shadow-utils/shadow-4.14.0-audit-update.patch

diff -up shadow-4.14.0/libmisc/audit_help.c.audit-update shadow-4.14.0/libmisc/audit_help.c
--- shadow-4.14.0/libmisc/audit_help.c.audit-update	2023-05-26 04:56:11.000000000 +0200
+++ shadow-4.14.0/libmisc/audit_help.c	2023-08-04 09:30:25.206963536 +0200
@@ -46,7 +46,7 @@ void audit_help_open (void)
  * This function will log a message to the audit system using a predefined
  * message format. Parameter usage is as follows:
  *
- * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account
+ * type - type of message: AUDIT_USER_MGMT for changing any account
  *	  attributes.
  * pgname - program's name
  * op  -  operation. "adding user", "changing finger info", "deleting group"
@@ -66,6 +66,39 @@ void audit_logger (int type, unused cons
 	}
 }
 
+/*
+ * This function will log a message to the audit system using a predefined
+ * message format. Parameter usage is as follows:
+ *
+ * type - type of message: AUDIT_USER_MGMT for changing any account 
+ *	  attributes.
+ * pgname - program's name
+ * op  -  operation. "adding user", "changing finger info", "deleting group"
+ * name - user's account or group name. If not available use NULL.
+ * id  -  uid or gid that the operation is being performed on. This is used
+ *	  only when user is NULL.
+ * grp - group name associated with event
+ */
+void audit_logger_with_group (int type, unused const char *pgname,
+		const char *op, const char *name, unsigned int id,
+		const char *grp, shadow_audit_result result)
+{
+	int len;
+	char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1], buf[1024];
+	if (audit_fd < 0) {
+		return;
+	}
+	len = strnlen(grp, sizeof(enc_group)/2);
+	if (audit_value_needs_encoding(grp, len)) {
+		snprintf(buf, sizeof(buf), "%s grp=%s", op,
+			audit_encode_value(enc_group, grp, len));
+	} else {
+		snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp);
+	}
+	audit_log_acct_message (audit_fd, type, NULL, buf, name, id,
+		                        NULL, NULL, NULL, (int) result);
+}
+
 void audit_logger_message (const char *message, shadow_audit_result result)
 {
 	if (audit_fd < 0) {
diff -up shadow-4.14.0/libmisc/cleanup_group.c.audit-update shadow-4.14.0/libmisc/cleanup_group.c
--- shadow-4.14.0/libmisc/cleanup_group.c.audit-update	2023-05-26 04:56:11.000000000 +0200
+++ shadow-4.14.0/libmisc/cleanup_group.c	2023-08-04 09:30:25.207963539 +0200
@@ -61,7 +61,7 @@ void cleanup_report_mod_group (void *cle
 	         gr_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, log_get_progname(),
+	audit_logger (AUDIT_GRP_MGMT, log_get_progname(),
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -79,7 +79,7 @@ void cleanup_report_mod_gshadow (void *c
 	         sgr_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, log_get_progname(),
+	audit_logger (AUDIT_GRP_MGMT, log_get_progname(),
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -100,7 +100,7 @@ void cleanup_report_add_group_group (voi
 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, gr_dbname ()));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
-	              "adding group to /etc/group",
+	              "adding-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -119,8 +119,8 @@ void cleanup_report_add_group_gshadow (v
 
 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, sgr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
-	              "adding group to /etc/gshadow",
+	audit_logger (AUDIT_GRP_MGMT, log_get_progname(),
+	              "adding-shadow-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -142,8 +142,8 @@ void cleanup_report_del_group_group (voi
 	         "failed to remove group %s from %s",
 	         name, gr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
-	              "removing group from /etc/group",
+	audit_logger (AUDIT_DEL_GROUP, log_get_progname(),
+	              "removing-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -165,8 +165,8 @@ void cleanup_report_del_group_gshadow (v
 	         "failed to remove group %s from %s",
 	         name, sgr_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, log_get_progname(),
-	              "removing group from /etc/gshadow",
+	audit_logger (AUDIT_GRP_MGMT, log_get_progname(),
+	              "removing-shadow-group",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -186,7 +186,7 @@ void cleanup_unlock_group (unused void *
 		         log_get_progname(), gr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking group file",
+		audit_logger_message ("unlocking-group",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
@@ -206,7 +206,7 @@ void cleanup_unlock_gshadow (unused void
 		         log_get_progname(), sgr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking gshadow file",
+		audit_logger_message ("unlocking-gshadow",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
diff -up shadow-4.14.0/libmisc/cleanup_user.c.audit-update shadow-4.14.0/libmisc/cleanup_user.c
--- shadow-4.14.0/libmisc/cleanup_user.c.audit-update	2023-05-26 04:56:11.000000000 +0200
+++ shadow-4.14.0/libmisc/cleanup_user.c	2023-08-04 09:30:25.207963539 +0200
@@ -43,7 +43,7 @@ void cleanup_report_mod_passwd (void *cl
 	         pw_dbname (),
 	         info->action));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, log_get_progname(),
+	audit_logger (AUDIT_USER_MGMT, log_get_progname(),
 	              info->audit_msg,
 	              info->name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
@@ -64,7 +64,7 @@ void cleanup_report_add_user_passwd (voi
 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, pw_dbname ()));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_ADD_USER, log_get_progname(),
-	              "adding user to /etc/passwd",
+	              "adding-user",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -83,8 +83,8 @@ void cleanup_report_add_user_shadow (voi
 
 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, spw_dbname ()));
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_USER, log_get_progname(),
-	              "adding user to /etc/shadow",
+	audit_logger (AUDIT_USER_MGMT, log_get_progname(),
+	              "adding-shadow-user",
 	              name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_FAILURE);
 #endif
@@ -103,7 +103,7 @@ void cleanup_unlock_passwd (unused void
 		         log_get_progname(), pw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking passwd file",
+		audit_logger_message ("unlocking-passwd",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
@@ -122,7 +122,7 @@ void cleanup_unlock_shadow (unused void
 		         log_get_progname(), spw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
 #ifdef WITH_AUDIT
-		audit_logger_message ("unlocking shadow file",
+		audit_logger_message ("unlocking-shadow",
 		                      SHADOW_AUDIT_FAILURE);
 #endif
 	}
diff -up shadow-4.14.0/lib/prototypes.h.audit-update shadow-4.14.0/lib/prototypes.h
--- shadow-4.14.0/lib/prototypes.h.audit-update	2023-08-03 18:28:35.000000000 +0200
+++ shadow-4.14.0/lib/prototypes.h	2023-08-04 09:30:25.207963539 +0200
@@ -202,12 +202,21 @@ extern int audit_fd;
 extern void audit_help_open (void);
 /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */
 #define AUDIT_NO_ID	((unsigned int) -1)
+#ifndef AUDIT_GRP_MGMT
+#define AUDIT_GRP_MGMT          1132    /* Group account was modified */
+#endif
+#ifndef AUDIT_GRP_CHAUTHTOK
+#define AUDIT_GRP_CHAUTHTOK     1133    /* Group account password was changed */
+#endif
 typedef enum {
 	SHADOW_AUDIT_FAILURE = 0,
 	SHADOW_AUDIT_SUCCESS = 1} shadow_audit_result;
 extern void audit_logger (int type, const char *pgname, const char *op,
                           const char *name, unsigned int id,
                           shadow_audit_result result);
+void audit_logger_with_group (int type, unused const char *pgname,
+                const char *op, const char *name, unsigned int id, 
+                const char *grp, shadow_audit_result result);
 void audit_logger_message (const char *message, shadow_audit_result result);
 #endif
 
diff -up shadow-4.14.0/src/chage.c.audit-update shadow-4.14.0/src/chage.c
--- shadow-4.14.0/src/chage.c.audit-update	2023-08-04 09:30:25.207963539 +0200
+++ shadow-4.14.0/src/chage.c	2023-08-04 09:31:12.237080212 +0200
@@ -106,8 +106,8 @@ fail_exit (int code)
 
 #ifdef WITH_AUDIT
 	if (E_SUCCESS != code) {
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "change age", user_name, user_uid, 0);
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "change-age", user_name, user_uid, SHADOW_AUDIT_FAILURE);
 	}
 #endif
 
