.audit.metadata

@@ -0,0 +1 @@
+45cffb1ded9a57a79b33547f58228131d3eb14a6 SOURCES/audit-3.1.2.tar.gz

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,174 +1 @@
-audit-0.5.tar.gz
+SOURCES/audit-3.1.2.tar.gz
-audit-0.6.2.tar.gz
-audit-0.5.5.tar.gz
-audit-0.6.3.tar.gz
-audit-0.6.4.tar.gz
-audit-0.6.5.tar.gz
-audit-0.6.6.tar.gz
-audit-0.6.7.tar.gz
-audit-0.6.8.tar.gz
-audit-0.6.9.tar.gz
-audit-0.6.10.tar.gz
-audit-0.6.11.tar.gz
-audit-0.6.12.tar.gz
-audit-0.7.tar.gz
-audit-0.7.1.tar.gz
-audit-0.7.2.tar.gz
-audit-0.7.3.tar.gz
-audit-0.7.4.tar.gz
-audit-0.8.1.tar.gz
-audit-0.8.2.tar.gz
-audit-0.9.2.tar.gz
-audit-0.9.3.tar.gz
-audit-0.9.4.tar.gz
-audit-0.9.5.tar.gz
-audit-0.9.6.tar.gz
-audit-0.9.7.tar.gz
-audit-0.9.8.tar.gz
-audit-0.9.9.tar.gz
-audit-0.9.10.tar.gz
-audit-0.9.11.tar.gz
-audit-0.9.12.tar.gz
-audit-0.9.13.tar.gz
-audit-0.9.14.tar.gz
-audit-0.9.15.tar.gz
-audit-0.9.16.tar.gz
-audit-0.9.17.tar.gz
-audit-0.9.18.tar.gz
-audit-0.9.19.tar.gz
-audit-0.9.20.tar.gz
-audit-1.0.tar.gz
-audit-1.0.1.tar.gz
-audit-1.0.2.tar.gz
-audit-1.0.3.tar.gz
-audit-1.0.4.tar.gz
-audit-1.0.5.tar.gz
-audit-1.0.6.tar.gz
-audit-1.0.7.tar.gz
-audit-1.0.8.tar.gz
-audit-1.0.9.tar.gz
-audit-1.0.10.tar.gz
-audit-1.0.12.tar.gz
-audit-1.1.tar.gz
-audit-1.1.1.tar.gz
-audit-1.1.2.tar.gz
-audit-1.1.3.tar.gz
-audit-1.1.4.tar.gz
-audit-1.1.5.tar.gz
-audit-1.1.6.tar.gz
-audit-1.2.tar.gz
-audit-1.2.1.tar.gz
-audit-1.2.2.tar.gz
-audit-1.2.3.tar.gz
-audit-1.2.4.tar.gz
-audit-1.2.5.tar.gz
-audit-1.2.6.tar.gz
-audit-1.2.7.tar.gz
-audit-1.2.8.tar.gz
-audit-1.2.9.tar.gz
-audit-1.3.tar.gz
-audit-1.3.1.tar.gz
-audit-1.4.tar.gz
-audit-1.4.1.tar.gz
-audit-1.4.2.tar.gz
-audit-1.5.tar.gz
-audit-1.5.1.tar.gz
-audit-1.5.2.tar.gz
-audit-1.5.3.tar.gz
-audit-1.5.5.tar.gz
-audit-1.5.6.tar.gz
-audit-1.6.tar.gz
-audit-1.6.1.tar.gz
-audit-1.6.2.tar.gz
-audit-1.6.4.tar.gz
-audit-1.6.5.tar.gz
-audit-1.6.6.tar.gz
-audit-1.6.7.tar.gz
-audit-1.6.8.tar.gz
-audit-1.6.9.tar.gz
-audit-1.7.tar.gz
-audit-1.7.1.tar.gz
-audit-1.7.3.tar.gz
-audit-1.7.4.tar.gz
-audit-1.7.5.tar.gz
-audit-1.7.6.tar.gz
-audit-1.7.7.tar.gz
-audit-1.7.8.tar.gz
-audit-1.7.9.tar.gz
-audit-1.7.10.tar.gz
-audit-1.7.11.tar.gz
-audit-1.7.12.tar.gz
-audit-1.7.13.tar.gz
-audit-2.0.tar.gz
-audit-1.8.tar.gz
-audit-2.0.1.tar.gz
-audit-2.0.3.tar.gz
-audit-2.0.4.tar.gz
-/audit-2.0.5.tar.gz
-/audit-2.0.6.tar.gz
-/audit-2.1.tar.gz
-/audit-2.1.1.tar.gz
-/audit-2.1.2.tar.gz
-/audit-2.1.3.tar.gz
-/audit-2.2.tar.gz
-/audit-2.2.1.tar.gz
-/audit-2.2.2.tar.gz
-/audit-2.3.tar.gz
-/audit-2.3.1.tar.gz
-/audit-2.3.2.tar.gz
-/audit-2.3.3.tar.gz
-/audit-2.3.4.tar.gz
-/audit-2.3.5.tar.gz
-/audit-2.3.6.tar.gz
-/audit-2.3.7.tar.gz
-/audit-2.3.8svn20140801.tar.gz
-/audit-2.3.8.svn20140801.tar.gz
-/audit-2.3.8.svn20140802.tar.gz
-/audit-2.3.8.svn20140803.tar.gz
-/audit-2.4.tar.gz
-/audit-2.4.1.tar.gz
-/audit-2.4.2.tar.gz
-/audit-2.4.3.tar.gz
-/audit-2.4.4.tar.gz
-/audit-2.4.5.tar.gz
-/audit-2.5.tar.gz
-/audit-2.5.1.tar.gz
-/audit-2.5.2.tar.gz
-/audit-2.6.tar.gz
-/audit-2.6.1.tar.gz
-/audit-2.6.2.tar.gz
-/audit-2.6.3.tar.gz
-/audit-2.6.4.tar.gz
-/audit-2.6.5.tar.gz
-/audit-2.6.6.tar.gz
-/audit-2.6.7.tar.gz
-/audit-2.7.tar.gz
-/audit-2.7.1.tar.gz
-/audit-2.7.2.tar.gz
-/audit-2.7.3.tar.gz
-/audit-2.7.4.tar.gz
-/audit-2.7.5.tar.gz
-/audit-2.7.6.tar.gz
-/audit-2.7.7.tar.gz
-/audit-2.7.8.tar.gz
-/audit-2.8.tar.gz
-/audit-2.8.1.tar.gz
-/audit-2.8.2.tar.gz
-/audit-2.8.3.tar.gz
-/audit-2.8.4.tar.gz
-/audit-3.0-alpha.tar.gz
-/audit-3.0-alpha2.tar.gz
-/audit-3.0-alpha3.tar.gz
-/audit-3.0-alpha5.tar.gz
-/audit-3.0-alpha6.tar.gz
-/audit-3.0-alpha7.tar.gz
-/audit-3.0-alpha8.tar.gz
-/audit-3.0-alpha9.tar.gz
-/audit-3.0.tar.gz
-/audit-3.0.1.tar.gz
-/audit-3.0.2.tar.gz
-/audit-3.0.5.tar.gz
-/audit-3.0.7.tar.gz
-/audit-3.1.2.tar.gz
-/audit-3.1.4.tar.gz
-/audit-3.1.5.tar.gz

