import audit-3.0-0.13.20190507gitf58ec40.el8

.audit.metadata

@@ -1 +1 @@
-6968c30d9bb05d3f44413d1cd944ca8cbf3cf8c4 SOURCES/audit-3.0-alpha5.tar.gz
+5205dd634a26512d69d75ca27171c70b70f102f0 SOURCES/audit-3.0-alpha8.tar.gz

.gitignore

@@ -1 +1 @@
-SOURCES/audit-3.0-alpha5.tar.gz
+SOURCES/audit-3.0-alpha8.tar.gz

SOURCES/30-ospp-v42.rules

@@ -0,0 +1,140 @@
+## The purpose of these rules is to meet the requirements for Operating
+## System Protection Profile (OSPP)v4.2. These rules depends on having
+## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
+
+## Successful/Unsuccessful file creation (open with O_CREAT)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
+
+## Successful/Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
+
+## Successful/Unsuccessful file access (any other opens) This has to go last.
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
+# These next two are likely to result in a whole lot of events
+-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
+
+## Successful/Unsuccessful file delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
+
+## Successful/Unsuccessful permission change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+
+## Successful/Unsuccessful ownership change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
+
+## User add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch passwd and
+## shadow for writes
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
+
+## User enable and disable. This is entirely handled by pam.
+
+## Group add delete modify. This is covered by pam. However, someone could
+## open a file and directly create or modify a user, so we'll watch group and
+## gshadow for writes
+-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
+-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
+
+
+## Use of special rights for config changes. This would be use of setuid
+## programs that relate to user accts. This is not all setuid apps because
+## requirements are only for ones that affect system configuration.
+-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
+
+## Privilege escalation via su or sudo. This is entirely handled by pam.
+
+## Audit log access
+-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
+## Attempts to Alter Process and Session Initiation Information
+-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
+
+## Attempts to modify MAC controls
+-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy
+
+## Software updates. This is entirely handled by rpm.
+
+## System start and shutdown. This is entirely handled by systemd
+
+## Kernel Module loading. This is handled in 43-module-load.rules
+
+## Application invocation. The requirements list an optional requirement
+## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
+## state results from that policy. This would be handled entirely by
+## that daemon.
+

