forked from pool/audit
OBS User unknown 2009-06-05 20:36:33 +00:00 committed by Git OBS Bridge
parent 867ed2b559
commit 97cd17092d
10 changed files with 183 additions and 233 deletions

3
audit-1.7.13.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:053ebd92c6b8c1dac67f6cde59073798eb365c97bb73281b18b09b1b8bee5682
size 905282


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bd635c98f200d0b436e69fb2cb074386dd9f557ca7e2479e1de0cb0f7b2eea6d
size 934496


@ -1,117 +0,0 @@
docs/ausearch.8 | 3 +++
src/ausearch-options.c | 9 ++++++++-
src/ausearch-options.h | 1 +
src/ausearch.c | 10 ++++++----
4 files changed, 18 insertions(+), 5 deletions(-)
--- audit-1.7.7/docs/ausearch.8
+++ audit-1.7.7/docs/ausearch.8
@@ -54,6 +54,9 @@
.BR \-k ,\ \-\-key \ \fIkey-string\fP
Search for an event based on the given \fIkey string\fP.
.TP
+.BR \-l ,\ \-\-line-buffered
+Flush output on every line. Most useful when stdout is connected to a pipe and the default block buffering strategy is undesirable. May impose a performance penalty.
+.TP
.BR \-m ,\ \-\-message \ \fImessage-type\fP\ |\ \fIcomma-sep-message-type-list\fP
Search for an event matching the given \fImessage type\fP. You may also enter a \fIcomma separated list of message types\fP. There is an \fBALL\fP message type that doesn't exist in the actual logs. It allows you to get all messages in the system. The list of valid messages types is long. The program will display the list whenever no message type is passed with this parameter. The message type can be either text or numeric. If you enter a list, there can be only commas and no spaces separating the list.
.TP
--- audit-1.7.7/src/ausearch-options.c
+++ audit-1.7.7/src/ausearch-options.c
@@ -50,6 +50,7 @@
int event_ua = 0, event_ga = 0, event_se = 0;
int just_one = 0;
int event_session_id = -1;
+int line_buffered = 0;
const char *event_key = NULL;
const char *event_node = NULL;
const char *event_filename = NULL;
@@ -71,7 +72,7 @@
S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
-S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION };
+S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_LINEBUFFERED };
static struct nv_pair optiontab[] = {
{ S_EVENT, "-a" },
@@ -98,6 +99,8 @@
{ S_JUST_ONE, "--just-one" },
{ S_KEY, "-k" },
{ S_KEY, "--key" },
+ { S_LINEBUFFERED, "-l" },
+ { S_LINEBUFFERED, "--line-buffered" },
{ S_MESSAGE_TYPE, "-m" },
{ S_MESSAGE_TYPE, "--message" },
{ S_NODE, "-n" },
@@ -169,6 +172,7 @@
"\t--input-logs\t\t\tUse the logs even if stdin is a pipe\n"
"\t--just-one\t\t\tEmit just one event\n"
"\t-k,--key <key string>\t\tsearch based on key field\n"
+ "\t-l, --line-buffered\t\tFlush output on every line\n"
"\t-m,--message <Message type>\tsearch based on message type\n"
"\t-n,--node <Node name>\t\tsearch based on machine's name\n"
"\t-o,--object <SE Linux Object context> search based on context of object\n"
@@ -954,6 +958,9 @@
c++;
}
break;
+ case S_LINEBUFFERED:
+ line_buffered = 1;
+ break;
default:
fprintf(stderr, "%s is an unsupported option\n",
vars[c]);
--- audit-1.7.7/src/ausearch-options.h
+++ audit-1.7.7/src/ausearch-options.h
@@ -36,6 +36,7 @@
extern const char *event_object;
extern int event_se;
extern int just_one;
+extern int line_buffered;
extern pid_t event_ppid;
extern int event_session_id;
--- audit-1.7.7/src/ausearch.c
+++ audit-1.7.7/src/ausearch.c
@@ -43,7 +43,6 @@
static FILE *log_fd = NULL;
static int found = 0;
-static int pipe_mode = 0;
static int process_logs(void);
static int process_log_fd(void);
static int process_stdin(void);
@@ -58,11 +57,12 @@
extern int match(llist *l);
extern void output_record(llist *l);
-static int input_is_pipe(void)
+static int is_pipe(int fd)
{
struct stat st;
+ int pipe_mode = 0;
- if (fstat(0, &st) == 0) {
+ if (fstat(fd, &st) == 0) {
if (S_ISFIFO(st.st_mode))
pipe_mode = 1;
}
@@ -92,7 +92,7 @@
rc = process_file(user_file);
else if (force_logs)
rc = process_logs();
- else if (input_is_pipe())
+ else if (is_pipe(0))
rc = process_stdin();
else
rc = process_logs();
@@ -190,6 +190,8 @@
list_clear(&entries);
break;
}
+ if (line_buffered)
+ fflush(stdout);
}
list_clear(&entries);
} while (ret == 0);


@ -1,88 +0,0 @@
---
ausearch.c | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
Index: trunk/src/ausearch.c
===================================================================
--- audit-1.7.7/src/ausearch.c.orig 2008-11-26 22:39:25.736364000 +0100
+++ audit-1.7.7/src/ausearch.c 2008-11-27 00:21:32.801448000 +0100
@@ -34,6 +34,7 @@
#include <sys/resource.h>
#include <sys/stat.h>
#include <locale.h>
+#include <signal.h>
#include "libaudit.h"
#include "auditd-config.h"
#include "ausearch-options.h"
@@ -43,6 +44,8 @@
static FILE *log_fd = NULL;
static int found = 0;
+static int input_is_pipe = 0;
+static int timeout_interval = 5; /* timeout in seconds */
static int process_logs(void);
static int process_log_fd(void);
static int process_stdin(void);
@@ -200,9 +203,19 @@
return 0;
}
+static void alarm_handler(int signal)
+{
+ /* will interrupt current syscall */
+}
+
static int process_stdin(void)
{
log_fd = stdin;
+ input_is_pipe=1;
+
+ if (signal(SIGALRM, alarm_handler) == SIG_ERR ||
+ siginterrupt(SIGALRM, 1) == -1)
+ return -1;
return process_log_fd();
}
@@ -236,6 +249,7 @@
char *rc;
char *buff = NULL;
int first_time = 1;
+ int timer_running = 0;
while (1) {
if (saved_buff) {
@@ -248,11 +262,20 @@
if (!buff)
return -1;
}
- // FIXME: In pipe mode, if there is a waiting buffer
- // and 5 seconds has elapsed, go ahead and process
- // the buffer - nothings coming that's related.
+
+ if (input_is_pipe && !first_time) {
+ timer_running = 1;
+ alarm(timeout_interval);
+ }
+
rc = fgets_unlocked(buff, MAX_AUDIT_MESSAGE_LENGTH,
log_fd);
+
+ if (timer_running) {
+ /* timer may have fired but thats ok */
+ timer_running = 0;
+ alarm(0);
+ }
}
if (rc) {
lnode n;
@@ -282,7 +305,9 @@
}
} else {
free(buff);
- if (feof(log_fd))
+ if (ferror(log_fd) && errno == EINTR)
+ return 0;
+ else if (feof(log_fd))
return 1;
else
return -1;


@ -17,12 +17,12 @@ there you have it.
m4_include([src/libev/libev.m4])
libev_LIBS="$LIBS"
@@ -195,7 +195,8 @@
AC_SUBST(LIBWRAP_LIBS)
AC_SUBST(libev_LIBS)
AC_SUBST(LIBPRELUDE_CFLAGS)
AC_SUBST(LIBPRELUDE_LDFLAGS)
-AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile src/libev/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/zos-remote/policy/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
-AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile src/libev/Makefile src/test/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
+# SuSE: remove swig/Makefile + bindings/Makefile + bindings/python/Makefile
+AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile src/libev/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/zos-remote/policy/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
+AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile src/libev/Makefile src/test/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
echo .
echo "


@ -7,12 +7,12 @@ Disable system-config-audit. A Yast equivalent would be useful though.
--- audit-1.7.7/configure.ac.orig 2008-09-23 00:59:29.976782000 +0200
+++ audit-1.7.7/configure.ac 2008-09-23 01:19:31.984128000 +0200
@@ -195,7 +195,6 @@
AC_SUBST(LIBWRAP_LIBS)
AC_SUBST(libev_LIBS)
AC_SUBST(LIBPRELUDE_CFLAGS)
AC_SUBST(LIBPRELUDE_LDFLAGS)
-AC_CONFIG_SUBDIRS([system-config-audit])
AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile src/libev/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/zos-remote/policy/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
AC_OUTPUT(Makefile lib/Makefile lib/test/Makefile auparse/Makefile auparse/test/Makefile src/Makefile src/mt/Makefile src/libev/Makefile src/test/Makefile swig/Makefile docs/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/prelude/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile bindings/Makefile bindings/python/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile)
echo .
--- audit-1.7.7/Makefile.am.orig 2008-09-23 01:20:05.010072000 +0200
+++ audit-1.7.7/Makefile.am 2008-09-23 01:20:10.039036000 +0200


@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon May 11 17:19:50 CEST 2009 - tonyj@suse.de
- Update from 1.7.7 to 1.7.13 (see audit.changes for upstream change
history)
-------------------------------------------------------------------
Fri Sep 26 23:27:36 CEST 2008 - tonyj@suse.de


@ -1,5 +1,5 @@
#
# spec file for package audit-secondary (Version 1.7.7)
# spec file for package audit-secondary (Version 1.7.13)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -25,8 +25,8 @@ BuildRequires: audit audit-devel gcc-c++ openldap2-devel pkg-config python-deve
Summary: Python Bindings for libaudit
License: GPL v2 or later
Group: System/Monitoring
Version: 1.7.7
Release: 6
Version: 1.7.13
Release: 1
Url: http://people.redhat.com/sgrubb/audit/
Source0: audit-%{version}.tar.bz2
Patch0: audit-no_sca.patch
@ -92,9 +92,6 @@ autoreconf -fi
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="$CFLAGS"
./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --with-apparmor
pushd src/mt
make libaudit.h
popd
make
%install
@ -150,6 +147,9 @@ rm -rf $RPM_BUILD_ROOT
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%changelog
* Mon May 11 2009 tonyj@suse.de
- Update from 1.7.7 to 1.7.13 (see audit.changes for upstream change
history)
* Fri Sep 26 2008 tonyj@suse.de
- Update from 1.7.4 to 1.7.7 (see audit.changes for upstream change
history)


@ -1,4 +1,85 @@
-------------------------------------------------------------------
Mon May 11 17:20:28 CEST 2009 - tonyj@suse.de
- Update from 1.7.7 to 1.7.13.
- Redhat changelog for 1.7.8 - 1.7.13 follows:
* Tue Apr 21 2009 Steve Grubb <sgrubb@redhat.com> 1.7.13-1
- Disable libev asserts unless --with-debug passed to configure
- Handle kernel 2.6.29's audit = 0 boot parameter better
- Install audit.py file in arch specific python directory (Dan Walsh)
- Fix problem with negative uids in audit rules on 32 bit systems
- When file type is unknown, output octal for mode field (Miloslav Trmač)
- Update tty keystroke interpretations (Miloslav Trmač)
* Tue Feb 24 2009 Steve Grubb <sgrubb@redhat.com> 1.7.12-1
- Add definitions for crypto events
- Fix regression where msgtype couldn't be used as a range in audit rules
- In libaudit, extend time spent checking reply
- In acct events, prefer id over acct if given
- In aulast, try id and acct in USER_LOGIN events
- When in immutable mode, have auditctl tell user instead of sending rules
- Add option to sysconfig to disable audit system on auditd stop
- Add tcp_wrappers config option to auditd
- Aulastlog can now take input from stdin
- Update libaudit python bindings to throw exceptions on error
- Adjust formatting of TTY data in libauparse to be like ausearch/report
- Add more key mappings to TTY interpretations
- Add internal queue to audisp-remote
- Fix failure action code to allow executables in audisp-remote (Chu Li)
- Fix memory leak when NOLOG log_format option given to auditd
- Quieten some of the reconnect text being sent to syslog in audisp-remote
- Apply some libev fixups to auditd
- Cleanup shutdown sequence of auditd
- Allow auditd log rotation via SIGUSR1 when NOLOG log format option given
* Sat Jan 10 2009 Steve Grubb <sgrubb@redhat.com> 1.7.11-1
- Don't error out in auditd when calling setsid
- Reformat a couple auditd error messages (Oden Eriksson)
- If log rotate fails, leave the old log writable
- Fixed bug in setting up auditd event loop when listening
- Warn if on biarch machine and auditctl rules show a syscall mismatch
- Audisp-remote was not parsing some config options correctly
- In auparse, check for single key in addition to virtual keys
- When auditd shuts down, send AUDIT_RMW_TYPE_ENDING messages to clients
- Created reconnect option to remote ending setting of audisp-remote
* Sat Dec 13 2008 Steve Grubb <sgrubb@redhat.com> 1.7.10-1
- Fix ausearch and aureport to handle out of order events
- Add line-buffer option to ausearch & timeout pipe input (Tony Jones)
- Add support in ausearch/report for tty data
- In audisp-remote, allow the keyword "any" for local_port
- Tighten parsing for -m and -w options in auditctl
- Add session query hint for aulast proof
- Fix audisp-remote to tolerate krb5 config options when not supported
- Created new aureport option for tty keystroke report
- audispd should detect backup config files and not use them
- When checking for ack in netlink interface, retry on EAGAIN a few times
- In aureport, fix mods report to show acct acted upon
* Wed Nov 05 2008 Steve Grubb <sgrubb@redhat.com> 1.7.9-1
- Fix uninitialized variable in aureport causing segfault
- Quieten down the gssapi not supported messages
- Fix bug interpretting i386 logs on x86_64 machines
- If kernel is in immutable mode, auditd should not send enable command
- Fix ausearch/report recent and now time keyword lookups
- Created aulast program
- prelude plugin should pull auid for login alert from 2nd uid field
- Add system boot, shutdown, and run level change events
- Add max_restarts to audispd.conf to limit times a plugin is restarted
- Expand session detection in ausearch
* Wed Oct 22 2008 Steve Grubb <sgrubb@redhat.com> 1.7.8-1
- Interpret TTY audit data in auparse (Miloslav Trmač)
- Extract terminal from USER_AVC events for ausearch/report (Peng Haitao)
- Add USER_AVCs to aureport's avc reporting (Peng Haitao)
- Short circuit hostname resolution in libaudit if host is empty
- If log_group and user are not root, don't check dispatcher perms
- Fix a bug when executing "ausearch -te today PM"
- Add --exit search option to ausearch
- Fix parsing config file when kerberos is disabled
-------------------------------------------------------------------
Tue Apr 14 14:52:39 CEST 2009 - dmueller@suse.de
- refresh patches


@ -1,5 +1,5 @@
#
# spec file for package audit (Version 1.7.7)
# spec file for package audit (Version 1.7.13)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -21,8 +21,8 @@
Name: audit
BuildRequires: gcc-c++ tcpd-devel
Summary: User Space Tools for 2.6 Kernel Auditing
Version: 1.7.7
Release: 6
Version: 1.7.13
Release: 1
License: GPL v2 or later
Group: System/Monitoring
Url: http://people.redhat.com/sgrubb/audit/
@ -33,8 +33,6 @@ Patch0: audit-no_sca.patch
Patch1: audit-no_python.patch
Patch2: audit-no_plugins.patch
Patch3: audit-no-gss.patch
Patch4: audit-445353-1.patch
Patch5: audit-445353-2.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Requires: %{name}-libs = %{version}-%{release}
PreReq: %insserv_prereq %fillup_prereq
@ -93,17 +91,13 @@ Authors:
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
autoreconf -fi
export CFLAGS="%{optflags} -fno-strict-aliasing"
export CXXFLAGS="$CFLAGS"
# no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
./configure --prefix=%{_prefix} --sbindir=/sbin --mandir=%{_mandir} --libdir=/%{_lib} --sysconfdir=/etc --libexecdir=%{_prefix}/lib/%{name} --with-apparmor --with-libwrap
pushd src/mt
make libaudit.h
popd
make
%install
@ -192,6 +186,7 @@ fi
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
@ -203,7 +198,8 @@ fi
%attr(750,root,root) /sbin/rcauditd
%attr(750,root,root) /sbin/autrace
%attr(750,root,root) /sbin/audispd
%attr(750,root,root) /usr/bin/aulastlog
%attr(755,root,root) /usr/bin/aulast
%attr(755,root,root) /usr/bin/aulastlog
%attr(755,root,root) /usr/bin/ausyscall
%attr(755,root,root) /sbin/aureport
/etc/init.d/auditd
@ -223,6 +219,78 @@ fi
%attr(755,root,root) /usr/bin/ausyscall
%changelog
* Mon May 11 2009 tonyj@suse.de
- Update from 1.7.7 to 1.7.13.
- Redhat changelog for 1.7.8 - 1.7.13 follows:
* Tue Apr 21 2009 Steve Grubb <sgrubb@redhat.com> 1.7.13-1
- Disable libev asserts unless --with-debug passed to configure
- Handle kernel 2.6.29's audit = 0 boot parameter better
- Install audit.py file in arch specific python directory (Dan Walsh)
- Fix problem with negative uids in audit rules on 32 bit systems
- When file type is unknown, output octal for mode field (Miloslav Trmač)
- Update tty keystroke interpretations (Miloslav Trmač)
* Tue Feb 24 2009 Steve Grubb <sgrubb@redhat.com> 1.7.12-1
- Add definitions for crypto events
- Fix regression where msgtype couldn't be used as a range in audit rules
- In libaudit, extend time spent checking reply
- In acct events, prefer id over acct if given
- In aulast, try id and acct in USER_LOGIN events
- When in immutable mode, have auditctl tell user instead of sending rules
- Add option to sysconfig to disable audit system on auditd stop
- Add tcp_wrappers config option to auditd
- Aulastlog can now take input from stdin
- Update libaudit python bindings to throw exceptions on error
- Adjust formatting of TTY data in libauparse to be like ausearch/report
- Add more key mappings to TTY interpretations
- Add internal queue to audisp-remote
- Fix failure action code to allow executables in audisp-remote (Chu Li)
- Fix memory leak when NOLOG log_format option given to auditd
- Quieten some of the reconnect text being sent to syslog in audisp-remote
- Apply some libev fixups to auditd
- Cleanup shutdown sequence of auditd
- Allow auditd log rotation via SIGUSR1 when NOLOG log format option given
* Sat Jan 10 2009 Steve Grubb <sgrubb@redhat.com> 1.7.11-1
- Don't error out in auditd when calling setsid
- Reformat a couple auditd error messages (Oden Eriksson)
- If log rotate fails, leave the old log writable
- Fixed bug in setting up auditd event loop when listening
- Warn if on biarch machine and auditctl rules show a syscall mismatch
- Audisp-remote was not parsing some config options correctly
- In auparse, check for single key in addition to virtual keys
- When auditd shuts down, send AUDIT_RMW_TYPE_ENDING messages to clients
- Created reconnect option to remote ending setting of audisp-remote
* Sat Dec 13 2008 Steve Grubb <sgrubb@redhat.com> 1.7.10-1
- Fix ausearch and aureport to handle out of order events
- Add line-buffer option to ausearch & timeout pipe input (Tony Jones)
- Add support in ausearch/report for tty data
- In audisp-remote, allow the keyword "any" for local_port
- Tighten parsing for -m and -w options in auditctl
- Add session query hint for aulast proof
- Fix audisp-remote to tolerate krb5 config options when not supported
- Created new aureport option for tty keystroke report
- audispd should detect backup config files and not use them
- When checking for ack in netlink interface, retry on EAGAIN a few times
- In aureport, fix mods report to show acct acted upon
* Wed Nov 05 2008 Steve Grubb <sgrubb@redhat.com> 1.7.9-1
- Fix uninitialized variable in aureport causing segfault
- Quieten down the gssapi not supported messages
- Fix bug interpretting i386 logs on x86_64 machines
- If kernel is in immutable mode, auditd should not send enable command
- Fix ausearch/report recent and now time keyword lookups
- Created aulast program
- prelude plugin should pull auid for login alert from 2nd uid field
- Add system boot, shutdown, and run level change events
- Add max_restarts to audispd.conf to limit times a plugin is restarted
- Expand session detection in ausearch
* Wed Oct 22 2008 Steve Grubb <sgrubb@redhat.com> 1.7.8-1
- Interpret TTY audit data in auparse (Miloslav Trmač)
- Extract terminal from USER_AVC events for ausearch/report (Peng Haitao)
- Add USER_AVCs to aureport's avc reporting (Peng Haitao)
- Short circuit hostname resolution in libaudit if host is empty
- If log_group and user are not root, don't check dispatcher perms
- Fix a bug when executing "ausearch -te today PM"
- Add --exit search option to ausearch
- Fix parsing config file when kerberos is disabled
* Tue Apr 14 2009 dmueller@suse.de
- refresh patches
* Wed Dec 10 2008 olh@suse.de
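Review bot: The `%files` hunk at `-203,7 +198,8` appears to widen `/usr/bin/aulastlog` from `%attr(750,root,root)` to `%attr(755,root,root)` and installs the new `/usr/bin/aulast` as 755, while `/sbin/autrace` and `/sbin/audispd` next to them stay 750, and nothing in the added `%changelog` text says why. The imported 1.7.12 notes mention that aulastlog can now take input from stdin, so this may be deliberate, but a mode change on an audit tool is worth recording so a later reviewer can tell it from an accident. I would add a line such as `- Install aulast and aulastlog with mode 755` to the May 11 2009 entry, and in the same place note that `audit-445353-1.patch` and `audit-445353-2.patch` were dropped. Which side each `%attr` line belongs to is inferred from the hunk counts, since the page no longer shows +/- markers.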