@@ -841,10 +841,7 @@ int main (int argc, char **argv)
 			fprintf (stderr, _("%s: Permission denied.\n"), Prog);
 			fail_exit (E_NOPERM);
 		}
-#ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "display aging info", user_name, user_uid, 1);
-#endif
+		/* Displaying fields is not of interest to audit */
 		list_fields ();
 		fail_exit (E_SUCCESS);
 	}
@@ -863,39 +860,39 @@ int main (int argc, char **argv)
 		}
 #ifdef WITH_AUDIT
 		else {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "change all aging information",
-			              user_name, user_uid, 1);
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "change-all-aging-information",
+			              user_name, user_uid, SHADOW_AUDIT_SUCCESS);
 		}
 #endif
 	} else {
 #ifdef WITH_AUDIT
 		if (Mflg) {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "change max age", user_name, user_uid, 1);
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "change-max-age", user_name, user_uid, SHADOW_AUDIT_SUCCESS);
 		}
 		if (mflg) {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "change min age", user_name, user_uid, 1);
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "change-min-age", user_name, user_uid, 1);
 		}
 		if (dflg) {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "change last change date",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "change-last-change-date",
 			              user_name, user_uid, 1);
 		}
 		if (Wflg) {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "change passwd warning",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "change-passwd-warning",
 			              user_name, user_uid, 1);
 		}
 		if (Iflg) {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "change inactive days",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "change-inactive-days",
 			              user_name, user_uid, 1);
 		}
 		if (Eflg) {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "change passwd expiration",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "change-passwd-expiration",
 			              user_name, user_uid, 1);
 		}
 #endif
diff -up shadow-4.14.0/src/gpasswd.c.audit-update shadow-4.14.0/src/gpasswd.c
--- shadow-4.14.0/src/gpasswd.c.audit-update	2023-06-11 03:35:50.000000000 +0200
+++ shadow-4.14.0/src/gpasswd.c	2023-08-04 09:30:25.207963539 +0200
@@ -118,7 +118,7 @@ static void usage (int status)
 	(void) fputs (_("  -d, --delete USER             remove USER from GROUP\n"), usageout);
 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
 	(void) fputs (_("  -Q, --root CHROOT_DIR         directory to chroot into\n"), usageout);
-	(void) fputs (_("  -r, --remove-password         remove the GROUP's password\n"), usageout);
+	(void) fputs (_("  -r, --delete-password         remove the GROUP's password\n"), usageout);
 	(void) fputs (_("  -R, --restrict                restrict access to GROUP to its members\n"), usageout);
 	(void) fputs (_("  -M, --members USER,...        set the list of members of GROUP\n"), usageout);
 #ifdef SHADOWGRP
@@ -377,21 +377,14 @@ static void open_files (void)
 
 static void log_gpasswd_failure (const char *suffix)
 {
-#ifdef WITH_AUDIT
-	char buf[1024];
-#endif
 	if (aflg) {
 		SYSLOG ((LOG_ERR,
 		         "%s failed to add user %s to group %s%s",
 		         myname, user, group, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "%s failed to add user %s to group %s%s",
-		          myname, user, group, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_ACCT, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+		              "add-user-to-group",
+		              user, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_FAILURE);
 #endif
 	} else if (dflg) {
@@ -399,13 +392,9 @@ static void log_gpasswd_failure (const c
 		         "%s failed to remove user %s from group %s%s",
 		         myname, user, group, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "%s failed to remove user %s from group %s%s",
-		          myname, user, group, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_ACCT, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+		              "delete-user-from-group",
+		              user, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_FAILURE);
 #endif
 	} else if (rflg) {
@@ -413,13 +402,9 @@ static void log_gpasswd_failure (const c
 		         "%s failed to remove password of group %s%s",
 		         myname, group, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "%s failed to remove password of group %s%s",
-		          myname, group, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
+		              "delete-group-password",
+		              myname, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_FAILURE);
 #endif
 	} else if (Rflg) {
@@ -427,13 +412,9 @@ static void log_gpasswd_failure (const c
 		         "%s failed to restrict access to group %s%s",
 		         myname, group, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "%s failed to restrict access to group %s%s",
-		          myname, group, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
+		              "restrict-group",
+		              myname, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_FAILURE);
 #endif
 	} else if (Aflg || Mflg) {
@@ -443,13 +424,9 @@ static void log_gpasswd_failure (const c
 			         "%s failed to set the administrators of group %s to %s%s",
 			         myname, group, admins, suffix));
 #ifdef WITH_AUDIT
-			snprintf (buf, 1023,
-			          "%s failed to set the administrators of group %s to %s%s",
-			          myname, group, admins, suffix);
-			buf[1023] = '\0';
-			audit_logger (AUDIT_USER_ACCT, Prog,
-			              buf,
-			              group, AUDIT_NO_ID,
+			audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
+			              "set-admins-of-group",
+			              admins, AUDIT_NO_ID, group,
 			              SHADOW_AUDIT_FAILURE);
 #endif
 		}
@@ -459,13 +436,9 @@ static void log_gpasswd_failure (const c
 			         "%s failed to set the members of group %s to %s%s",
 			         myname, group, members, suffix));
 #ifdef WITH_AUDIT
-			snprintf (buf, 1023,
-			          "%s failed to set the members of group %s to %s%s",
-			          myname, group, members, suffix);
-			buf[1023] = '\0';
-			audit_logger (AUDIT_USER_ACCT, Prog,
-			              buf,
-			              group, AUDIT_NO_ID,
+			audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+			              "add-users-to-group",
+			              members, AUDIT_NO_ID, group,
 			              SHADOW_AUDIT_FAILURE);
 #endif
 		}
@@ -474,13 +447,9 @@ static void log_gpasswd_failure (const c
 		         "%s failed to change password of group %s%s",
 		         myname, group, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "%s failed to change password of group %s%s",
-		          myname, group, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
+		              "change-password",
+		              myname, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_FAILURE);
 #endif
 	}
@@ -511,21 +480,14 @@ static void log_gpasswd_failure_gshadow
 
 static void log_gpasswd_success (const char *suffix)
 {
-#ifdef WITH_AUDIT
-	char buf[1024];
-#endif
 	if (aflg) {
 		SYSLOG ((LOG_INFO,
 		         "user %s added by %s to group %s%s",
 		         user, myname, group, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "user %s added by %s to group %s%s",
-		          user, myname, group, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_ACCT, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+		              "add-user-to-group",
+		              user, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_SUCCESS);
 #endif
 	} else if (dflg) {
@@ -533,13 +495,9 @@ static void log_gpasswd_success (const c
 		         "user %s removed by %s from group %s%s",
 		         user, myname, group, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "user %s removed by %s from group %s%s",
-		          user, myname, group, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_ACCT, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+		              "delete-user-from-group",
+		              user, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_SUCCESS);
 #endif
 	} else if (rflg) {
@@ -547,13 +505,9 @@ static void log_gpasswd_success (const c
 		         "password of group %s removed by %s%s",
 		         group, myname, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "password of group %s removed by %s%s",
-		          group, myname, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
+		              "delete-group-password",
+		              myname, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_SUCCESS);
 #endif
 	} else if (Rflg) {
@@ -561,13 +515,9 @@ static void log_gpasswd_success (const c
 		         "access to group %s restricted by %s%s",
 		         group, myname, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "access to group %s restricted by %s%s",
-		          group, myname, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
+		              "restrict-group",
+		              myname, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_SUCCESS);
 #endif
 	} else if (Aflg || Mflg) {
@@ -577,13 +527,9 @@ static void log_gpasswd_success (const c
 			         "administrators of group %s set by %s to %s%s",
 			         group, myname, admins, suffix));
 #ifdef WITH_AUDIT
-			snprintf (buf, 1023,
-			          "administrators of group %s set by %s to %s%s",
-			          group, myname, admins, suffix);
-			buf[1023] = '\0';
-			audit_logger (AUDIT_USER_ACCT, Prog,
-			              buf,
-			              group, AUDIT_NO_ID,
+			audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
+			              "set-admins-of-group",
+			              admins, AUDIT_NO_ID, group,
 			              SHADOW_AUDIT_SUCCESS);
 #endif
 		}
@@ -593,13 +539,9 @@ static void log_gpasswd_success (const c
 			         "members of group %s set by %s to %s%s",
 			         group, myname, members, suffix));
 #ifdef WITH_AUDIT
-			snprintf (buf, 1023,
-			          "members of group %s set by %s to %s%s",
-			          group, myname, members, suffix);
-			buf[1023] = '\0';
-			audit_logger (AUDIT_USER_ACCT, Prog,
-			              buf,
-			              group, AUDIT_NO_ID,
+			audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+			              "add-users-to-group",
+			              members, AUDIT_NO_ID, group,
 			              SHADOW_AUDIT_SUCCESS);
 #endif
 		}
@@ -608,13 +550,9 @@ static void log_gpasswd_success (const c
 		         "password of group %s changed by %s%s",
 		         group, myname, suffix));
 #ifdef WITH_AUDIT
-		snprintf (buf, 1023,
-		          "password of group %s changed by %s%s",
-		          group, myname, suffix);
-		buf[1023] = '\0';
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              buf,
-		              group, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
+		              "change-password",
+		              myname, AUDIT_NO_ID, group,
 		              SHADOW_AUDIT_SUCCESS);
 #endif
 	}
diff -up shadow-4.14.0/src/groupadd.c.audit-update shadow-4.14.0/src/groupadd.c
--- shadow-4.14.0/src/groupadd.c.audit-update	2023-05-26 04:56:11.000000000 +0200
+++ shadow-4.14.0/src/groupadd.c	2023-08-04 09:34:34.125581046 +0200
@@ -114,6 +114,15 @@ usage (int status)
 	exit (status);
 }
 