0001-Add-ausysrulevalidate.patch

@@ -1,217 +0,0 @@
-From 4011007b445e8f8da9b0cc45eccd793b94f6b5ce Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Thu, 29 Jul 2021 19:25:43 -0300
-Subject: [PATCH] Add ausysrulevalidate
-
----
- contrib/ausysrulevalidate | 198 ++++++++++++++++++++++++++++++++++++++
- 1 file changed, 198 insertions(+)
- create mode 100755 contrib/ausysrulevalidate
-
-diff --git a/contrib/ausysrulevalidate b/contrib/ausysrulevalidate
-new file mode 100755
-index 0000000..a251b2c
---- /dev/null
-+++ b/contrib/ausysrulevalidate
-@@ -0,0 +1,198 @@
-+#!/usr/bin/env python3
-+# -*- coding: utf-8 -*-
-+
-+# ausysrulevalidate - A program that lets you validate the syscalls
-+# in audit rules.
-+# Copyright (c) 2021 Red Hat Inc., Durham, North Carolina.
-+# All Rights Reserved.
-+#
-+# This software may be freely redistributed and/or modified under the
-+# terms of the GNU General Public License as published by the Free
-+# Software Foundation; either version 2, or (at your option) any
-+# later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; see the file COPYING. If not, write to the
-+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+# Boston, MA 02110-1335, USA.
-+#
-+# Authors:
-+#   Sergio Correia <scorreia@redhat.com>
-+
-+""" This program lets you validate syscalls in audit rules. """
-+
-+import argparse
-+import os.path
-+import sys
-+
-+import audit
-+
-+
-+class AuSyscallRuleValidate:
-+    """AuSyscallRuleValidate validates syscalls in audit rules."""
-+
-+    def __init__(self):
-+        self.syscalls_table = {}
-+        self.invalid_syscalls = {}
-+        self.machines = {
-+            "b32": audit.audit_determine_machine("b32"),
-+            "b64": audit.audit_determine_machine("b64"),
-+        }
-+
-+        if self.machines["b32"] == -1 or self.machines["b64"] == -1:
-+            sys.stderr.write("ERROR: Unable to determine machine type\n")
-+            sys.exit(1)
-+
-+    def validate_syscall(self, arch, syscall):
-+        """Validates a single syscall."""
-+
-+        if syscall == "all":
-+            return True
-+
-+        lookup = "{0}:{1}".format(arch, syscall)
-+        if lookup in self.syscalls_table:
-+            return self.syscalls_table[lookup]
-+
-+        ret = audit.audit_name_to_syscall(syscall, self.machines[arch])
-+        self.syscalls_table[lookup] = ret != -1
-+        if not self.syscalls_table[lookup]:
-+            self.invalid_syscalls[lookup] = lookup
-+
-+        return self.syscalls_table[lookup]
-+
-+    def process_syscalls(self, arch, syscalls):
-+        """Processes a group of syscalls, validating them individually."""
-+
-+        scalls = syscalls.split(",")
-+        processed = []
-+        for syscall in scalls:
-+            if self.validate_syscall(arch, syscall):
-+                processed.append(syscall)
-+        return ",".join(processed)
-+
-+    def parse_line(self, line):
-+        """Processes a single line from the audit rules file, and returns the
-+        same line adjusted, if required, by removing invalid syscalls, or even
-+        removing the rule altogether, if no valid syscall remain after
-+        validation."""
-+
-+        if line.lstrip().startswith("#") or "-S" not in line:
-+            return line
-+
-+        # We do have a rule specifying syscalls, so let's validate them.
-+        tokens = line.split()
-+        processed = []
-+        is_syscall = False
-+        arch = None
-+
-+        for val in tokens:
-+            if not is_syscall:
-+                processed.append(val)
-+
-+            if val.startswith("arch="):
-+                archs = val.split("=")
-+                if len(archs) == 2:
-+                    arch = val.split("=")[1]
-+                    if arch not in self.machines:
-+                        sys.stderr.write("ERROR: unexpected arch '{0}'\n".format(arch))
-+                        continue
-+
-+            if val == "-S":
-+                is_syscall = True
-+                continue
-+
-+            if is_syscall:
-+                is_syscall = False
-+                scalls = self.process_syscalls(arch, val)
-+
-+                if len(scalls) == 0:
-+                    processed = processed[:-1]
-+                    continue
-+                processed.append(scalls)
-+
-+        if "-S" not in processed:
-+            # Removing rule altogether, as we have no valid syscalls remaining.
-+            return None
-+        return " ".join(processed)
-+
-+    def process_rules(self, rules_file):
-+        """Reads a file with audit rules and returns the rules after
-+        validation of syscalls/architecture. Invalid syscalls will be removed
-+        and, if there are no valid remaining syscalls, the rule itself is
-+        removed."""
-+
-+        if not os.path.isfile(rules_file):
-+            sys.stderr.write("ERROR: rules file '{0}' not found\n".format(rules_file))
-+            sys.exit(1)
-+
-+        with open(rules_file) as rules:
-+            content = rules.readlines()
-+
-+        processed = []
-+        changed = False
-+        for line in content:
-+            validated = self.parse_line(line)
-+            if validated is None:
-+                changed = True
-+                continue
-+
-+            if validated.rstrip("\r\n") != line.rstrip("\r\n"):
-+                changed = True
-+            processed.append(validated.rstrip("\r\n"))
-+
-+        invalid_syscalls = []
-+        for invalid in self.invalid_syscalls:
-+            invalid_syscalls.append(invalid)
-+
-+        return (processed, changed, invalid_syscalls)
-+
-+    def update_rules(self, rules_file):
-+        """Reads a file with audit rules and updates it after validation of
-+        syscalls/architecture. Invalid syscalls will be removed and, if
-+        there are no valid remaining syscalls, the rule itself is removed."""
-+
-+        new_rules, changed, invalid_syscalls = self.process_rules(rules_file)
-+        if changed:
-+            with open(rules_file, "w") as rules:
-+                for line in new_rules:
-+                    rules.write("{0}\n".format(line))
-+
-+        return (new_rules, changed, invalid_syscalls)
-+
-+
-+if __name__ == "__main__":
-+    parser = argparse.ArgumentParser(description="ausysrulevalidate")
-+    parser.add_argument(
-+        "-u", "--update", help="Update rules file if required", action="store_true"
-+    )
-+    parser.add_argument(
-+        "-v", "--verbose", help="Show the resulting rules file", action="store_true"
-+    )
-+    required_named = parser.add_argument_group("required named arguments")
-+    required_named.add_argument(
-+        "-r", "--rules-file", help="Rules file name", required=True
-+    )
-+    args = parser.parse_args()
-+
-+    validator = AuSyscallRuleValidate()
-+
-+    action = validator.process_rules
-+    if args.update:
-+        action = validator.update_rules
-+
-+    data, changed, invalid = action(args.rules_file)
-+    if changed:
-+        verb = "require"
-+        if args.update:
-+            verb += "d"
-+        sys.stderr.write("Rules in '{0}' {1} changes\n".format(args.rules_file, verb))
-+        if len(invalid) > 0:
-+            sys.stderr.write("Invalid syscalls: {0}\n".format(", ".join(invalid)))
-+
-+    if args.verbose:
-+        print(*data, sep="\n")
--- 
-2.31.1
-

SOURCES/augenrules-immutable.patch

@@ -0,0 +1,77 @@
+diff -up audit-3.1.2/init.d/augenrules.orig audit-3.1.2/init.d/augenrules
+--- audit-3.1.2/init.d/augenrules.orig	2025-03-31 12:33:04.141223438 +0200
++++ audit-3.1.2/init.d/augenrules	2025-03-31 12:33:29.280457333 +0200
+@@ -32,10 +32,11 @@ ASuffix="prev"
+ OnlyCheck=0
+ LoadRules=0
+ RETVAL=0
+-usage="Usage: $0 [--check|--load]"
++cmd="$0"
++usage="Usage: $cmd [--check|--load]"
+ 
+ # Delete the interim file on faults
+-trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
++trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM
+ 
+ try_load() {
+ 	if [ $LoadRules -eq 1 ] ; then
+@@ -44,6 +45,14 @@ try_load() {
+ 	fi
+ }
+ 
++# Check if audit is in immutable mode - exit if so
++check_immutable () {
++    if [ "$(auditctl -s | awk '$1 == "enabled" { print $2 }')" = "2" ] ; then
++	echo "$cmd: Audit system is in immutable mode - exiting with no changes"
++	exit 0
++    fi
++}
++
+ while [ $# -ge 1 ]
+ do
+ 	if [ "$1" = "--check" ] ; then
+@@ -59,7 +68,7 @@ done
+ 
+ # Check environment
+ if [ ! -d ${SourceRulesDir} ]; then
+-	echo "$0: No rules directory - ${SourceRulesDir}"
++	echo "$cmd: No rules directory - ${SourceRulesDir}"
+ 	rm -f "${TmpRules}"
+ 	try_load
+ 	exit 1
+@@ -101,7 +110,7 @@ END     {
+ 
+ # If empty then quit
+ if [ ! -s "${TmpRules}" ]; then
+-	echo "$0: No rules"
++	echo "$cmd: No rules"
+ 	rm -f "${TmpRules}"
+ 	try_load
+ 	exit $RETVAL
+@@ -110,17 +119,19 @@ fi
+ # If the same then quit
+ cmp -s "${TmpRules}" ${DestinationFile} > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+-	echo "$0: No change"
++	echo "$cmd: No change"
+ 	rm -f "${TmpRules}"
++	check_immutable
+ 	try_load
+ 	exit $RETVAL
+ elif [ $OnlyCheck -eq 1 ] ; then
+-	echo "$0: Rules have changed and should be updated"
++	echo "$cmd: Rules have changed and should be updated"
+ 	rm -f "${TmpRules}"
+ 	exit 0
+ fi
+ 
+ # Otherwise we install the new file
++check_immutable
+ if [ -f ${DestinationFile} ]; then
+ 	cp ${DestinationFile} ${DestinationFile}.${ASuffix}
+ fi
+@@ -135,3 +146,4 @@ rm -f "${TmpRules}"
+ 
+ try_load
+ exit $RETVAL
++

