins
-+SUBDIRS = builtins 
+ #SUBDIRS = builtins zos-remote
  if HAVE_PRELUDE
  SUBDIRS += prelude
- endif
+
+--- audit-1.7.2/docs/Makefile.am.orig	2008-04-22 17:21:45.409978000 +0200
++++ audit-1.7.2/docs/Makefile.am	2008-04-22 17:21:59.923451000 +0200
+@@ -49,5 +49,5 @@
+ ausearch_clear.3 \
+ ausearch_next_event.3 ausearch_set_stop.3 \
+ autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \
+-audispd.8 audispd.conf.5 audispd-zos-remote.8 zos-remote.conf.5 
++audispd.8 audispd.conf.5
+ 

audit-no_python.patch

@@ -20,9 +20,9 @@ there you have it.
  fi
  AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes)
  
--AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile)
+-AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
 +# SuSE: remove swig/Makefile + bindings/Makefile + bindings/python/Makefile
-+AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile tools/Makefile tools/aulastlog/Makefile)
++AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
  
  echo .
  echo "

audit-no_sca.patch

@@ -11,7 +11,7 @@ Disable system-config-audit.  A Yast equivalent would be useful though.
  AM_CONDITIONAL(HAVE_PRELUDE, test x$have_prelude = xyes)
  
 -AC_CONFIG_SUBDIRS([system-config-audit])
- AC_OUTPUT(Makefile lib/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile)
+ AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
  
  echo .
 

audit-plugins-path.patch

@@ -0,0 +1,40 @@
+From: Tony Jones <tonyj@suse.de>
+Subject: Adjust location of plugins built by audit-secondary
+Upsteam: never
+
+Adjust location of plugins built by audit-secondary.  These should never have
+been in /sbin plus some (for SuSE) require lib dependancies on /usr/lib
+
+--- audit-1.7.2/audisp/plugins/prelude/au-prelude.conf.orig	2008-04-23 11:56:11.946681000 +0200
++++ audit-1.7.2/audisp/plugins/prelude/au-prelude.conf	2008-04-23 11:56:22.789827000 +0200
+@@ -5,7 +5,7 @@
+ 
+ active = no
+ direction = out
+-path = /sbin/audisp-prelude
++path = /usr/sbin/audisp-prelude
+ type = always
+ #args =
+ format = string
+--- audit-1.7.2/audisp/plugins/remote/au-remote.conf.orig	2008-04-23 11:56:11.976660000 +0200
++++ audit-1.7.2/audisp/plugins/remote/au-remote.conf	2008-04-23 11:56:30.958657000 +0200
+@@ -5,7 +5,7 @@
+ 
+ active = no
+ direction = out
+-path = /sbin/audisp-remote
++path = /usr/sbin/audisp-remote
+ type = always
+ #args =
+ format = string
+--- audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf.orig	2008-04-23 11:56:11.993637000 +0200
++++ audit-1.7.2/audisp/plugins/zos-remote/audispd-zos-remote.conf	2008-04-23 11:56:40.533070000 +0200
+@@ -8,7 +8,7 @@
+ 
+ active = no
+ direction = out
+-path = /sbin/audispd-zos-remote
++path = /usr/sbin/audispd-zos-remote
+ type = always 
+ args = /etc/audisp/zos-remote.conf
+ format = string

audit-secondary.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jun 25 01:50:54 CEST 2008 - tonyj@suse.de
+
+- Update from 1.7.2 to 1.7.4 (see audit.changes for upstream change
+  history)
+
+- Update from 1.6.8 to 1.7.2 (see audit.changes for upstream change
+  history) 
+
 -------------------------------------------------------------------
 Tue Jun  3 21:49:41 CEST 2008 - coolo@suse.de
 

audit-secondary.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package audit-secondary (Version 1.6.8)
+# spec file for package audit-secondary (Version 1.7.4)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -17,11 +17,12 @@ BuildRequires:  audit audit-devel gcc-c++ openldap2-devel pkg-config python-deve
 Summary:        Python Bindings for libaudit
 License:        GPL v2 or later
 Group:          System/Monitoring
-Version:        1.6.8
+Version:        1.7.4
-Release:        6
+Release:        1
 Url:            http://people.redhat.com/sgrubb/audit/
 Source0:        audit-%{version}.tar.bz2
 Patch0:         audit-no_sca.patch
+Patch1:         audit-plugins-path.patch
 Requires:       audit = %{version}-%{release}
 Requires:       audit-libs = %{version}-%{release}
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -76,6 +77,7 @@ rm -rf audisp/plugins/zos-remote/policy
 rm -rf audisp/plugins/prelude
 %setup -q -n audit-%{version}
 %patch0 -p1
+%patch1 -p1
 
