diff -up Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata Linux-PAM-1.1.6/modules/pam_faillock/main.c
--- Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata	2012-09-03 15:18:19.077405822 +0200
+++ Linux-PAM-1.1.6/modules/pam_faillock/main.c	2012-09-03 15:18:19.082405927 +0200
@@ -42,6 +42,7 @@
 #include <errno.h>
 #include <pwd.h>
 #include <time.h>
+#include <unistd.h>
 #ifdef HAVE_LIBAUDIT
 #include <libaudit.h>
 #endif
@@ -142,7 +143,7 @@ do_user(struct options *opts, const char
 				snprintf(buf, sizeof(buf), "faillock reset uid=%u",
 					pwd->pw_uid);
 				audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-					buf, NULL, NULL, NULL, rv == 0);
+					buf, NULL, NULL, ttyname(fileno(stdin)), rv == 0);
 			}
 			close(audit_fd);
 		}
diff -up Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c
--- Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata	2012-09-03 15:18:19.077405822 +0200
+++ Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c	2012-09-03 15:18:19.083405948 +0200
@@ -264,6 +264,7 @@ check_tally(pam_handle_t *pamh, struct o
 			if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
 				char buf[64];
 				int audit_fd;
+				const void *rhost = NULL, *tty = NULL;
 
 				audit_fd = audit_open();
 				/* If there is an error & audit support is in the kernel report error */
@@ -271,9 +272,11 @@ check_tally(pam_handle_t *pamh, struct o
 					errno == EAFNOSUPPORT))
 					return PAM_SYSTEM_ERR;
 
+				(void)pam_get_item(pamh, PAM_TTY, &tty);
+				(void)pam_get_item(pamh, PAM_RHOST, &rhost);
 				snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
 				audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
-					NULL, NULL, NULL, 1);
+					rhost, NULL, tty, 1);
 			}
 #endif
 			opts->flags |= FAILLOCK_FLAG_UNLOCKED;
@@ -378,6 +381,7 @@ write_tally(pam_handle_t *pamh, struct o
 #ifdef HAVE_LIBAUDIT
 		char buf[64];
 		int audit_fd;
+		const void *tty = NULL, *rhost = NULL;
 
 		audit_fd = audit_open();
 		/* If there is an error & audit support is in the kernel report error */
@@ -385,13 +389,15 @@ write_tally(pam_handle_t *pamh, struct o
 			errno == EAFNOSUPPORT))
 			return PAM_SYSTEM_ERR;
 
+		(void)pam_get_item(pamh, PAM_TTY, &tty);
+		(void)pam_get_item(pamh, PAM_RHOST, &rhost);
 		snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
 		audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
-			NULL, NULL, NULL, 1);
+			rhost, NULL, tty, 1);
 
 		if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
 			audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
-				NULL, NULL, NULL, 1);
+				rhost, NULL, tty, 1);
 		}
 		close(audit_fd);
 #endif
diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata	2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c	2012-09-03 15:18:19.083405948 +0200
@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pam
 	int audit_fd = audit_open();
 	security_context_t default_raw=NULL;
 	security_context_t selected_raw=NULL;
+	const void *tty = NULL, *rhost = NULL;
 	rc = -1;
 	if (audit_fd < 0) {
 		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pam
 		pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
 		return rc;
 	}
+	(void)pam_get_item(pamh, PAM_TTY, &tty);
+	(void)pam_get_item(pamh, PAM_RHOST, &rhost);
 	if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
 		pam_syslog(pamh, LOG_ERR, "Error translating default context.");
 		default_raw = NULL;
@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pam
 		goto out;
 	}
 	if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
-				   msg, NULL, NULL, NULL, success) <= 0) {
+				   msg, rhost, NULL, tty, success) <= 0) {
 		pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
 		goto out;
 	}
diff -up Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c
--- Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata	2012-08-15 13:08:43.000000000 +0200
+++ Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c	2012-09-03 15:20:06.071641000 +0200
@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldt
 #ifdef HAVE_LIBAUDIT
     char buf[64];
     int audit_fd = -1;
+    const void *rhost = NULL, *tty = NULL;
 #endif
 
     if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldt
     if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
                             errno == EAFNOSUPPORT))
          return PAM_SYSTEM_ERR;
+    (void)pam_get_item(pamh, PAM_TTY, &tty);
+    (void)pam_get_item(pamh, PAM_RHOST, &rhost);
 #endif
     if (opts->deny != 0 &&                        /* deny==0 means no deny        */
         tally->fail_cnt > opts->deny &&           /* tally>deny means exceeded    */
@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldt
             /* First say that max number was hit. */
             snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
             audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
-                                   NULL, NULL, NULL, 1);
+                                   rhost, NULL, tty, 1);
         }
 #endif
         if (uid) {
@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldt
 #ifdef HAVE_LIBAUDIT
                     snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
                     audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
-                                   NULL, NULL, NULL, 1);
+                                   rhost, NULL, tty, 1);
 #endif
 	            rv = PAM_SUCCESS;
 		    goto cleanup;
@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldt
 #ifdef HAVE_LIBAUDIT
                     snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
                     audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
-                                   NULL, NULL, NULL, 1);
+                                   rhost, NULL, tty, 1);
 #endif
 	            rv = PAM_SUCCESS;
 	            goto cleanup;
@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldt
         if (tally->fail_cnt == opts->deny+1) {
             /* First say that max number was hit. */
             audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
-                                   NULL, NULL, NULL, 1);
+                                   rhost, NULL, tty, 1);
         }
 #endif
 
@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv )
         int audit_fd = audit_open();
         snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
         audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-                buf, NULL, NULL, NULL, 1);
+                buf, NULL, NULL, ttyname(fileno(stdin)), 1);
         if (audit_fd >=0)
                 close(audit_fd);
 #endif
@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv )
       int audit_fd = audit_open();
       snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
       audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
-              buf, NULL, NULL, NULL, 1);
+              buf, NULL, NULL, ttyname(fileno(stdin)), 1);
       if (audit_fd >=0)
               close(audit_fd);
 #endif