SPECS/audit.spec

@@ -1,46 +1,28 @@
+%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
 Summary: User space tools for kernel auditing
 Name: audit
-Version: 3.1.5
+Version: 3.1.2
-Release: 7%{?dist}
+Release: 1%{?dist}.1
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
 
-Patch1: 0001-Add-ausysrulevalidate.patch
+Patch0: protected-kernel-modules.patch
-Patch2: audisp-restore.patch
+Patch1: augenrules-immutable.patch
-Patch3: audisp-restore-fix.patch
-Patch4: readonly.patch
-Patch5: disable-protectkernmelmodules.patch
-Patch6: remote-logging-ordering-cycle.patch
-Patch7: permtab-filter-unsupport.patch
-Patch8: auditctl-permtab.patch
-Patch9: interpret-tty-data.patch
-Patch10: tty-hostname.patch
-Patch11: ausearch-DAEMON_END.patch
-Patch12: afunix-memleak.patch
-Patch13: end-of-event.patch
-Patch14: end-of-event-check.patch
-Patch15: end-of-event-gdm.patch
-Patch16: ausearch-checkpoint-race.patch
 
-BuildRequires: make gcc swig
+BuildRequires: gcc swig make
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel libcap-ng-devel
 BuildRequires: kernel-headers >= 2.6.29
 BuildRequires: systemd
-BuildRequires: autoconf automake libtool
+#BuildRequires: autoconf automake libtool
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Requires(post): systemd coreutils
-Requires(preun): systemd
+Requires(preun): systemd initscripts
-Requires(postun): systemd coreutils
+Requires(postun): systemd coreutils initscripts
-Recommends: initscripts-service
-
-# Placing this here under the assumption that anything using the
-# python libraries expects the system to have an audit daemon
-Obsoletes: python2-audit < %{version}-%{release}
 
 %description
 The audit package contains the user space utilities for
@@ -52,7 +34,7 @@ Summary: Dynamic library for libaudit
 License: LGPLv2+
 
 %description libs
-The audit-libs package contains the dynamic libraries needed for
+The audit-libs package contains the dynamic libraries needed for 
 applications to use the audit framework.
 
 %package libs-devel
@@ -69,7 +51,6 @@ developing applications that need to use the audit framework libraries.
 Summary: Python3 bindings for libaudit
 License: LGPLv2+
 BuildRequires: python3-devel
-BuildRequires: make
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Provides: audit-libs-python3 = %{version}-%{release}
 Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
@@ -105,35 +86,19 @@ Management Facility) database, through an IBM Tivoli Directory Server
 
 %prep
 %setup -q
-cp %{SOURCE1} .
+
+%patch -P 0 -p1
 %patch -P 1 -p1
-%patch -P 2 -p1
-%patch -P 3 -p1
-%patch -P 4 -p1
-%patch -P 5 -p1
-%patch -P 6 -p1
-%patch -P 7 -p1
-%patch -P 8 -p1
-%patch -P 9 -p1
-%patch -P 10 -p1
-%patch -P 11 -p1
-%patch -P 12 -p1
-%patch -P 13 -p1
-%patch -P 14 -p1
-%patch -P 15 -p1
-%patch -P 16 -p1
 
-autoreconf -fv --install
+cp %{SOURCE1} .
-
+#autoreconf -fv --install
-# Remove the ids code, its not ready
-sed -i 's/ ids / /' audisp/plugins/Makefile.in
 
 %build
 %configure --with-python=no \
 	   --with-python3=yes \
 	   --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
-	   --with-libcap-ng=yes --enable-zos-remote --without-golang \
+	   --with-libcap-ng=yes --without-golang --enable-zos-remote \
-	   --enable-systemd --enable-experimental --with-io_uring
+	   --enable-systemd
 
 make CFLAGS="%{optflags}" %{?_smp_mflags}
 
@@ -144,23 +109,14 @@ mkdir -p $RPM_BUILD_ROOT/%{_lib}
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
 mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
 mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
-mkdir -p $RPM_BUILD_ROOT/%{_datadir}
 make DESTDIR=$RPM_BUILD_ROOT install
 
-# Validate sample rules shipped.
-for r in $RPM_BUILD_ROOT/%{_datadir}/%{name}/sample-rules/*.rules; do
-    PYTHONPATH=$RPM_BUILD_ROOT/%{python3_sitearch} \
-    LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} \
-        %{_builddir}/%{name}-%{version}/contrib/ausysrulevalidate \
-        --update --rules-file "${r}"
-done
-
 # Remove these items so they don't get picked up.
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
 
 find $RPM_BUILD_ROOT -name '*.la' -delete
-find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete
+find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete || true
 
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
 touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
@@ -172,43 +128,27 @@ make check
 rm -f rules/Makefile*
 
 %post
-%systemd_post auditd.service
-# Do not perform service start/restart when running during an rpm-ostree compose
-if [ -f /run/ostree-booted ] ; then
-    exit 0
-fi
-
 # Copy default rules into place on new installation
 files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
 if [ "$files" -eq 0 ] ; then
-	if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
+  if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
-		cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
+    cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
-	else
+  else
-		touch /etc/audit/rules.d/audit.rules
+    touch /etc/audit/rules.d/audit.rules
-	fi
+  fi
-	chmod 0600 /etc/audit/rules.d/audit.rules
+  chmod 0600 /etc/audit/rules.d/audit.rules
-fi
-
-# If upgrading, restart the daemon if it's running
-if [ $1 -eq 2 ]; then
-	state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
-
-	if [ $state = "active" ] ; then
-		auditctl --signal stop || true
-		systemctl start auditd
-	fi
-# if installing, start it since preset says we should be running
-elif [ $1 -eq 1 ]; then
-	systemctl start auditd
 fi
+%systemd_post auditd.service
 
 %preun
 %systemd_preun auditd.service
-# if uninstalling stop the daemon
 if [ $1 -eq 0 ]; then
-	auditctl --signal stop || true
+    /sbin/service auditd stop > /dev/null 2>&1
-	# also delete loaded rules if uninstalling
+fi
-	auditctl -D || true
+
+%postun
+if [ $1 -ge 1 ]; then
+    /sbin/service auditd condrestart > /dev/null 2>&1 || :
 fi
 
 %files libs
@@ -263,7 +203,6 @@ fi
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
-%attr(640,root,root) %{_tmpfilesdir}/audit.conf
 %attr(755,root,root) %{_bindir}/auvirt
 %attr(644,root,root) %{_unitdir}/auditd.service
 %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
@@ -274,6 +213,7 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
+%attr(750,root,root) %{_libexecdir}/audit-functions
 %ghost %{_localstatedir}/run/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
 %attr(750,root,root) %dir /etc/audit
@@ -283,24 +223,21 @@ fi
 %ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
 %ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
 %config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
+%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
 
 %files -n audispd-plugins
 %config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
-%config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf
-%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf
 %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(750,root,root) %{_sbindir}/audisp-af_unix
-%attr(750,root,root) %{_sbindir}/audisp-statsd
 %attr(700,root,root) %dir %{_var}/spool/audit
 %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
-%attr(644,root,root) %{_mandir}/man8/audisp-statsd.8.gz
 
 %files -n audispd-plugins-zos
 %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
@@ -310,240 +247,106 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
 
 %changelog
-* Fri Apr 11 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-7
+* Mon Mar 31 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.2-1.1
-- ausearch-checkpoint race condition fix
+- Allow defining rules for /usr/lib/modules dir
-  Resolves: RHEL-86897
+  Resolves: RHEL-59013
+- augenrules: fix return code if immutable mode is set
+  Resolves: RHEL-40109
 
-* Wed Apr 02 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-6
+* Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
-- Update end of event detection mechanism
+- Rebase audit to latest upstream release
-  Resolves: RHEL-78323
+  Resolves: RHEL-15001
 
