.audit.metadata

@@ -0,0 +1 @@
+45cffb1ded9a57a79b33547f58228131d3eb14a6 SOURCES/audit-3.1.2.tar.gz

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,174 +1 @@
-audit-0.5.tar.gz
+SOURCES/audit-3.1.2.tar.gz
-audit-0.6.2.tar.gz
-audit-0.5.5.tar.gz
-audit-0.6.3.tar.gz
-audit-0.6.4.tar.gz
-audit-0.6.5.tar.gz
-audit-0.6.6.tar.gz
-audit-0.6.7.tar.gz
-audit-0.6.8.tar.gz
-audit-0.6.9.tar.gz
-audit-0.6.10.tar.gz
-audit-0.6.11.tar.gz
-audit-0.6.12.tar.gz
-audit-0.7.tar.gz
-audit-0.7.1.tar.gz
-audit-0.7.2.tar.gz
-audit-0.7.3.tar.gz
-audit-0.7.4.tar.gz
-audit-0.8.1.tar.gz
-audit-0.8.2.tar.gz
-audit-0.9.2.tar.gz
-audit-0.9.3.tar.gz
-audit-0.9.4.tar.gz
-audit-0.9.5.tar.gz
-audit-0.9.6.tar.gz
-audit-0.9.7.tar.gz
-audit-0.9.8.tar.gz
-audit-0.9.9.tar.gz
-audit-0.9.10.tar.gz
-audit-0.9.11.tar.gz
-audit-0.9.12.tar.gz
-audit-0.9.13.tar.gz
-audit-0.9.14.tar.gz
-audit-0.9.15.tar.gz
-audit-0.9.16.tar.gz
-audit-0.9.17.tar.gz
-audit-0.9.18.tar.gz
-audit-0.9.19.tar.gz
-audit-0.9.20.tar.gz
-audit-1.0.tar.gz
-audit-1.0.1.tar.gz
-audit-1.0.2.tar.gz
-audit-1.0.3.tar.gz
-audit-1.0.4.tar.gz
-audit-1.0.5.tar.gz
-audit-1.0.6.tar.gz
-audit-1.0.7.tar.gz
-audit-1.0.8.tar.gz
-audit-1.0.9.tar.gz
-audit-1.0.10.tar.gz
-audit-1.0.12.tar.gz
-audit-1.1.tar.gz
-audit-1.1.1.tar.gz
-audit-1.1.2.tar.gz
-audit-1.1.3.tar.gz
-audit-1.1.4.tar.gz
-audit-1.1.5.tar.gz
-audit-1.1.6.tar.gz
-audit-1.2.tar.gz
-audit-1.2.1.tar.gz
-audit-1.2.2.tar.gz
-audit-1.2.3.tar.gz
-audit-1.2.4.tar.gz
-audit-1.2.5.tar.gz
-audit-1.2.6.tar.gz
-audit-1.2.7.tar.gz
-audit-1.2.8.tar.gz
-audit-1.2.9.tar.gz
-audit-1.3.tar.gz
-audit-1.3.1.tar.gz
-audit-1.4.tar.gz
-audit-1.4.1.tar.gz
-audit-1.4.2.tar.gz
-audit-1.5.tar.gz
-audit-1.5.1.tar.gz
-audit-1.5.2.tar.gz
-audit-1.5.3.tar.gz
-audit-1.5.5.tar.gz
-audit-1.5.6.tar.gz
-audit-1.6.tar.gz
-audit-1.6.1.tar.gz
-audit-1.6.2.tar.gz
-audit-1.6.4.tar.gz
-audit-1.6.5.tar.gz
-audit-1.6.6.tar.gz
-audit-1.6.7.tar.gz
-audit-1.6.8.tar.gz
-audit-1.6.9.tar.gz
-audit-1.7.tar.gz
-audit-1.7.1.tar.gz
-audit-1.7.3.tar.gz
-audit-1.7.4.tar.gz
-audit-1.7.5.tar.gz
-audit-1.7.6.tar.gz
-audit-1.7.7.tar.gz
-audit-1.7.8.tar.gz
-audit-1.7.9.tar.gz
-audit-1.7.10.tar.gz
-audit-1.7.11.tar.gz
-audit-1.7.12.tar.gz
-audit-1.7.13.tar.gz
-audit-2.0.tar.gz
-audit-1.8.tar.gz
-audit-2.0.1.tar.gz
-audit-2.0.3.tar.gz
-audit-2.0.4.tar.gz
-/audit-2.0.5.tar.gz
-/audit-2.0.6.tar.gz
-/audit-2.1.tar.gz
-/audit-2.1.1.tar.gz
-/audit-2.1.2.tar.gz
-/audit-2.1.3.tar.gz
-/audit-2.2.tar.gz
-/audit-2.2.1.tar.gz
-/audit-2.2.2.tar.gz
-/audit-2.3.tar.gz
-/audit-2.3.1.tar.gz
-/audit-2.3.2.tar.gz
-/audit-2.3.3.tar.gz
-/audit-2.3.4.tar.gz
-/audit-2.3.5.tar.gz
-/audit-2.3.6.tar.gz
-/audit-2.3.7.tar.gz
-/audit-2.3.8svn20140801.tar.gz
-/audit-2.3.8.svn20140801.tar.gz
-/audit-2.3.8.svn20140802.tar.gz
-/audit-2.3.8.svn20140803.tar.gz
-/audit-2.4.tar.gz
-/audit-2.4.1.tar.gz
-/audit-2.4.2.tar.gz
-/audit-2.4.3.tar.gz
-/audit-2.4.4.tar.gz
-/audit-2.4.5.tar.gz
-/audit-2.5.tar.gz
-/audit-2.5.1.tar.gz
-/audit-2.5.2.tar.gz
-/audit-2.6.tar.gz
-/audit-2.6.1.tar.gz
-/audit-2.6.2.tar.gz
-/audit-2.6.3.tar.gz
-/audit-2.6.4.tar.gz
-/audit-2.6.5.tar.gz
-/audit-2.6.6.tar.gz
-/audit-2.6.7.tar.gz
-/audit-2.7.tar.gz
-/audit-2.7.1.tar.gz
-/audit-2.7.2.tar.gz
-/audit-2.7.3.tar.gz
-/audit-2.7.4.tar.gz
-/audit-2.7.5.tar.gz
-/audit-2.7.6.tar.gz
-/audit-2.7.7.tar.gz
-/audit-2.7.8.tar.gz
-/audit-2.8.tar.gz
-/audit-2.8.1.tar.gz
-/audit-2.8.2.tar.gz
-/audit-2.8.3.tar.gz
-/audit-2.8.4.tar.gz
-/audit-3.0-alpha.tar.gz
-/audit-3.0-alpha2.tar.gz
-/audit-3.0-alpha3.tar.gz
-/audit-3.0-alpha5.tar.gz
-/audit-3.0-alpha6.tar.gz
-/audit-3.0-alpha7.tar.gz
-/audit-3.0-alpha8.tar.gz
-/audit-3.0-alpha9.tar.gz
-/audit-3.0.tar.gz
-/audit-3.0.1.tar.gz
-/audit-3.0.2.tar.gz
-/audit-3.0.5.tar.gz
-/audit-3.0.7.tar.gz
-/audit-3.1.2.tar.gz
-/audit-3.1.4.tar.gz
-/audit-3.1.5.tar.gz

