
Releases: linux-audit/audit-userspace

audit-3.1.4

10 Apr 19:46

The main purpose of this release is to fix building on distributions where musl C is used. There are a couple more code cleanups, but no new features.

audit-4.0.1

11 Mar 14:05

Update TRUSTED_APP interpretation to look for known fields; in auditd plugins, allow a variable number of arguments; fix augenrules to work correctly when the kernel is in immutable mode; add audisp-filter plugin; improve sorting speed of aureport --summary reports; and auditd & audit-rules.service pick up paths automatically.

audit-3.1.3

11 Mar 18:49

This release contains important patches backported from the main branch. See the git log for the complete list of changes.

audit-4.0

16 Jan 19:03

This is the next major release. One of the main features is the separation of loading rules and logging events into separate services, audit-rules.service and auditd.service. This release also drops support for python2 and SysVinit. The libaudit python bindings now only support logging events. The auvirt and autrace programs have been dropped. The nispom rules have been dropped. The legacy service functions have been rewritten in terms of systemctl and new auditctl capabilities. The aureport --summary reports are now up to 5 times faster. File watches have been optimized to hook only the necessary syscalls instead of all, which measurably improves whole system performance. The syscall and interpretation tables have been updated for the 6.8 kernel. And there have been many code cleanups, hardening, and refactoring.

audit-3.1.2

06 Aug 21:14

Various bugfixes, updated lookup tables for the 6.5 kernel, added some new python functions, and most importantly, changed the python binding so that you cannot set audit rules from the python API due to a swig bug. No more workarounds are needed for this.

audit-3.1.1

27 Apr 17:31

The following are important changes in the new release:

  • Add user friendly keywords for signals to auditctl
  • In ausearch, parse up URINGOP and DM_CTRL records
  • Harden auparse to better handle corrupt logs
  • Move the audispd af_unix plugin to a standalone program

audit-3.1

09 Feb 15:54

Major features:

  • Add new record types
  • Add io_uring support
  • Add support for new FANOTIFY record fields

audit-3.0.9

29 Aug 21:27
  • In auditd, release the async flush lock on stop
  • Don't allow auditd to log directly into /var/log when log_group is non-zero
  • Cleanup krb5 memory leaks on error paths
  • Update auditd.cron to use auditctl --signal
  • In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  • In auparse, special case kernel module name interpretation
  • If overflow_action is ignore, don't treat as an error

audit-3.0.8

29 Mar 20:55

In auditd, change the reinitializing of the plugin queue. Fix path normalization in auparse. In libaudit, handle ECONNREFUSED for network uid/gid lookups. In audisp-remote, fix hang with disk_low_action=suspend. Drop ProtectHome from auditd.service as it interferes with rules.

audit-3.0.7

23 Jan 19:42

Add support for the OPENAT2 record type, update the capabilities and syscall lookup tables to match the 5.16 kernel, and reduce dependency from initscripts to initscripts-service.