audit-4.0.3

The 4.0.3 release brings important fixes and enhancements to auditd and related tools. It updates syscall tables and addresses potential segmentation faults when handling relative paths. Plugin configuration handling is improved by skipping files without a .conf suffix. Runlevel changes are now logged to the console during boot, and support for RISC-V architectures has been added. Python bindings for enabling and disabling audit are restored. The release also ensures /var/log/audit is created by default and simplifies auditd service dependencies. For the full list of changes, see Changelog or commit history.

audit-4.0.2

Fix musl C builds, Many code cleanups, Dont rotate audit logs when auditd is in debug mode, Correct output when displaying rules with exe/path/dir, and Update auparse normalizer for recent syscalls.

audit-3.1.5

This release fixes a couple important bugs that prevent building on some distributions. Besides that there are a variety of updates. Look at the audit-3.1-maint commit logs to see the changes.

audit-3.1.4

The main purpose of this release is to fix building on distributions where musl C is used. There are a couple more code cleanups, but no new features.

audit-4.0.1

Update TRUSTED_APP interpretation to look for known fields; in auditd plugins, allow variable amount of arguments; fix augenrules to work correctly when kernel is in immutable mode; add audisp-filter plugin; improve sorting speed of aureport --summary reports; and auditd & audit-rules.service pick up paths automatically.

audit-3.1.3

This release contains important patches backported from the main branch. See the git log for the complete list of changes.

audit-4.0

This is the next major release. One of the main features is the separation of loading rules and logging events into separate services, audit-rules.service and auditd.service. This release also drops support for python2 and SysVinit. The libaudit python bindings now only support logging events. The auvirt and autrace programs have been dropped. The nispom rules have been dropped. The legacy service functions have been rewritten in term of systemctl and new auditctl capabilities. The aureport --summary reports are now up to 5 times faster. File watches have been optimized to hook only the necessary syscalls instead of all which measurably improves whole system performance. The syscall and interpretation tables have been updated for the 6.8 kernel. And there have been many code cleanups, hardening, and refactoring.

audit-3.1.2

Various bugfixes, updated lookup tables for the 6.5 kernel, added some new python functions, and most important, change the python binding so that you cannot set audit rules from the python API due to a swig bug. No more workarounds are needed for this.

audit-3.1.1

The following are important changes in the new release:

• Add user friendly keywords for signals to auditctl
• In ausearch, parse up URINGOP and DM_CTRL records
• Harden auparse to better handle corrupt logs
• Move the audispd af_unix plugin to a standalone program

audit-3.1

Major features:

• Add new record types
• Add io_uring support
• Add support for new FANOTIFY record fields