Releases: linux-audit/audit-userspace
audit-4.1.2
This update primarily fixes various bugs and greatly improves performance when searching for recent events in large or numerous logs. A major algorithm change should make ausearch and aureport faster when searching for anything recent. This update adds anomaly, response, and crypto reports to aureport. The af_unix plugin got a lot of attention and should be working better than ever.
But there is one big change that distribution packagers should be aware of: the location of the audit.pid file, the directory where everything is stored, has potentially changed. The location is now based on the --runstatedir option passed to configure. On modern Linux systems, this is /run. Legacy systems would have this as /var/run. If the distribution uses MAC, the MAC security policy needs to be updated for this change. Be sure to check that you set this appropriately.
audit-4.1.1
This release cleans up a number of problems discovered in the last release. New in this release:
- Add libauplugin example program and improve its documentation
- Add bash completions for ausearch, aureport, auditctl, and augenrules
- Add support for file_getattr and file_setattr syscalls
Fixed in this release:
- Function attributes for musl C
- auditctl -A option was deleting; it now prepends like it used to
- Adjust af_unix and dispatcher to send exact record size in binary mode
- ausearch/aureport: allow symlinked config
audit-4.1.0
The main focus of this release is the introduction of the new libauplugin library, which modernizes how plugins integrate with the dispatcher. Alongside this, numerous bug fixes and performance improvements have been added:
- libauplugin library: The dispatcher now uses libauplugin to power the filter, ids, and statsd plugins, enabling a more flexible and consistent plugin framework.
- auditd improvements: auditd can safely reconfigure its TCP listener after receiving a SIGHUP signal.
- Custom log rotation actions: The max_log_file_action option now supports a new “exec” action, allowing custom scripts to run during log rotation.
- Thread-safe auparse: The auparse library has been refactored for multi-thread safety and now uses a memory pool to reduce memory allocations and improve performance.
- Robust plugin handling: Plugins now ignore unsolicited SIGTERM signals, and the dispatcher synchronizes plugin restarts more reliably.
- Persistent queue support with metrics helpers and timer service callbacks for the plugin feed API.
- Support for loading plugin configuration files from symlinks, and protection against blocking on special files during config opening.
- The test suite is machine independent: it does not require certain user IDs and group IDs to be present.
audit-4.0.5
This release primarily adds a missing delete command to auditctl. This was discovered after the last release went out. A major update to plugins is the reworking of the audisp queue to be lockless. auditd now also allows plus addresses (RFC 5233) for auditd email. Another big change is the addition of a configurable recurring state report in auditd. This can be used with the statsd plugin for metrics collection.
audit-4.0.4
This release updates internal lookup tables for io_uring and syscalls to the 6.15 kernel. It fixes an audisp-remote segfault on connection error (#446), improves locating the last event when ausearch is using checkpointing, and fixes string mode support in the af_unix plugin. It also adds various updates to the experimental ids plugin and adds glibc memory statistics to the auditd state report.
audit-4.0.4 beta
This is a beta release for testing purposes. There are changes that could affect plugins. Please report anything wrong with them. Current changes are:
- auditctl: update io_uring operations table
- update syscall table for 6.15
- auditd.cron.5: Describe time-based log rotation setup
- auditd: Broadcast a warning on startup if a system halt is possible (#435)
- Fix audisp-remote segfault on connection error (#446)
- Improve locating last event if ausearch is using checkpointing
- af_unix plugin: fix string mode support
- Remove const from audit_rule_fieldpair_data & audit_rule_interfield_comp_data
audit-4.0.3
The 4.0.3 release brings important fixes and enhancements to auditd and related tools. It updates syscall tables and addresses potential segmentation faults when handling relative paths. Plugin configuration handling is improved by skipping files without a .conf suffix. Runlevel changes are now logged to the console during boot, and support for RISC-V architectures has been added. Python bindings for enabling and disabling audit are restored. The release also ensures /var/log/audit is created by default and simplifies auditd service dependencies. For the full list of changes, see Changelog or commit history.
audit-4.0.2
Fix musl C builds, many code cleanups, don't rotate audit logs when auditd is in debug mode, correct output when displaying rules with exe/path/dir, and update auparse normalizer for recent syscalls.
audit-3.1.5
This release fixes a couple of important bugs that prevent building on some distributions. Besides that, there are a variety of updates. Look at the audit-3.1-maint commit logs to see the changes.
audit-3.1.4
The main purpose of this release is to fix building on distributions where musl C is used. There are a couple more code cleanups, but no new features.