.audit.metadata

@@ -1 +0,0 @@
-45cffb1ded9a57a79b33547f58228131d3eb14a6 SOURCES/audit-3.1.2.tar.gz

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,174 @@
-SOURCES/audit-3.1.2.tar.gz
+audit-0.5.tar.gz
+audit-0.6.2.tar.gz
+audit-0.5.5.tar.gz
+audit-0.6.3.tar.gz
+audit-0.6.4.tar.gz
+audit-0.6.5.tar.gz
+audit-0.6.6.tar.gz
+audit-0.6.7.tar.gz
+audit-0.6.8.tar.gz
+audit-0.6.9.tar.gz
+audit-0.6.10.tar.gz
+audit-0.6.11.tar.gz
+audit-0.6.12.tar.gz
+audit-0.7.tar.gz
+audit-0.7.1.tar.gz
+audit-0.7.2.tar.gz
+audit-0.7.3.tar.gz
+audit-0.7.4.tar.gz
+audit-0.8.1.tar.gz
+audit-0.8.2.tar.gz
+audit-0.9.2.tar.gz
+audit-0.9.3.tar.gz
+audit-0.9.4.tar.gz
+audit-0.9.5.tar.gz
+audit-0.9.6.tar.gz
+audit-0.9.7.tar.gz
+audit-0.9.8.tar.gz
+audit-0.9.9.tar.gz
+audit-0.9.10.tar.gz
+audit-0.9.11.tar.gz
+audit-0.9.12.tar.gz
+audit-0.9.13.tar.gz
+audit-0.9.14.tar.gz
+audit-0.9.15.tar.gz
+audit-0.9.16.tar.gz
+audit-0.9.17.tar.gz
+audit-0.9.18.tar.gz
+audit-0.9.19.tar.gz
+audit-0.9.20.tar.gz
+audit-1.0.tar.gz
+audit-1.0.1.tar.gz
+audit-1.0.2.tar.gz
+audit-1.0.3.tar.gz
+audit-1.0.4.tar.gz
+audit-1.0.5.tar.gz
+audit-1.0.6.tar.gz
+audit-1.0.7.tar.gz
+audit-1.0.8.tar.gz
+audit-1.0.9.tar.gz
+audit-1.0.10.tar.gz
+audit-1.0.12.tar.gz
+audit-1.1.tar.gz
+audit-1.1.1.tar.gz
+audit-1.1.2.tar.gz
+audit-1.1.3.tar.gz
+audit-1.1.4.tar.gz
+audit-1.1.5.tar.gz
+audit-1.1.6.tar.gz
+audit-1.2.tar.gz
+audit-1.2.1.tar.gz
+audit-1.2.2.tar.gz
+audit-1.2.3.tar.gz
+audit-1.2.4.tar.gz
+audit-1.2.5.tar.gz
+audit-1.2.6.tar.gz
+audit-1.2.7.tar.gz
+audit-1.2.8.tar.gz
+audit-1.2.9.tar.gz
+audit-1.3.tar.gz
+audit-1.3.1.tar.gz
+audit-1.4.tar.gz
+audit-1.4.1.tar.gz
+audit-1.4.2.tar.gz
+audit-1.5.tar.gz
+audit-1.5.1.tar.gz
+audit-1.5.2.tar.gz
+audit-1.5.3.tar.gz
+audit-1.5.5.tar.gz
+audit-1.5.6.tar.gz
+audit-1.6.tar.gz
+audit-1.6.1.tar.gz
+audit-1.6.2.tar.gz
+audit-1.6.4.tar.gz
+audit-1.6.5.tar.gz
+audit-1.6.6.tar.gz
+audit-1.6.7.tar.gz
+audit-1.6.8.tar.gz
+audit-1.6.9.tar.gz
+audit-1.7.tar.gz
+audit-1.7.1.tar.gz
+audit-1.7.3.tar.gz
+audit-1.7.4.tar.gz
+audit-1.7.5.tar.gz
+audit-1.7.6.tar.gz
+audit-1.7.7.tar.gz
+audit-1.7.8.tar.gz
+audit-1.7.9.tar.gz
+audit-1.7.10.tar.gz
+audit-1.7.11.tar.gz
+audit-1.7.12.tar.gz
+audit-1.7.13.tar.gz
+audit-2.0.tar.gz
+audit-1.8.tar.gz
+audit-2.0.1.tar.gz
+audit-2.0.3.tar.gz
+audit-2.0.4.tar.gz
+/audit-2.0.5.tar.gz
+/audit-2.0.6.tar.gz
+/audit-2.1.tar.gz
+/audit-2.1.1.tar.gz
+/audit-2.1.2.tar.gz
+/audit-2.1.3.tar.gz
+/audit-2.2.tar.gz
+/audit-2.2.1.tar.gz
+/audit-2.2.2.tar.gz
+/audit-2.3.tar.gz
+/audit-2.3.1.tar.gz
+/audit-2.3.2.tar.gz
+/audit-2.3.3.tar.gz
+/audit-2.3.4.tar.gz
+/audit-2.3.5.tar.gz
+/audit-2.3.6.tar.gz
+/audit-2.3.7.tar.gz
+/audit-2.3.8svn20140801.tar.gz
+/audit-2.3.8.svn20140801.tar.gz
+/audit-2.3.8.svn20140802.tar.gz
+/audit-2.3.8.svn20140803.tar.gz
+/audit-2.4.tar.gz
+/audit-2.4.1.tar.gz
+/audit-2.4.2.tar.gz
+/audit-2.4.3.tar.gz
+/audit-2.4.4.tar.gz
+/audit-2.4.5.tar.gz
+/audit-2.5.tar.gz
+/audit-2.5.1.tar.gz
+/audit-2.5.2.tar.gz
+/audit-2.6.tar.gz
+/audit-2.6.1.tar.gz
+/audit-2.6.2.tar.gz
+/audit-2.6.3.tar.gz
+/audit-2.6.4.tar.gz
+/audit-2.6.5.tar.gz
+/audit-2.6.6.tar.gz
+/audit-2.6.7.tar.gz
+/audit-2.7.tar.gz
+/audit-2.7.1.tar.gz
+/audit-2.7.2.tar.gz
+/audit-2.7.3.tar.gz
+/audit-2.7.4.tar.gz
+/audit-2.7.5.tar.gz
+/audit-2.7.6.tar.gz
+/audit-2.7.7.tar.gz
+/audit-2.7.8.tar.gz
+/audit-2.8.tar.gz
+/audit-2.8.1.tar.gz
+/audit-2.8.2.tar.gz
+/audit-2.8.3.tar.gz
+/audit-2.8.4.tar.gz
+/audit-3.0-alpha.tar.gz
+/audit-3.0-alpha2.tar.gz
+/audit-3.0-alpha3.tar.gz
+/audit-3.0-alpha5.tar.gz
+/audit-3.0-alpha6.tar.gz
+/audit-3.0-alpha7.tar.gz
+/audit-3.0-alpha8.tar.gz
+/audit-3.0-alpha9.tar.gz
+/audit-3.0.tar.gz
+/audit-3.0.1.tar.gz
+/audit-3.0.2.tar.gz
+/audit-3.0.5.tar.gz
+/audit-3.0.7.tar.gz
+/audit-3.1.2.tar.gz
+/audit-3.1.4.tar.gz
+/audit-3.1.5.tar.gz