SOURCES/audit-3.0-af_unix-plugin.patch

@@ -1,244 +0,0 @@
-diff -urp audit-3.0.orig/audisp/audispd-builtins.c audit-3.0/audisp/audispd-builtins.c
---- audit-3.0.orig/audisp/audispd-builtins.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/audisp/audispd-builtins.c	2018-12-06 20:01:06.922443361 -0500
-@@ -35,12 +35,17 @@
- #include <sys/uio.h> // writev
- #include <fcntl.h>
- #include <stdio.h>
-+#include "ev.h"
- #include "audispd-pconfig.h"
- #include "audispd-builtins.h"
- 
-+// Global data
-+extern struct ev_loop *loop;
-+
- // Local data
- static volatile int sock = -1, conn = -1;
- static char *path = NULL;
-+static struct ev_io af_unix_watcher;
- 
- // Local prototypes
- static void init_af_unix(const plugin_conf_t *conf);
-@@ -63,21 +68,37 @@ void stop_builtin(plugin_conf_t *conf)
- 		syslog(LOG_ERR, "Unknown builtin %s", conf->path);
- }
- 
--static void af_unix_accept(int fd)
-+static int watching = 0;
-+static void stop_watching(void)
-+{
-+	if (watching) {
-+		ev_io_stop(loop, &af_unix_watcher);
-+		watching = 0;
-+	}
-+}
-+
-+static void af_unix_accept(struct ev_loop *l, struct ev_io *_io, int revents)
- {
- 	int cmd;
- 
- 	do {
--		conn = accept(fd, NULL, NULL);
-+		conn = accept(_io->fd, NULL, NULL);
- 	} while (conn < 0 && errno == EINTR);
- 
- 	// De-register since this is intended to be one listener
- 	if (conn >= 0)
--		remove_event(fd);
-+		stop_watching();
- 	cmd = fcntl(conn, F_GETFD);
- 	fcntl(conn, F_SETFD, cmd|FD_CLOEXEC);
- }
- 
-+static void start_watching(void)
-+{
-+	ev_io_init(&af_unix_watcher, af_unix_accept, sock, EV_READ);
-+	ev_io_start(loop, &af_unix_watcher);
-+	watching = 1;
-+}
-+
- static int create_af_unix_socket(const char *path, int mode)
- {
- 	struct sockaddr_un addr;
-@@ -122,8 +143,8 @@ static int create_af_unix_socket(const c
- 	// Make socket listening...won't block
- 	(void)listen(sock, 5);
- 
--	// Register socket with poll
--	add_event(sock, af_unix_accept);
-+	// Register socket with libev
-+	start_watching();
- 	return 0;
- }
- 
-@@ -213,7 +234,8 @@ void send_af_unix_string(const char *s,
- 		if (rc < 0 && errno == EPIPE) {
- 			close(conn);
- 			conn = -1;
--			add_event(sock, af_unix_accept);
-+			stop_watching();
-+			start_watching();
- 		}
- 	} 
- }
-@@ -237,7 +259,8 @@ void send_af_unix_binary(event_t *e)
- 		if (rc < 0 && errno == EPIPE) {
- 			close(conn);
- 			conn = -1;
--			add_event(sock, af_unix_accept);
-+			stop_watching();
-+			start_watching();
- 		}
- 	} 
- }
-@@ -250,10 +273,13 @@ void destroy_af_unix(void)
- 		conn = -1;
- 		did_something = 1;
- 	}
-+	stop_watching();
- 	if (sock >= 0) {
-+
- 		close(sock);
- 		sock = -1;
- 		did_something = 1;
-+		
- 	}
- 	if (path) {
- 		unlink(path);
-diff -urp audit-3.0.orig/audisp/audispd-builtins.h audit-3.0/audisp/audispd-builtins.h
---- audit-3.0.orig/audisp/audispd-builtins.h	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/audisp/audispd-builtins.h	2018-12-06 20:01:06.922443361 -0500
-@@ -33,10 +33,5 @@ void send_af_unix_string(const char *s,
- void send_af_unix_binary(event_t *e);
- void destroy_af_unix(void);
- 
--typedef void (*poll_callback_ptr)(int fd);
--int add_event(int fd, poll_callback_ptr cb);
--int remove_event(int fd);
--
--
- #endif
- 
-diff -urp audit-3.0.orig/audisp/audispd.c audit-3.0/audisp/audispd.c
---- audit-3.0.orig/audisp/audispd.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/audisp/audispd.c	2018-12-06 20:01:06.922443361 -0500
-@@ -31,7 +31,6 @@
- #include <pthread.h>
- #include <dirent.h>
- #include <fcntl.h>
--#include <sys/poll.h>
- #include <netdb.h>
- #include <arpa/inet.h>
- #include <limits.h>
-@@ -578,43 +577,6 @@ static int event_loop(void)
- 		return 1;
- }
- 
--static struct pollfd pfd[4];
--static poll_callback_ptr pfd_cb[4];
--static volatile int pfd_cnt=0;
--int add_event(int fd, poll_callback_ptr cb)
--{
--	if (pfd_cnt > 3)
--		return -1;
--
--	pfd[pfd_cnt].fd = fd;
--	pfd[pfd_cnt].events = POLLIN;
--	pfd[pfd_cnt].revents = 0;
--	pfd_cb[pfd_cnt] = cb;
--	pfd_cnt++;
--	return 0;
--}
--
--int remove_event(int fd)
--{
--	int start, i;
--	if (pfd_cnt == 0)
--		return -1;
--
--	for (start=0; start < pfd_cnt; start++) {
--		if (pfd[start].fd == fd)
--			break;
--	}
--	for (i=start; i<(pfd_cnt-1); i++) {
--		pfd[i].events = pfd[i+1].events;
--		pfd[i].revents = pfd[i+1].revents;
--		pfd[i].fd = pfd[i+1].fd;
--		pfd_cb[i] = pfd_cb[i+1];
--	}
--
--	pfd_cnt--;
--	return 0;
--}
--
- /* returns > 0 if plugins and 0 if none */
- int libdisp_active(void)
- {
-diff -urp audit-3.0.orig/audisp/Makefile.am audit-3.0/audisp/Makefile.am
---- audit-3.0.orig/audisp/Makefile.am	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/audisp/Makefile.am	2018-12-06 20:01:06.922443361 -0500
-@@ -22,7 +22,7 @@
- 
- SUBDIRS = plugins 
- CONFIG_CLEAN_FILES = *.rej *.orig
--AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src
-+AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src -I${top_srcdir}/src/libev
- LIBS = -L${top_builddir}/lib -laudit 
- LDADD = -lpthread
- 
-@@ -30,5 +30,6 @@ noinst_HEADERS = audispd-pconfig.h audis
- 	queue.h audispd-builtins.h libdisp.h
- libdisp_a_SOURCES = audispd.c audispd-pconfig.c queue.c \
- 	audispd-llist.c audispd-builtins.c
-+libdisp_a_CFLAGS = -fno-strict-aliasing
- noinst_LIBRARIES = libdisp.a
- 
-diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c
---- audit-3.0.orig/src/auditd.c	2018-12-06 19:41:21.076570614 -0500
-+++ audit-3.0/src/auditd.c	2018-12-06 20:01:06.923443360 -0500
-@@ -580,6 +580,7 @@ static void close_pipes(void)
- 	close(pipefds[1]);
- }
- 
-+struct ev_loop *loop;
- int main(int argc, char *argv[])
- {
- 	struct sigaction sa;
-@@ -597,7 +598,6 @@ int main(int argc, char *argv[])
- 	enum startup_state opt_startup = startup_enable;
- 	extern char *optarg;
- 	extern int optind;
--	struct ev_loop *loop;
- 	struct ev_io netlink_watcher;
- 	struct ev_io pipe_watcher;
- 	struct ev_signal sigterm_watcher;
-@@ -748,14 +748,6 @@ int main(int argc, char *argv[])
- 		return 1;
- 	}
- 
--	if (init_dispatcher(&config)) {
--		if (pidfile)
--			unlink(pidfile);
--		tell_parent(FAILURE);
--		free_config(&config);
--		return 1;
--	}
--
- 	/* Get machine name ready for use */
- 	if (resolve_node(&config)) {
- 		if (pidfile)
-@@ -891,6 +883,14 @@ int main(int argc, char *argv[])
- 	/* Depending on value of opt_startup (-s) set initial audit state */
- 	loop = ev_default_loop (EVFLAG_NOENV);
- 
-+	if (init_dispatcher(&config)) {
-+		if (pidfile)
-+			unlink(pidfile);
-+		tell_parent(FAILURE);
-+		free_config(&config);
-+		return 1;
-+	}
-+
- 	if (!opt_aggregate_only) {
- 		ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ);
- 		ev_io_start (loop, &netlink_watcher);