+static void fail_exit(int status)
+{
+#ifdef WITH_AUDIT
+	audit_logger(AUDIT_ADD_GROUP, Prog, "add-group", group_name,
+			AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
+#endif
+	exit (status);
+}
+
 /*
  * new_grent - initialize the values in a group file entry
  *
@@ -210,7 +219,7 @@ static void grp_update (void)
 		fprintf (stderr,
 		         _("%s: failed to prepare the new %s entry '%s'\n"),
 		         Prog, gr_dbname (), grp.gr_name);
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 #ifdef	SHADOWGRP
 	/*
@@ -220,7 +229,7 @@ static void grp_update (void)
 		fprintf (stderr,
 		         _("%s: failed to prepare the new %s entry '%s'\n"),
 		         Prog, sgr_dbname (), sgrp.sg_name);
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 #endif				/* SHADOWGRP */
 }
@@ -244,7 +253,7 @@ static void check_new_name (void)
 	fprintf (stderr, _("%s: '%s' is not a valid group name\n"),
 	         Prog, group_name);
 
-	exit (E_BAD_ARG);
+	fail_exit (E_BAD_ARG);
 }
 
 /*
@@ -260,11 +269,11 @@ static void close_files (void)
 		fprintf (stderr,
 		         _("%s: failure while writing changes to %s\n"),
 		         Prog, gr_dbname ());
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_ADD_GROUP, Prog,
-	              "adding group to /etc/group",
+	              "add-group",
 	              group_name, group_id, SHADOW_AUDIT_SUCCESS);
 #endif
 	SYSLOG ((LOG_INFO, "group added to %s: name=%s, GID=%u",
@@ -281,11 +290,11 @@ static void close_files (void)
 			fprintf (stderr,
 			         _("%s: failure while writing changes to %s\n"),
 			         Prog, sgr_dbname ());
-			exit (E_GRP_UPDATE);
+			fail_exit (E_GRP_UPDATE);
 		}
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_ADD_GROUP, Prog,
-		              "adding group to /etc/gshadow",
+		audit_logger (AUDIT_GRP_MGMT, Prog,
+		              "add-shadow-group",
 		              group_name, group_id, SHADOW_AUDIT_SUCCESS);
 #endif
 		SYSLOG ((LOG_INFO, "group added to %s: name=%s",
@@ -298,10 +307,6 @@ static void close_files (void)
 #endif				/* SHADOWGRP */
 
 	/* Report success at the system level */
-#ifdef WITH_AUDIT
-	audit_logger (AUDIT_ADD_GROUP, Prog,
-	              "", group_name, group_id, SHADOW_AUDIT_SUCCESS);
-#endif
 	SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u",
 	         group_name, (unsigned int) group_id));
 	del_cleanup (cleanup_report_add_group);
@@ -319,7 +324,7 @@ static void open_files (void)
 		fprintf (stderr,
 		         _("%s: cannot lock %s; try again later.\n"),
 		         Prog, gr_dbname ());
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 	add_cleanup (cleanup_unlock_group, NULL);
 
@@ -329,7 +334,7 @@ static void open_files (void)
 			fprintf (stderr,
 			         _("%s: cannot lock %s; try again later.\n"),
 			         Prog, sgr_dbname ());
-			exit (E_GRP_UPDATE);
+			fail_exit (E_GRP_UPDATE);
 		}
 		add_cleanup (cleanup_unlock_gshadow, NULL);
 	}
@@ -345,7 +350,7 @@ static void open_files (void)
 	if (gr_open (O_CREAT | O_RDWR) == 0) {
 		fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
 		SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 
 #ifdef	SHADOWGRP
@@ -355,7 +360,7 @@ static void open_files (void)
 			         _("%s: cannot open %s\n"),
 			         Prog, sgr_dbname ());
 			SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
-			exit (E_GRP_UPDATE);
+			fail_exit (E_GRP_UPDATE);
 		}
 	}
 #endif				/* SHADOWGRP */
@@ -492,7 +497,7 @@ static void check_flags (void)
 		fprintf (stderr,
 		         _("%s: group '%s' already exists\n"),
 		         Prog, group_name);
-		exit (E_NAME_IN_USE);
+		fail_exit (E_NAME_IN_USE);
 	}
 
 	if (gflg && (prefix_getgrgid (group_id) != NULL)) {
@@ -511,7 +516,7 @@ static void check_flags (void)
 			fprintf (stderr,
 			         _("%s: GID '%lu' already exists\n"),
 			         Prog, (unsigned long int) group_id);
-			exit (E_GID_IN_USE);
+			fail_exit (E_GID_IN_USE);
 		}
 	}
 }
@@ -539,7 +544,7 @@ static void check_perms (void)
 		fprintf (stderr,
 		         _("%s: Cannot determine your user name.\n"),
 		         Prog);
-		exit (1);
+		fail_exit (1);
 	}
 
 	retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh);
@@ -559,7 +564,7 @@ static void check_perms (void)
 		if (NULL != pamh) {
 			(void) pam_end (pamh, retval);
 		}
-		exit (1);
+		fail_exit (1);
 	}
 	(void) pam_end (pamh, retval);
 #endif				/* USE_PAM */
@@ -594,7 +599,7 @@ int main (int argc, char **argv)
 		fprintf (stderr,
 		         _("%s: Cannot setup cleanup service.\n"),
 		         Prog);
-		exit (1);
+		fail_exit (1);
 	}
 
 	/*
@@ -621,7 +626,7 @@ int main (int argc, char **argv)
 
 	if (!gflg) {
 		if (find_new_gid (rflg, &group_id, NULL) < 0) {
-			exit (E_GID_IN_USE);
+			fail_exit (E_GID_IN_USE);
 		}
 	}
 
diff -up shadow-4.14.0/src/groupdel.c.audit-update shadow-4.14.0/src/groupdel.c
--- shadow-4.14.0/src/groupdel.c.audit-update	2023-05-26 04:56:11.000000000 +0200
+++ shadow-4.14.0/src/groupdel.c	2023-08-04 09:36:42.778900250 +0200
@@ -87,6 +87,15 @@ usage (int status)
 	exit (status);
 }
 
+static void fail_exit(int status)
+{
+#ifdef WITH_AUDIT
+	audit_logger(AUDIT_GRP_MGMT, Prog, "delete-group", group_name,
+                        AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
+#endif
+	exit (status);
+}
+
 /*
  * grp_update - update group file entries
  *
@@ -113,7 +122,7 @@ static void grp_update (void)
 		fprintf (stderr,
 		         _("%s: cannot remove entry '%s' from %s\n"),
 		         Prog, group_name, gr_dbname ());
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 
 #ifdef	SHADOWGRP
@@ -125,7 +134,7 @@ static void grp_update (void)
 			fprintf (stderr,
 			         _("%s: cannot remove entry '%s' from %s\n"),
 			         Prog, group_name, sgr_dbname ());
-			exit (E_GRP_UPDATE);
+			fail_exit (E_GRP_UPDATE);
 		}
 	}
 #endif				/* SHADOWGRP */
@@ -144,12 +153,12 @@ static void close_files (void)
 		fprintf (stderr,
 		         _("%s: failure while writing changes to %s\n"),
 		         Prog, gr_dbname ());
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_DEL_GROUP, Prog,
-	              "removing group from /etc/group",
+	              "delete-group",
 	              group_name, group_id, SHADOW_AUDIT_SUCCESS);
 #endif
 	SYSLOG ((LOG_INFO,
@@ -168,12 +177,12 @@ static void close_files (void)
 			fprintf (stderr,
 			         _("%s: failure while writing changes to %s\n"),
 			         Prog, sgr_dbname ());
-			exit (E_GRP_UPDATE);
+			fail_exit (E_GRP_UPDATE);
 		}
 
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_DEL_GROUP, Prog,
-		              "removing group from /etc/gshadow",
+		audit_logger (AUDIT_GRP_MGMT, Prog,
+		              "delete-shadow-group",
 		              group_name, group_id, SHADOW_AUDIT_SUCCESS);
 #endif
 		SYSLOG ((LOG_INFO,
@@ -186,11 +195,6 @@ static void close_files (void)
 	}
 #endif				/* SHADOWGRP */
 