-* Fri Mar 28 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-5
+* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-5
-- ausearch: correct search for DAEMON related events
-- allow hex digits when interpreting tty data
-  Resolves: RHEL-82279
-- Fix TTY hostname in log messages
-  Resolves: RHEL-78323
-
-* Tue Feb 11 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-4
-- auditctl: correct buffer in filter_supported_syscalls to avoid overflow
-  Resolves: RHEL-59585
-
-* Mon Feb 03 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-3
-- Don't do "live" operations during rpm-ostree composes
-  Resolves: RHEL-69033
-
-* Wed Jan 08 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-2
-- Disable ProtectKernelModules=true in service file
-  Resolves: RHEL-59570
-- af_unix plugin: restore original behavior in binary mode
-  Resolves: RHEL-59585
-- Support image mode
-  Resolves: RHEL-69033
-- Resolve ordering cycle when using remote logging
-  Resolves: RHEL-11252
-- Filter syscalls to ensure architecture-specific availability
-  Resolves: RHEL-70455
-
-* Tue Jul 09 2024 Attila Lakatos <alakatos@redhat.com> - 3.1.5-1
-- New upstream maintenance release, 3.1.4
-- Prevent scriplets from failing
-- When upgrading, restart the daemon if it's running
-- If uninstalling, stop the daemon
-- auditctl: use pidfd_send_signal for signaling auditd
-  Resolves: RHEL-45865
-- Minor doc update
-  Resolves: RHEL-5186
-- augenrules: do not exit with failure if in immutable mode
-  Resolves: RHEL-40110
-- auditd.service: Disable ProtectControlGroups
-  Resolves: RHEL-5197
-- auditctl: correct output when displaying rules with exe/path/dir
-  Resolves: RHEL-40243
-
-* Wed Nov 08 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-2
-- Remove %systemd_preun from %preun scriptlet, as it was causing troubles when removing audit
-  Related: RHEL-14896
-
-* Fri Oct 27 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
-- New upstream release, 3.1.2
-  Resolves: RHEL-14896
-
-* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-104
 - Introduce new fanotify record fields
-  Resolves: rhbz#2216666
+  Resolves: rhbz#2216668
+- invalid use of flexible array member
+  Resolves: rhbz#2116867
 
-* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-103
+* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-4
 - Drop ProtectHome from auditd.service as it interferes with rules
-  Resolves: rhbz#2071725 - Default systemd service config blocks audit watch rules in some directories [rhel-9.1.0]
+  Resolves: rhbz#2071727 - Default systemd service config blocks audit watch rules in some directories
 
-* Sun Mar 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-102
+* Mon Mar 14 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-3
 - Fix path normalization in auparse
-  Resolves: rhbz#2062824 - auparse missing information when used with --format-text
+  Resolves: rhbz#2062612 - auparse missing information when used with --format-text
 
-* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-101
+* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-2
 - Adjust sample-rules dir permissions
-  Resolves: rhbz#2054432 - /usr/share/audit/sample-rules is no longer readable by non-root users
+  Resolves: rhbz#2054727 - /usr/share/audit/sample-rules is no longer readable by non-root users
 
-* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-100
+* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-1
-- New upstream release, 3.0.7
+- New upstream release - 3.0.7
-  Resolves: rhbz#2019929 - capability=unknown-capability(39) in audit messages
+  Related: rhbz#1939406
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-5
+* Thu Jan 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
-- auparse: refact nvlist cleanup code
+- Rebase audit package on 8.6
-  Resolves: rhbz#2008965
+  Resolves: rhbz#1939406
+  Resolves: rhbz#1906065
+  Resolves: rhbz#1921447
+  Resolves: rhbz#1927884
+  Resolves: rhbz#1921658
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-4
+* Wed Jan 08 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.17.20191104git1c2f876
-- When interpreting, if val is NULL return an empty string
+resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates (bpf patch)
-  Resolves: rhbz#2004420
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-3
+* Thu Nov 28 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
-- Update dependency to initscripts-service instead of initscripts
+resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
-  Resolves: rhbz#2000933
 
-* Tue Aug 17 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-2
+* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.15.20191104git1c2f876
-- Fix timestamp parsing
+resolves: rhbz#1757986 - Rebase audit package on 8.2 for updates
-  Related: rhbz#1938680
+resolves: rhbz#1767054 - move audit rules to shared data directory
+resolves: rhbz#1746018 - Breakup 30-ospp-v42.rules into more granular files
+resolves: rhbz#1740798 - auditctl(8) needs clarification for backlog_limit
+resolves: rhbz#1497279 - Add option to interpret fields in audit syslog plugin
 
-* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
+* Thu Jul 25 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.13.20190607gitf58ec40
-- New upstream release, 3.0.5
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
-  Related: rhbz#1938680
 
-* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-3
+* Sat Jul 13 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190607gitf58ec40
-- Validates the sample rules we ship
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
-  Resolves: rhbz#1985630
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.2-2
+* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.11.20190607gitf58ec40
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+resolves: rhbz#1643567 - service auditd stop exits prematurely
-  Related: rhbz#1991688
+resolves: rhbz#1693470 - libauparse memory leak
+resolves: rhbz#1694071 - ausearch doesn't record device/inode details checkpointing a single file
+resolves: rhbz#1695638 - Rebase audit package to pick up latest bugfixes
+resolves: rhbz#1705894 - aureport aborts when using a specific input
+resolves: rhbz#1706045 - RFE: Backport support for new audit record types
+resolves: rhbz#1715852 - RFE: provide a way to filter on network address family
 
-* Tue Jun 22 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-1
+* Wed Jan 09 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20180831git0047a6c
-- New upstream release, 3.0.2.
+resolves: rhbz#1655270] Message "audit: backlog limit exceeded" reported
-  Fix issues detected by static analyzers
+- Fix annobin failure
-  Resolves: rhbz#1938680
 
-* Mon Jun 21 2021 Sergio Correia <scorreia@redhat.com> - 3.0.1-4
+* Fri Dec 07 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.8.20180831git0047a6c
-- Enable default RHEL configuration
+resolves: rhbz#1639745 - build requires go-toolset-7 which is not available
-  This enables syscall auditing by default.
+resolves: rhbz#1643567 - service auditd stop exits prematurely
-  Resolves: rhbz#1924561
+resolves: rhbz#1616428 - Update git snapshot of audit package
+- Remove static libs subpackage
 
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.1-3
+* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20180831git0047a6c
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+resolves: rhbz#1616428 - Update git snapshot of audit package
-
-* Thu Feb 18 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-2
-- Add patch fixing segafult in the audisp-statsd plugin
-
-* Fri Feb 12 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-1
-- New upstream feature and bugfix release
-- Enable building the audisp-statsd plugin
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Dec 16 2020 Steve Grubb <sgrubb@redhat.com> 3.0-1
-- New upstream feature and bugfix release
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.21.20191104git1c2f876
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.20.20191104git1c2f876
-- Rebuilt for Python 3.9
-
-* Thu Mar 12 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.19.20191104git1c2f876
-- Add Obsolete python2-audit (#1783061)
-
-* Wed Jan 29 2020 Steve Grubb <sgrubb@redhat.com> 3.0-0.18.20191104git1c2f876
-- Fix multiple definition of `event_node_list' (#1794446)
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.17.20191104git1c2f876
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Nov 22 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.16.20191104git1c2f876
-- Drop python2 subpackage (#1775076)
-
-* Mon Nov 04 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.14.20191104git1c2f876
-- New upstream git snapshot prerelease
-
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.14.20190507gitf58ec40
-- Rebuilt for Python 3.8.0rc1 (#1748018)
-
-* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 3.0-0.13.20190507gitf58ec40
-- Rebuilt for Python 3.8
-
-* Wed Jul 31 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190507gitf58ec40
-- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.11.20190507gitf58ec40
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Jul 05 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.10.20190507gitf58ec40
-- Add initscripts package to the requires (bz #1727058)
-
-* Mon Jun 10 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.9.20190507gitf58ec40
-- New upstream git snapshot prerelease which fixes several problems
-- Fixed 1698130 - removing audit.rpm doesn't stop auditd
-
-* Tue Mar 26 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.7.20190326git03e7489
-- New upstream git snapshot prerelease which fixes a memory leak
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.6.20181218gitbdb72c0
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Tue Dec 18 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.5.20181218gitbdb72c0
-- New upstream git snapshot prerelease
-- Remove historical ldconfig scriptlet (#1644056)
-
-* Fri Aug 31 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.4.20180831git0047a6c
-- New upstream feature prerelease
 
 * Wed Aug 08 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.2.20180808git77fbcf3
-- New upstream feature prerelease
+resolves: rhbz#1567357 New upstream feature prerelease
 