SOURCES/audit-3.0-auditd-stop.patch

@@ -1,12 +0,0 @@
-diff -ur audit-3.0.orig/init.d/auditd.stop audit-3.0/init.d/auditd.stop
---- audit-3.0.orig/init.d/auditd.stop	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/init.d/auditd.stop	2018-12-08 17:15:59.916950477 -0500
-@@ -10,7 +10,7 @@
- . /etc/init.d/functions
- 
- printf "Stopping logging: "
--killproc $prog -TERM
-+killproc -d 1 $prog -TERM
- RETVAL=$?
- echo
- exit $RETVAL

SOURCES/audit-3.0-ausearch-buffer-fix.patch

@@ -1,21 +0,0 @@
-diff -urp audit-3.0.orig/src/ausearch-lol.c audit-3.0/src/ausearch-lol.c
---- audit-3.0.orig/src/ausearch-lol.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/src/ausearch-lol.c	2018-12-06 19:38:21.208589916 -0500
-@@ -277,7 +277,7 @@ int lol_add_record(lol *lo, char *buff)
- 			if (n.tlen > MAX_AUDIT_MESSAGE_LENGTH)
- 				n.tlen = MAX_AUDIT_MESSAGE_LENGTH;
- 		} else
--			n.tlen = MAX_AUDIT_MESSAGE_LENGTH;
-+			n.tlen = n.mlen;
- 		fmt = LF_ENRICHED;
- 	} else {
- 		ptr = strrchr(n.message, 0x0a);
-@@ -287,7 +287,7 @@ int lol_add_record(lol *lo, char *buff)
- 			if (n.mlen > MAX_AUDIT_MESSAGE_LENGTH)
- 				n.mlen = MAX_AUDIT_MESSAGE_LENGTH;
- 		} else
--			n.mlen = MAX_AUDIT_MESSAGE_LENGTH;
-+			n.mlen = strlen(n.message);
- 		n.interp = NULL;
- 		n.tlen = n.mlen;
- 		fmt = LF_RAW;

SOURCES/audit-3.0-cap_audit_read.patch

@@ -1,12 +0,0 @@
-diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c
---- audit-3.0.orig/src/auditd.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/src/auditd.c	2018-12-06 19:41:21.076570614 -0500
-@@ -665,7 +665,7 @@ int main(int argc, char *argv[])
- #ifndef DEBUG
- 	/* Make sure we can do our job. Containers may not give you
- 	 * capabilities, so we revert to a uid check for that case. */
--	if (!audit_can_control() || !audit_can_read()) {
-+	if (!audit_can_control()) {
- 		if (!config.local_events && geteuid() == 0)
- 			;
- 		else {

SOURCES/audit-3.0-chkconfig.patch

@@ -0,0 +1,71 @@
+commit d1c80e0217a049441cdad42428254270904f8694
+Author: Steve Grubb <sgrubb@redhat.com>
+Date:   Fri Jul 5 12:58:03 2019 -0400
+
+    Remove dependency on chkconfig
+
+diff --git a/init.d/auditd.reload b/init.d/auditd.reload
+index b9c9c6c..9c30295 100644
+--- a/init.d/auditd.reload
++++ b/init.d/auditd.reload
+@@ -7,7 +7,7 @@ test $(id -u) = 0  ||  exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+ 
+ printf "Reconfiguring: "
+ /sbin/augenrules --load
+diff --git a/init.d/auditd.resume b/init.d/auditd.resume
+index 8185cd1..f1d2157 100644
+--- a/init.d/auditd.resume
++++ b/init.d/auditd.resume
+@@ -7,7 +7,7 @@ test $(id -u) = 0  ||  exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+ 
+ printf "Resuming logging: "
+ killproc $prog -USR2
+diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
+index a627a43..2b13cf7 100644
+--- a/init.d/auditd.rotate
++++ b/init.d/auditd.rotate
+@@ -7,7 +7,7 @@ test $(id -u) = 0  ||  exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+ 
+ printf "Rotating logs: "
+ killproc $prog -USR1
+diff --git a/init.d/auditd.state b/init.d/auditd.state
+index 6e9e69e..c7e291e 100644
+--- a/init.d/auditd.state
++++ b/init.d/auditd.state
+@@ -8,7 +8,7 @@ test $(id -u) = 0  ||  exit 4
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+ state_file="/var/run/auditd.state"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+ 
+ printf "Getting auditd internal state: "
+ killproc $prog -CONT
+diff --git a/init.d/auditd.stop b/init.d/auditd.stop
+index 6550fae..70aaeef 100644
+--- a/init.d/auditd.stop
++++ b/init.d/auditd.stop
+@@ -7,7 +7,7 @@ test $(id -u) = 0  ||  exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+-. /etc/init.d/functions
++. /etc/rc.d/init.d/functions
+ pid="$(__pids_pidof "$prog")"
+ 
+ printf "Stopping logging: "