0001-Add-ausysrulevalidate.patch

@@ -0,0 +1,217 @@
+From 4011007b445e8f8da9b0cc45eccd793b94f6b5ce Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 29 Jul 2021 19:25:43 -0300
+Subject: [PATCH] Add ausysrulevalidate
+
+---
+ contrib/ausysrulevalidate | 198 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 198 insertions(+)
+ create mode 100755 contrib/ausysrulevalidate
+
+diff --git a/contrib/ausysrulevalidate b/contrib/ausysrulevalidate
+new file mode 100755
+index 0000000..a251b2c
+--- /dev/null
++++ b/contrib/ausysrulevalidate
+@@ -0,0 +1,198 @@
++#!/usr/bin/env python3
++# -*- coding: utf-8 -*-
++
++# ausysrulevalidate - A program that lets you validate the syscalls
++# in audit rules.
++# Copyright (c) 2021 Red Hat Inc., Durham, North Carolina.
++# All Rights Reserved.
++#
++# This software may be freely redistributed and/or modified under the
++# terms of the GNU General Public License as published by the Free
++# Software Foundation; either version 2, or (at your option) any
++# later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; see the file COPYING. If not, write to the
++# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
++# Boston, MA 02110-1335, USA.
++#
++# Authors:
++#   Sergio Correia <scorreia@redhat.com>
++
++""" This program lets you validate syscalls in audit rules. """
++
++import argparse
++import os.path
++import sys
++
++import audit
++
++
++class AuSyscallRuleValidate:
++    """AuSyscallRuleValidate validates syscalls in audit rules."""
++
++    def __init__(self):
++        self.syscalls_table = {}
++        self.invalid_syscalls = {}
++        self.machines = {
++            "b32": audit.audit_determine_machine("b32"),
++            "b64": audit.audit_determine_machine("b64"),
++        }
++
++        if self.machines["b32"] == -1 or self.machines["b64"] == -1:
++            sys.stderr.write("ERROR: Unable to determine machine type\n")
++            sys.exit(1)
++
++    def validate_syscall(self, arch, syscall):
++        """Validates a single syscall."""
++
++        if syscall == "all":
++            return True
++
++        lookup = "{0}:{1}".format(arch, syscall)
++        if lookup in self.syscalls_table:
++            return self.syscalls_table[lookup]
++
++        ret = audit.audit_name_to_syscall(syscall, self.machines[arch])
++        self.syscalls_table[lookup] = ret != -1
++        if not self.syscalls_table[lookup]:
++            self.invalid_syscalls[lookup] = lookup
++
++        return self.syscalls_table[lookup]
++
++    def process_syscalls(self, arch, syscalls):
++        """Processes a group of syscalls, validating them individually."""
++
++        scalls = syscalls.split(",")
++        processed = []
++        for syscall in scalls:
++            if self.validate_syscall(arch, syscall):
++                processed.append(syscall)
++        return ",".join(processed)
++
++    def parse_line(self, line):
++        """Processes a single line from the audit rules file, and returns the
++        same line adjusted, if required, by removing invalid syscalls, or even
++        removing the rule altogether, if no valid syscall remain after
++        validation."""
++
++        if line.lstrip().startswith("#") or "-S" not in line:
++            return line
++
++        # We do have a rule specifying syscalls, so let's validate them.
++        tokens = line.split()
++        processed = []
++        is_syscall = False
++        arch = None
++
++        for val in tokens:
++            if not is_syscall:
++                processed.append(val)
++
++            if val.startswith("arch="):
++                archs = val.split("=")
++                if len(archs) == 2:
++                    arch = val.split("=")[1]
++                    if arch not in self.machines:
++                        sys.stderr.write("ERROR: unexpected arch '{0}'\n".format(arch))
++                        continue
++
++            if val == "-S":
++                is_syscall = True
++                continue
++
++            if is_syscall:
++                is_syscall = False
++                scalls = self.process_syscalls(arch, val)
++
++                if len(scalls) == 0:
++                    processed = processed[:-1]
++                    continue
++                processed.append(scalls)
++
++        if "-S" not in processed:
++            # Removing rule altogether, as we have no valid syscalls remaining.
++            return None
++        return " ".join(processed)
++
++    def process_rules(self, rules_file):
++        """Reads a file with audit rules and returns the rules after
++        validation of syscalls/architecture. Invalid syscalls will be removed
++        and, if there are no valid remaining syscalls, the rule itself is
++        removed."""
++
++        if not os.path.isfile(rules_file):
++            sys.stderr.write("ERROR: rules file '{0}' not found\n".format(rules_file))
++            sys.exit(1)
++
++        with open(rules_file) as rules:
++            content = rules.readlines()
++
++        processed = []
++        changed = False
++        for line in content:
++            validated = self.parse_line(line)
++            if validated is None:
++                changed = True
++                continue
++
++            if validated.rstrip("\r\n") != line.rstrip("\r\n"):
++                changed = True
++            processed.append(validated.rstrip("\r\n"))
++
++        invalid_syscalls = []
++        for invalid in self.invalid_syscalls:
++            invalid_syscalls.append(invalid)
++
++        return (processed, changed, invalid_syscalls)
++
++    def update_rules(self, rules_file):
++        """Reads a file with audit rules and updates it after validation of
++        syscalls/architecture. Invalid syscalls will be removed and, if
++        there are no valid remaining syscalls, the rule itself is removed."""
++
++        new_rules, changed, invalid_syscalls = self.process_rules(rules_file)
++        if changed:
++            with open(rules_file, "w") as rules:
++                for line in new_rules:
++                    rules.write("{0}\n".format(line))
++
++        return (new_rules, changed, invalid_syscalls)
++
++
++if __name__ == "__main__":
++    parser = argparse.ArgumentParser(description="ausysrulevalidate")
++    parser.add_argument(
++        "-u", "--update", help="Update rules file if required", action="store_true"
++    )
++    parser.add_argument(
++        "-v", "--verbose", help="Show the resulting rules file", action="store_true"
++    )
++    required_named = parser.add_argument_group("required named arguments")
++    required_named.add_argument(
++        "-r", "--rules-file", help="Rules file name", required=True
++    )
++    args = parser.parse_args()
++
++    validator = AuSyscallRuleValidate()
++
++    action = validator.process_rules
++    if args.update:
++        action = validator.update_rules
++
++    data, changed, invalid = action(args.rules_file)
++    if changed:
++        verb = "require"
++        if args.update:
++            verb += "d"
++        sys.stderr.write("Rules in '{0}' {1} changes\n".format(args.rules_file, verb))
++        if len(invalid) > 0:
++            sys.stderr.write("Invalid syscalls: {0}\n".format(", ".join(invalid)))
++
++    if args.verbose:
++        print(*data, sep="\n")
+-- 
+2.31.1
+