0001-Add-ausysrulevalidate.patch

@@ -1,217 +0,0 @@
-From 4011007b445e8f8da9b0cc45eccd793b94f6b5ce Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Thu, 29 Jul 2021 19:25:43 -0300
-Subject: [PATCH] Add ausysrulevalidate
-
----
- contrib/ausysrulevalidate | 198 ++++++++++++++++++++++++++++++++++++++
- 1 file changed, 198 insertions(+)
- create mode 100755 contrib/ausysrulevalidate
-
-diff --git a/contrib/ausysrulevalidate b/contrib/ausysrulevalidate
-new file mode 100755
-index 0000000..a251b2c
---- /dev/null
-+++ b/contrib/ausysrulevalidate
-@@ -0,0 +1,198 @@
-+#!/usr/bin/env python3
-+# -*- coding: utf-8 -*-
-+
-+# ausysrulevalidate - A program that lets you validate the syscalls
-+# in audit rules.
-+# Copyright (c) 2021 Red Hat Inc., Durham, North Carolina.
-+# All Rights Reserved.
-+#
-+# This software may be freely redistributed and/or modified under the
-+# terms of the GNU General Public License as published by the Free
-+# Software Foundation; either version 2, or (at your option) any
-+# later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; see the file COPYING. If not, write to the
-+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+# Boston, MA 02110-1335, USA.
-+#
-+# Authors:
-+#   Sergio Correia <scorreia@redhat.com>
-+
-+""" This program lets you validate syscalls in audit rules. """
-+
-+import argparse
-+import os.path
-+import sys
-+
-+import audit
-+
-+
-+class AuSyscallRuleValidate:
-+    """AuSyscallRuleValidate validates syscalls in audit rules."""
-+
-+    def __init__(self):
-+        self.syscalls_table = {}
-+        self.invalid_syscalls = {}
-+        self.machines = {
-+            "b32": audit.audit_determine_machine("b32"),
-+            "b64": audit.audit_determine_machine("b64"),
-+        }
-+
-+        if self.machines["b32"] == -1 or self.machines["b64"] == -1:
-+            sys.stderr.write("ERROR: Unable to determine machine type\n")
-+            sys.exit(1)
-+
-+    def validate_syscall(self, arch, syscall):
-+        """Validates a single syscall."""
-+
-+        if syscall == "all":
-+            return True
-+
-+        lookup = "{0}:{1}".format(arch, syscall)
-+        if lookup in self.syscalls_table:
-+            return self.syscalls_table[lookup]
-+
-+        ret = audit.audit_name_to_syscall(syscall, self.machines[arch])
-+        self.syscalls_table[lookup] = ret != -1
-+        if not self.syscalls_table[lookup]:
-+            self.invalid_syscalls[lookup] = lookup
-+
-+        return self.syscalls_table[lookup]
-+
-+    def process_syscalls(self, arch, syscalls):
-+        """Processes a group of syscalls, validating them individually."""
-+
-+        scalls = syscalls.split(",")
-+        processed = []
-+        for syscall in scalls:
-+            if self.validate_syscall(arch, syscall):
-+                processed.append(syscall)
-+        return ",".join(processed)
-+
-+    def parse_line(self, line):
-+        """Processes a single line from the audit rules file, and returns the
-+        same line adjusted, if required, by removing invalid syscalls, or even
-+        removing the rule altogether, if no valid syscall remain after
-+        validation."""
-+
-+        if line.lstrip().startswith("#") or "-S" not in line:
-+            return line
-+
-+        # We do have a rule specifying syscalls, so let's validate them.
-+        tokens = line.split()
-+        processed = []
-+        is_syscall = False
-+        arch = None
-+
-+        for val in tokens:
-+            if not is_syscall:
-+                processed.append(val)
-+
-+            if val.startswith("arch="):
-+                archs = val.split("=")
-+                if len(archs) == 2:
-+                    arch = val.split("=")[1]
-+                    if arch not in self.machines:
-+                        sys.stderr.write("ERROR: unexpected arch '{0}'\n".format(arch))
-+                        continue
-+
-+            if val == "-S":
-+                is_syscall = True
-+                continue
-+
-+            if is_syscall:
-+                is_syscall = False
-+                scalls = self.process_syscalls(arch, val)
-+
-+                if len(scalls) == 0:
-+                    processed = processed[:-1]
-+                    continue
-+                processed.append(scalls)
-+
-+        if "-S" not in processed:
-+            # Removing rule altogether, as we have no valid syscalls remaining.
-+            return None
-+        return " ".join(processed)
-+
-+    def process_rules(self, rules_file):
-+        """Reads a file with audit rules and returns the rules after
-+        validation of syscalls/architecture. Invalid syscalls will be removed
-+        and, if there are no valid remaining syscalls, the rule itself is
-+        removed."""
-+
-+        if not os.path.isfile(rules_file):
-+            sys.stderr.write("ERROR: rules file '{0}' not found\n".format(rules_file))
-+            sys.exit(1)
-+
-+        with open(rules_file) as rules:
-+            content = rules.readlines()
-+
-+        processed = []
-+        changed = False
-+        for line in content:
-+            validated = self.parse_line(line)
-+            if validated is None:
-+                changed = True
-+                continue
-+
-+            if validated.rstrip("\r\n") != line.rstrip("\r\n"):
-+                changed = True
-+            processed.append(validated.rstrip("\r\n"))
-+
-+        invalid_syscalls = []
-+        for invalid in self.invalid_syscalls:
-+            invalid_syscalls.append(invalid)
-+
-+        return (processed, changed, invalid_syscalls)
-+
-+    def update_rules(self, rules_file):
-+        """Reads a file with audit rules and updates it after validation of
-+        syscalls/architecture. Invalid syscalls will be removed and, if
-+        there are no valid remaining syscalls, the rule itself is removed."""
-+
-+        new_rules, changed, invalid_syscalls = self.process_rules(rules_file)
-+        if changed:
-+            with open(rules_file, "w") as rules:
-+                for line in new_rules:
-+                    rules.write("{0}\n".format(line))
-+
-+        return (new_rules, changed, invalid_syscalls)
-+
-+
-+if __name__ == "__main__":
-+    parser = argparse.ArgumentParser(description="ausysrulevalidate")
-+    parser.add_argument(
-+        "-u", "--update", help="Update rules file if required", action="store_true"
-+    )
-+    parser.add_argument(
-+        "-v", "--verbose", help="Show the resulting rules file", action="store_true"
-+    )
-+    required_named = parser.add_argument_group("required named arguments")
-+    required_named.add_argument(
-+        "-r", "--rules-file", help="Rules file name", required=True
-+    )
-+    args = parser.parse_args()
-+
-+    validator = AuSyscallRuleValidate()
-+
-+    action = validator.process_rules
-+    if args.update:
-+        action = validator.update_rules
-+
-+    data, changed, invalid = action(args.rules_file)
-+    if changed:
-+        verb = "require"
-+        if args.update:
-+            verb += "d"
-+        sys.stderr.write("Rules in '{0}' {1} changes\n".format(args.rules_file, verb))
-+        if len(invalid) > 0:
-+            sys.stderr.write("Invalid syscalls: {0}\n".format(", ".join(invalid)))
-+
-+    if args.verbose:
-+        print(*data, sep="\n")
--- 
-2.31.1
-