-	/* Report success at the system level */
-#ifdef WITH_AUDIT
-	audit_logger (AUDIT_DEL_GROUP, Prog,
-	              "", group_name, group_id, SHADOW_AUDIT_SUCCESS);
-#endif
 	SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name));
 	del_cleanup (cleanup_report_del_group);
 }
@@ -207,7 +211,7 @@ static void open_files (void)
 		fprintf (stderr,
 		         _("%s: cannot lock %s; try again later.\n"),
 		         Prog, gr_dbname ());
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 	add_cleanup (cleanup_unlock_group, NULL);
 #ifdef	SHADOWGRP
@@ -216,7 +220,7 @@ static void open_files (void)
 			fprintf (stderr,
 			         _("%s: cannot lock %s; try again later.\n"),
 			         Prog, sgr_dbname ());
-			exit (E_GRP_UPDATE);
+			fail_exit (E_GRP_UPDATE);
 		}
 		add_cleanup (cleanup_unlock_gshadow, NULL);
 	}
@@ -234,7 +238,7 @@ static void open_files (void)
 		         _("%s: cannot open %s\n"),
 		         Prog, gr_dbname ());
 		SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
-		exit (E_GRP_UPDATE);
+		fail_exit (E_GRP_UPDATE);
 	}
 #ifdef	SHADOWGRP
 	if (is_shadow_grp) {
@@ -243,7 +247,7 @@ static void open_files (void)
 			         _("%s: cannot open %s\n"),
 			         Prog, sgr_dbname ());
 			SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
-			exit (E_GRP_UPDATE);
+			fail_exit (E_GRP_UPDATE);
 		}
 	}
 #endif				/* SHADOWGRP */
@@ -284,7 +288,7 @@ static void group_busy (gid_t gid)
 	fprintf (stderr,
 	         _("%s: cannot remove the primary group of user '%s'\n"),
 	         Prog, pwd->pw_name);
-	exit (E_GROUP_BUSY);
+	fail_exit (E_GROUP_BUSY);
 }
 
 /*
@@ -372,7 +376,7 @@ int main (int argc, char **argv)
 		fprintf (stderr,
 		         _("%s: Cannot setup cleanup service.\n"),
 		         Prog);
-		exit (1);
+		fail_exit (1);
 	}
 
 	process_flags (argc, argv);
@@ -386,7 +390,7 @@ int main (int argc, char **argv)
 			fprintf (stderr,
 			         _("%s: Cannot determine your user name.\n"),
 			         Prog);
-			exit (1);
+			fail_exit (1);
 		}
 
 		retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh);
@@ -407,7 +411,7 @@ int main (int argc, char **argv)
 		if (NULL != pamh) {
 			(void) pam_end (pamh, retval);
 		}
-		exit (1);
+		fail_exit (1);
 	}
 	(void) pam_end (pamh, retval);
 #endif				/* USE_PAM */
@@ -427,7 +431,7 @@ int main (int argc, char **argv)
 			fprintf (stderr,
 			         _("%s: group '%s' does not exist\n"),
 			         Prog, group_name);
-			exit (E_NOTFOUND);
+			fail_exit (E_NOTFOUND);
 		}
 
 		group_id = grp->gr_gid;
@@ -451,7 +455,7 @@ int main (int argc, char **argv)
 			         _("%s: %s is the NIS master\n"),
 			         Prog, nis_master);
 		}
-		exit (E_NOTFOUND);
+		fail_exit (E_NOTFOUND);
 	}
 #endif
 
diff -up shadow-4.14.0/src/groupmod.c.audit-update shadow-4.14.0/src/groupmod.c
--- shadow-4.14.0/src/groupmod.c.audit-update	2023-06-10 02:02:29.000000000 +0200
+++ shadow-4.14.0/src/groupmod.c	2023-08-04 09:30:25.208963541 +0200
@@ -473,7 +473,7 @@ static void close_files (void)
 		exit (E_GRP_UPDATE);
 	}
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, Prog,
+	audit_logger (AUDIT_GRP_MGMT, Prog,
 	              info_group.audit_msg,
 	              group_name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_SUCCESS);
@@ -496,7 +496,14 @@ static void close_files (void)
 			exit (E_GRP_UPDATE);
 		}
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_ACCT, Prog,
+		/* If both happened, log password change as its more important */
+		if (pflg)
+			audit_logger (AUDIT_GRP_CHAUTHTOK, Prog,
+		              info_gshadow.audit_msg,
+		              group_name, AUDIT_NO_ID,
+		              SHADOW_AUDIT_SUCCESS);
+		else
+			audit_logger (AUDIT_GRP_MGMT, Prog,
 		              info_gshadow.audit_msg,
 		              group_name, AUDIT_NO_ID,
 		              SHADOW_AUDIT_SUCCESS);
@@ -519,7 +526,7 @@ static void close_files (void)
 			exit (E_GRP_UPDATE);
 		}
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_ACCT, Prog,
+		audit_logger (AUDIT_GRP_MGMT, Prog,
 		              info_passwd.audit_msg,
 		              group_name, AUDIT_NO_ID,
 		              SHADOW_AUDIT_SUCCESS);
@@ -534,8 +541,8 @@ static void close_files (void)
 	}
 
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_ACCT, Prog,
-	              "modifying group",
+	audit_logger (AUDIT_GRP_MGMT, Prog,
+	              "modify-group",
 	              group_name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_SUCCESS);
 #endif
diff -up shadow-4.14.0/src/newgrp.c.audit-update shadow-4.14.0/src/newgrp.c
--- shadow-4.14.0/src/newgrp.c.audit-update	2023-08-04 09:30:25.208963541 +0200
+++ shadow-4.14.0/src/newgrp.c	2023-08-04 09:51:28.354208322 +0200
@@ -186,10 +186,10 @@ static void check_perms (const struct gr
 		    strcmp (cpasswd, grp->gr_passwd) != 0) {
 #ifdef WITH_AUDIT
 			snprintf (audit_buf, sizeof(audit_buf),
-			          "authentication new-gid=%lu",
+			          "authentication new_gid=%lu",
 			          (unsigned long) grp->gr_gid);
 			audit_logger (AUDIT_GRP_AUTH, Prog,
-			              audit_buf, NULL, getuid (), 0);
+			              audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE);
 #endif
 			SYSLOG ((LOG_INFO,
 				 "Invalid password for group '%s' from '%s'",
@@ -200,10 +200,10 @@ static void check_perms (const struct gr
 		}
 #ifdef WITH_AUDIT
 		snprintf (audit_buf, sizeof(audit_buf),
-		          "authentication new-gid=%lu",
+		          "authentication new_gid=%lu",
 		          (unsigned long) grp->gr_gid);
 		audit_logger (AUDIT_GRP_AUTH, Prog,
-		              audit_buf, NULL, getuid (), 1);
+		              audit_buf, NULL, getuid (), SHADOW_AUDIT_SUCCESS);
 #endif
 	}
 
@@ -214,17 +214,6 @@ failure:
 	 * harm.  -- JWP
 	 */
 	closelog ();
-#ifdef WITH_AUDIT
-	if (groupname) {
-		snprintf (audit_buf, sizeof(audit_buf),
-		          "changing new-group=%s", groupname);
-		audit_logger (AUDIT_CHGRP_ID, Prog,
-		              audit_buf, NULL, getuid (), 0);
-	} else {
-		audit_logger (AUDIT_CHGRP_ID, Prog,
-		              "changing", NULL, getuid (), 0);
-	}
-#endif
 	exit (EXIT_FAILURE);
 }
 
@@ -298,13 +287,23 @@ static void syslog_sg (const char *name,
 				 is_newgrp ? "newgrp" : "sg", strerror (errno));
 #ifdef WITH_AUDIT
 			if (group) {
-				snprintf (audit_buf, sizeof(audit_buf),
-				          "changing new-group=%s", group);
+				char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1];
+				int len = strnlen(group, sizeof(enc_group)/2);
+				if (audit_value_needs_encoding(group, len)) {
+					snprintf (audit_buf, sizeof(audit_buf),
+					          "changing new_group=%s",
+					          audit_encode_value(enc_group,
+					          group, len));
+				} else {
+					snprintf (audit_buf, sizeof(audit_buf),
+					          "changing new_group=\"%s\"",
+					          group);
+				}
 				audit_logger (AUDIT_CHGRP_ID, Prog,
-				              audit_buf, NULL, getuid (), 0);
+				              audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE);
 			} else {
 				audit_logger (AUDIT_CHGRP_ID, Prog,
-				              "changing", NULL, getuid (), 0);
+				              "changing", NULL, getuid (), SHADOW_AUDIT_FAILURE);
 			}
 #endif
 			exit (EXIT_FAILURE);
@@ -440,7 +439,7 @@ int main (int argc, char **argv)
 		         Prog);
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_CHGRP_ID, Prog,
-		              "changing", NULL, getuid (), 0);
+		              "changing", NULL, getuid (), SHADOW_AUDIT_FAILURE);
 #endif
 		SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)",
 		         (unsigned long) getuid ()));
@@ -556,13 +555,22 @@ int main (int argc, char **argv)
 		perror ("getgroups");
 #ifdef WITH_AUDIT
 		if (group) {
-			snprintf (audit_buf, sizeof(audit_buf),
-			          "changing new-group=%s", group);
+			char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1];
+			int len = strnlen(group, sizeof(enc_group)/2);
+			if (audit_value_needs_encoding(group, len)) {
+				snprintf (audit_buf, sizeof(audit_buf),
+				          "changing new_group=%s",
+				          audit_encode_value(enc_group,
+				          group, len));
+			} else {
+				snprintf (audit_buf, sizeof(audit_buf),
+				          "changing new_group=\"%s\"", group);
+			}
 			audit_logger (AUDIT_CHGRP_ID, Prog,
-			              audit_buf, NULL, getuid (), 0);
+			              audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE);
 		} else {
 			audit_logger (AUDIT_CHGRP_ID, Prog,
-			              "changing", NULL, getuid (), 0);
+			              "changing", NULL, getuid (), SHADOW_AUDIT_FAILURE);
 		}
 #endif
 		exit (EXIT_FAILURE);
@@ -717,9 +725,9 @@ int main (int argc, char **argv)
 		perror ("setgid");
 #ifdef WITH_AUDIT
 		snprintf (audit_buf, sizeof(audit_buf),
-		          "changing new-gid=%lu", (unsigned long) gid);
+		          "changing new_gid=%lu", (unsigned long) gid);
 		audit_logger (AUDIT_CHGRP_ID, Prog,
-		              audit_buf, NULL, getuid (), 0);
+		              audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE);
 #endif
 		exit (EXIT_FAILURE);
 	}
@@ -728,9 +736,9 @@ int main (int argc, char **argv)
 		perror ("setuid");
 #ifdef WITH_AUDIT
 		snprintf (audit_buf, sizeof(audit_buf),
-		          "changing new-gid=%lu", (unsigned long) gid);
+		          "changing new_gid=%lu", (unsigned long) gid);
 		audit_logger (AUDIT_CHGRP_ID, Prog,
-		              audit_buf, NULL, getuid (), 0);
+		              audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE);
 #endif
 		exit (EXIT_FAILURE);
 	}
@@ -744,9 +752,9 @@ int main (int argc, char **argv)
 		execl (SHELL, "sh", "-c", command, (char *) NULL);
 #ifdef WITH_AUDIT
 		snprintf (audit_buf, sizeof(audit_buf),
-		          "changing new-gid=%lu", (unsigned long) gid);
+		          "changing new_gid=%lu", (unsigned long) gid);
 		audit_logger (AUDIT_CHGRP_ID, Prog,
-		              audit_buf, NULL, getuid (), 0);
+		              audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE);
 #endif
 		perror (SHELL);
 		exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
@@ -810,10 +818,10 @@ int main (int argc, char **argv)
 	}
 
