The audit packages contain user-space utilities for storing and searching the audit records generated by the audit subsystem in the Linux 2.6 kernel.
These updated packages upgrade the auditd daemon and its utilities to the newer upstream version 1.7.7, which provides the following enhancements over the previous version:
* the auditctl program, which is used to control the behavior of the audit subsystem, now supports multiple keys in the audit rules.
* a new utility, ausyscall, which is used to cross-reference syscall name and number information, is now provided in these updated packages.
* the aureport program has been enhanced to provide reports about keys it sees in audit events.
* event log parsing for the ausearch and aureport programs has been improved.
* a sample STIG rules file, named "stig.rules", is newly provided in these updated packages. This file contains the auditctl rules which are loaded whenever the audit daemon is started by init scripts.
In addition to the listed enhancements, these updated audit packages also include a new feature to allow a server to aggregate the logs of remote systems. The following instructions can be followed to enable this feature:
1. The audispd-plugins package should be installed on all clients (but need not be installed on the server), and the parameters for "remote_server" and "port" should be set in the /etc/audisp/audisp-remote.conf configuration file.
2. On the server, which aggregates the logs, the "tcp_listen_port" parameter in the /etc/audit/auditd.conf file must be set to the same port number as the clients.
3. Because the auditd daemon is protected by SELinux, semanage (the SELinux policy management tool) must also have the same port listed in its database. If the server and client machines had all been configured to use port 1000, for example, then running this command would accomplish this:
semanage port -a -t audit_port_t -p tcp 1000
4. The final step in configuring remote log aggregation is to edit the /etc/hosts.allow configuration file to inform tcp_wrappers which machines or subnets the auditd daemon should allow connections from.
Users of audit are advised to upgrade to these updated packages, which add these enhancements.