SPECS/audit.spec

@@ -1,37 +1,25 @@
+%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Summary: User space tools for kernel auditing
 Name: audit
-Version: 3.1.5
+Version: 3.1.2
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
 
-Patch1: 0001-Add-ausysrulevalidate.patch
+BuildRequires: gcc swig make
-Patch2: audisp-restore.patch
-Patch3: audisp-restore-fix.patch
-Patch4: readonly.patch
-Patch5: disable-protectkernmelmodules.patch
-Patch6: remote-logging-ordering-cycle.patch
-Patch7: permtab-filter-unsupport.patch
-
-BuildRequires: make gcc swig
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel libcap-ng-devel
 BuildRequires: kernel-headers >= 2.6.29
 BuildRequires: systemd
-BuildRequires: autoconf automake libtool
+#BuildRequires: autoconf automake libtool
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires(post): systemd coreutils
-Requires(preun): systemd
+Requires(preun): systemd initscripts
-Requires(postun): systemd coreutils
+Requires(postun): systemd coreutils initscripts
-Recommends: initscripts-service
-
-# Placing this here under the assumption that anything using the
-# python libraries expects the system to have an audit daemon
-Obsoletes: python2-audit < %{version}-%{release}
 
 %description
 The audit package contains the user space utilities for
@@ -60,7 +48,6 @@ developing applications that need to use the audit framework libraries.
 Summary: Python3 bindings for libaudit
 License: LGPLv2+
 BuildRequires: python3-devel
-BuildRequires: make
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Provides: audit-libs-python3 = %{version}-%{release}
 Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
@@ -97,25 +84,14 @@ Management Facility) database, through an IBM Tivoli Directory Server
 %prep
 %setup -q
 cp %{SOURCE1} .
-%patch -P 1 -p1
+#autoreconf -fv --install
-%patch -P 2 -p1
-%patch -P 3 -p1
-%patch -P 4 -p1
-%patch -P 5 -p1
-%patch -P 6 -p1
-%patch -P 7 -p1
-
-autoreconf -fv --install
-
-# Remove the ids code, its not ready
-sed -i 's/ ids / /' audisp/plugins/Makefile.in
 
 %build
 %configure --with-python=no \
 	   --with-python3=yes \
 	   --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
-	   --with-libcap-ng=yes --enable-zos-remote --without-golang \
+	   --with-libcap-ng=yes --without-golang --enable-zos-remote \
-	   --enable-systemd --enable-experimental --with-io_uring
+	   --enable-systemd
 
 make CFLAGS="%{optflags}" %{?_smp_mflags}
 
@@ -126,23 +102,14 @@ mkdir -p $RPM_BUILD_ROOT/%{_lib}
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
 mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
 mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
-mkdir -p $RPM_BUILD_ROOT/%{_datadir}
 make DESTDIR=$RPM_BUILD_ROOT install
 
-# Validate sample rules shipped.
-for r in $RPM_BUILD_ROOT/%{_datadir}/%{name}/sample-rules/*.rules; do
-    PYTHONPATH=$RPM_BUILD_ROOT/%{python3_sitearch} \
-    LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} \
-        %{_builddir}/%{name}-%{version}/contrib/ausysrulevalidate \
-        --update --rules-file "${r}"
-done
-
 # Remove these items so they don't get picked up.
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
 
 find $RPM_BUILD_ROOT -name '*.la' -delete
-find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete
+find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete || true
 
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
 touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
@@ -154,8 +121,6 @@ make check
 rm -f rules/Makefile*
 