 #ifdef WITH_AUDIT
-	snprintf (audit_buf, sizeof(audit_buf), "changing new-gid=%lu",
+	snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%lu",
 	          (unsigned long) gid);
 	audit_logger (AUDIT_CHGRP_ID, Prog,
-	              audit_buf, NULL, getuid (), 1);
+	              audit_buf, NULL, getuid (), SHADOW_AUDIT_SUCCESS);
 #endif
 	/*
 	 * Exec the login shell and go away. We are trying to get back to
@@ -837,13 +845,22 @@ int main (int argc, char **argv)
 	closelog ();
 #ifdef WITH_AUDIT
 	if (NULL != group) {
-		snprintf (audit_buf, sizeof(audit_buf),
-		          "changing new-group=%s", group);
+		char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1];
+		int len = strnlen(group, sizeof(enc_group)/2);
+		if (audit_value_needs_encoding(group, len)) {
+			snprintf (audit_buf, sizeof(audit_buf),
+			          "changing new_group=%s",
+			          audit_encode_value(enc_group,
+			          group, len));
+		} else {
+			snprintf (audit_buf, sizeof(audit_buf),
+			          "changing new_group=\"%s\"", group);
+		}
 		audit_logger (AUDIT_CHGRP_ID, Prog,
-		              audit_buf, NULL, getuid (), 0);
+		              audit_buf, NULL, getuid (), SHADOW_AUDIT_FAILURE);
 	} else {
 		audit_logger (AUDIT_CHGRP_ID, Prog,
-		              "changing", NULL, getuid (), 0);
+		              "changing", NULL, getuid (), SHADOW_AUDIT_FAILURE);
 	}
 #endif
 	exit (EXIT_FAILURE);
diff -up shadow-4.14.0/src/useradd.c.audit-update shadow-4.14.0/src/useradd.c
--- shadow-4.14.0/src/useradd.c.audit-update	2023-07-30 12:38:39.000000000 +0200
+++ shadow-4.14.0/src/useradd.c	2023-08-04 10:02:18.851935396 +0200
@@ -240,6 +240,8 @@ static void check_uid_range(int rflg, ui
  */
 static void fail_exit (int code)
 {
+	int type;
+
 	if (home_added && rmdir(prefix_user_home) != 0) {
 		fprintf(stderr,
 		        _("%s: %s was created, but could not be removed\n"),
@@ -250,38 +252,22 @@ static void fail_exit (int code)
 	if (spw_locked && spw_unlock() == 0) {
 		fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname());
 		SYSLOG((LOG_ERR, "failed to unlock %s", spw_dbname()));
-#ifdef WITH_AUDIT
-		audit_logger(AUDIT_ADD_USER, Prog, "unlocking shadow file",
-			     user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
-#endif
 		/* continue */
 	}
 	if (pw_locked && pw_unlock() == 0) {
 		fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname());
 		SYSLOG((LOG_ERR, "failed to unlock %s", pw_dbname()));
-#ifdef WITH_AUDIT
-		audit_logger(AUDIT_ADD_USER, Prog, "unlocking passwd file",
-			     user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
-#endif
 		/* continue */
 	}
 	if (gr_locked && gr_unlock() == 0) {
 		fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname());
 		SYSLOG((LOG_ERR, "failed to unlock %s", gr_dbname()));
-#ifdef WITH_AUDIT
-		audit_logger(AUDIT_ADD_USER, Prog, "unlocking group file",
-			     user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
-#endif
 		/* continue */
 	}
 #ifdef SHADOWGRP
 	if (sgr_locked && sgr_unlock() == 0) {
 		fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname());
 		SYSLOG((LOG_ERR, "failed to unlock %s", sgr_dbname()));
-# ifdef WITH_AUDIT
-		audit_logger(AUDIT_ADD_USER, Prog, "unlocking gshadow file",
-			     user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
-# endif
 		/* continue */
 	}
 #endif
@@ -289,27 +275,23 @@ static void fail_exit (int code)
 	if (sub_uid_locked && sub_uid_unlock() == 0) {
 		fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname());
 		SYSLOG((LOG_ERR, "failed to unlock %s", sub_uid_dbname()));
-# ifdef WITH_AUDIT
-		audit_logger(AUDIT_ADD_USER, Prog,
-		             "unlocking subordinate user file",
-			     user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
-# endif
 		/* continue */
 	}
 	if (sub_gid_locked && sub_gid_unlock() == 0) {
 		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname()));
-# ifdef WITH_AUDIT
-		audit_logger(AUDIT_ADD_USER, Prog,
-			     "unlocking subordinate group file",
-			     user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
-# endif
 		/* continue */
 	}
 #endif  /* ENABLE_SUBIDS */
 
 #ifdef WITH_AUDIT
-	audit_logger(AUDIT_ADD_USER, Prog, "adding user",
+	if (code == E_PW_UPDATE || code >= E_GRP_UPDATE)
+		type = AUDIT_USER_MGMT;
+	else
+		type = AUDIT_ADD_USER;
+
+	audit_logger (type, Prog,
+	              "add-user",
 	             user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
 #endif
 	SYSLOG((LOG_INFO, "failed adding user '%s', exit code: %d", user_name, code));
@@ -759,7 +741,7 @@ static int set_defaults (void)
 	}
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_USYS_CONFIG, Prog,
-	              "changing useradd defaults",
+	              "changing-useradd-defaults",
 	              NULL, AUDIT_NO_ID,
 	              SHADOW_AUDIT_SUCCESS);
 #endif
@@ -1096,12 +1078,6 @@ static void grp_update (void)
 			         _("%s: Out of memory. Cannot update %s.\n"),
 			         Prog, gr_dbname ());
 			SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name));
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_ADD_USER, Prog,
-			              "adding user to group",
-			              user_name, AUDIT_NO_ID,
-			              SHADOW_AUDIT_FAILURE);
-#endif
 			fail_exit (E_GRP_UPDATE);	/* XXX */
 		}
 
@@ -1115,18 +1091,12 @@ static void grp_update (void)
 			         _("%s: failed to prepare the new %s entry '%s'\n"),
 			         Prog, gr_dbname (), ngrp->gr_name);
 			SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name));
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_ADD_USER, Prog,
-			              "adding user to group",
-			              user_name, AUDIT_NO_ID,
-			              SHADOW_AUDIT_FAILURE);
-#endif
 			fail_exit (E_GRP_UPDATE);
 		}
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_ADD_USER, Prog,
-		              "adding user to group",
-		              user_name, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+		              "add-user-to-group",
+		              user_name, AUDIT_NO_ID, ngrp->gr_name,
 		              SHADOW_AUDIT_SUCCESS);
 #endif
 		SYSLOG ((LOG_INFO,
@@ -1171,12 +1141,6 @@ static void grp_update (void)
 			         _("%s: Out of memory. Cannot update %s.\n"),
 			         Prog, sgr_dbname ());
 			SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name));
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_ADD_USER, Prog,
-			              "adding user to shadow group",
-			              user_name, AUDIT_NO_ID,
-			              SHADOW_AUDIT_FAILURE);
-#endif
 			fail_exit (E_GRP_UPDATE);	/* XXX */
 		}
 