 %build
 autoreconf -fi
@@ -101,7 +103,8 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/_audit.la
 rm -f $RPM_BUILD_ROOT/%{_libdir}/python%{py_ver}/site-packages/auparse-1.0-py%{py_ver}.egg-info
 # Cleanup plugins
 # audispd-zos-remote uses ldap which is in /usr/lib so move to /usr/sbin
-mv $RPM_BUILD_ROOT/sbin/audispd-zos-remote $RPM_BUILD_ROOT/usr/sbin/audispd-zos-remote
+# audisp-remote shouldn't be in /sbin either, it's not 'essential'
+mv $RPM_BUILD_ROOT/sbin/{audispd-zos-remote,audisp-remote} $RPM_BUILD_ROOT/usr/sbin
 # af_unix/syslog (builtin) is packaged by main spec file
 rm -f $RPM_BUILD_ROOT/etc/audisp/plugins.d/{af_unix,syslog}.conf
 # Just need selecteed man pages
@@ -114,8 +117,8 @@ rm -rf $RPM_BUILD_ROOT
 
 %files -n audit-libs-python
 %defattr(-,root,root,-)
-%{_libdir}/python%{py_ver}/site-packages/_audit.so
+%attr(755,root,root) %{_libdir}/python%{py_ver}/site-packages/_audit.so
-%{_libdir}/python%{py_ver}/site-packages/auparse.so
+%attr(755,root,root) %{_libdir}/python%{py_ver}/site-packages/auparse.so
 %{_libdir}/python%{py_ver}/site-packages/audit.py*
 
 %files -n audit-audispd-plugins
@@ -125,8 +128,18 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
 %attr(750,root,root) /usr/sbin/audispd-zos-remote
+%config(noreplace) %attr(640,root,root) /etc/audisp/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-remote.conf
+%attr(750,root,root) /usr/sbin/audisp-remote
+%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 
 %changelog
+* Wed Jun 25 2008 tonyj@suse.de
+- Update from 1.7.2 to 1.7.4 (see audit.changes for upstream change
+  history)
+- Update from 1.6.8 to 1.7.2 (see audit.changes for upstream change
+  history)
 * Tue Jun 03 2008 coolo@suse.de
 - avoid packaging a directory with different permissions (creating
   rpm -V output)