 %post
-%systemd_post auditd.service
-
 # Copy default rules into place on new installation
 files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
 if [ "$files" -eq 0 ] ; then
@@ -166,27 +131,17 @@ if [ "$files" -eq 0 ] ; then
   fi
   chmod 0600 /etc/audit/rules.d/audit.rules
 fi
-
+%systemd_post auditd.service
-# If upgrading, restart the daemon if it's running
-if [ $1 -eq 2 ]; then
-	state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
-
-	if [ $state = "active" ] ; then
-		auditctl --signal stop || true
-		systemctl start auditd
-	fi
-# if installing, start it since preset says we should be running
-elif [ $1 -eq 1 ]; then
-	systemctl start auditd
-fi
 
 %preun
 %systemd_preun auditd.service
-# if uninstalling stop the daemon
 if [ $1 -eq 0 ]; then
-	auditctl --signal stop || true
+    /sbin/service auditd stop > /dev/null 2>&1
-	# also delete loaded rules if uninstalling
+fi
-	auditctl -D || true
+
+%postun
+if [ $1 -ge 1 ]; then
+    /sbin/service auditd condrestart > /dev/null 2>&1 || :
 fi
 
 %files libs
@@ -241,7 +196,6 @@ fi
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
-%attr(640,root,root) %{_tmpfilesdir}/audit.conf
 %attr(755,root,root) %{_bindir}/auvirt
 %attr(644,root,root) %{_unitdir}/auditd.service
 %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
@@ -252,6 +206,7 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
+%attr(750,root,root) %{_libexecdir}/audit-functions
 %ghost %{_localstatedir}/run/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit
@@ -261,24 +216,21 @@ fi
 %ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
 %ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
 %config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
+%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
 
 %files -n audispd-plugins
 %config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
-%config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf
-%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(750,root,root) %{_sbindir}/audisp-af_unix
-%attr(750,root,root) %{_sbindir}/audisp-statsd
 %attr(700,root,root) %dir %{_var}/spool/audit
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
-%attr(644,root,root) %{_mandir}/man8/audisp-statsd.8.gz
 
 %files -n audispd-plugins-zos
 %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
@@ -288,217 +240,100 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
 
 %changelog
-* Wed Jan 08 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-2
+* Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
-- Disable ProtectKernelModules=true in service file
+- Rebase audit to latest upstream release
-  Resolves: RHEL-59570
+  Resolves: RHEL-15001
-- af_unix plugin: restore original behavior in binary mode
-  Resolves: RHEL-59585
-- Support image mode
-  Resolves: RHEL-69033
-- Resolve ordering cycle when using remote logging
-  Resolves: RHEL-11252
-- Filter syscalls to ensure architecture-specific availability
-  Resolves: RHEL-70455
 
-* Tue Jul 09 2024 Attila Lakatos <alakatos@redhat.com> - 3.1.5-1
+* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-5
-- New upstream maintenance release, 3.1.4
-- Prevent scriplets from failing
-- When upgrading, restart the daemon if it's running
-- If uninstalling, stop the daemon
-- auditctl: use pidfd_send_signal for signaling auditd
-  Resolves: RHEL-45865
-- Minor doc update
-  Resolves: RHEL-5186
-- augenrules: do not exit with failure if in immutable mode
-  Resolves: RHEL-40110
-- auditd.service: Disable ProtectControlGroups
-  Resolves: RHEL-5197
-- auditctl: correct output when displaying rules with exe/path/dir
-  Resolves: RHEL-40243
-
-* Wed Nov 08 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-2
-- Remove %systemd_preun from %preun scriptlet, as it was causing troubles when removing audit
-  Related: RHEL-14896
-
-* Fri Oct 27 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
-- New upstream release, 3.1.2
-  Resolves: RHEL-14896
-
-* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-104
 - Introduce new fanotify record fields
-  Resolves: rhbz#2216666
+  Resolves: rhbz#2216668
+- invalid use of flexible array member
+  Resolves: rhbz#2116867
 
-* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-103
+* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-4
 - Drop ProtectHome from auditd.service as it interferes with rules
-  Resolves: rhbz#2071725 - Default systemd service config blocks audit watch rules in some directories [rhel-9.1.0]
+  Resolves: rhbz#2071727 - Default systemd service config blocks audit watch rules in some directories
 
-* Sun Mar 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-102
+* Mon Mar 14 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-3
 - Fix path normalization in auparse
-  Resolves: rhbz#2062824 - auparse missing information when used with --format-text
+  Resolves: rhbz#2062612 - auparse missing information when used with --format-text
 
-* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-101
+* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-2
 - Adjust sample-rules dir permissions
-  Resolves: rhbz#2054432 - /usr/share/audit/sample-rules is no longer readable by non-root users
+  Resolves: rhbz#2054727 - /usr/share/audit/sample-rules is no longer readable by non-root users
 
-* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-100
+* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-1
-- New upstream release, 3.0.7
+- New upstream release - 3.0.7
-  Resolves: rhbz#2019929 - capability=unknown-capability(39) in audit messages
+  Related: rhbz#1939406
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-5
+* Thu Jan 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
-- auparse: refact nvlist cleanup code
+- Rebase audit package on 8.6
-  Resolves: rhbz#2008965
+  Resolves: rhbz#1939406
+  Resolves: rhbz#1906065
+  Resolves: rhbz#1921447
+  Resolves: rhbz#1927884
+  Resolves: rhbz#1921658
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-4
+* Wed Jan 08 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.17.20191104git1c2f876
-- When interpreting, if val is NULL return an empty string
+resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)
-  Resolves: rhbz#2004420
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-3
+* Thu Nov 28 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
-- Update dependency to initscripts-service instead of initscripts
+resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
-  Resolves: rhbz#2000933
 
-* Tue Aug 17 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-2
+* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.15.20191104git1c2f876
-- Fix timestamp parsing
+resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates
-  Related: rhbz#1938680
+resolves: rhbz#1767054 - move audit rules to shared data directory
+resolves: rhbz#1746018 - Breakup 30-ospp-v42.rules into more granular files
+resolves: rhbz#1740798 - auditctl(8) needs clarification for backlog_limit
+resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
 
-* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
+* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
-- New upstream release, 3.0.5
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
-  Related: rhbz#1938680
 
-* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-3
+* Sat Jul 13 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190607gitf58ec40
-- Validates the sample rules we ship
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
-  Resolves: rhbz#1985630
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.2-2
+* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.11.20190607gitf58ec40
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+resolves: rhbz#1643567 - service auditd stop exits prematurely
-  Related: rhbz#1991688
+resolves: rhbz#1693470 - libauparse memory leak
+resolves: rhbz#1694071 - ausearch doesn't record device/inode details checkpointing a single file
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
+resolves: rhbz#1705894 - aureport aborts when using a specific input
+resolves: rhbz#1706045 - RFE: Backport support for new audit record types
+resolves: rhbz#1715852 - RFE: provide a way to filter on network address family
 
-* Tue Jun 22 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-1
+* Wed Jan 09 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20180831git0047a6c
-- New upstream release, 3.0.2.
+resolves: rhbz#1655270] Message "audit: backlog limit exceeded" reported
-  Fix issues detected by static analyzers
+- Fix annobin failure
-  Resolves: rhbz#1938680
 
-* Mon Jun 21 2021 Sergio Correia <scorreia@redhat.com> - 3.0.1-4
+* Fri Dec 07 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.8.20180831git0047a6c
-- Enable default RHEL configuration
+resolves: rhbz#1639745 - build requires go-toolset-7 which is not available
-  This enables syscall auditing by default.
+resolves: rhbz#1643567 - service auditd stop exits prematurely
-  Resolves: rhbz#1924561
+resolves: rhbz#1616428 - Update git snapshot of audit package
+- Remove static libs subpackage
 
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.1-3
+* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20180831git0047a6c
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+resolves: rhbz#1616428 - Update git snapshot of audit package
-
-* Thu Feb 18 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-2
-- Add patch fixing segafult in the audisp-statsd plugin
-
-* Fri Feb 12 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-1
-- New upstream feature and bugfix release
-- Enable building the audisp-statsd plugin
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Dec 16 2020 Steve Grubb <sgrubb@redhat.com> 3.0-1
-- New upstream feature and bugfix release
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.21.20191104git1c2f876
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.20.20191104git1c2f876
-- Rebuilt for Python 3.9
-
-* Thu Mar 12 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.19.20191104git1c2f876
-- Add Obsolete python2-audit (#1783061)
-
-* Wed Jan 29 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.18.20191104git1c2f876
-- Fix multiple definition of `event_node_list' (#1794446)
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.17.20191104git1c2f876
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Nov 22 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
-- Drop python2 subpackage (#1775076)
-
-* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.14.20191104git1c2f876
-- New upstream git snapshot prerelease
-
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.14.20190507gitf58ec40
-- Rebuilt for Python 3.8.0rc1 (#1748018)
-
-* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.13.20190507gitf58ec40
-- Rebuilt for Python 3.8
-
-* Wed Jul 31 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190507gitf58ec40
-- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.11.20190507gitf58ec40
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Jul 05 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20190507gitf58ec40
-- Add initscripts package to the requires (bz #1727058)
-
-* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.9.20190507gitf58ec40
-- New upstream git snapshot prerelease which fixes several problems
-- Fixed 1698130 - removing audit.rpm doesn't stop auditd
-
-* Tue Mar 26 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.7.20190326git03e7489
-- New upstream git snapshot prerelease which fixes a memory leak
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.6.20181218gitbdb72c0
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Tue Dec 18 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20181218gitbdb72c0
-- New upstream git snapshot prerelease
-- Remove historical ldconfig scriptlet (#1644056)
-
-* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.4.20180831git0047a6c
-- New upstream feature prerelease
 
 * Wed Aug 08 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.2.20180808git77fbcf3
-- New upstream feature prerelease
+resolves: rhbz#1567357 New upstream feature prerelease
 
 * Tue Jul 17 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.1.20180717gitacd53d1
 - New upstream feature prerelease
 
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.4-4
+* Tue Jun 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+- Fix segfault on shutdown
-
-* Wed Jul  4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2.8.4-3
-- Remove unused sys V initscripts legacy bits
-
-* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.4-2
-- Rebuilt for Python 3.7
 
 * Tue Jun 19 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-1
 - New upstream bugfix release
 
-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.3-4
+* Wed May 30 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
-- Rebuilt for Python 3.7
-
-* Tue Apr 10 2018 Pete Walter <pwalter@fedoraproject.org> - 2.8.3-3
-- Rename Python 2 and 3 subpackages to python2-audit and python3-audit as per guidelines
-
-* Mon Mar 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-2
-- Fix Obsoletion of audit-libs-python not handled properly (#1559674)
-
-* Sat Mar 10 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
 - New upstream bugfix release
+- Remove Python2 support
 
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.2-4
+* Fri Apr 13 2018 Tom Stellard <tstellar@redhat.com> - 2.7.8-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+- Use go-toolset-7 instead of golang
-
+- Package now must be built with: rhpkg --release rhel-8.0-go-toolset
-* Mon Feb 05 2018 Steve Grubb <sgrubb@redhat.com> 2.8.2-3
-- Add a Provides audit-libs-python (#1537864)
-- Remove tcp_wrappers support?
-
-* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-2
-- Rename things from python to python2
-
-* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-1
-- New upstream bugfix release
-
-* Thu Oct 12 2017 Steve Grubb <sgrubb@redhat.com> 2.8.1-1
-- New upstream bugfix release
-
-* Tue Oct 10 2017 Steve Grubb <sgrubb@redhat.com> 2.8-1
-- New upstream feature release
 
 * Mon Sep 18 2017 Steve Grubb <sgrubb@redhat.com> 2.7.8-1
 - New upstream bugfix release

audisp-restore-fix.patch

@@ -1,38 +0,0 @@
-diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
-index d85f15f8a..578533f52 100644
---- a/audisp/plugins/af_unix/audisp-af_unix.c
-+++ b/audisp/plugins/af_unix/audisp-af_unix.c
-@@ -132,7 +132,7 @@ int setup_socket(int argc, char *argv[])
- 			if (errno) {
- 				syslog(LOG_ERR,
- 					"Error converting %s (%s)",
--					arg[i], strerror(errno));
-+					argv[i], strerror(errno));
- 				mode = 0;
- 			}
- 		} else if (strchr(arg, '/') != NULL) {
-@@ -265,16 +265,15 @@ void read_audit_record(int ifd)
- 					do {
- 						rc = writev(conn, vec, 2);
- 					} while (rc < 0 && errno == EINTR);
--				}
--
--				if (rc < 0 && errno == EPIPE) {
--					close(conn);
--					conn = -1;
--					client = 0;
--					audit_fgets_clear();
--				}
--				if (rc >= 0 && rc != len) {
-+					if (rc < 0 && errno == EPIPE) {
-+						close(conn);
-+						conn = -1;
-+						client = 0;
-+						audit_fgets_clear();
-+					}
-+					//if (rc >= 0 && rc != len) {
- 					// what to do with leftovers?
-+					//}
- 				}
- 			}
- #endif

