4.7. audit

When the auditd daemon was in immutable mode and was restarted, the following message appeared: "The audit system is in immutable mode, no rules loaded". This message was not clear and was misleading. The message has been therefore improved to "The audit system is in immutable mode, no changes allowed".

The audit.rules(7) and auditctl(8) manual pages were not consistent in the order of the "action" and "list" fields for the "-a" option. The auditctl(8) manual page has been modified to inform users that the fields can be used in either order.

Previously, the autrace utility was not aware of system calls being not available on certain architectures. As a consequence, running the "autrace -r" command on the IBM System z, 64-bit PowerPC, and 32-bit Intel architectures failed to insert audit rules. With this update, autrace is aware of system calls not being available on the aforementioned architectures, and audit rules are now successfully inserted.

System processes, this means processes with an audit id (auid) of -1, are logged by the audit subsystem. However, if the ausearch utility was used to locate events where the auid was -1, all events were displayed. With this update, the ausearch utility now correctly returns only events with an auid of -1.

This update adds a new option to the configuration of the audisp syslog plug-in, which allows the plug-in to send syslog audit events to local syslog facilities.