 * Tue Jul 17 2018 Steve Grubb <sgrubb@redhat.com> 3.0-0.1.20180717gitacd53d1
 - New upstream feature prerelease
 
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.4-4
+* Tue Jun 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+- Fix segfault on shutdown
-
-* Wed Jul  4 2018 Peter Robinson <pbrobinson@fedoraproject.org> 2.8.4-3
-- Remove unused sys V initscripts legacy bits
-
-* Mon Jul 02 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.4-2
-- Rebuilt for Python 3.7
 
 * Tue Jun 19 2018 Steve Grubb <sgrubb@redhat.com> 2.8.4-1
 - New upstream bugfix release
 
-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8.3-4
+* Wed May 30 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
-- Rebuilt for Python 3.7
-
-* Tue Apr 10 2018 Pete Walter <pwalter@fedoraproject.org> - 2.8.3-3
-- Rename Python 2 and 3 subpackages to python2-audit and python3-audit as per guidelines
-
-* Mon Mar 26 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-2
-- Fix Obsoletion of audit-libs-python not handled properly (#1559674)
-
-* Sat Mar 10 2018 Steve Grubb <sgrubb@redhat.com> 2.8.3-1
 - New upstream bugfix release
+- Remove Python2 support
 
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8.2-4
+* Fri Apr 13 2018 Tom Stellard <tstellar@redhat.com> - 2.7.8-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+- Use go-toolset-7 instead of golang
-
+- Package now must be built with: rhpkg --release rhel-8.0-go-toolset
-* Mon Feb 05 2018 Steve Grubb <sgrubb@redhat.com> 2.8.2-3
-- Add a Provides audit-libs-python (#1537864)
-- Remove tcp_wrappers support?
-
-* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-2
-- Rename things from python to python2
-
-* Thu Dec 14 2017 Steve Grubb <sgrubb@redhat.com> 2.8.2-1
-- New upstream bugfix release
-
-* Thu Oct 12 2017 Steve Grubb <sgrubb@redhat.com> 2.8.1-1
-- New upstream bugfix release
-
-* Tue Oct 10 2017 Steve Grubb <sgrubb@redhat.com> 2.8-1
-- New upstream feature release
 
 * Mon Sep 18 2017 Steve Grubb <sgrubb@redhat.com> 2.7.8-1
 - New upstream bugfix release

afunix-memleak.patch

@@ -1,12 +0,0 @@
-diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
-index 578533f52..e2e7dc7ef 100644
---- a/audisp/plugins/af_unix/audisp-af_unix.c
-+++ b/audisp/plugins/af_unix/audisp-af_unix.c
-@@ -253,6 +253,7 @@ void read_audit_record(int ifd)
- 					do {
- 						rc = write(conn, str, str_len);
- 					} while (rc < 0 && errno == EINTR);
-+					free(str);
- 				} else if (format == F_BINARY) {
- 					struct iovec vec[2];
- 

audisp-restore-fix.patch

@@ -1,38 +0,0 @@
-diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
-index d85f15f8a..578533f52 100644
---- a/audisp/plugins/af_unix/audisp-af_unix.c
-+++ b/audisp/plugins/af_unix/audisp-af_unix.c
-@@ -132,7 +132,7 @@ int setup_socket(int argc, char *argv[])
- 			if (errno) {
- 				syslog(LOG_ERR,
- 					"Error converting %s (%s)",
--					arg[i], strerror(errno));
-+					argv[i], strerror(errno));
- 				mode = 0;
- 			}
- 		} else if (strchr(arg, '/') != NULL) {
-@@ -265,16 +265,15 @@ void read_audit_record(int ifd)
- 					do {
- 						rc = writev(conn, vec, 2);
- 					} while (rc < 0 && errno == EINTR);
--				}
--
--				if (rc < 0 && errno == EPIPE) {
--					close(conn);
--					conn = -1;
--					client = 0;
--					audit_fgets_clear();
--				}
--				if (rc >= 0 && rc != len) {
-+					if (rc < 0 && errno == EPIPE) {
-+						close(conn);
-+						conn = -1;
-+						client = 0;
-+						audit_fgets_clear();
-+					}
-+					//if (rc >= 0 && rc != len) {
- 					// what to do with leftovers?
-+					//}
- 				}
- 			}
- #endif