audisp-restore.patch

@@ -1,256 +0,0 @@
-diff --git a/audisp/plugins/af_unix/Makefile.am b/audisp/plugins/af_unix/Makefile.am
-index 501b35d43..e8faec7df 100644
---- a/audisp/plugins/af_unix/Makefile.am
-+++ b/audisp/plugins/af_unix/Makefile.am
-@@ -25,7 +25,8 @@ CONFIG_CLEAN_FILES = *.rej *.orig
- CONF_FILES = af_unix.conf
- EXTRA_DIST = $(CONF_FILES) $(man_MANS)
- 
--AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common
-+AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common -I${top_srcdir}/audisp
-+LIBS = ${top_builddir}/lib/libaudit.la
- prog_confdir = $(sysconfdir)/audit
- plugin_confdir=$(prog_confdir)/plugins.d
- plugin_conf = af_unix.conf
-diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
-index ffbf2ac07..d85f15f8a 100644
---- a/audisp/plugins/af_unix/audisp-af_unix.c
-+++ b/audisp/plugins/af_unix/audisp-af_unix.c
-@@ -33,6 +33,7 @@
- #include <libgen.h>
- #include <string.h>
- #include <sys/stat.h>
-+#include <sys/uio.h>
- #include <dirent.h>
- #include <sys/un.h>
- #include <fcntl.h>
-@@ -43,16 +44,19 @@
- #endif
- #include "libaudit.h"
- #include "common.h"
-+#include "audispd-pconfig.h"
- 
- #define DEFAULT_PATH "/var/run/audispd_events"
-+#define MAX_AUDIT_EVENT_FRAME_SIZE (sizeof(struct audit_dispatcher_header) + MAX_AUDIT_MESSAGE_LENGTH)
- //#define DEBUG
- 
- /* Global Data */
- static volatile int stop = 0, hup = 0;
--char rx_buf[MAX_AUDIT_MESSAGE_LENGTH];
-+char rx_buf[MAX_AUDIT_EVENT_FRAME_SIZE+1];
- int sock = -1, conn = -1, client = 0;
- struct pollfd pfd[3];
- unsigned mode = 0;
-+format_t format = -1;
- char *path = NULL;
- 
- /*
-@@ -119,77 +123,150 @@ int create_af_unix_socket(const char *spath, int mode)
- 
- int setup_socket(int argc, char *argv[])
- {
--	if (argc != 3) {
--		syslog(LOG_ERR, "Missing arguments, using defaults");
--		mode = 0640;
--		path = DEFAULT_PATH;
--	} else {
--		int i;
--		for (i=1; i < 3; i++) {
--			if (isdigit((unsigned char)argv[i][0])) {
--				errno = 0;
--				mode = strtoul(argv[i], NULL, 8);
--				if (errno) {
--					syslog(LOG_ERR,
--					       "Error converting %s (%s)",
--					       argv[i], strerror(errno));
--					mode = 0;
--				}
--			} else {
--				char *base;
--				path = argv[i];
--				// Make sure there are directories
--				base = strchr(path, '/');
--				if (base) {
--					DIR *d;
--					char *dir = strdup(path);
--					base = dirname(dir);
--					d = opendir(base);
--					if (d) {
--						closedir(d);
--						unlink(path);
--						free(dir);
--					} else {
--						syslog(LOG_ERR,
--						       "Couldn't open %s (%s)",
--						       base, strerror(errno));
--						free(dir);
--						exit(1);
--					}
--
-+	for (int i = 1; i < argc; i++) {
-+		char *arg = argv[i];
-+		if (isdigit((unsigned char)arg[0])) {
-+			// parse mode
-+			errno = 0;
-+			mode = strtoul(arg, NULL, 8);
-+			if (errno) {
-+				syslog(LOG_ERR,
-+					"Error converting %s (%s)",
-+					arg[i], strerror(errno));
-+				mode = 0;
-+			}
-+		} else if (strchr(arg, '/') != NULL) {
-+			// parse path
-+			char* base;
-+			path = arg;
-+			// Make sure there are directories
-+			base = strchr(path, '/');
-+			if (base) {
-+				DIR* d;
-+				char* dir = strdup(path);
-+				base = dirname(dir);
-+				d = opendir(base);
-+				if (d) {
-+					closedir(d);
-+					unlink(path);
-+					free(dir);
- 				} else {
--					syslog(LOG_ERR, "Malformed path %s",
--					       path);
-+					syslog(LOG_ERR,