audit.changes

@@ -1,3 +1,80 @@
+-------------------------------------------------------------------
+Wed Jun 25 01:50:54 CEST 2008 - tonyj@suse.de
+
+- Update from 1.7.2 to 1.7.4
+- Redhat changelog for 1.7.3 - 1.7.4 follows:
+  * Mon May 19 2008 Steve Grubb <sgrubb@redhat.com> 1.7.4-1
+  - Fix interpreting of keys in syscall records
+  - Interpret audit rule config change list fields
+  - Don't error on name=(null) PATH records in ausearch/report
+  - Add key report to aureport
+  - Fix --end today to be now
+  - Added python bindings for auparse_goto_record_num
+  - Update system-config-audit to 0.4.7 (Miloslav Trmac)
+  - Add support for the filetype field option in auditctl
+  - In audispd boost priority after starting children
+  
+  * Fri May 09 2008 Steve Grubb <sgrubb@redhat.com> 1.7.3-1
+  - Fix path processing in AVC records.
+  - auparse_find_field_next() wasn't resetting field ptr going to next record.
+  - auparse_find_field() wasn't checking current field before iterating
+  - cleanup some string handling in audisp-prelude plugin
+  - Update auditctl man page
+  - Fix output of keys in ausearch interpretted mode
+  - Fix ausearch/report --start now to not be reset to midnight
+  - Added auparse_goto_record_num function
+  - Prelude plugin now uses auparse_goto_record_num to avoid skipping a record
+  - audispd now has a priority boost config option
+  - Look for laddr in avcs reported via prelude
+  - Detect page 0 mmaps and alert via prelude
+
+- Update from 1.6.8 to 1.7.2
+- Complete fix for BNC# 378725
+- Redhat changelog for 1.6.9-1.7.2 follows:
+  * Wed Apr 09 2008 Steve Grubb <sgrubb@redhat.com> 1.7.2-1
+  - gen_table.c now includes IPC defines to avoid glibc-headers wild goose chase
+  - ausyscall program added for cross referencing syscall name and number info
+  - Add login session ID search capability to ausearch
+  
+  * Tue Apr 08 2008 Steve Grubb <sgrubb@redhat.com> 1.7.1-1
+  - Remove LSB headers info for init scripts
+  - Fix buffer overflow in audit_log_user_command, again (#438840)
+  - Fix memory leak in EOE code in auditd (#440075)
+  - In auditctl, don't use new operators in legacy rule format
+  - Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac)
+  - Add example STIG rules file
+  - Add string table lookup performance improvement patch (Miloslav Trmac)
+  - auparse_find_field_next performance improvement
+  
+  * Sun Mar 30 2008 Steve Grubb <sgrubb@redhat.com> 1.7-1
+  - Improve input error handling in audispd
+  - Improve end of event detection in auparse library
+  - Improve handling of abstract namespaces
+  - Add test mode for prelude plugin
+  - Handle user space avcs in prelude plugin
+  - Audit event serial number now recorded in idmef alert
+  - Add --just-one option to ausearch
+  - Fix watched account login detection for some failed login attempts
+  - Couple fixups in audit logging functions (Miloslav Trmac)
+  - Add support in auditctl for virtual keys
+  - Added new type for user space MAC policy load events
+  - auparse_find_field_next was not iterating correctly, fixed it
+  - Add idmef alerts for access or execution of watched file
+  - Fix buffer overflow in audit_log_user_command
+  - Add basic remote logging plugin - only sends & no flow control
+  - Update ausearch with interpret fixes from auparse
+  
+  * Sun Mar 09 2008 Steve Grubb <sgrubb@redhat.com> 1.6.9-1
+  - Apply hidden attribute cleanup patch (Miloslav Trmac)
+  - Apply auparse expression interface patch (Miloslav Trmac)
+  - Fix potential memleak in audit event dispatcher
+  - Change default audispd queue depth to 80
+  - Update system-config-audit to version 0.4.6 (Miloslav Trmac)
+  - audisp-prelude alerts now controlled by config file
+  - Updated syscall table for 2.6.25 kernel
+  - Apply patch correcting acct field being misencoded (Miloslav Trmac)
+  - Added watched account login detection for prelude plugin
+
 -------------------------------------------------------------------
 Wed Apr 23 14:17:17 CEST 2008 - tonyj@suse.de
 

audit.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package audit (Version 1.6.8)
+# spec file for package audit (Version 1.7.4)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # This file and all modifications and additions to the pristine
@@ -14,8 +14,8 @@
 Name:           audit
 BuildRequires:  gcc-c++
 Summary:        User Space Tools for 2.6 Kernel Auditing
-Version:        1.6.8
+Version:        1.7.4
-Release:        20
+Release:        1
 License:        GPL v2 or later
 Group:          System/Monitoring
 Url:            http://people.redhat.com/sgrubb/audit/
@@ -25,7 +25,6 @@ Source2:        auditd.sysconfig
 Patch0:         audit-no_sca.patch
 Patch1:         audit-no_python.patch
 Patch2:         audit-no_plugins.patch
-Patch3:         audit-bnc378725.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires:       %{name}-libs = %{version}-%{release}
 PreReq:         %insserv_prereq %fillup_prereq
@@ -78,7 +77,6 @@ Authors:
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 
 %build
 autoreconf -fi
@@ -163,10 +161,11 @@ fi
 %{_includedir}/auparse.h
 %{_includedir}/auparse-defs.h
 %{_mandir}/man3/*
+%{_mandir}/man5/ausearch-expression.5.gz
 
 %files
 %defattr(-,root,root,-)
-%doc  README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules init.d/auditd.cron
+%doc  README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/stig.rules init.d/auditd.cron
 %attr(644,root,root) %{_mandir}/man8/audispd.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
@@ -174,6 +173,7 @@ fi
 %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
 %attr(644,root,root) %{_mandir}/man8/autrace.8.gz
 %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
 %attr(750,root,root) /sbin/auditctl
@@ -182,7 +182,8 @@ fi
 %attr(750,root,root) /sbin/rcauditd
 %attr(750,root,root) /sbin/autrace
 %attr(750,root,root) /sbin/audispd
-%attr(750,root,root) /sbin/aulastlog
+%attr(750,root,root) /usr/bin/aulastlog
+%attr(755,root,root) /usr/bin/ausyscall
 %attr(755,root,root) /sbin/aureport
 /etc/init.d/auditd
 %dir %attr(750,root,root) /etc/audit
@@ -198,8 +199,78 @@ fi
 /var/adm/fillup-templates/sysconfig.auditd
 %dir %attr(700,root,root) /var/log/audit
 %ghost %config(noreplace) /var/log/audit/audit.log
+%attr(755,root,root) /usr/bin/ausyscall
 