@@ -1190,18 +1154,13 @@ static void grp_update (void)
 			         _("%s: failed to prepare the new %s entry '%s'\n"),
 			         Prog, sgr_dbname (), nsgrp->sg_name);
 			SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name));
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_ADD_USER, Prog,
-			              "adding user to shadow group",
-			              user_name, AUDIT_NO_ID,
-			              SHADOW_AUDIT_FAILURE);
-#endif
+
 			fail_exit (E_GRP_UPDATE);
 		}
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_ADD_USER, Prog,
-		              "adding user to shadow group",
-		              user_name, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+		              "add-to-shadow-group",
+		              user_name, AUDIT_NO_ID, nsgrp->sg_name,
 		              SHADOW_AUDIT_SUCCESS);
 #endif
 		SYSLOG ((LOG_INFO,
@@ -1596,7 +1555,7 @@ static void process_flags (int argc, cha
 			         Prog, user_name);
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_ADD_USER, Prog,
-			              "adding user",
+			              "add-user",
 			              user_name, AUDIT_NO_ID,
 			              SHADOW_AUDIT_FAILURE);
 #endif
@@ -1705,7 +1664,7 @@ static void close_files (void)
 			SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_ADD_USER, Prog,
-			              "unlocking shadow file",
+			              "unlocking-shadow-file",
 			              user_name, AUDIT_NO_ID,
 			              SHADOW_AUDIT_FAILURE);
 #endif
@@ -1718,7 +1677,7 @@ static void close_files (void)
 		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_ADD_USER, Prog,
-		              "unlocking passwd file",
+		              "unlocking-passwd-file",
 		              user_name, AUDIT_NO_ID,
 		              SHADOW_AUDIT_FAILURE);
 #endif
@@ -1735,7 +1694,7 @@ static void close_files (void)
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_ADD_USER, Prog,
-				"unlocking subordinate user file",
+				"unlocking-subordinate-user-file",
 				user_name, AUDIT_NO_ID,
 				SHADOW_AUDIT_FAILURE);
 #endif
@@ -1749,7 +1708,7 @@ static void close_files (void)
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_ADD_USER, Prog,
-				"unlocking subordinate group file",
+				"unlocking-subordinate-group-file",
 				user_name, AUDIT_NO_ID,
 				SHADOW_AUDIT_FAILURE);
 #endif
@@ -2012,7 +1971,7 @@ static void grp_add (void)
 		         Prog, gr_dbname (), grp.gr_name);
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_ADD_GROUP, Prog,
-		              "adding group",
+		              "add-group",
 		              grp.gr_name, AUDIT_NO_ID,
 		              SHADOW_AUDIT_FAILURE);
 #endif
@@ -2028,7 +1987,7 @@ static void grp_add (void)
 		         Prog, sgr_dbname (), sgrp.sg_name);
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_ADD_GROUP, Prog,
-		              "adding group",
+		              "add-group",
 		              grp.gr_name, AUDIT_NO_ID,
 		              SHADOW_AUDIT_FAILURE);
 #endif
@@ -2038,7 +1997,7 @@ static void grp_add (void)
 	SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid));
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_ADD_GROUP, Prog,
-	              "adding group",
+	              "add-group",
 	              grp.gr_name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_SUCCESS);
 #endif
@@ -2240,11 +2199,6 @@ static void usr_update (unsigned long su
 		fprintf (stderr,
 		         _("%s: failed to prepare the new %s entry '%s'\n"),
 		         Prog, spw_dbname (), spent.sp_namp);
-#ifdef WITH_AUDIT
-		audit_logger (AUDIT_ADD_USER, Prog,
-		              "adding shadow password",
-		              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif
 		fail_exit (E_PW_UPDATE);
 	}
 #ifdef ENABLE_SUBIDS
@@ -2271,7 +2225,7 @@ static void usr_update (unsigned long su
 	 * and we can use the real ID thereafter.
 	 */
 	audit_logger (AUDIT_ADD_USER, Prog,
-	              "adding user",
+	              "add-user",
 	              user_name, AUDIT_NO_ID,
 	              SHADOW_AUDIT_SUCCESS);
 #endif
@@ -2365,10 +2319,6 @@ static void create_home (void)
 		if (mkdir(path, 0) != 0) {
 			fprintf(stderr, _("%s: cannot create directory %s\n"),
 				Prog, path);
-#ifdef WITH_AUDIT
-			audit_logger(AUDIT_ADD_USER, Prog, "adding home directory",
-				     user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif
 			fail_exit(E_HOMEDIR);
 		}
 		if (chown(path, 0, 0) < 0) {
@@ -2393,7 +2343,7 @@ static void create_home (void)
 	}
 	home_added = true;
 #ifdef WITH_AUDIT
-	audit_logger(AUDIT_ADD_USER, Prog, "adding home directory",
+	audit_logger(AUDIT_USER_MGMT, Prog, "add-home-dir",
 		     user_name, user_id, SHADOW_AUDIT_SUCCESS);
 #endif
 #ifdef WITH_SELINUX
@@ -2637,12 +2587,6 @@ int main (int argc, char **argv)
 	 */
 	if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */
 		fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name);
-#ifdef WITH_AUDIT
-		audit_logger (AUDIT_ADD_USER, Prog,
-		              "adding user",
-		              user_name, AUDIT_NO_ID,
-		              SHADOW_AUDIT_FAILURE);
-#endif
 		fail_exit (E_NAME_IN_USE);
 	}
 
@@ -2658,12 +2602,6 @@ int main (int argc, char **argv)
 			fprintf (stderr,
 			         _("%s: group %s exists - if you want to add this user to that group, use -g.\n"),
 			         Prog, user_name);
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_ADD_USER, Prog,
-			              "adding group",
-			              user_name, AUDIT_NO_ID,
-			              SHADOW_AUDIT_FAILURE);
-#endif
 			fail_exit (E_NAME_IN_USE);
 		}
 	}
@@ -2693,12 +2631,6 @@ int main (int argc, char **argv)
 				fprintf (stderr,
 				         _("%s: UID %lu is not unique\n"),
 				         Prog, (unsigned long) user_id);
-#ifdef WITH_AUDIT
-				audit_logger (AUDIT_ADD_USER, Prog,
-				              "adding user",
-				              user_name, user_id,
-				              SHADOW_AUDIT_FAILURE);
-#endif
 				fail_exit (E_UID_IN_USE);
 			}
 		}
@@ -2773,9 +2705,9 @@ int main (int argc, char **argv)
 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 			         Prog, user_name, user_selinux);
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_ADD_USER, Prog,
-			              "adding SELinux user mapping",
-			              user_name, user_id, 0);
+			audit_logger (AUDIT_ROLE_ASSIGN, Prog,
+			              "add-selinux-user-mapping",
+			              user_name, user_id, SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
 			fail_exit (E_SE_UPDATE);
 		}
diff -up shadow-4.14.0/src/userdel.c.audit-update shadow-4.14.0/src/userdel.c
--- shadow-4.14.0/src/userdel.c.audit-update	2023-06-10 02:02:29.000000000 +0200
+++ shadow-4.14.0/src/userdel.c	2023-08-04 10:26:18.225695416 +0200
@@ -204,9 +204,9 @@ static void update_groups (void)
 		 * Update the DBM group file with the new entry as well.
 		 */
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_DEL_USER, Prog,
-		              "deleting user from group",
-		              user_name, user_id, SHADOW_AUDIT_SUCCESS);
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+		              "deleting-user-from-group",
+		              user_name, user_id, ngrp->gr_name, SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 		SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n",
 			 user_name, ngrp->gr_name));
@@ -265,9 +265,9 @@ static void update_groups (void)
 			exit (E_GRP_UPDATE);
 		}
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_DEL_USER, Prog,
-		              "deleting user from shadow group",
-		              user_name, user_id, SHADOW_AUDIT_SUCCESS);
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+		              "deleting-user-from-shadow-group",
+		              user_name, user_id, nsgrp->sg_name, SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 		SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n",
 		         user_name, nsgrp->sg_name));
@@ -343,9 +343,9 @@ static void remove_usergroup (void)
 		}
 
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_DEL_GROUP, Prog,
-		              "deleting group",
-		              user_name, AUDIT_NO_ID,
+		audit_logger_with_group (AUDIT_DEL_GROUP, Prog,
+		              "delete-group",
+		              user_name, AUDIT_NO_ID, user_name,
 		              SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 		SYSLOG ((LOG_INFO,
@@ -361,9 +361,9 @@ static void remove_usergroup (void)
 				fail_exit (E_GRP_UPDATE);
 			}
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_GROUP, Prog,
-			              "deleting shadow group",
-			              user_name, AUDIT_NO_ID,
+			audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
+			              "delete-shadow-group",
+			              user_name, AUDIT_NO_ID, user_name,
 			              SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 			SYSLOG ((LOG_INFO,
@@ -525,7 +525,7 @@ static void fail_exit (int code)
 