-+						"Couldn't open %s (%s)",
-+						base, strerror(errno));
-+					free(dir);
- 					exit(1);
- 				}
-+
-+			} else {
-+				syslog(LOG_ERR, "Malformed path %s",
-+					path);
-+				exit(1);
- 			}
--		}
--		if (mode == 0 || path == NULL) {
--			syslog(LOG_ERR, "Bad arguments, using defaults");
--			mode = 0640;
--			path = DEFAULT_PATH;
-+		} else {
-+			if (strcmp(arg, "string") == 0)
-+				format = F_STRING;
-+			else if (strcmp(arg, "binary") == 0)
-+				format = F_BINARY;
-+			else
-+				syslog(LOG_ERR, "Invalid format detected");
- 		}
- 	}
-+
-+	if (mode == 0 || path == NULL || format == -1) {
-+		syslog(LOG_ERR, "Bad or not enough arguments, using defaults");
-+		mode = 0640;
-+		path = DEFAULT_PATH;
-+		format = F_STRING;
-+	}
-+
- 	return create_af_unix_socket(path, mode);
- }
- 
-+static int event_to_string(struct audit_dispatcher_header *hdr, char *data, char **out, int *outlen)
-+{
-+	char *v = NULL, *ptr, unknown[32];
-+	int len;
-+
-+	if (hdr->ver == AUDISP_PROTOCOL_VER) {
-+		const char *type;
-+
-+		/* Get the event formatted */
-+		type = audit_msg_type_to_name(hdr->type);
-+		if (type == NULL) {
-+			snprintf(unknown, sizeof(unknown),
-+				"UNKNOWN[%u]", hdr->type);
-+			type = unknown;
-+		}
-+		len = asprintf(&v, "type=%s msg=%.*s\n",
-+				type, hdr->size, data);
-+	// Protocol 2 events are already formatted
-+	} else if (hdr->ver == AUDISP_PROTOCOL_VER2) {
-+		len = asprintf(&v, "%.*s\n", hdr->size, data);
-+	} else
-+		len = 0;
-+	if (len <= 0) {
-+		*out = NULL;
-+		*outlen = 0;
-+		return -1;
-+	}
-+
-+	/* Strip newlines from event record */
-+	ptr = v;
-+	while ((ptr = strchr(ptr, 0x0A)) != NULL) {
-+		if (ptr != &v[len-1])
-+			*ptr = ' ';
-+		else
-+			break; /* Done - exit loop */
-+	}
-+
-+	*out = v;
-+	*outlen = len;
-+	return 1;
-+}
-+
- void read_audit_record(int ifd)
- {
- 	do {
- 		int len;
- 
- 		// Read stdin
--		if ((len = audit_fgets(rx_buf, sizeof(rx_buf), ifd)) > 0) {
-+		if ((len = audit_fgets(rx_buf, MAX_AUDIT_EVENT_FRAME_SIZE + 1, ifd)) > 0) {
- #ifdef DEBUG
- 			write(1, rx_buf, len);
- #else
-+			struct audit_dispatcher_header *hdr = (struct audit_dispatcher_header *)rx_buf;
-+			char *data = rx_buf + sizeof(struct audit_dispatcher_header);
- 			if (client) {
- 				// Send it to the client
- 				int rc;
- 
--				do {
--					rc = write(conn, rx_buf, len);
--				} while (rc < 0 && errno == EINTR);
-+				if (format == F_STRING) {
-+					
-+					char *str = NULL;
-+					int str_len = 0;
-+					if (event_to_string(hdr, data, &str, &str_len) < 0) {
-+						// what to do with error?
-+						continue;
-+					}
-+
-+					do {
-+						rc = write(conn, str, str_len);
-+					} while (rc < 0 && errno == EINTR);
-+				} else if (format == F_BINARY) {
-+					struct iovec vec[2];
-+
-+					vec[0].iov_base = hdr;
-+					vec[0].iov_len = sizeof(struct audit_dispatcher_header);
-+
-+					vec[1].iov_base = data;
-+					vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH;
-+
-+					do {
-+						rc = writev(conn, vec, 2);
-+					} while (rc < 0 && errno == EINTR);
-+				}
-+
- 				if (rc < 0 && errno == EPIPE) {
- 					close(conn);
- 					conn = -1;
-@@ -203,7 +280,7 @@ void read_audit_record(int ifd)
- #endif
- 		} else if (audit_fgets_eof())
- 			stop = 1;
--	} while (audit_fgets_more(sizeof(rx_buf)));
-+	} while (audit_fgets_more(MAX_AUDIT_EVENT_FRAME_SIZE));
- }
- 
- void accept_connection(void)