audisp-restore.patch

@@ -1,256 +0,0 @@
-diff --git a/audisp/plugins/af_unix/Makefile.am b/audisp/plugins/af_unix/Makefile.am
-index 501b35d43..e8faec7df 100644
---- a/audisp/plugins/af_unix/Makefile.am
-+++ b/audisp/plugins/af_unix/Makefile.am
-@@ -25,7 +25,8 @@ CONFIG_CLEAN_FILES = *.rej *.orig
- CONF_FILES = af_unix.conf
- EXTRA_DIST = $(CONF_FILES) $(man_MANS)
- 
--AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common
-+AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common -I${top_srcdir}/audisp
-+LIBS = ${top_builddir}/lib/libaudit.la
- prog_confdir = $(sysconfdir)/audit
- plugin_confdir=$(prog_confdir)/plugins.d
- plugin_conf = af_unix.conf
-diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
-index ffbf2ac07..d85f15f8a 100644
---- a/audisp/plugins/af_unix/audisp-af_unix.c
-+++ b/audisp/plugins/af_unix/audisp-af_unix.c
-@@ -33,6 +33,7 @@
- #include <libgen.h>
- #include <string.h>
- #include <sys/stat.h>
-+#include <sys/uio.h>
- #include <dirent.h>
- #include <sys/un.h>
- #include <fcntl.h>
-@@ -43,16 +44,19 @@
- #endif
- #include "libaudit.h"
- #include "common.h"
-+#include "audispd-pconfig.h"
- 
- #define DEFAULT_PATH "/var/run/audispd_events"
-+#define MAX_AUDIT_EVENT_FRAME_SIZE (sizeof(struct audit_dispatcher_header) + MAX_AUDIT_MESSAGE_LENGTH)
- //#define DEBUG
- 
- /* Global Data */
- static volatile int stop = 0, hup = 0;
--char rx_buf[MAX_AUDIT_MESSAGE_LENGTH];
-+char rx_buf[MAX_AUDIT_EVENT_FRAME_SIZE+1];
- int sock = -1, conn = -1, client = 0;
- struct pollfd pfd[3];
- unsigned mode = 0;
-+format_t format = -1;
- char *path = NULL;
- 
- /*
-@@ -119,77 +123,150 @@ int create_af_unix_socket(const char *spath, int mode)
- 
- int setup_socket(int argc, char *argv[])
- {
--	if (argc != 3) {
--		syslog(LOG_ERR, "Missing arguments, using defaults");
--		mode = 0640;
--		path = DEFAULT_PATH;
--	} else {
--		int i;
--		for (i=1; i < 3; i++) {
--			if (isdigit((unsigned char)argv[i][0])) {
--				errno = 0;
--				mode = strtoul(argv[i], NULL, 8);
--				if (errno) {
--					syslog(LOG_ERR,
--					       "Error converting %s (%s)",
--					       argv[i], strerror(errno));
--					mode = 0;
--				}
--			} else {
--				char *base;
--				path = argv[i];
--				// Make sure there are directories
--				base = strchr(path, '/');
--				if (base) {
--					DIR *d;
--					char *dir = strdup(path);
--					base = dirname(dir);
--					d = opendir(base);
--					if (d) {
--						closedir(d);
--						unlink(path);
--						free(dir);
--					} else {
--						syslog(LOG_ERR,
--						       "Couldn't open %s (%s)",
--						       base, strerror(errno));
--						free(dir);
--						exit(1);
--					}
--
-+	for (int i = 1; i < argc; i++) {
-+		char *arg = argv[i];
-+		if (isdigit((unsigned char)arg[0])) {
-+			// parse mode
-+			errno = 0;
-+			mode = strtoul(arg, NULL, 8);
-+			if (errno) {
-+				syslog(LOG_ERR,
-+					"Error converting %s (%s)",
-+					arg[i], strerror(errno));
-+				mode = 0;
-+			}
-+		} else if (strchr(arg, '/') != NULL) {
-+			// parse path
-+			char* base;
-+			path = arg;
-+			// Make sure there are directories
-+			base = strchr(path, '/');
-+			if (base) {
-+				DIR* d;
-+				char* dir = strdup(path);
-+				base = dirname(dir);
-+				d = opendir(base);
-+				if (d) {
-+					closedir(d);
-+					unlink(path);
-+					free(dir);
- 				} else {
--					syslog(LOG_ERR, "Malformed path %s",
--					       path);
-+					syslog(LOG_ERR,
-+						"Couldn't open %s (%s)",
-+						base, strerror(errno));
-+					free(dir);
- 					exit(1);
- 				}
-+
-+			} else {
-+				syslog(LOG_ERR, "Malformed path %s",
-+					path);
-+				exit(1);
- 			}
--		}
--		if (mode == 0 || path == NULL) {
--			syslog(LOG_ERR, "Bad arguments, using defaults");
--			mode = 0640;
--			path = DEFAULT_PATH;
-+		} else {
-+			if (strcmp(arg, "string") == 0)
-+				format = F_STRING;
-+			else if (strcmp(arg, "binary") == 0)
-+				format = F_BINARY;
-+			else
-+				syslog(LOG_ERR, "Invalid format detected");
- 		}
- 	}
-+
-+	if (mode == 0 || path == NULL || format == -1) {
-+		syslog(LOG_ERR, "Bad or not enough arguments, using defaults");
-+		mode = 0640;
-+		path = DEFAULT_PATH;
-+		format = F_STRING;
-+	}
-+
- 	return create_af_unix_socket(path, mode);
- }
- 
-+static int event_to_string(struct audit_dispatcher_header *hdr, char *data, char **out, int *outlen)
-+{
-+	char *v = NULL, *ptr, unknown[32];
-+	int len;
-+
-+	if (hdr->ver == AUDISP_PROTOCOL_VER) {
-+		const char *type;
-+
-+		/* Get the event formatted */
-+		type = audit_msg_type_to_name(hdr->type);
-+		if (type == NULL) {
-+			snprintf(unknown, sizeof(unknown),
-+				"UNKNOWN[%u]", hdr->type);
-+			type = unknown;
-+		}
-+		len = asprintf(&v, "type=%s msg=%.*s\n",
-+				type, hdr->size, data);
-+	// Protocol 2 events are already formatted
-+	} else if (hdr->ver == AUDISP_PROTOCOL_VER2) {
-+		len = asprintf(&v, "%.*s\n", hdr->size, data);
-+	} else
-+		len = 0;
-+	if (len <= 0) {
-+		*out = NULL;
-+		*outlen = 0;
-+		return -1;
-+	}
-+
-+	/* Strip newlines from event record */
-+	ptr = v;
-+	while ((ptr = strchr(ptr, 0x0A)) != NULL) {
-+		if (ptr != &v[len-1])
-+			*ptr = ' ';
-+		else
-+			break; /* Done - exit loop */
-+	}
-+
-+	*out = v;
-+	*outlen = len;
-+	return 1;
-+}
-+
- void read_audit_record(int ifd)
- {
- 	do {
- 		int len;
- 
- 		// Read stdin
--		if ((len = audit_fgets(rx_buf, sizeof(rx_buf), ifd)) > 0) {
-+		if ((len = audit_fgets(rx_buf, MAX_AUDIT_EVENT_FRAME_SIZE + 1, ifd)) > 0) {
- #ifdef DEBUG
- 			write(1, rx_buf, len);
- #else
-+			struct audit_dispatcher_header *hdr = (struct audit_dispatcher_header *)rx_buf;
-+			char *data = rx_buf + sizeof(struct audit_dispatcher_header);
- 			if (client) {
- 				// Send it to the client
- 				int rc;
- 
--				do {
--					rc = write(conn, rx_buf, len);
--				} while (rc < 0 && errno == EINTR);
-+				if (format == F_STRING) {
-+					
-+					char *str = NULL;
-+					int str_len = 0;
-+					if (event_to_string(hdr, data, &str, &str_len) < 0) {
-+						// what to do with error?
-+						continue;
-+					}
-+
-+					do {
-+						rc = write(conn, str, str_len);
-+					} while (rc < 0 && errno == EINTR);
-+				} else if (format == F_BINARY) {
-+					struct iovec vec[2];
-+
-+					vec[0].iov_base = hdr;
-+					vec[0].iov_len = sizeof(struct audit_dispatcher_header);
-+
-+					vec[1].iov_base = data;
-+					vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH;
-+
-+					do {
-+						rc = writev(conn, vec, 2);
-+					} while (rc < 0 && errno == EINTR);
-+				}
-+
- 				if (rc < 0 && errno == EPIPE) {
- 					close(conn);
- 					conn = -1;
-@@ -203,7 +280,7 @@ void read_audit_record(int ifd)
- #endif
- 		} else if (audit_fgets_eof())
- 			stop = 1;
--	} while (audit_fgets_more(sizeof(rx_buf)));
-+	} while (audit_fgets_more(MAX_AUDIT_EVENT_FRAME_SIZE));
- }
- 
- void accept_connection(void)

auditctl-permtab.patch

@@ -1,57 +0,0 @@
-diff -up audit-3.1.5/lib/libaudit.c.orig audit-3.1.5/lib/libaudit.c
---- audit-3.1.5/lib/libaudit.c.orig	2025-02-11 12:11:17.529016934 +0100
-+++ audit-3.1.5/lib/libaudit.c	2025-02-11 12:13:51.206171338 +0100
-@@ -1516,37 +1516,35 @@ static char* filter_supported_syscalls(c
- 		return NULL;
- 	}
- 
--	// Allocate memory for the filtered syscalls string
--	char* filtered_syscalls = malloc(strlen(syscalls) + 1);
--	if (filtered_syscalls == NULL) {
--		return NULL;
--	}
--	filtered_syscalls[0] = '\0'; // Initialize as empty string
--
--	// Tokenize the syscalls string and filter unsupported syscalls
-+	char buf[512] = "";
-+	char* ptr = buf;
- 	const char* delimiter = ",";
-+
- 	char* syscalls_copy = strdup(syscalls);
--	if (syscalls_copy == NULL) {
--		free(filtered_syscalls);
-+	if (syscalls_copy == NULL)
- 		return NULL;
--	}
-+
- 	char* token = strtok(syscalls_copy, delimiter);
-+	int first = 1; // Track if this is the first syscall being added
-+
- 	while (token != NULL) {
- 		if (audit_name_to_syscall(token, machine) != -1) {
--			strcat(filtered_syscalls, token);
--			strcat(filtered_syscalls, delimiter);
-+			if (!first)
-+				*ptr++ = ',';
-+			ptr = stpcpy(ptr, token);
-+			first = 0;
- 		}
- 		token = strtok(NULL, delimiter);
- 	}
-+
- 	free(syscalls_copy);
- 
--	// Remove the trailing delimiter, if present
--	size_t len = strlen(filtered_syscalls);
--	if (len > 0 && filtered_syscalls[len - 1] == ',') {
--		filtered_syscalls[len - 1] = '\0';
-+	// If no valid syscalls were found, return NULL
-+	if (ptr == buf) {
-+		return NULL;
- 	}
- 
--	return filtered_syscalls;
-+	return strdup(buf);
- }
- 
- static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)

ausearch-DAEMON_END.patch

@@ -1,15 +0,0 @@
-diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
-index 7d9731842..e77fbf129 100644
---- a/src/ausearch-parse.c
-+++ b/src/ausearch-parse.c
-@@ -1549,7 +1549,9 @@ static int parse_daemon1(const lnode *n, search_items *s)
- 
- 	// uid - optional
- 	if (event_uid != -1) {
--		ptr = term;
-+		// As the uid= field may happen in different orders, e.g. both before
-+		// and after pid=, let us search for the uid from the beginning.
-+		term = mptr;
- 		str = strstr(term, " uid=");
- 		if (str) {
- 			ptr = str + 5;

ausearch-checkpoint-race.patch

@@ -1,35 +0,0 @@
-diff --git a/src/ausearch.c b/src/ausearch.c
-index 3bf95b5a..cf77ba14 100644
---- a/src/ausearch.c
-+++ b/src/ausearch.c
-@@ -464,6 +464,17 @@ static int process_log_fd(void)
- 		if ((ret != 0)||(entries->cnt == 0))
- 			break;
- 
-+		/*
-+		 * If we are checkpointing, decide if we output this event.
-+		 * We need to do it as early as here. The chkpt_input_levent event
-+		 * might not match the entries, so we need to ensure that we don't
-+		 * skip the event that is the checkpoint event. That is the marking point
-+		 * from which we start outputting events. Leaving that event out will produce
-+		 * empty results.
-+		 */
-+		if (checkpt_filename)
-+			do_output = chkpt_output_decision(&entries->e);
-+
- 		/*
-  		 * We flush all events on the last log file being processed.
-  		 * Thus incomplete events are 'carried forward' to be
-@@ -471,12 +482,6 @@ static int process_log_fd(void)
-  		 * in the next file we are about to process.
-  		 */
- 		if (match(entries)) {
--			/*
--			 * If we are checkpointing, decide if we output
--			 * this event
--			 */
--			if (checkpt_filename)
--				do_output = chkpt_output_decision(&entries->e);
- 
- 			if (do_output == 1) {
- 				found = 1;