audisp-restore-fix.patch

@@ -0,0 +1,38 @@
+diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
+index d85f15f8a..578533f52 100644
+--- a/audisp/plugins/af_unix/audisp-af_unix.c
++++ b/audisp/plugins/af_unix/audisp-af_unix.c
+@@ -132,7 +132,7 @@ int setup_socket(int argc, char *argv[])
+ 			if (errno) {
+ 				syslog(LOG_ERR,
+ 					"Error converting %s (%s)",
+-					arg[i], strerror(errno));
++					argv[i], strerror(errno));
+ 				mode = 0;
+ 			}
+ 		} else if (strchr(arg, '/') != NULL) {
+@@ -265,16 +265,15 @@ void read_audit_record(int ifd)
+ 					do {
+ 						rc = writev(conn, vec, 2);
+ 					} while (rc < 0 && errno == EINTR);
+-				}
+-
+-				if (rc < 0 && errno == EPIPE) {
+-					close(conn);
+-					conn = -1;
+-					client = 0;
+-					audit_fgets_clear();
+-				}
+-				if (rc >= 0 && rc != len) {
++					if (rc < 0 && errno == EPIPE) {
++						close(conn);
++						conn = -1;
++						client = 0;
++						audit_fgets_clear();
++					}
++					//if (rc >= 0 && rc != len) {
+ 					// what to do with leftovers?
++					//}
+ 				}
+ 			}
+ #endif