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_DEL_USER, Prog,
-	              "deleting user",
+	              "delete-user",
 	              user_name, user_id, SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
 
@@ -544,22 +544,12 @@ static void open_files (void)
 		fprintf (stderr,
 		         _("%s: cannot lock %s; try again later.\n"),
 		         Prog, pw_dbname ());
-#ifdef WITH_AUDIT
-		audit_logger (AUDIT_DEL_USER, Prog,
-		              "locking password file",
-		              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 		fail_exit (E_PW_UPDATE);
 	}
 	pw_locked = true;
 	if (pw_open (O_CREAT | O_RDWR) == 0) {
 		fprintf (stderr,
 		         _("%s: cannot open %s\n"), Prog, pw_dbname ());
-#ifdef WITH_AUDIT
-		audit_logger (AUDIT_DEL_USER, Prog,
-		              "opening password file",
-		              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 		fail_exit (E_PW_UPDATE);
 	}
 	if (is_shadow_pwd) {
@@ -567,11 +557,6 @@ static void open_files (void)
 			fprintf (stderr,
 			         _("%s: cannot lock %s; try again later.\n"),
 			         Prog, spw_dbname ());
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_USER, Prog,
-			              "locking shadow password file",
-			              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 			fail_exit (E_PW_UPDATE);
 		}
 		spw_locked = true;
@@ -579,11 +564,6 @@ static void open_files (void)
 			fprintf (stderr,
 			         _("%s: cannot open %s\n"),
 			         Prog, spw_dbname ());
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_USER, Prog,
-			              "opening shadow password file",
-			              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 			fail_exit (E_PW_UPDATE);
 		}
 	}
@@ -591,21 +571,11 @@ static void open_files (void)
 		fprintf (stderr,
 		         _("%s: cannot lock %s; try again later.\n"),
 		         Prog, gr_dbname ());
-#ifdef WITH_AUDIT
-		audit_logger (AUDIT_DEL_USER, Prog,
-		              "locking group file",
-		              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 		fail_exit (E_GRP_UPDATE);
 	}
 	gr_locked = true;
 	if (gr_open (O_CREAT | O_RDWR) == 0) {
 		fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
-#ifdef WITH_AUDIT
-		audit_logger (AUDIT_DEL_USER, Prog,
-		              "opening group file",
-		              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 		fail_exit (E_GRP_UPDATE);
 	}
 #ifdef	SHADOWGRP
@@ -614,22 +584,12 @@ static void open_files (void)
 			fprintf (stderr,
 			         _("%s: cannot lock %s; try again later.\n"),
 			         Prog, sgr_dbname ());
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_USER, Prog,
-			              "locking shadow group file",
-			              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 			fail_exit (E_GRP_UPDATE);
 		}
 		sgr_locked= true;
 		if (sgr_open (O_CREAT | O_RDWR) == 0) {
 			fprintf (stderr, _("%s: cannot open %s\n"),
 			         Prog, sgr_dbname ());
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_USER, Prog,
-			              "opening shadow group file",
-			              user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 			fail_exit (E_GRP_UPDATE);
 		}
 	}
@@ -640,22 +600,12 @@ static void open_files (void)
 			fprintf (stderr,
 				_("%s: cannot lock %s; try again later.\n"),
 				Prog, sub_uid_dbname ());
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_USER, Prog,
-				"locking subordinate user file",
-				user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 			fail_exit (E_SUB_UID_UPDATE);
 		}
 		sub_uid_locked = true;
 		if (sub_uid_open (O_CREAT | O_RDWR) == 0) {
 			fprintf (stderr,
 				_("%s: cannot open %s\n"), Prog, sub_uid_dbname ());
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_USER, Prog,
-				"opening subordinate user file",
-				user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 			fail_exit (E_SUB_UID_UPDATE);
 		}
 	}
@@ -664,22 +614,12 @@ static void open_files (void)
 			fprintf (stderr,
 				_("%s: cannot lock %s; try again later.\n"),
 				Prog, sub_gid_dbname ());
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_USER, Prog,
-				"locking subordinate group file",
-				user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 			fail_exit (E_SUB_GID_UPDATE);
 		}
 		sub_gid_locked = true;
 		if (sub_gid_open (O_CREAT | O_RDWR) == 0) {
 			fprintf (stderr,
 				_("%s: cannot open %s\n"), Prog, sub_gid_dbname ());
-#ifdef WITH_AUDIT
-			audit_logger (AUDIT_DEL_USER, Prog,
-				"opening subordinate group file",
-				user_name, user_id, SHADOW_AUDIT_FAILURE);
-#endif				/* WITH_AUDIT */
 			fail_exit (E_SUB_GID_UPDATE);
 		}
 	}
@@ -724,7 +664,7 @@ static void update_user (void)
 #endif				/* ENABLE_SUBIDS */
 #ifdef WITH_AUDIT
 	audit_logger (AUDIT_DEL_USER, Prog,
-	              "deleting user entries",
+	              "delete-user",
 	              user_name, user_id, SHADOW_AUDIT_SUCCESS);
 #endif				/* WITH_AUDIT */
 	SYSLOG ((LOG_INFO, "delete user '%s'\n", user_name));
@@ -831,7 +771,7 @@ static int remove_mailbox (void)
 			SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno)));
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_DEL_USER, Prog,
-			              "deleting mail file",
+			              "delete-mail-file",
 			              user_name, user_id, SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
 			free(mailfile);
@@ -847,7 +787,7 @@ static int remove_mailbox (void)
 			SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno)));
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_DEL_USER, Prog,
-			              "deleting mail file",
+			              "delete-mail-file",
 			              user_name, user_id, SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
 			errors = 1;
@@ -856,8 +796,8 @@ static int remove_mailbox (void)
 #ifdef WITH_AUDIT
 		else
 		{
-			audit_logger (AUDIT_DEL_USER, Prog,
-			              "deleting mail file",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "delete-mail-file",
 			              user_name, user_id, SHADOW_AUDIT_SUCCESS);
 		}
 #endif				/* WITH_AUDIT */
@@ -874,7 +814,7 @@ static int remove_mailbox (void)
 		         mailfile, strerror (errno)));
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_DEL_USER, Prog,
-		              "deleting mail file",
+		              "delete-mail-file",
 		              user_name, user_id, SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
 		free(mailfile);
@@ -890,7 +830,7 @@ static int remove_mailbox (void)
 		SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno)));
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_DEL_USER, Prog,
-		              "deleting mail file",
+		              "delete-mail-file",
 		              user_name, user_id, SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
 		errors = 1;
@@ -899,8 +839,8 @@ static int remove_mailbox (void)
 #ifdef WITH_AUDIT
 	else
 	{
-		audit_logger (AUDIT_DEL_USER, Prog,
-		              "deleting mail file",
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "delete-mail-file",
 		              user_name, user_id, SHADOW_AUDIT_SUCCESS);
 	}
 #endif				/* WITH_AUDIT */
@@ -1118,7 +1058,7 @@ int main (int argc, char **argv)
 				 Prog, user_name);
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_DEL_USER, Prog,
-			              "deleting user not found",
+			              "deleting-user-not-found",
 			              user_name, AUDIT_NO_ID,
 			              SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
@@ -1174,7 +1114,7 @@ int main (int argc, char **argv)
 		if (!fflg) {
 #ifdef WITH_AUDIT
 			audit_logger (AUDIT_DEL_USER, Prog,
-			              "deleting user logged in",
+			              "deleting-user-logged-in",
 			              user_name, AUDIT_NO_ID,
 			              SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
@@ -1268,8 +1208,8 @@ int main (int argc, char **argv)
 #ifdef WITH_AUDIT
 		else
 		{
-			audit_logger (AUDIT_DEL_USER, Prog,
-			              "deleting home directory",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "deleting-home-directory",
 			              user_name, user_id, SHADOW_AUDIT_SUCCESS);
 		}
 #endif				/* WITH_AUDIT */
@@ -1277,7 +1217,7 @@ int main (int argc, char **argv)
 #ifdef WITH_AUDIT
 	if (0 != errors) {
 		audit_logger (AUDIT_DEL_USER, Prog,
-		              "deleting home directory",
+		              "deleting-home-directory",
 		              user_name, AUDIT_NO_ID,
 		              SHADOW_AUDIT_FAILURE);
 	}
@@ -1290,8 +1230,8 @@ int main (int argc, char **argv)
 			         _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
 			         Prog, user_name);
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_ADD_USER, Prog,
-			              "removing SELinux user mapping",
+			audit_logger (AUDIT_ROLE_REMOVE, Prog,
+			              "delete-selinux-user-mapping",
 			              user_name, user_id, SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
 			fail_exit (E_SE_UPDATE);
diff -up shadow-4.14.0/src/usermod.c.audit-update shadow-4.14.0/src/usermod.c
--- shadow-4.14.0/src/usermod.c.audit-update	2023-07-30 12:38:39.000000000 +0200
+++ shadow-4.14.0/src/usermod.c	2023-08-04 10:33:04.601749324 +0200
@@ -427,7 +427,7 @@ static char *new_pw_passwd (char *pw_pas
 