ci_tests.fmf

@@ -1,12 +0,0 @@
-/e2e_internal:
-  plan:
-    import:
-      url: https://github.com/RedHat-SP-Security/audit-plans.git
-      name: /generic/e2e_ci_internal
-
-/rpmverify:
-  plan:
-    import:
-      url: https://github.com/RedHat-SP-Security/audit-plans.git
-      name: /generic/rpmverify
-

disable-protectkernmelmodules.patch

@@ -1,14 +0,0 @@
-diff --git a/init.d/auditd.service b/init.d/auditd.service
-index 8210c60eb..dd7ec694b 100644
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -38,7 +38,8 @@ MemoryDenyWriteExecute=true
- LockPersonality=true
- # The following control prevents rules on /proc so its off by default
- #ProtectControlGroups=true
--ProtectKernelModules=true
-+## The following control prevents rules on /usr/lib/modules/ its off by default
-+#ProtectKernelModules=true
- RestrictRealtime=true
- 
- [Install]

gating.yaml

@@ -1,7 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

permtab-filter-unsupport.patch

@@ -1,102 +0,0 @@
-diff --git a/lib/libaudit.c b/lib/libaudit.c
-index 7a8c6d4b1..de34812f0 100644
---- a/lib/libaudit.c
-+++ b/lib/libaudit.c
-@@ -100,6 +100,7 @@ static struct libaudit_conf config;
- static int audit_failure_parser(const char *val, int line);
- static int audit_name_to_uid(const char *name, uid_t *auid);
- static int audit_name_to_gid(const char *name, gid_t *gid);
-+static char* filter_supported_syscalls(const char* syscalls, int machine) __attr_dealloc_free;
- 
- static const struct kw_pair keywords[] =
- {
-@@ -1524,6 +1525,50 @@ int _audit_parse_syscall(const char *optarg, struct audit_rule_data *rule)
- 	return audit_rule_syscallbyname_data(rule, optarg);
- }
- 
-+/*
-+ * Filters unsupported syscalls from a comma-separated string based
-+ * on the given architecture. Returns a new string with supported syscalls
-+ * or NULL on error.
-+ */
-+static char* filter_supported_syscalls(const char* syscalls, int machine)
-+{
-+	if (syscalls == NULL) {
-+		return NULL;
-+	}
-+
-+	// Allocate memory for the filtered syscalls string
-+	char* filtered_syscalls = malloc(strlen(syscalls) + 1);
-+	if (filtered_syscalls == NULL) {
-+		return NULL;
-+	}
-+	filtered_syscalls[0] = '\0'; // Initialize as empty string
-+
-+	// Tokenize the syscalls string and filter unsupported syscalls
-+	const char* delimiter = ",";
-+	char* syscalls_copy = strdup(syscalls);
-+	if (syscalls_copy == NULL) {
-+		free(filtered_syscalls);
-+		return NULL;
-+	}
-+	char* token = strtok(syscalls_copy, delimiter);
-+	while (token != NULL) {
-+		if (audit_name_to_syscall(token, machine) != -1) {
-+			strcat(filtered_syscalls, token);
-+			strcat(filtered_syscalls, delimiter);
-+		}
-+		token = strtok(NULL, delimiter);
-+	}
-+	free(syscalls_copy);
-+
-+	// Remove the trailing delimiter, if present
-+	size_t len = strlen(filtered_syscalls);
-+	if (len > 0 && filtered_syscalls[len - 1] == ',') {
-+		filtered_syscalls[len - 1] = '\0';
-+	}
-+
-+	return filtered_syscalls;
-+}
-+
- static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
- {
- 	// We only get here if syscall notation is being used in the rule.
-@@ -1536,20 +1581,36 @@ static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
- 		return 0;
- 	}
- 
-+	const int machine = audit_elf_to_machine(_audit_elf);
- 	const char *syscalls = audit_perm_to_name(perm);
--	int rc = _audit_parse_syscall(syscalls, rule);
-+	const char *syscalls_to_use;
-+
-+	// The permtab table is hardcoded, but some syscalls, like rename
-+	// on arm64, are unavailable on certain architectures. To ensure compatibility,
-+	// we must avoid creating rules with unsupported syscalls.
-+	char* filtered_syscalls = filter_supported_syscalls(syscalls, machine);
-+	if (filtered_syscalls == NULL) {
-+		// use original syscalls in case we failed to parse - should not happen
-+		syscalls_to_use = syscalls;
-+		audit_msg(LOG_WARNING, "Filtering syscalls failed; using original syscalls.");
-+	} else {
-+		syscalls_to_use = filtered_syscalls;
-+	}
-+
-+	int rc = _audit_parse_syscall(syscalls_to_use, rule);
- 	switch (rc)
- 	{
- 	case 0:
- 		_audit_syscalladded = 1;
- 		break;
- 	case -1: // Should never happen
--		audit_msg(LOG_ERR, "Syscall name unknown: %s", syscalls);
-+		audit_msg(LOG_ERR, "Syscall name unknown: %s", syscalls_to_use);
- 		break;
- 	default: // Error reported - do nothing here
- 		break;
- 	}
- 
-+	free(filtered_syscalls);
- 	return rc;
- }
- 

readonly.patch

@@ -1,48 +0,0 @@
-diff --git a/audit.spec b/audit.spec
-index 39f640e36..313d803f1 100644
---- a/audit.spec
-+++ b/audit.spec
-@@ -215,6 +215,7 @@ fi
- %attr(755,root,root) %{_bindir}/aulast
- %attr(755,root,root) %{_bindir}/aulastlog
- %attr(755,root,root) %{_bindir}/ausyscall
-+%attr(640,root,root) %{_tmpfilesdir}/audit.conf
- %attr(755,root,root) %{_bindir}/auvirt
- %attr(644,root,root) %{_unitdir}/auditd.service
- %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
-diff --git a/init.d/Makefile.am b/init.d/Makefile.am
-index 3a73697a6..63fae2ab4 100644
---- a/init.d/Makefile.am
-+++ b/init.d/Makefile.am
-@@ -23,6 +23,7 @@
- 
- CONFIG_CLEAN_FILES = *.rej *.orig
- EXTRA_DIST = auditd.init auditd.service auditd.sysconfig auditd.conf \
-+	audit-tmpfiles.conf \
- 	auditd.cron libaudit.conf auditd.condrestart \
- 	auditd.reload auditd.restart auditd.resume \
- 	auditd.rotate auditd.state auditd.stop \
-@@ -43,6 +44,8 @@ sbin_SCRIPTS = augenrules
- 
- install-data-hook:
- 	$(INSTALL_DATA) -D -m 640 ${srcdir}/${libconfig} ${DESTDIR}${sysconfdir}
-+	mkdir -p ${DESTDIR}$(prefix)/lib/tmpfiles.d/
-+	$(INSTALL_DATA) -m 640 ${srcdir}/audit-tmpfiles.conf ${DESTDIR}$(prefix)/lib/tmpfiles.d/audit.conf
- if ENABLE_SYSTEMD
- else
- 	$(INSTALL_DATA) -D -m 640 ${srcdir}/auditd.sysconfig ${DESTDIR}${sysconfigdir}/auditd
-@@ -69,6 +72,7 @@ endif
- 
- uninstall-hook:
- 	rm ${DESTDIR}${sysconfdir}/${libconfig}
-+	rm ${DESTDIR}$(prefix)/lib/tmpfiles.d/audit.conf
- if ENABLE_SYSTEMD
- 	rm ${DESTDIR}${initdir}/auditd.service
- 	rm ${DESTDIR}${legacydir}/rotate
-diff --git a/init.d/audit-tmpfiles.conf b/init.d/audit-tmpfiles.conf
-new file mode 100644
-index 000000000..5512a535a
---- /dev/null
-+++ b/init.d/audit-tmpfiles.conf
-@@ -0,0 +1 @@
-+d /var/log/audit 0700 root root - -

remote-logging-ordering-cycle.patch

@@ -1,14 +0,0 @@
-diff --git a/init.d/auditd.service b/init.d/auditd.service
-index dd7ec694b..d5139ae92 100644
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -6,6 +6,9 @@ DefaultDependencies=no
- ## uncomment the second so that network-online.target is part of After.
- ## then comment the first Before and uncomment the second Before to remove
- ## sysinit.target from "Before".
-+## If using remote logging, ensure that the systemd-update-utmp.service file
-+## is updated to remove the After=auditd.service directive to prevent a
-+## boot-time ordering cycle.
- After=local-fs.target systemd-tmpfiles-setup.service
- ##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
- Before=sysinit.target shutdown.target

sources

@@ -1 +0,0 @@
-SHA512 (audit-3.1.5.tar.gz) = 2bb6dd30108d2c4cc498011f50cbeea0112b9877a78158907cf8005b6dc253c8c2c98bfea7ed3fe6f6a5baf274cd8a9ace4108a58b0c9529b03191bd84b7e73d