audisp-restore.patch

@@ -0,0 +1,256 @@
+diff --git a/audisp/plugins/af_unix/Makefile.am b/audisp/plugins/af_unix/Makefile.am
+index 501b35d43..e8faec7df 100644
+--- a/audisp/plugins/af_unix/Makefile.am
++++ b/audisp/plugins/af_unix/Makefile.am
+@@ -25,7 +25,8 @@ CONFIG_CLEAN_FILES = *.rej *.orig
+ CONF_FILES = af_unix.conf
+ EXTRA_DIST = $(CONF_FILES) $(man_MANS)
+ 
+-AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common
++AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common -I${top_srcdir}/audisp
++LIBS = ${top_builddir}/lib/libaudit.la
+ prog_confdir = $(sysconfdir)/audit
+ plugin_confdir=$(prog_confdir)/plugins.d
+ plugin_conf = af_unix.conf
+diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
+index ffbf2ac07..d85f15f8a 100644
+--- a/audisp/plugins/af_unix/audisp-af_unix.c
++++ b/audisp/plugins/af_unix/audisp-af_unix.c
+@@ -33,6 +33,7 @@
+ #include <libgen.h>
+ #include <string.h>
+ #include <sys/stat.h>
++#include <sys/uio.h>
+ #include <dirent.h>
+ #include <sys/un.h>
+ #include <fcntl.h>
+@@ -43,16 +44,19 @@
+ #endif
+ #include "libaudit.h"
+ #include "common.h"
++#include "audispd-pconfig.h"
+ 
+ #define DEFAULT_PATH "/var/run/audispd_events"
++#define MAX_AUDIT_EVENT_FRAME_SIZE (sizeof(struct audit_dispatcher_header) + MAX_AUDIT_MESSAGE_LENGTH)
+ //#define DEBUG
+ 
+ /* Global Data */
+ static volatile int stop = 0, hup = 0;
+-char rx_buf[MAX_AUDIT_MESSAGE_LENGTH];
++char rx_buf[MAX_AUDIT_EVENT_FRAME_SIZE+1];
+ int sock = -1, conn = -1, client = 0;
+ struct pollfd pfd[3];
+ unsigned mode = 0;
++format_t format = -1;
+ char *path = NULL;
+ 
+ /*
+@@ -119,77 +123,150 @@ int create_af_unix_socket(const char *spath, int mode)
+ 
+ int setup_socket(int argc, char *argv[])
+ {
+-	if (argc != 3) {
+-		syslog(LOG_ERR, "Missing arguments, using defaults");
+-		mode = 0640;
+-		path = DEFAULT_PATH;
+-	} else {
+-		int i;
+-		for (i=1; i < 3; i++) {
+-			if (isdigit((unsigned char)argv[i][0])) {
+-				errno = 0;
+-				mode = strtoul(argv[i], NULL, 8);
+-				if (errno) {
+-					syslog(LOG_ERR,
+-					       "Error converting %s (%s)",
+-					       argv[i], strerror(errno));
+-					mode = 0;
+-				}
+-			} else {
+-				char *base;
+-				path = argv[i];
+-				// Make sure there are directories
+-				base = strchr(path, '/');
+-				if (base) {
+-					DIR *d;
+-					char *dir = strdup(path);
+-					base = dirname(dir);
+-					d = opendir(base);
+-					if (d) {
+-						closedir(d);
+-						unlink(path);
+-						free(dir);
+-					} else {
+-						syslog(LOG_ERR,
+-						       "Couldn't open %s (%s)",
+-						       base, strerror(errno));
+-						free(dir);
+-						exit(1);
+-					}
+-
++	for (int i = 1; i < argc; i++) {
++		char *arg = argv[i];
++		if (isdigit((unsigned char)arg[0])) {
++			// parse mode
++			errno = 0;
++			mode = strtoul(arg, NULL, 8);
++			if (errno) {
++				syslog(LOG_ERR,
++					"Error converting %s (%s)",
++					arg[i], strerror(errno));
++				mode = 0;
++			}
++		} else if (strchr(arg, '/') != NULL) {
++			// parse path
++			char* base;
++			path = arg;
++			// Make sure there are directories
++			base = strchr(path, '/');
++			if (base) {
++				DIR* d;
++				char* dir = strdup(path);
++				base = dirname(dir);
++				d = opendir(base);
++				if (d) {
++					closedir(d);
++					unlink(path);
++					free(dir);
+ 				} else {
+-					syslog(LOG_ERR, "Malformed path %s",
+-					       path);
++					syslog(LOG_ERR,
++						"Couldn't open %s (%s)",
++						base, strerror(errno));
++					free(dir);
+ 					exit(1);
+ 				}
++
++			} else {
++				syslog(LOG_ERR, "Malformed path %s",
++					path);
++				exit(1);
+ 			}
+-		}
+-		if (mode == 0 || path == NULL) {
+-			syslog(LOG_ERR, "Bad arguments, using defaults");
+-			mode = 0640;
+-			path = DEFAULT_PATH;
++		} else {
++			if (strcmp(arg, "string") == 0)
++				format = F_STRING;
++			else if (strcmp(arg, "binary") == 0)
++				format = F_BINARY;
++			else
++				syslog(LOG_ERR, "Invalid format detected");
+ 		}
+ 	}
++
++	if (mode == 0 || path == NULL || format == -1) {
++		syslog(LOG_ERR, "Bad or not enough arguments, using defaults");
++		mode = 0640;
++		path = DEFAULT_PATH;
++		format = F_STRING;
++	}
++
+ 	return create_af_unix_socket(path, mode);
+ }
+ 
++static int event_to_string(struct audit_dispatcher_header *hdr, char *data, char **out, int *outlen)
++{
++	char *v = NULL, *ptr, unknown[32];
++	int len;
++
++	if (hdr->ver == AUDISP_PROTOCOL_VER) {
++		const char *type;
++
++		/* Get the event formatted */
++		type = audit_msg_type_to_name(hdr->type);
++		if (type == NULL) {
++			snprintf(unknown, sizeof(unknown),
++				"UNKNOWN[%u]", hdr->type);
++			type = unknown;
++		}
++		len = asprintf(&v, "type=%s msg=%.*s\n",
++				type, hdr->size, data);
++	// Protocol 2 events are already formatted
++	} else if (hdr->ver == AUDISP_PROTOCOL_VER2) {
++		len = asprintf(&v, "%.*s\n", hdr->size, data);
++	} else
++		len = 0;
++	if (len <= 0) {
++		*out = NULL;
++		*outlen = 0;
++		return -1;
++	}
++
++	/* Strip newlines from event record */
++	ptr = v;
++	while ((ptr = strchr(ptr, 0x0A)) != NULL) {
++		if (ptr != &v[len-1])
++			*ptr = ' ';
++		else
++			break; /* Done - exit loop */
++	}
++
++	*out = v;
++	*outlen = len;
++	return 1;
++}
++
+ void read_audit_record(int ifd)
+ {
+ 	do {
+ 		int len;
+ 
+ 		// Read stdin
+-		if ((len = audit_fgets(rx_buf, sizeof(rx_buf), ifd)) > 0) {
++		if ((len = audit_fgets(rx_buf, MAX_AUDIT_EVENT_FRAME_SIZE + 1, ifd)) > 0) {
+ #ifdef DEBUG
+ 			write(1, rx_buf, len);
+ #else
++			struct audit_dispatcher_header *hdr = (struct audit_dispatcher_header *)rx_buf;
++			char *data = rx_buf + sizeof(struct audit_dispatcher_header);
+ 			if (client) {
+ 				// Send it to the client
+ 				int rc;
+ 
+-				do {
+-					rc = write(conn, rx_buf, len);
+-				} while (rc < 0 && errno == EINTR);
++				if (format == F_STRING) {
++					
++					char *str = NULL;
++					int str_len = 0;
++					if (event_to_string(hdr, data, &str, &str_len) < 0) {
++						// what to do with error?
++						continue;
++					}
++
++					do {
++						rc = write(conn, str, str_len);
++					} while (rc < 0 && errno == EINTR);
++				} else if (format == F_BINARY) {
++					struct iovec vec[2];
++
++					vec[0].iov_base = hdr;
++					vec[0].iov_len = sizeof(struct audit_dispatcher_header);
++
++					vec[1].iov_base = data;
++					vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH;
++
++					do {
++						rc = writev(conn, vec, 2);
++					} while (rc < 0 && errno == EINTR);
++				}
++
+ 				if (rc < 0 && errno == EPIPE) {
+ 					close(conn);
+ 					conn = -1;
+@@ -203,7 +280,7 @@ void read_audit_record(int ifd)
+ #endif
+ 		} else if (audit_fgets_eof())
+ 			stop = 1;
+-	} while (audit_fgets_more(sizeof(rx_buf)));
++	} while (audit_fgets_more(MAX_AUDIT_EVENT_FRAME_SIZE));
+ }
+ 
+ void accept_connection(void)

audit.spec

@@ -1,25 +1,37 @@
-%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Summary: User space tools for kernel auditing
 Name: audit
-Version: 3.1.2
-Release: 1%{?dist}
+Version: 3.1.5
+Release: 2%{?dist}
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
 