SOURCES/audit-3.0-docs.patch

@@ -1,104 +0,0 @@
-diff -ur audit-3.0.orig/docs/auparse_normalize.3 audit-3.0/docs/auparse_normalize.3
---- audit-3.0.orig/docs/auparse_normalize.3	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/docs/auparse_normalize.3	2018-12-06 19:27:33.636659407 -0500
-@@ -25,7 +25,8 @@
- 
- .SH "SEE ALSO"
- 
--.BR 
-+.BR auparse_normalize_subject_primary (3) ,
-+.BR auparse_normalize_object_primary (3).
- 
- .SH AUTHOR
- Steve Grubb
-diff -ur audit-3.0.orig/rules/30-ospp-v42.rules audit-3.0/rules/30-ospp-v42.rules
---- audit-3.0.orig/rules/30-ospp-v42.rules	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/rules/30-ospp-v42.rules	2018-12-06 19:27:33.656659405 -0500
-@@ -3,20 +3,28 @@
- ## 10-base-config.rules, 11-loginuid.rules, and 43-module-load.rules installed.
- 
- ## Unsuccessful file creation (open with O_CREAT)
---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
-+-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
- -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-create
- 
- ## Unsuccessful file modifications (open for write or truncate)
---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-+-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
- -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
- -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
- -a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-@@ -47,16 +55,30 @@
- -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
- 
- ## User add delete modify. This is covered by pam. However, someone could
--## open a file and directly create a user, so we'll watch passwd for writes
---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+## open a file and directly create or modify a user, so we'll watch passwd and
-+## shadow for writes
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
- 
- ## User enable and disable. This is entirely handled by pam.
- 
- ## Group add delete modify. This is covered by pam. However, someone could
--## open a file and directly create a user, so we'll watch group for writes
---a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
---a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+## open a file and directly create or modify a user, so we'll watch group and
-+## gshadow for writes
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/group -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
-+-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/gshadow -F auid>=1000 -F auid!=unset -F key=group-modify
- 
- ## Use of special rights for config changes. This would be use of setuid
- ## programs that relate to user accts. This is not all setuid apps because
-diff -ur audit-3.0.orig/rules/30-pci-dss-v31.rules audit-3.0/rules/30-pci-dss-v31.rules
---- audit-3.0.orig/rules/30-pci-dss-v31.rules	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/rules/30-pci-dss-v31.rules	2018-12-06 19:27:33.656659405 -0500
-@@ -41,8 +41,8 @@
- ##   ausearch --start today -m user_auth,user_chauthtok -i
- 
- ## 10.2.5.b All elevation of privileges is logged
---a always,exit -F arch=b64 -S setuid -Fa0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
---a always,exit -F arch=b32 -S setuid -Fa0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-+-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
-+-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
- -a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session
- -a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=10.2.5.b-elevated-privs-session
- -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=10.2.5.b-elevated-privs-setuid

SOURCES/audit-3.0-krb-remote-fixup.patch

@@ -0,0 +1,63 @@
+diff -urp audit-3.0.orig/audisp/plugins/remote/audisp-remote.c audit-3.0/audisp/plugins/remote/audisp-remote.c
+--- audit-3.0.orig/audisp/plugins/remote/audisp-remote.c	2019-06-07 17:08:36.000000000 -0400
++++ audit-3.0/audisp/plugins/remote/audisp-remote.c	2019-07-13 11:37:45.000000000 -0400
+@@ -1,5 +1,5 @@
+ /* audisp-remote.c --
+- * Copyright 2008-2012,2016,2018 Red Hat Inc., Durham, North Carolina.
++ * Copyright 2008-2012,2016,2018,2019 Red Hat Inc., Durham, North Carolina.
+  * All Rights Reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+@@ -98,7 +98,7 @@ static int ar_write (int, const void *,
+    credentials.  These are the ones we talk to the server with.  */
+ gss_ctx_id_t my_context;
+ 
+-#define KEYTAB_NAME "/etc/audisp/audisp-remote.key"
++#define KEYTAB_NAME "/etc/audit/audisp-remote.key"
+ #define CCACHE_NAME "MEMORY:audisp-remote"
+ 
+ #define REQ_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG
+@@ -978,7 +989,14 @@ static int negotiate_credentials (void)
+ 
+ static int stop_sock(void)
+ {
++	
+ 	if (sock >= 0) {
++		if (USE_GSS) {
++			OM_uint32 minor_status;
++			gss_delete_sec_context(&minor_status, &my_context,
++						GSS_C_NO_BUFFER);
++			my_context = GSS_C_NO_CONTEXT;
++		}
+ 		shutdown(sock, SHUT_RDWR);
+ 		close(sock);
+ 	}
+@@ -995,11 +1013,8 @@ static int stop_transport(void)
+ 	switch (config.transport)
+ 	{
+ 		case T_TCP:
+-			rc = stop_sock();
+-			break;
+ 		case T_KRB5:
+-			// FIXME: shutdown kerberos
+-			rc = -1;
++			rc = stop_sock();
+ 			break;
+ 		default:
+ 			rc = -1;
+@@ -1142,6 +1157,7 @@ static int init_transport(void)
+ 	switch (config.transport)
+ 	{
+ 		case T_TCP:
++		case T_KRB5:
+ 			rc = init_sock();
+ 			// We set this so that it will retry the connection
+ 			if (rc == ET_TEMPORARY)
+@@ -1589,6 +1605,7 @@ static int relay_event(const char *s, si
+ 	switch (config.transport)
+ 	{
+ 		case T_TCP:
++		case T_KRB5:
+ 			rc = relay_sock(s, len);
+ 			break;
+ 		default:

SOURCES/audit-3.0-libev-remove-cold.patch

@@ -1,12 +0,0 @@
-diff -urp audit-3.0.orig/src/libev/ev.c audit-3.0/src/libev/ev.c
---- audit-3.0.orig/src/libev/ev.c	2019-01-03 12:25:16.000000000 -0500
-+++ audit-3.0/src/libev/ev.c	2019-01-09 10:58:20.437560972 -0500
-@@ -901,7 +901,7 @@ typedef int ecb_bool;
- #if ECB_GCC_VERSION(4,3)
-   #define ecb_artificial ecb_attribute ((__artificial__))
-   #define ecb_hot        ecb_attribute ((__hot__))
--  #define ecb_cold       ecb_attribute ((__cold__))
-+  #define ecb_cold
- #else
-   #define ecb_artificial
-   #define ecb_hot

SOURCES/audit-3.0-network-orig-events.patch

@@ -1,232 +0,0 @@
-diff -urp audit-3.0.orig/src/auditd.c audit-3.0/src/auditd.c
---- audit-3.0.orig/src/auditd.c	2018-12-06 20:01:06.923443360 -0500
-+++ audit-3.0/src/auditd.c	2018-12-06 20:17:19.030339043 -0500
-@@ -214,24 +214,35 @@ static void cont_handler(struct ev_loop
- 
- static int extract_type(const char *str)
- {
--	const char *tptr, *ptr2, *ptr = str;
-+	char tmp, *ptr2, *ptr = str;
-+	int type;
- 	if (*str == 'n') {
- 		ptr = strchr(str+1, ' ');
- 		if (ptr == NULL)
- 			return -1; // Malformed - bomb out
- 		ptr++;
- 	}
-+
- 	// ptr should be at 't'
- 	ptr2 = strchr(ptr, ' ');
--	// get type=xxx in a buffer
--	tptr = strndupa(ptr, ptr2 - ptr);
-+
- 	// find =
--	str = strchr(tptr, '=');
--	if (str == NULL)
-+	str = strchr(ptr, '=');
-+	if (str == NULL || str >= ptr2)
- 		return -1; // Malformed - bomb out
-+
- 	// name is 1 past
- 	str++;
--	return audit_name_to_msg_type(str);
-+
-+	// Save character & terminate string
-+	tmp = *ptr2;
-+	*ptr2 = 0;
-+
-+	type = audit_name_to_msg_type(str);
-+
-+	*ptr2 = tmp; // Restore character
-+
-+	return type;
- }
- 
- void distribute_event(struct auditd_event *e)
-@@ -250,18 +261,22 @@ void distribute_event(struct auditd_even
- 			route = 0;
- 		else {	// We only need the original type if its being routed
- 			e->reply.type = extract_type(e->reply.message);
--			char *p = strchr(e->reply.message,
--					AUDIT_INTERP_SEPARATOR);
--			if (p)
--				proto = AUDISP_PROTOCOL_VER2;
--			else
--				proto = AUDISP_PROTOCOL_VER;
- 
-+			// Treat everything from the network as VER2
-+			// because they are already formatted. This is
-+			// important when it gets to the dispatcher which
-+			// can strip node= when its VER1.
-+			proto = AUDISP_PROTOCOL_VER2;
- 		}
--	} else if (e->reply.type != AUDIT_DAEMON_RECONFIG)
--		// All other events need formatting
-+	} else if (e->reply.type != AUDIT_DAEMON_RECONFIG) {
-+		// All other local events need formatting
- 		format_event(e);
--	else
-+
-+		// If the event has been formatted with node, upgrade
-+		// to VER2 so that the dispatcher honors the formatting
-+		if (config.node_name_format != N_NONE)
-+			proto = AUDISP_PROTOCOL_VER2;
-+	} else
- 		route = 0; // Don't DAEMON_RECONFIG events until after enqueue
- 
- 	/* End of Event is for realtime interface - skip local logging of it */
-@@ -748,6 +763,17 @@ int main(int argc, char *argv[])
- 		return 1;
- 	}
- 
-+	/* Startup libev and dispatcher */
-+	loop = ev_default_loop(EVFLAG_NOENV);
-+	if (init_dispatcher(&config)) {
-+		if (pidfile)
-+			unlink(pidfile);
-+		tell_parent(FAILURE);
-+		free_config(&config);
-+		ev_default_destroy();
-+		return 1;
-+	}
-+
- 	/* Get machine name ready for use */
- 	if (resolve_node(&config)) {
- 		if (pidfile)
-@@ -755,6 +781,7 @@ int main(int argc, char *argv[])
- 		shutdown_dispatcher();
- 		tell_parent(FAILURE);
- 		free_config(&config);
-+		ev_default_destroy();
- 		return 1;
- 	}
- 
-@@ -766,6 +793,7 @@ int main(int argc, char *argv[])
- 		shutdown_dispatcher();
- 		tell_parent(FAILURE);
- 		free_config(&config);
-+		ev_default_destroy();
- 		return 1;
- 	}
- 	fcntl(pipefds[0], F_SETFD, FD_CLOEXEC);
-@@ -785,6 +813,7 @@ int main(int argc, char *argv[])
- 			tell_parent(FAILURE);
- 			close_pipes();
- 			free_config(&config);
-+			ev_default_destroy();