ci_tests.fmf

@@ -1,12 +0,0 @@
-/e2e_internal:
-  plan:
-    import:
-      url: https://github.com/RedHat-SP-Security/audit-plans.git
-      name: /generic/e2e_ci_internal
-
-/rpmverify:
-  plan:
-    import:
-      url: https://github.com/RedHat-SP-Security/audit-plans.git
-      name: /generic/rpmverify
-

end-of-event-gdm.patch

@@ -1,219 +0,0 @@
-From 23eb05485637dd51e5898ece17324921308de085 Mon Sep 17 00:00:00 2001
-From: Cropi <alakatos@redhat.com>
-Date: Wed, 2 Apr 2025 14:12:36 +0200
-Subject: [PATCH] test suite: replace auid=42 with auid=0
-
-Executing make check, the test case expected the system
-to have user gdm with id of 42, which might not be true in all cases.
-In case the user was not present, ID to name translation failed, thus
-make check exited with error.
----
- auparse/test/auparse_test.ref    | 18 +++++++++---------
- auparse/test/auparse_test.ref.py | 18 +++++++++---------
- auparse/test/test.log            |  4 ++--
- auparse/test/test2.log           |  4 ++--
- 4 files changed, 22 insertions(+), 22 deletions(-)
-
-diff --git a/auparse/test/auparse_test.ref b/auparse/test/auparse_test.ref
-index dbeddf22..455dbb3a 100644
---- a/auparse/test/auparse_test.ref
-+++ b/auparse/test/auparse_test.ref
-@@ -188,7 +188,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=0 (root)
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -209,7 +209,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=0 (root)
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -389,7 +389,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=0 (root)
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -410,7 +410,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=0 (root)
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -587,7 +587,7 @@ event 11 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=0 (root)
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -608,7 +608,7 @@ event 11 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=0 (root)
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -699,7 +699,7 @@ Test 6 Done
- 
- Starting Test 7, compound search...
- Found type = USER_START
--Found auid = 42
-+Found auid = 0
- Test 7 Done
- 
- Starting Test 8, regex search...
-@@ -874,7 +874,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=0 (root)
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -895,7 +895,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=0 (root)
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-diff --git a/auparse/test/auparse_test.ref.py b/auparse/test/auparse_test.ref.py
-index 83dc47ad..73b2a099 100644
---- a/auparse/test/auparse_test.ref.py
-+++ b/auparse/test/auparse_test.ref.py
-@@ -180,7 +180,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=0 (root)
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -201,7 +201,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=0 (root)
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -381,7 +381,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=0 (root)
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -402,7 +402,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=0 (root)
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -579,7 +579,7 @@ event 11 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=0 (root)
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -600,7 +600,7 @@ event 11 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=0 (root)
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -691,7 +691,7 @@ Test 6 Done
- 
- Starting Test 7, compound search...
- Found type = USER_START
--Found auid = 42
-+Found auid = 0
- Test 7 Done
- 
- Starting Test 8, regex search...
-@@ -864,7 +864,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=0 (root)
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -885,7 +885,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=0 (root)
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-diff --git a/auparse/test/test.log b/auparse/test/test.log
-index cef1838d..24e0557f 100644
---- a/auparse/test/test.log
-+++ b/auparse/test/test.log
-@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:293):  cwd="/var/spool/postfix"
- type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
- type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
- type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
--type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
--type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
-+type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=1 res=1
-+type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
- type=PROCTITLE msg=audit(1170021601.343:296): proctitle="(systemd)"
- type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
- type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-diff --git a/auparse/test/test2.log b/auparse/test/test2.log
-index 63aadaa9..a2f3e755 100644
---- a/auparse/test/test2.log
-+++ b/auparse/test/test2.log
-@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:283):  cwd="/var/spool/postfix"
- type=PATH msg=audit(1170021493.977:283): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
- type=USER_ACCT msg=audit(1170021601.340:284): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
- type=CRED_ACQ msg=audit(1170021601.342:285): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
--type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
--type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
-+type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=1 res=1
-+type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
- type=PROCTITLE msg=audit(1170021601.343:286): proctitle="(systemd)"
- type=USER_START msg=audit(1170021601.344:287): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
- type=CRED_DISP msg=audit(1170021601.364:288): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
--- 
-2.49.0
-

end-of-event.patch

@@ -1,60 +0,0 @@
-From d6aac5857a7aea11a7fc95926d587ecc824b6152 Mon Sep 17 00:00:00 2001
-From: Cropi <alakatos@redhat.com>
-Date: Wed, 2 Apr 2025 11:04:37 +0200
-Subject: [PATCH] Update end of event detection
-
----
- auparse/auparse.c  | 5 ++++-
- src/ausearch-lol.c | 6 +++++-
- 2 files changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/auparse/auparse.c b/auparse/auparse.c
-index c3e1fb9e..1b0c5a39 100644
---- a/auparse/auparse.c
-+++ b/auparse/auparse.c
-@@ -319,7 +319,9 @@ static void au_check_events(auparse_state_t *au, time_t sec)
-                         } else if ( // FIXME: Check this v remains true
- 				r->type == AUDIT_PROCTITLE ||
- 				r->type == AUDIT_EOE ||
--				r->type < AUDIT_FIRST_EVENT ||
-+				(r->type > AUDIT_LOGIN &&
-+					r->type < AUDIT_FIRST_EVENT) ||
-+				r->type == AUDIT_USER ||
- 				r->type >= AUDIT_FIRST_ANOM_MSG ||
- 				r->type == AUDIT_KERNEL ||
- 				(r->type >= AUDIT_MAC_UNLBL_ALLOW &&
-@@ -332,6 +334,7 @@ static void au_check_events(auparse_state_t *au, time_t sec)
-         }
- }
- 
-+
- /*
-  * au_terminate_all_events - Mark all events in 'BUILD' state to be COMPLETE
-  *
-diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
-index 31c5ff2e..e2a6017d 100644
---- a/src/ausearch-lol.c
-+++ b/src/ausearch-lol.c
-@@ -259,7 +259,10 @@ static void check_events(lol *lo, time_t sec)
- 				cur->status = L_COMPLETE;
- 				ready++;
- 			} else if (cur->l->e.type == AUDIT_PROCTITLE ||
--				    cur->l->e.type < AUDIT_FIRST_EVENT ||
-+				    cur->l->e.type == AUDIT_EOE ||
-+				    (cur->l->e.type > AUDIT_LOGIN &&
-+				        cur->l->e.type < AUDIT_FIRST_EVENT) ||
-+				    cur->l->e.type == AUDIT_USER ||
- 				    cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ||
- 				    cur->l->e.type == AUDIT_KERNEL ||
- 				    (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
-@@ -272,6 +275,7 @@ static void check_events(lol *lo, time_t sec)
- 	}
- }
- 
-+
- // This function adds a new record to an existing linked list
- // or creates a new one if its a new event
- int lol_add_record(lol *lo, char *buff)
--- 
-2.49.0
-

gating.yaml

@@ -1,7 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

interpret-tty-data.patch

@@ -1,13 +0,0 @@
-diff --git a/auparse/interpret.c b/auparse/interpret.c
-index ad949c90f..5c182ae69 100644
---- a/auparse/interpret.c
-+++ b/auparse/interpret.c
-@@ -331,7 +331,7 @@ static void key_escape(const char *orig, char *dest, auparse_esc_t escape_mode)
- static int is_hex_string(const char *str)
- {
- 	while (*str) {
--		if (!isdigit((unsigned char)*str))
-+		if (!isxdigit((unsigned char)*str))
- 			return 0;
- 		str++;
- 	}