-BuildRequires: gcc swig make
+Patch1: 0001-Add-ausysrulevalidate.patch
+Patch2: audisp-restore.patch
+Patch3: audisp-restore-fix.patch
+Patch4: readonly.patch
+Patch5: disable-protectkernmelmodules.patch
+Patch6: remote-logging-ordering-cycle.patch
+Patch7: permtab-filter-unsupport.patch
+
+BuildRequires: make gcc swig
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel libcap-ng-devel
 BuildRequires: kernel-headers >= 2.6.29
 BuildRequires: systemd
-#BuildRequires: autoconf automake libtool
+BuildRequires: autoconf automake libtool
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires(post): systemd coreutils
-Requires(preun): systemd initscripts
-Requires(postun): systemd coreutils initscripts
+Requires(preun): systemd
+Requires(postun): systemd coreutils
+Recommends: initscripts-service
+
+# Placing this here under the assumption that anything using the
+# python libraries expects the system to have an audit daemon
+Obsoletes: python2-audit < %{version}-%{release}
 
 %description
 The audit package contains the user space utilities for
@@ -31,7 +43,7 @@ Summary: Dynamic library for libaudit
 License: LGPLv2+
 
 %description libs
-The audit-libs package contains the dynamic libraries needed for 
+The audit-libs package contains the dynamic libraries needed for
 applications to use the audit framework.
 
 %package libs-devel
@@ -48,6 +60,7 @@ developing applications that need to use the audit framework libraries.
 Summary: Python3 bindings for libaudit
 License: LGPLv2+
 BuildRequires: python3-devel
+BuildRequires: make
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Provides: audit-libs-python3 = %{version}-%{release}
 Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
@@ -84,14 +97,25 @@ Management Facility) database, through an IBM Tivoli Directory Server
 %prep
 %setup -q
 cp %{SOURCE1} .
-#autoreconf -fv --install
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1
+%patch -P 7 -p1
+
+autoreconf -fv --install
+
+# Remove the ids code, its not ready
+sed -i 's/ ids / /' audisp/plugins/Makefile.in
 
 %build
 %configure --with-python=no \
 	   --with-python3=yes \
 	   --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
-	   --with-libcap-ng=yes --without-golang --enable-zos-remote \
-	   --enable-systemd
+	   --with-libcap-ng=yes --enable-zos-remote --without-golang \
+	   --enable-systemd --enable-experimental --with-io_uring
 
 make CFLAGS="%{optflags}" %{?_smp_mflags}
 
@@ -102,14 +126,23 @@ mkdir -p $RPM_BUILD_ROOT/%{_lib}
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
 mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
 mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
+mkdir -p $RPM_BUILD_ROOT/%{_datadir}
 make DESTDIR=$RPM_BUILD_ROOT install
 
+# Validate sample rules shipped.
+for r in $RPM_BUILD_ROOT/%{_datadir}/%{name}/sample-rules/*.rules; do
+    PYTHONPATH=$RPM_BUILD_ROOT/%{python3_sitearch} \
+    LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} \
+        %{_builddir}/%{name}-%{version}/contrib/ausysrulevalidate \
+        --update --rules-file "${r}"
+done
+
 # Remove these items so they don't get picked up.
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
 
 find $RPM_BUILD_ROOT -name '*.la' -delete
-find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete || true
+find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete
 
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
 touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
@@ -121,27 +154,39 @@ make check
 rm -f rules/Makefile*
 
 %post
+%systemd_post auditd.service
+
 # Copy default rules into place on new installation
 files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
 if [ "$files" -eq 0 ] ; then
-  if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
-    cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
-  else
-    touch /etc/audit/rules.d/audit.rules
-  fi
-  chmod 0600 /etc/audit/rules.d/audit.rules
+	if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
+		cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
+	else
+		touch /etc/audit/rules.d/audit.rules
+	fi
+	chmod 0600 /etc/audit/rules.d/audit.rules
+fi
+
+# If upgrading, restart the daemon if it's running
+if [ $1 -eq 2 ]; then
+	state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
+
+	if [ $state = "active" ] ; then
+		auditctl --signal stop || true
+		systemctl start auditd
+	fi
+# if installing, start it since preset says we should be running
+elif [ $1 -eq 1 ]; then
+	systemctl start auditd
 fi
-%systemd_post auditd.service
 
 %preun
 %systemd_preun auditd.service
+# if uninstalling stop the daemon
 if [ $1 -eq 0 ]; then
-    /sbin/service auditd stop > /dev/null 2>&1
-fi
-
-%postun
-if [ $1 -ge 1 ]; then
-    /sbin/service auditd condrestart > /dev/null 2>&1 || :
+	auditctl --signal stop || true
+	# also delete loaded rules if uninstalling
+	auditctl -D || true
 fi
 
 %files libs
@@ -196,6 +241,7 @@ fi
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
+%attr(640,root,root) %{_tmpfilesdir}/audit.conf
 %attr(755,root,root) %{_bindir}/auvirt
 %attr(644,root,root) %{_unitdir}/auditd.service
 %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
@@ -206,7 +252,6 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
-%attr(750,root,root) %{_libexecdir}/audit-functions
 %ghost %{_localstatedir}/run/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit
@@ -216,21 +261,24 @@ fi
 %ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
 %ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
 %config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
-%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
 
 %files -n audispd-plugins
 %config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
+%config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf
+%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(750,root,root) %{_sbindir}/audisp-af_unix
+%attr(750,root,root) %{_sbindir}/audisp-statsd
 %attr(700,root,root) %dir %{_var}/spool/audit
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-statsd.8.gz
 
 %files -n audispd-plugins-zos
 %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
@@ -240,100 +288,217 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
 