- 			return 1;
- 		}
- 		if (getsubj(subj))
-@@ -811,6 +840,7 @@ int main(int argc, char *argv[])
- 			tell_parent(FAILURE);
- 			close_pipes();
- 			free_config(&config);
-+			ev_default_destroy();
- 			return 1;
- 		}
- 	}
-@@ -821,6 +851,7 @@ int main(int argc, char *argv[])
- 	/* let config manager init */
- 	init_config_manager();
- 
-+	/* Depending on value of opt_startup (-s) set initial audit state */
- 	if (opt_startup != startup_nochange && !opt_aggregate_only &&
- 			(audit_is_enabled(fd) < 2) &&
- 			audit_set_enabled(fd, (int)opt_startup) < 0) {
-@@ -849,6 +880,7 @@ int main(int argc, char *argv[])
- 		tell_parent(FAILURE);
- 		close_pipes();
- 		free_config(&config);
-+		ev_default_destroy();
- 		return 1;
- 	}
- 
-@@ -877,20 +909,11 @@ int main(int argc, char *argv[])
- 		tell_parent(FAILURE);
- 		close_pipes();
- 		free_config(&config);
-+		ev_default_destroy();
- 		return 1;
- 	}
- 
--	/* Depending on value of opt_startup (-s) set initial audit state */
--	loop = ev_default_loop (EVFLAG_NOENV);
--
--	if (init_dispatcher(&config)) {
--		if (pidfile)
--			unlink(pidfile);
--		tell_parent(FAILURE);
--		free_config(&config);
--		return 1;
--	}
--
-+	/* Start up all the handlers */
- 	if (!opt_aggregate_only) {
- 		ev_io_init (&netlink_watcher, netlink_handler, fd, EV_READ);
- 		ev_io_start (loop, &netlink_watcher);
-diff -urp audit-3.0.orig/src/auditd-dispatch.c audit-3.0/src/auditd-dispatch.c
---- audit-3.0.orig/src/auditd-dispatch.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/src/auditd-dispatch.c	2018-12-06 20:17:09.769340037 -0500
-@@ -70,6 +70,7 @@ int dispatch_event(const struct audit_re
- 	if (!libdisp_active())
- 		return 0;
- 
-+	// Translate event into dispatcher format
- 	e = malloc(sizeof(event_t));
- 	if (e == NULL)
- 		return -1;
-@@ -78,6 +79,7 @@ int dispatch_event(const struct audit_re
- 	e->hdr.hlen = sizeof(struct audit_dispatcher_header);
- 	e->hdr.type = rep->type;
- 
-+	// Network originating events have data at rep->message
- 	if (protocol_ver == AUDISP_PROTOCOL_VER) {
- 		e->hdr.size = rep->msg.nlh.nlmsg_len;
- 		memcpy(e->data, (void*)rep->msg.data, e->hdr.size);
-diff -urp audit-3.0.orig/src/auditd-event.c audit-3.0/src/auditd-event.c
---- audit-3.0.orig/src/auditd-event.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/src/auditd-event.c	2018-12-06 20:17:09.769340037 -0500
-@@ -225,8 +225,10 @@ static void replace_event_msg(struct aud
- 			e->reply.message = strndup(buf, MAX_AUDIT_MESSAGE_LENGTH-1);
- 			len = MAX_AUDIT_MESSAGE_LENGTH;
- 		}
--		e->reply.msg.nlh.nlmsg_len = e->reply.len;
--		e->reply.len = len;
-+		// For network originating events, len should be used
-+		if (!from_network(e)) // V1 protocol msg size
-+			e->reply.msg.nlh.nlmsg_len = e->reply.len;
-+		e->reply.len = len; // V2 protocol msg size
- 	}
- }
- 
-@@ -500,7 +502,7 @@ struct auditd_event *create_event(char *
- 	e->sequence_id = sequence_id;
- 
- 	/* Network originating events need things adjusted to mimic netlink. */
--	if (e->ack_func)
-+	if (from_network(e))
- 		replace_event_msg(e, msg);
- 
- 	return e;
-@@ -570,7 +572,7 @@ void handle_event(struct auditd_event *e
- static void send_ack(const struct auditd_event *e, int ack_type,
- 			const char *msg)
- {
--	if (e->ack_func) {
-+	if (from_network(e)) {
- 		unsigned char header[AUDIT_RMW_HEADER_SIZE];
- 
- 		AUDIT_RMW_PACK_HEADER(header, 0, ack_type, strlen(msg),
-diff -urp audit-3.0.orig/src/auditd-event.h audit-3.0/src/auditd-event.h
---- audit-3.0.orig/src/auditd-event.h	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/src/auditd-event.h	2018-12-06 20:17:09.769340037 -0500
-@@ -36,6 +36,9 @@ struct auditd_event {
- 	unsigned long sequence_id;
- };
- 
-+static inline int from_network(const struct auditd_event *e) 
-+{ if (e && e->ack_func) return 1; return 0; };
-+
- #include "auditd-config.h"
- 
- int dispatch_network_events(void);

