
1.7. audit

1.7.1. RHBA-2011:0653: bug fix and enhancement update

Updated audit packages that fix bugs and provide enhancements are now available for Red Hat Enterprise Linux 6.
The audit packages contain the user space utilities for storing and searching the audit records which have been generated by the audit subsystem in the Linux 2.6 kernel.
This update fixes the following bugs:
  • System processes — that is, processes with an audit id (auid) of -1 — are logged by the audit subsystem. However, if the ausearch utility was used to locate events where the auid was -1, it displayed all events instead. With this update, under these circumstances, ausearch returns only events with an auid of -1. (BZ#670938)
  • A value of 'syslog' for the 'disk_error_action' parameter in 'auditd.conf' instructs auditd to issue a warning to syslog if an error is encountered when writing audit events to disk. If 'disk_error_action' was set to 'syslog', auditd always attempted to exec() a child process. Consequently, if a disk error was encountered (i.e. a disk full error), auditd would attempt to exec() a null child process, and logging would not resume after the disk error was reported to syslog. With this update, no child process is exec()'d when the 'syslog' option is used, and logging continues as expected. (BZ#688664)
  • Previously if an audispd plug-in was restarted, the plug-in was not marked as active. Consequently, the remote logging plug-in (audisp-remote) was unable to bind to a privileged port on reconnect because all privileges had been dropped. In these updated packages, audispd plug-ins are marked as active after being restarted, and the audisp-remote plug-in functions as expected. (BZ#695605)
  • Previously, the "autrace -r" command on the IBM System z architecture attempted to audit network syscalls not available on IBM System z. Consequently, an error similar to the following might have been returned:
    Error inserting audit rule for pid=13163
    With this update, "autrace -r" is now aware of system calls not available on this architecture, which resolves this issue. (BZ#697463)
  • When an ignore directive was included in an audit.rules configuration file, the auditctl utility became unresponsive when attempting to load those rules. With this update, the issue is resolved. (BZ#640948)
  • Previously, the audit_encode_nv_string() function was not checking if the memory allocation (malloc) it was performing succeeded. Consequently, if the malloc operation encountered an out of memory (OOM) error, audit_encode_nv_string() crashed attempting to reference a NULL pointer. With this update, audit_encode_nv_string() checks if the malloc is successful, which resolves this issue. (BZ#647128)
  • Previously, the man page for the "audit_encode_nv_string" function incorrectly documented the return value type as an "int". The man page now correctly documents the return value type of "audit_encode_nv_string" as a "char *". (BZ#647131)
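The two audit_encode_nv_string() items above concern a libaudit helper that builds a heap-allocated "name=value" string for audit records. The following is an added, illustrative encoder written for this page (not libaudit's own code) that shows the allocation check BZ#647128 added: the malloc() result is tested before anything is written through it. The encoding rule used here (hex-encode a value containing non-printable bytes or a double quote, otherwise emit it quoted), the size_t parameter type and the function names are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Assumed rule: a value is hex-encoded if it holds any byte outside printable
 * ASCII or a double quote; otherwise it is emitted quoted, unchanged. */
static int value_needs_encoding(const char *value, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x21 || c > 0x7e || c == '"')
            return 1;
    }
    return 0;
}
/* Illustrative encoder modelled on audit_encode_nv_string(): returns a heap
 * string "name=\"value\"" or "name=HEX" (caller frees), or NULL on malloc failure. */
char *encode_nv_string(const char *name, const char *value, size_t vlen)
{
    size_t nlen = strlen(name);
    int encode = value_needs_encoding(value, vlen);
    /* name + '=' + (2*vlen hex digits | quoted value) + terminating NUL */
    size_t total = nlen + 1 + (encode ? 2 * vlen : vlen + 2) + 1;
    char *out = malloc(total);
    if (out == NULL) return NULL;   /* the check the fix adds: never deref NULL */
    memcpy(out, name, nlen);
    out[nlen] = '=';
    char *p = out + nlen + 1;
    if (encode) {
        static const char hex[] = "0123456789ABCDEF";
        for (size_t i = 0; i < vlen; i++) {
            unsigned char c = (unsigned char)value[i];
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0f];
        }
    } else {
        *p++ = '"';
        memcpy(p, value, vlen);
        p += vlen;
        *p++ = '"';
    }
    *p = '\0';
    return out;
}
/* Returns 1 if encoding (name, value) yields exactly expected, else 0. */
int encodes_to(const char *name, const char *value, const char *expected)
{
    char *s = encode_nv_string(name, value, strlen(value));
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}
```

A value containing a space, such as "a b", comes out as hex ("612062"); a plain path is emitted quoted.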
Additionally, the audit packages are updated (rebased) to the upstream version 2.1-1. (BZ#584981) This rebase provides the following bug fixes and enhancements:
  • autrace now uses the correct syscalls on i386 systems.
  • Added support for new event types related to virtualization, netfilter, the mmap syscall, key based authentication, and cryptographic session establishment.
  • Updated syscall tables for the 2.6.37 kernel.
  • Updated sample rules for new syscalls and packages.
  • The overflow_action configuration item was added to audisp-remote to allow configurable actions for remote logging queue overflows.
  • A new option in the audisp-syslog plug-in sends audit events to the local[0-7] syslog facilities.
All audit users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.