 %changelog
+* Wed Jun 25 2008 tonyj@suse.de
+- Update from 1.7.2 to 1.7.4
+- Redhat changelog for 1.7.3 - 1.7.4 follows:
+  * Mon May 19 2008 Steve Grubb <sgrubb@redhat.com> 1.7.4-1
+  - Fix interpreting of keys in syscall records
+  - Interpret audit rule config change list fields
+  - Don't error on name=(null) PATH records in ausearch/report
+  - Add key report to aureport
+  - Fix --end today to be now
+  - Added python bindings for auparse_goto_record_num
+  - Update system-config-audit to 0.4.7 (Miloslav Trmac)
+  - Add support for the filetype field option in auditctl
+  - In audispd boost priority after starting children
+  * Fri May 09 2008 Steve Grubb <sgrubb@redhat.com> 1.7.3-1
+  - Fix path processing in AVC records.
+  - auparse_find_field_next() wasn't resetting field ptr going to next record.
+  - auparse_find_field() wasn't checking current field before iterating
+  - cleanup some string handling in audisp-prelude plugin
+  - Update auditctl man page
+  - Fix output of keys in ausearch interpretted mode
+  - Fix ausearch/report --start now to not be reset to midnight
+  - Added auparse_goto_record_num function
+  - Prelude plugin now uses auparse_goto_record_num to avoid skipping a record
+  - audispd now has a priority boost config option
+  - Look for laddr in avcs reported via prelude
+  - Detect page 0 mmaps and alert via prelude
+- Update from 1.6.8 to 1.7.2
+- Complete fix for BNC# 378725
+- Redhat changelog for 1.6.9-1.7.2 follows:
+  * Wed Apr 09 2008 Steve Grubb <sgrubb@redhat.com> 1.7.2-1
+  - gen_table.c now includes IPC defines to avoid glibc-headers wild goose chase
+  - ausyscall program added for cross referencing syscall name and number info
+  - Add login session ID search capability to ausearch
+  * Tue Apr 08 2008 Steve Grubb <sgrubb@redhat.com> 1.7.1-1
+  - Remove LSB headers info for init scripts
+  - Fix buffer overflow in audit_log_user_command, again (#438840)
+  - Fix memory leak in EOE code in auditd (#440075)
+  - In auditctl, don't use new operators in legacy rule format
+  - Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac)
+  - Add example STIG rules file
+  - Add string table lookup performance improvement patch (Miloslav Trmac)
+  - auparse_find_field_next performance improvement
+  * Sun Mar 30 2008 Steve Grubb <sgrubb@redhat.com> 1.7-1
+  - Improve input error handling in audispd
+  - Improve end of event detection in auparse library
+  - Improve handling of abstract namespaces
+  - Add test mode for prelude plugin
+  - Handle user space avcs in prelude plugin
+  - Audit event serial number now recorded in idmef alert
+  - Add --just-one option to ausearch
+  - Fix watched account login detection for some failed login attempts
+  - Couple fixups in audit logging functions (Miloslav Trmac)
+  - Add support in auditctl for virtual keys
+  - Added new type for user space MAC policy load events
+  - auparse_find_field_next was not iterating correctly, fixed it
+  - Add idmef alerts for access or execution of watched file
+  - Fix buffer overflow in audit_log_user_command
+  - Add basic remote logging plugin - only sends & no flow control
+  - Update ausearch with interpret fixes from auparse
+  * Sun Mar 09 2008 Steve Grubb <sgrubb@redhat.com> 1.6.9-1
+  - Apply hidden attribute cleanup patch (Miloslav Trmac)
+  - Apply auparse expression interface patch (Miloslav Trmac)
+  - Fix potential memleak in audit event dispatcher
+  - Change default audispd queue depth to 80
+  - Update system-config-audit to version 0.4.6 (Miloslav Trmac)
+  - audisp-prelude alerts now controlled by config file
+  - Updated syscall table for 2.6.25 kernel
+  - Apply patch correcting acct field being misencoded (Miloslav Trmac)
+  - Added watched account login detection for prelude plugin
 * Wed Apr 23 2008 tonyj@suse.de
 - Fix for bnc#378725 VUL-0: audit buffer overflow
 * Thu Apr 10 2008 ro@suse.de