permtab-filter-unsupport.patch

@@ -1,102 +0,0 @@
-diff --git a/lib/libaudit.c b/lib/libaudit.c
-index 7a8c6d4b1..de34812f0 100644
---- a/lib/libaudit.c
-+++ b/lib/libaudit.c
-@@ -100,6 +100,7 @@ static struct libaudit_conf config;
- static int audit_failure_parser(const char *val, int line);
- static int audit_name_to_uid(const char *name, uid_t *auid);
- static int audit_name_to_gid(const char *name, gid_t *gid);
-+static char* filter_supported_syscalls(const char* syscalls, int machine) __attr_dealloc_free;
- 
- static const struct kw_pair keywords[] =
- {
-@@ -1524,6 +1525,50 @@ int _audit_parse_syscall(const char *optarg, struct audit_rule_data *rule)
- 	return audit_rule_syscallbyname_data(rule, optarg);
- }
- 
-+/*
-+ * Filters unsupported syscalls from a comma-separated string based
-+ * on the given architecture. Returns a new string with supported syscalls
-+ * or NULL on error.
-+ */
-+static char* filter_supported_syscalls(const char* syscalls, int machine)
-+{
-+	if (syscalls == NULL) {
-+		return NULL;
-+	}
-+
-+	// Allocate memory for the filtered syscalls string
-+	char* filtered_syscalls = malloc(strlen(syscalls) + 1);
-+	if (filtered_syscalls == NULL) {
-+		return NULL;
-+	}
-+	filtered_syscalls[0] = '\0'; // Initialize as empty string
-+
-+	// Tokenize the syscalls string and filter unsupported syscalls
-+	const char* delimiter = ",";
-+	char* syscalls_copy = strdup(syscalls);
-+	if (syscalls_copy == NULL) {
-+		free(filtered_syscalls);
-+		return NULL;
-+	}
-+	char* token = strtok(syscalls_copy, delimiter);
-+	while (token != NULL) {
-+		if (audit_name_to_syscall(token, machine) != -1) {
-+			strcat(filtered_syscalls, token);
-+			strcat(filtered_syscalls, delimiter);
-+		}
-+		token = strtok(NULL, delimiter);
-+	}
-+	free(syscalls_copy);
-+
-+	// Remove the trailing delimiter, if present
-+	size_t len = strlen(filtered_syscalls);
-+	if (len > 0 && filtered_syscalls[len - 1] == ',') {
-+		filtered_syscalls[len - 1] = '\0';
-+	}
-+
-+	return filtered_syscalls;
-+}
-+
- static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
- {
- 	// We only get here if syscall notation is being used in the rule.
-@@ -1536,20 +1581,36 @@ static int audit_add_perm_syscalls(int perm, struct audit_rule_data *rule)
- 		return 0;
- 	}
- 
-+	const int machine = audit_elf_to_machine(_audit_elf);
- 	const char *syscalls = audit_perm_to_name(perm);
--	int rc = _audit_parse_syscall(syscalls, rule);
-+	const char *syscalls_to_use;
-+
-+	// The permtab table is hardcoded, but some syscalls, like rename
-+	// on arm64, are unavailable on certain architectures. To ensure compatibility,
-+	// we must avoid creating rules with unsupported syscalls.
-+	char* filtered_syscalls = filter_supported_syscalls(syscalls, machine);
-+	if (filtered_syscalls == NULL) {
-+		// use original syscalls in case we failed to parse - should not happen
-+		syscalls_to_use = syscalls;
-+		audit_msg(LOG_WARNING, "Filtering syscalls failed; using original syscalls.");
-+	} else {
-+		syscalls_to_use = filtered_syscalls;
-+	}
-+
-+	int rc = _audit_parse_syscall(syscalls_to_use, rule);
- 	switch (rc)
- 	{
- 	case 0:
- 		_audit_syscalladded = 1;
- 		break;
- 	case -1: // Should never happen
--		audit_msg(LOG_ERR, "Syscall name unknown: %s", syscalls);
-+		audit_msg(LOG_ERR, "Syscall name unknown: %s", syscalls_to_use);
- 		break;
- 	default: // Error reported - do nothing here
- 		break;
- 	}
- 
-+	free(filtered_syscalls);
- 	return rc;
- }
- 

readonly.patch

@@ -1,48 +0,0 @@
-diff --git a/audit.spec b/audit.spec
-index 39f640e36..313d803f1 100644
---- a/audit.spec
-+++ b/audit.spec
-@@ -215,6 +215,7 @@ fi
- %attr(755,root,root) %{_bindir}/aulast
- %attr(755,root,root) %{_bindir}/aulastlog
- %attr(755,root,root) %{_bindir}/ausyscall
-+%attr(640,root,root) %{_tmpfilesdir}/audit.conf
- %attr(755,root,root) %{_bindir}/auvirt
- %attr(644,root,root) %{_unitdir}/auditd.service
- %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
-diff --git a/init.d/Makefile.am b/init.d/Makefile.am
-index 3a73697a6..63fae2ab4 100644
---- a/init.d/Makefile.am
-+++ b/init.d/Makefile.am
-@@ -23,6 +23,7 @@
- 
- CONFIG_CLEAN_FILES = *.rej *.orig
- EXTRA_DIST = auditd.init auditd.service auditd.sysconfig auditd.conf \
-+	audit-tmpfiles.conf \
- 	auditd.cron libaudit.conf auditd.condrestart \
- 	auditd.reload auditd.restart auditd.resume \
- 	auditd.rotate auditd.state auditd.stop \
-@@ -43,6 +44,8 @@ sbin_SCRIPTS = augenrules
- 
- install-data-hook:
- 	$(INSTALL_DATA) -D -m 640 ${srcdir}/${libconfig} ${DESTDIR}${sysconfdir}
-+	mkdir -p ${DESTDIR}$(prefix)/lib/tmpfiles.d/
-+	$(INSTALL_DATA) -m 640 ${srcdir}/audit-tmpfiles.conf ${DESTDIR}$(prefix)/lib/tmpfiles.d/audit.conf
- if ENABLE_SYSTEMD
- else
- 	$(INSTALL_DATA) -D -m 640 ${srcdir}/auditd.sysconfig ${DESTDIR}${sysconfigdir}/auditd
-@@ -69,6 +72,7 @@ endif
- 
- uninstall-hook:
- 	rm ${DESTDIR}${sysconfdir}/${libconfig}
-+	rm ${DESTDIR}$(prefix)/lib/tmpfiles.d/audit.conf
- if ENABLE_SYSTEMD
- 	rm ${DESTDIR}${initdir}/auditd.service
- 	rm ${DESTDIR}${legacydir}/rotate
-diff --git a/init.d/audit-tmpfiles.conf b/init.d/audit-tmpfiles.conf
-new file mode 100644
-index 000000000..5512a535a
---- /dev/null
-+++ b/init.d/audit-tmpfiles.conf
-@@ -0,0 +1 @@
-+d /var/log/audit 0700 root root - -

remote-logging-ordering-cycle.patch

@@ -1,14 +0,0 @@
-diff --git a/init.d/auditd.service b/init.d/auditd.service
-index dd7ec694b..d5139ae92 100644
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -6,6 +6,9 @@ DefaultDependencies=no
- ## uncomment the second so that network-online.target is part of After.
- ## then comment the first Before and uncomment the second Before to remove
- ## sysinit.target from "Before".
-+## If using remote logging, ensure that the systemd-update-utmp.service file
-+## is updated to remove the After=auditd.service directive to prevent a
-+## boot-time ordering cycle.
- After=local-fs.target systemd-tmpfiles-setup.service
- ##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
- Before=sysinit.target shutdown.target

sources

@@ -1 +0,0 @@
-SHA512 (audit-3.1.5.tar.gz) = 2bb6dd30108d2c4cc498011f50cbeea0112b9877a78158907cf8005b6dc253c8c2c98bfea7ed3fe6f6a5baf274cd8a9ace4108a58b0c9529b03191bd84b7e73d

tty-hostname.patch

@@ -1,14 +0,0 @@
-diff --git a/lib/audit_logging.c b/lib/audit_logging.c
-index f89a13bb0..70205b332 100644
---- a/lib/audit_logging.c
-+++ b/lib/audit_logging.c
-@@ -243,7 +243,8 @@ static const char *_get_hostname(const char *ttyn)
- {
- 	if (ttyn && ((strncmp(ttyn, "pts", 3) == 0) ||
- 		(strncmp(ttyn, "tty", 3) == 0) ||
--		(strncmp(ttyn, "/dev/tty", 8) == 0) )) {
-+		(strncmp(ttyn, "/dev/tty", 8) == 0) ||
-+		(strncmp(ttyn, "/dev/pts", 8) == 0) )) {
- 		if (_host[0] == 0) {
- 			gethostname(_host, HOSTLEN);
- 			_host[HOSTLEN - 1] = 0;