No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

3 changed files with 1 additions and 105 deletions


@ -1,77 +0,0 @@
diff -up audit-3.1.2/init.d/augenrules.orig audit-3.1.2/init.d/augenrules
--- audit-3.1.2/init.d/augenrules.orig 2025-03-31 12:33:04.141223438 +0200
+++ audit-3.1.2/init.d/augenrules 2025-03-31 12:33:29.280457333 +0200
@@ -32,10 +32,11 @@ ASuffix="prev"
OnlyCheck=0
LoadRules=0
RETVAL=0
-usage="Usage: $0 [--check|--load]"
+cmd="$0"
+usage="Usage: $cmd [--check|--load]"
# Delete the interim file on faults
-trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
+trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM
try_load() {
if [ $LoadRules -eq 1 ] ; then
@@ -44,6 +45,14 @@ try_load() {
fi
}
+# Check if audit is in immutable mode - exit if so
+check_immutable () {
+ if [ "$(auditctl -s | awk '$1 == "enabled" { print $2 }')" = "2" ] ; then
+ echo "$cmd: Audit system is in immutable mode - exiting with no changes"
+ exit 0
+ fi
+}
+
while [ $# -ge 1 ]
do
if [ "$1" = "--check" ] ; then
@@ -59,7 +68,7 @@ done
# Check environment
if [ ! -d ${SourceRulesDir} ]; then
- echo "$0: No rules directory - ${SourceRulesDir}"
+ echo "$cmd: No rules directory - ${SourceRulesDir}"
rm -f "${TmpRules}"
try_load
exit 1
@@ -101,7 +110,7 @@ END {
# If empty then quit
if [ ! -s "${TmpRules}" ]; then
- echo "$0: No rules"
+ echo "$cmd: No rules"
rm -f "${TmpRules}"
try_load
exit $RETVAL
@@ -110,17 +119,19 @@ fi
# If the same then quit
cmp -s "${TmpRules}" ${DestinationFile} > /dev/null 2>&1
if [ $? -eq 0 ]; then
- echo "$0: No change"
+ echo "$cmd: No change"
rm -f "${TmpRules}"
+ check_immutable
try_load
exit $RETVAL
elif [ $OnlyCheck -eq 1 ] ; then
- echo "$0: Rules have changed and should be updated"
+ echo "$cmd: Rules have changed and should be updated"
rm -f "${TmpRules}"
exit 0
fi
# Otherwise we install the new file
+check_immutable
if [ -f ${DestinationFile} ]; then
cp ${DestinationFile} ${DestinationFile}.${ASuffix}
fi
@@ -135,3 +146,4 @@ rm -f "${TmpRules}"
try_load
exit $RETVAL
+


@ -1,14 +0,0 @@
diff --git a/init.d/auditd.service b/init.d/auditd.service
index 8210c60eb..dd7ec694b 100644
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -38,7 +38,8 @@ MemoryDenyWriteExecute=true
LockPersonality=true
# The following control prevents rules on /proc so its off by default
#ProtectControlGroups=true
-ProtectKernelModules=true
+## The following control prevents rules on /usr/lib/modules/ its off by default
+#ProtectKernelModules=true
RestrictRealtime=true
[Install]


@ -3,15 +3,12 @@
Summary: User space tools for kernel auditing Summary: User space tools for kernel auditing
Name: audit Name: audit
Version: 3.1.2 Version: 3.1.2
Release: 1%{?dist}.1 Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://people.redhat.com/sgrubb/audit/ URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
Patch0: protected-kernel-modules.patch
Patch1: augenrules-immutable.patch
BuildRequires: gcc swig make BuildRequires: gcc swig make
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: krb5-devel libcap-ng-devel BuildRequires: krb5-devel libcap-ng-devel
@ -86,10 +83,6 @@ Management Facility) database, through an IBM Tivoli Directory Server
%prep %prep
%setup -q %setup -q
%patch -P 0 -p1
%patch -P 1 -p1
cp %{SOURCE1} . cp %{SOURCE1} .
#autoreconf -fv --install #autoreconf -fv --install
@ -247,12 +240,6 @@ fi
%attr(750,root,root) %{_sbindir}/audispd-zos-remote %attr(750,root,root) %{_sbindir}/audispd-zos-remote
%changelog %changelog
* Mon Mar 31 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.2-1.1
- Allow defining rules for /usr/lib/modules dir
Resolves: RHEL-59013
- augenrules: fix return code if immutable mode is set
Resolves: RHEL-40109
* Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1 * Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
- Rebase audit to latest upstream release - Rebase audit to latest upstream release
Resolves: RHEL-15001 Resolves: RHEL-15001