SOURCES/audit-3.0-queue-report.patch

@@ -1,21 +0,0 @@
-diff -urp audit-3.0.orig/audisp/queue.c audit-3.0/audisp/queue.c
---- audit-3.0.orig/audisp/queue.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/audisp/queue.c	2018-12-06 20:21:22.184312950 -0500
-@@ -231,11 +231,12 @@ void increase_queue_depth(unsigned int s
- 
- void write_queue_state(FILE *f)
- {
--	fprintf(f, "current queue depth = %u\n", currently_used);
--	fprintf(f, "max queue depth used = %u\n", max_used);
--	fprintf(f, "queue size = %u\n", q_depth);
--	fprintf(f, "queue overflow detected = %s\n",overflowed ? "yes" : "no");
--	fprintf(f, "queueing suspended = %s\n",
-+	fprintf(f, "current plugin queue depth = %u\n", currently_used);
-+	fprintf(f, "max plugin queue depth used = %u\n", max_used);
-+	fprintf(f, "plugin queue size = %u\n", q_depth);
-+	fprintf(f, "plugin queue overflow detected = %s\n",
-+				overflowed ? "yes" : "no");
-+	fprintf(f, "plugin queueing suspended = %s\n",
- 				processing_suspended ? "yes" : "no");
- }
- 

SOURCES/audit-3.0-saddr_fam-doc.patch

@@ -0,0 +1,14 @@
+diff --git a/docs/auditctl.8 b/docs/auditctl.8
+index 2c970cf..043a9d6 100644
+--- a/docs/auditctl.8
++++ b/docs/auditctl.8
+@@ -210,6 +210,9 @@ Process ID
+ .B ppid
+ Parent's Process ID
+ .TP
++.B saddr_fam
++Address family number as found in /usr/include/bits/socket.h. For example, IPv4 would be 2 and IPv6 would be 10.
++.TP
+ .B sessionid
+ User's login session ID
+ .TP

SOURCES/audit-3.0-user_avc.patch

@@ -1,97 +0,0 @@
-diff -ur audit-3.0.orig/src/aureport-options.c audit-3.0/src/aureport-options.c
---- audit-3.0.orig/src/aureport-options.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/src/aureport-options.c	2018-12-06 19:31:26.945634371 -0500
-@@ -85,7 +85,8 @@
- 	R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS,  
- 	R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO,
- 	R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS,
--	R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE };
-+	R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG, R_ESCAPE,
-+	R_DEBUG };
- 
- static struct nv_pair optiontab[] = {
- 	{ R_AUTH, "-au" },
-@@ -98,6 +99,7 @@
- 	{ R_CONFIGS, "--config" },
- 	{ R_CRYPTO, "-cr" },
- 	{ R_CRYPTO, "--crypto" },
-+	{ R_DEBUG, "--debug" },
- 	{ R_DEL, "--delete" },
- 	{ R_EVENTS, "-e" },
- 	{ R_EVENTS, "--event" },
-@@ -731,6 +733,9 @@
- 		case R_DEL:
- 			event_conf_act = C_DEL;
- 			break;
-+		case R_DEBUG:
-+			event_debug = 1;
-+			break;
- 		case R_IN_LOGS:
- 			force_logs = 1;
- 			break;
-diff -ur audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
---- audit-3.0.orig/src/ausearch-parse.c	2018-08-31 17:05:48.000000000 -0400
-+++ audit-3.0/src/ausearch-parse.c	2018-12-06 19:31:26.945634371 -0500
-@@ -102,7 +102,8 @@
- 				ret = parse_path(n, s);
- 				break;
- 			case AUDIT_USER:
--			case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
-+			case AUDIT_FIRST_USER_MSG...AUDIT_USER_END:
-+			case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG:
- 			case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
- 				ret = parse_user(n, s);
- 				break;
-@@ -136,6 +137,7 @@
- 				avc_parse_path(n, s);
- 				break;
- 			case AUDIT_AVC:
-+			case AUDIT_USER_AVC:
- 				ret = parse_avc(n, s);
- 				break;
- 			case AUDIT_NETFILTER_PKT:
-@@ -1867,6 +1869,20 @@
- 		*term = ' ';
- 	}
- 
-+	// User AVC's are not formatted like a kernel AVC
-+	if (n->type == AUDIT_USER_AVC) {
-+		rc = parse_user(n, s);
-+		if (rc > 20)
-+			rc = 0;
-+		if (audit_avc_init(s) == 0) {
-+			alist_append(s->avc, &an);
-+		} else {
-+			rc = 10;
-+			goto err;
-+		}
-+		return rc;
-+	}
-+
- 	// get pid
- 	if (event_pid != -1) {
- 		str = strstr(term, "pid=");
-diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
---- audit-3.0.orig/src/ausearch-parse.c	2018-10-03 19:46:52.000000000 -0400
-+++ audit-3.0/src/ausearch-parse.c	2018-12-08 15:48:54.350009208 -0500
-@@ -1839,8 +1839,10 @@ static int parse_avc(const lnode *n, sea
- 	if (str) {
- 		str += 5;
- 		term = strchr(str, '{');
--		if (term == NULL)
--			return 1;
-+		if (term == NULL) {
-+			term = n->message;
-+			goto other_avc;
-+		}
- 		if (event_success != S_UNSET) {
- 			*term = 0;
- 			// FIXME. Do not override syscall success if already
-@@ -1869,6 +1871,7 @@ static int parse_avc(const lnode *n, sea
- 		*term = ' ';
- 	}
- 
-+other_avc:
- 	// User AVC's are not formatted like a kernel AVC
- 	if (n->type == AUDIT_USER_AVC) {
- 		rc = parse_user(n, s);