 %changelog
-* Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
-- Rebase audit to latest upstream release
-  Resolves: RHEL-15001
+* Wed Jan 08 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-2
+- Disable ProtectKernelModules=true in service file
+  Resolves: RHEL-59570
+- af_unix plugin: restore original behavior in binary mode
+  Resolves: RHEL-59585
+- Support image mode
+  Resolves: RHEL-69033
+- Resolve ordering cycle when using remote logging
+  Resolves: RHEL-11252
+- Filter syscalls to ensure architecture-specific availability
+  Resolves: RHEL-70455
 
-* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-5
+* Tue Jul 09 2024 Attila Lakatos <alakatos@redhat.com> - 3.1.5-1
+- New upstream maintenance release, 3.1.4
+- Prevent scriplets from failing
+- When upgrading, restart the daemon if it's running
+- If uninstalling, stop the daemon
+- auditctl: use pidfd_send_signal for signaling auditd
+  Resolves: RHEL-45865
+- Minor doc update
+  Resolves: RHEL-5186
+- augenrules: do not exit with failure if in immutable mode
+  Resolves: RHEL-40110
+- auditd.service: Disable ProtectControlGroups
+  Resolves: RHEL-5197
+- auditctl: correct output when displaying rules with exe/path/dir
+  Resolves: RHEL-40243
+
+* Wed Nov 08 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-2
+- Remove %systemd_preun from %preun scriptlet, as it was causing troubles when removing audit
+  Related: RHEL-14896
+
+* Fri Oct 27 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
+- New upstream release, 3.1.2
+  Resolves: RHEL-14896
+
+* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-104
 - Introduce new fanotify record fields
-  Resolves: rhbz#2216668
-- invalid use of flexible array member
-  Resolves: rhbz#2116867
+  Resolves: rhbz#2216666
 
-* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-4
+* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-103
 - Drop ProtectHome from auditd.service as it interferes with rules
-  Resolves: rhbz#2071727 - Default systemd service config blocks audit watch rules in some directories
+  Resolves: rhbz#2071725 - Default systemd service config blocks audit watch rules in some directories [rhel-9.1.0]
 
-* Mon Mar 14 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-3
+* Sun Mar 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-102
 - Fix path normalization in auparse
-  Resolves: rhbz#2062612 - auparse missing information when used with --format-text
+  Resolves: rhbz#2062824 - auparse missing information when used with --format-text
 
-* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-2
+* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-101
 - Adjust sample-rules dir permissions
-  Resolves: rhbz#2054727 - /usr/share/audit/sample-rules is no longer readable by non-root users
+  Resolves: rhbz#2054432 - /usr/share/audit/sample-rules is no longer readable by non-root users
 
-* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-1
-- New upstream release - 3.0.7
-  Related: rhbz#1939406
+* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-100
+- New upstream release, 3.0.7
+  Resolves: rhbz#2019929 - capability=unknown-capability(39) in audit messages
 
-* Thu Jan 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
-- Rebase audit package on 8.6
-  Resolves: rhbz#1939406
-  Resolves: rhbz#1906065
-  Resolves: rhbz#1921447
-  Resolves: rhbz#1927884
-  Resolves: rhbz#1921658
+* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-5
+- auparse: refact nvlist cleanup code
+  Resolves: rhbz#2008965
 
-* Wed Jan 08 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.17.20191104git1c2f876
-resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)
+* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-4
+- When interpreting, if val is NULL return an empty string
+  Resolves: rhbz#2004420
 
-* Thu Nov 28 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
-resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
+* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-3
+- Update dependency to initscripts-service instead of initscripts
+  Resolves: rhbz#2000933
 
-* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.15.20191104git1c2f876
-resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates
-resolves: rhbz#1767054 - move audit rules to shared data directory
-resolves: rhbz#1746018 - Breakup 30-ospp-v42.rules into more granular files
-resolves: rhbz#1740798 - auditctl(8) needs clarification for backlog_limit
-resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
+* Tue Aug 17 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-2
+- Fix timestamp parsing
+  Related: rhbz#1938680
 
-* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
-resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
+* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
+- New upstream release, 3.0.5
+  Related: rhbz#1938680
 
-* Sat Jul 13 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190607gitf58ec40
-resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
+* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-3
+- Validates the sample rules we ship
+  Resolves: rhbz#1985630
 
-* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.11.20190607gitf58ec40
-resolves: rhbz#1643567 - service auditd stop exits prematurely
-resolves: rhbz#1693470 - libauparse memory leak
-resolves: rhbz#1694071 - ausearch doesn't record device/inode details checkpointing a single file
-resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
-resolves: rhbz#1705894 - aureport aborts when using a specific input
-resolves: rhbz#1706045 - RFE: Backport support for new audit record types
-resolves: rhbz#1715852 - RFE: provide a way to filter on network address family
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.2-2
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Wed Jan 09 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20180831git0047a6c
-resolves: rhbz#1655270] Message "audit: backlog limit exceeded" reported
-- Fix annobin failure
+* Tue Jun 22 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-1
+- New upstream release, 3.0.2.
+  Fix issues detected by static analyzers
+  Resolves: rhbz#1938680
 
-* Fri Dec 07 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.8.20180831git0047a6c
-resolves: rhbz#1639745 - build requires go-toolset-7 which is not available
-resolves: rhbz#1643567 - service auditd stop exits prematurely
-resolves: rhbz#1616428 - Update git snapshot of audit package
-- Remove static libs subpackage
+* Mon Jun 21 2021 Sergio Correia <scorreia@redhat.com> - 3.0.1-4
+- Enable default RHEL configuration
+  This enables syscall auditing by default.
+  Resolves: rhbz#1924561
 
-* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20180831git0047a6c
-resolves: rhbz#1616428 - Update git snapshot of audit package
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.1-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Feb 18 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-2
+- Add patch fixing segafult in the audisp-statsd plugin
+
+* Fri Feb 12 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-1
+- New upstream feature and bugfix release
+- Enable building the audisp-statsd plugin
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Dec 16 2020 Steve Grubb <sgrubb@redhat.com> 3.0-1
+- New upstream feature and bugfix release
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.21.20191104git1c2f876
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.20.20191104git1c2f876
+- Rebuilt for Python 3.9
+
+* Thu Mar 12 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.19.20191104git1c2f876
+- Add Obsolete python2-audit (#1783061)
+
+* Wed Jan 29 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.18.20191104git1c2f876
+- Fix multiple definition of `event_node_list' (#1794446)
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.17.20191104git1c2f876
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Nov 22 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
+- Drop python2 subpackage (#1775076)
+
+* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.14.20191104git1c2f876
+- New upstream git snapshot prerelease
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.14.20190507gitf58ec40
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.13.20190507gitf58ec40
+- Rebuilt for Python 3.8
+
+* Wed Jul 31 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190507gitf58ec40
+- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.11.20190507gitf58ec40
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Jul 05 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20190507gitf58ec40
+- Add initscripts package to the requires (bz #1727058)
+
+* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.9.20190507gitf58ec40
+- New upstream git snapshot prerelease which fixes several problems
+- Fixed 1698130 - removing audit.rpm doesn't stop auditd
+
+* Tue Mar 26 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.7.20190326git03e7489
+- New upstream git snapshot prerelease which fixes a memory leak
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.6.20181218gitbdb72c0
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Dec 18 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20181218gitbdb72c0
+- New upstream git snapshot prerelease
+- Remove historical ldconfig scriptlet (#1644056)
+
+* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.4.20180831git0047a6c
+- New upstream feature prerelease
 
 * Wed Aug 08 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.2.20180808git77fbcf3
-resolves: rhbz#1567357 New upstream feature prerelease
+- New upstream feature prerelease
 
 * Tue Jul 17 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.1.20180717gitacd53d1
 - New upstream feature prerelease
 
-* Tue Jun 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-2
-- Fix segfault on shutdown
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul  4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2.8.4-3
+- Remove unused sys V initscripts legacy bits
+
+* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.4-2
+- Rebuilt for Python 3.7
 
 * Tue Jun 19 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-1
 - New upstream bugfix release
 
-* Wed May 30 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
-- New upstream bugfix release
-- Remove Python2 support
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.3-4
+- Rebuilt for Python 3.7
 
-* Fri Apr 13 2018 Tom Stellard <tstellar@redhat.com> - 2.7.8-2
-- Use go-toolset-7 instead of golang
-- Package now must be built with: rhpkg --release rhel-8.0-go-toolset
+* Tue Apr 10 2018 Pete Walter <pwalter@fedoraproject.org> - 2.8.3-3
+- Rename Python 2 and 3 subpackages to python2-audit and python3-audit as per guidelines
+
+* Mon Mar 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-2
+- Fix Obsoletion of audit-libs-python not handled properly (#1559674)
+
+* Sat Mar 10 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
+- New upstream bugfix release
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Feb 05 2018 Steve Grubb <sgrubb@redhat.com> 2.8.2-3
+- Add a Provides audit-libs-python (#1537864)
+- Remove tcp_wrappers support?
+
+* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-2
+- Rename things from python to python2
+
+* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-1
+- New upstream bugfix release
+
+* Thu Oct 12 2017 Steve Grubb <sgrubb@redhat.com> 2.8.1-1
+- New upstream bugfix release
+
+* Tue Oct 10 2017 Steve Grubb <sgrubb@redhat.com> 2.8-1
+- New upstream feature release
 
 * Mon Sep 18 2017 Steve Grubb <sgrubb@redhat.com> 2.7.8-1
 - New upstream bugfix release

ci_tests.fmf

@@ -0,0 +1,12 @@
+/e2e_internal:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/audit-plans.git
+      name: /generic/e2e_ci_internal
+
+/rpmverify:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/audit-plans.git
+      name: /generic/rpmverify
+

disable-protectkernmelmodules.patch

@@ -0,0 +1,14 @@
+diff --git a/init.d/auditd.service b/init.d/auditd.service
+index 8210c60eb..dd7ec694b 100644
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -38,7 +38,8 @@ MemoryDenyWriteExecute=true
+ LockPersonality=true
+ # The following control prevents rules on /proc so its off by default
+ #ProtectControlGroups=true
+-ProtectKernelModules=true
++## The following control prevents rules on /usr/lib/modules/ its off by default
++#ProtectKernelModules=true
+ RestrictRealtime=true
+ 
+ [Install]