SPECS/audit.spec

@@ -3,31 +3,15 @@
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
 Version: 3.0
-Release: 0.10.20180831git0047a6c%{?dist}
+Release: 0.13.20190507gitf58ec40%{?dist}
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
-Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha5.tar.gz
+Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}-alpha8.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
-# Update documentation and rules
+Source2: 30-ospp-v42.rules
-Patch1: audit-3.0-docs.patch
+Patch1: audit-3.0-saddr_fam-doc.patch
-# 1628626 - lightly parse USER_AVC events
+Patch2: audit-3.0-chkconfig.patch
-Patch2: audit-3.0-user_avc.patch
+Patch3: audit-3.0-krb-remote-fixup.patch
-# Fix a buffer length calculation in ausearch
-Patch3: audit-3.0-ausearch-buffer-fix.patch
-# Remove CAP_AUDIT_READ from daemon permission checks
-Patch4: audit-3.0-cap_audit_read.patch
-# Port af_unix plugin to libev
-Patch5: audit-3.0-af_unix-plugin.patch
-# Make all network originating events VER2 dispatcher protocol
-Patch6: audit-3.0-network-orig-events.patch
-# Adjust state report for plugin queue
-Patch7: audit-3.0-queue-report.patch
-# 1643567 - auditd wasn't quite stopped when it was supposed to be
-Patch8: audit-3.0-auditd-stop.patch
-# In libev, cold functions cause annocheck failures. Remove them.
-Patch9: audit-3.0-libev-remove-cold.patch
-# Next BuildRequires is only needed for the patching - remove in the future
-BuildRequires: autoconf automake
 
 BuildRequires: gcc swig
 BuildRequires: openldap-devel
@@ -36,8 +20,8 @@ BuildRequires: kernel-headers >= 2.6.29
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 BuildRequires: systemd
 Requires(post): systemd coreutils
-Requires(preun): systemd
+Requires(preun): systemd initscripts
-Requires(postun): systemd coreutils
+Requires(postun): systemd coreutils initscripts
 
 %description
 The audit package contains the user space utilities for
@@ -99,21 +83,14 @@ incoming audit events, as they happen, to a configured z/OS SMF (Service
 Management Facility) database, through an IBM Tivoli Directory Server
 (ITDS) set for Remote Audit service.
 
-%enable_gotoolset7
-
 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
 cp %{SOURCE1} .
-autoreconf
+## overwrite 30-ospp-v42.rules
+cp -f %{SOURCE2} rules/
 
 %build
 %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \
@@ -177,6 +154,9 @@ fi
 
 %preun
 %systemd_preun auditd.service
+if [ $1 -eq 0 ]; then
+	/sbin/service auditd stop > /dev/null 2>&1
+fi
 
 %postun
 if [ $1 -ge 1 ]; then
@@ -244,7 +224,7 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
 %ghost %{_localstatedir}/run/auditd.state
-%attr(750,root,root) %dir %{_var}/log/audit
+%attr(-,root,-) %dir %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit
 %attr(750,root,root) %dir /etc/audit/rules.d
 %attr(750,root,root) %dir /etc/audit/plugins.d
@@ -273,6 +253,21 @@ fi
 %attr(750,root,root) /sbin/audispd-zos-remote
 
 %changelog
+* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
+
+* Sat Jul 13 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190607gitf58ec40
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
+
+* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.11.20190607gitf58ec40
+resolves: rhbz#1643567 - service auditd stop exits prematurely
+resolves: rhbz#1693470 - libauparse memory leak
+resolves: rhbz#1694071 - ausearch doesn't record device/inode details checkpointing a single file
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
+resolves: rhbz#1705894 - aureport aborts when using a specific input
+resolves: rhbz#1706045 - RFE: Backport support for new audit record types
+resolves: rhbz#1715852 - RFE: provide a way to filter on network address family
+
 * Wed Jan 09 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20180831git0047a6c
 resolves: rhbz#1655270] Message "audit: backlog limit exceeded" reported
 - Fix annobin failure