gating.yaml

@@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

permtab-filter-unsupport.patch

@@ -0,0 +1,102 @@
+diff --git a/lib/libaudit.c b/lib/libaudit.c
+index 7a8c6d4b1..de34812f0 100644
+--- a/lib/libaudit.c
++++ b/lib/libaudit.c
+@@ -100,6 +100,7 @@ static struct libaudit_conf config;
+ static int audit_failure_parser(const char *val, int line);
+ static int audit_name_to_uid(const char *name, uid_t *auid);
+ static int audit_name_to_gid(const char *name, gid_t *gid);
++static char* filter_supported_syscalls(const char* syscalls, int machine) __attr_dealloc_free;
+ 
+ static const struct kw_pair keywords[] =
+ {
+@@ -1524,6 +1525,50 @@ int _audit_parse_syscall(const char *optarg, struct audit_rule_data *rule)
+ 	return audit_rule_syscallbyname_data(rule, optarg);
+ }
+ 
++/*
++ * Filters unsupported syscalls from a comma-separated string based
++ * on the given architecture. Returns a new string with supported syscalls
++ * or NULL on error.
++ */
++static char* filter_supported_syscalls(const char* syscalls, int machine)
++{
++	if (syscalls == NULL) {
++		return NULL;
++	}
++
++	// Allocate memory for the filtered syscalls string
++	char* filtered_syscalls = malloc(strlen(syscalls) + 1);
++	if (filtered_syscalls == NULL) {
++		return NULL;
++	}
++	filtered_syscalls[0] = '\0'; // Initialize as empty string
++
++	// Tokenize the syscalls string and filter unsupported syscalls
++	const char* delimiter = ",";
++	char* syscalls_copy = strdup(syscalls);
++	if (syscalls_copy == NULL) {
++		free(filtered_syscalls);
++		return NULL;
++	}
++	char* token = strtok(syscalls_copy, delimiter);
++	while (token != NULL) {
++		if (audit_name_to_syscall(token, machine) != -1) {
++			strcat(filtered_syscalls, token);
++			strcat(filtered_syscalls, delimiter);
++		}
++		token = strtok(NULL, delimiter);
++	}
++	free(syscalls_copy);
++
++	// Remove the trailing delimiter, if present
++	size_t len = strlen(filtered_syscalls);
++	if (len > 0 && filtered_syscalls[len - 1] == ',') {
++		filtered_syscalls[len - 1] = '\0';
++	}
++
++	return filtered_syscalls;
++}
++
+ static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
+ {
+ 	// We only get here if syscall notation is being used in the rule.
+@@ -1536,20 +1581,36 @@ static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
+ 		return 0;
+ 	}
+ 
++	const int machine = audit_elf_to_machine(_audit_elf);
+ 	const char *syscalls = audit_perm_to_name(perm);
+-	int rc = _audit_parse_syscall(syscalls, rule);
++	const char *syscalls_to_use;
++
++	// The permtab table is hardcoded, but some syscalls, like rename
++	// on arm64, are unavailable on certain architectures. To ensure compatibility,
++	// we must avoid creating rules with unsupported syscalls.
++	char* filtered_syscalls = filter_supported_syscalls(syscalls, machine);
++	if (filtered_syscalls == NULL) {
++		// use original syscalls in case we failed to parse - should not happen
++		syscalls_to_use = syscalls;
++		audit_msg(LOG_WARNING, "Filtering syscalls failed; using original syscalls.");
++	} else {
++		syscalls_to_use = filtered_syscalls;
++	}
++
++	int rc = _audit_parse_syscall(syscalls_to_use, rule);
+ 	switch (rc)
+ 	{
+ 	case 0:
+ 		_audit_syscalladded = 1;
+ 		break;
+ 	case -1: // Should never happen
+-		audit_msg(LOG_ERR, "Syscall name unknown: %s", syscalls);
++		audit_msg(LOG_ERR, "Syscall name unknown: %s", syscalls_to_use);
+ 		break;
+ 	default: // Error reported - do nothing here
+ 		break;
+ 	}
+ 
++	free(filtered_syscalls);
+ 	return rc;
+ }
+ 

readonly.patch

@@ -0,0 +1,48 @@
+diff --git a/audit.spec b/audit.spec
+index 39f640e36..313d803f1 100644
+--- a/audit.spec
++++ b/audit.spec
+@@ -215,6 +215,7 @@ fi
+ %attr(755,root,root) %{_bindir}/aulast
+ %attr(755,root,root) %{_bindir}/aulastlog
+ %attr(755,root,root) %{_bindir}/ausyscall
++%attr(640,root,root) %{_tmpfilesdir}/audit.conf
+ %attr(755,root,root) %{_bindir}/auvirt
+ %attr(644,root,root) %{_unitdir}/auditd.service
+ %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
+diff --git a/init.d/Makefile.am b/init.d/Makefile.am
+index 3a73697a6..63fae2ab4 100644
+--- a/init.d/Makefile.am
++++ b/init.d/Makefile.am
+@@ -23,6 +23,7 @@
+ 
+ CONFIG_CLEAN_FILES = *.rej *.orig
+ EXTRA_DIST = auditd.init auditd.service auditd.sysconfig auditd.conf \
++	audit-tmpfiles.conf \
+ 	auditd.cron libaudit.conf auditd.condrestart \
+ 	auditd.reload auditd.restart auditd.resume \
+ 	auditd.rotate auditd.state auditd.stop \
+@@ -43,6 +44,8 @@ sbin_SCRIPTS = augenrules
+ 
+ install-data-hook:
+ 	$(INSTALL_DATA) -D -m 640 ${srcdir}/${libconfig} ${DESTDIR}${sysconfdir}
++	mkdir -p ${DESTDIR}$(prefix)/lib/tmpfiles.d/
++	$(INSTALL_DATA) -m 640 ${srcdir}/audit-tmpfiles.conf ${DESTDIR}$(prefix)/lib/tmpfiles.d/audit.conf
+ if ENABLE_SYSTEMD
+ else
+ 	$(INSTALL_DATA) -D -m 640 ${srcdir}/auditd.sysconfig ${DESTDIR}${sysconfigdir}/auditd
+@@ -69,6 +72,7 @@ endif
+ 
+ uninstall-hook:
+ 	rm ${DESTDIR}${sysconfdir}/${libconfig}
++	rm ${DESTDIR}$(prefix)/lib/tmpfiles.d/audit.conf
+ if ENABLE_SYSTEMD
+ 	rm ${DESTDIR}${initdir}/auditd.service
+ 	rm ${DESTDIR}${legacydir}/rotate
+diff --git a/init.d/audit-tmpfiles.conf b/init.d/audit-tmpfiles.conf
+new file mode 100644
+index 000000000..5512a535a
+--- /dev/null
++++ b/init.d/audit-tmpfiles.conf
+@@ -0,0 +1 @@
++d /var/log/audit 0700 root root - -

remote-logging-ordering-cycle.patch

@@ -0,0 +1,14 @@
+diff --git a/init.d/auditd.service b/init.d/auditd.service
+index dd7ec694b..d5139ae92 100644
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -6,6 +6,9 @@ DefaultDependencies=no
+ ## uncomment the second so that network-online.target is part of After.
+ ## then comment the first Before and uncomment the second Before to remove
+ ## sysinit.target from "Before".
++## If using remote logging, ensure that the systemd-update-utmp.service file
++## is updated to remove the After=auditd.service directive to prevent a
++## boot-time ordering cycle.
+ After=local-fs.target systemd-tmpfiles-setup.service
+ ##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
+ Before=sysinit.target shutdown.target

sources

@@ -0,0 +1 @@
+SHA512 (audit-3.1.5.tar.gz) = 2bb6dd30108d2c4cc498011f50cbeea0112b9877a78158907cf8005b6dc253c8c2c98bfea7ed3fe6f6a5baf274cd8a9ace4108a58b0c9529b03191bd84b7e73d