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "updating passwd", user_newname, user_newid, 0);
+		              "updating-passwd", user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname));
 		strcpy (buf, "!");
@@ -444,14 +444,14 @@ static char *new_pw_passwd (char *pw_pas
 
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "updating password", user_newname, user_newid, 0);
+		              "updating-password", user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
 		memmove(pw_pass, pw_pass + 1, strlen(pw_pass));
 	} else if (pflg) {
 #ifdef WITH_AUDIT
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing password", user_newname, user_newid, 1);
+		              "updating-password", user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO, "change user '%s' password", user_newname));
 		pw_pass = xstrdup (user_pass);
@@ -479,8 +479,8 @@ static void new_pwent (struct passwd *pw
 			fail_exit (E_NAME_IN_USE);
 		}
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing name", user_newname, user_newid, 1);
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "changing-name", user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO,
 		         "change user name '%s' to '%s'",
@@ -499,8 +499,8 @@ static void new_pwent (struct passwd *pw
 
 	if (uflg) {
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing uid", user_newname, user_newid, 1);
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "changing-uid", user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO,
 		         "change user '%s' UID from '%d' to '%d'",
@@ -509,8 +509,8 @@ static void new_pwent (struct passwd *pw
 	}
 	if (gflg) {
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing primary group",
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "changing-primary-group",
 		              user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO,
@@ -520,16 +520,16 @@ static void new_pwent (struct passwd *pw
 	}
 	if (cflg) {
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing comment", user_newname, user_newid, 1);
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "changing-comment", user_newname, user_newid, 1);
 #endif
 		pwent->pw_gecos = user_newcomment;
 	}
 
 	if (dflg) {
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing home directory",
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "changing-home-dir",
 		              user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO,
@@ -545,8 +545,8 @@ static void new_pwent (struct passwd *pw
 	}
 	if (sflg) {
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing user shell",
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "changing-shell",
 		              user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO,
@@ -576,8 +576,8 @@ static void new_spent (struct spwd *spen
 
 	if (fflg) {
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing inactive days",
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "changing-inactive-days",
 		              user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO,
@@ -591,8 +591,8 @@ static void new_spent (struct spwd *spen
 		date_to_str (sizeof(new_exp), new_exp, user_newexpire * DAY);
 		date_to_str (sizeof(old_exp), old_exp, user_expire * DAY);
 #ifdef WITH_AUDIT
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-		              "changing expiration date",
+		audit_logger (AUDIT_USER_MGMT, Prog,
+		              "changing-expiration-date",
 		              user_newname, user_newid, 1);
 #endif
 		SYSLOG ((LOG_INFO,
@@ -677,9 +677,9 @@ fail_exit (int code)
 #endif				/* ENABLE_SUBIDS */
 
 #ifdef WITH_AUDIT
-	audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-	              "modifying account",
-	              user_name, AUDIT_NO_ID, 0);
+	audit_logger (AUDIT_USER_MGMT, Prog,
+	              "modify-account",
+	              user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
 #endif
 	exit (code);
 }
@@ -741,9 +741,12 @@ static void update_group (void)
 					                         user_newname);
 					changed = true;
 #ifdef WITH_AUDIT
-					audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-					              "changing group member",
-					              user_newname, AUDIT_NO_ID, 1);
+					audit_logger_with_group (
+					              AUDIT_USER_MGMT, Prog,
+					              "update-member-in-group",
+					              user_newname, AUDIT_NO_ID,
+					              ngrp->gr_name,
+					              SHADOW_AUDIT_SUCCESS);
 #endif
 					SYSLOG ((LOG_INFO,
 					         "change '%s' to '%s' in group '%s'",
@@ -757,9 +760,11 @@ static void update_group (void)
 				ngrp->gr_mem = del_list (ngrp->gr_mem, user_name);
 				changed = true;
 #ifdef WITH_AUDIT
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-				              "removing group member",
-				              user_name, AUDIT_NO_ID, 1);
+				audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+				              "delete-user-from-group",
+				              user_name, AUDIT_NO_ID,
+				              ngrp->gr_name,
+				              SHADOW_AUDIT_SUCCESS);
 #endif
 				SYSLOG ((LOG_INFO,
 				         "delete '%s' from group '%s'",
@@ -772,9 +777,11 @@ static void update_group (void)
 			ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname);
 			changed = true;
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "adding user to group",
-			              user_name, AUDIT_NO_ID, 1);
+			audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+			              "add-user-to-group",
+			              user_name, AUDIT_NO_ID,
+			              ngrp->gr_name,
+			              SHADOW_AUDIT_SUCCESS);
 #endif
 			SYSLOG ((LOG_INFO, "add '%s' to group '%s'",
 			         user_newname, ngrp->gr_name));
@@ -859,9 +866,10 @@ static void update_gshadow (void)
 			nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname);
 			changed = true;
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "changing admin name in shadow group",
-			              user_name, AUDIT_NO_ID, 1);
+			audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
+			              "update-admin-name-in-shadow-group",
+			              user_name, AUDIT_NO_ID, nsgrp->sg_name,
+			              SHADOW_AUDIT_SUCCESS);
 #endif
 			SYSLOG ((LOG_INFO,
 			         "change admin '%s' to '%s' in shadow group '%s'",
@@ -881,9 +889,10 @@ static void update_gshadow (void)
 					                          user_newname);
 					changed = true;
 #ifdef WITH_AUDIT
-					audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-					              "changing member in shadow group",
-					              user_name, AUDIT_NO_ID, 1);
+					audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+					              "update-member-in-shadow-group",
+					              user_name, AUDIT_NO_ID,
+					              nsgrp->sg_name, 1);
 #endif
 					SYSLOG ((LOG_INFO,
 					         "change '%s' to '%s' in shadow group '%s'",
@@ -897,9 +906,10 @@ static void update_gshadow (void)
 				nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name);
 				changed = true;
 #ifdef WITH_AUDIT
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-				              "removing user from shadow group",
-				              user_name, AUDIT_NO_ID, 1);
+				audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+				              "delete-user-from-shadow-group",
+				              user_name, AUDIT_NO_ID,
+				              nsgrp->sg_name, 1);
 #endif
 				SYSLOG ((LOG_INFO,
 				         "delete '%s' from shadow group '%s'",
@@ -912,9 +922,10 @@ static void update_gshadow (void)
 			nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname);
 			changed = true;
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "adding user to shadow group",
-			              user_newname, AUDIT_NO_ID, 1);
+			audit_logger_with_group (AUDIT_USER_MGMT, Prog,
+			              "add-user-to-shadow-group",
+			              user_newname, AUDIT_NO_ID,
+			              nsgrp->sg_name, 1);
 #endif
 			SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'",
 			         user_newname, nsgrp->sg_name));
@@ -1830,8 +1841,8 @@ static void move_home (void)
 
 #ifdef WITH_AUDIT
 		if (uflg || gflg) {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-				      "changing home directory owner",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+				      "updating-home-dir-owner",
 				      user_newname, user_newid, 1);
 		}
 #endif
@@ -1849,8 +1860,8 @@ static void move_home (void)
 				fail_exit (E_HOMEDIR);
 			}
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "moving home directory",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "moving-home-dir",
 			              user_newname, user_newid, 1);
 #endif
 			return;
@@ -1877,9 +1888,9 @@ static void move_home (void)
 						         Prog, prefix_user_home);
 					}
 #ifdef WITH_AUDIT
-					audit_logger (AUDIT_USER_CHAUTHTOK,
+					audit_logger (AUDIT_USER_MGMT,
 					              Prog,
-					              "moving home directory",
+					              "moving-home-dir",
 					              user_newname,
 					              user_newid,
 					              1);
@@ -2100,8 +2111,8 @@ static void move_mailbox (void)
 		}
 #ifdef WITH_AUDIT
 		else {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "changing mail file owner",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "updating-mail-file-owner",
 			              user_newname, user_newid, 1);
 		}
 #endif
@@ -2129,8 +2140,8 @@ static void move_mailbox (void)
 		}
 #ifdef WITH_AUDIT
 		else {
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "changing mail file name",
+			audit_logger (AUDIT_USER_MGMT, Prog,
+			              "updating-mail-file-name",
 			              user_newname, user_newid, 1);
 		}
 
@@ -2331,8 +2342,8 @@ int main (int argc, char **argv)
 				         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 				         Prog, user_name, user_selinux);
 #ifdef WITH_AUDIT
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-				              "modifying User mapping ",
+				audit_logger (AUDIT_ROLE_ASSIGN, Prog,
+				              "changing-selinux-user-mapping ",
 				              user_name, user_id,
 				              SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
@@ -2344,8 +2355,8 @@ int main (int argc, char **argv)
 				         _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
 				         Prog, user_name);
 #ifdef WITH_AUDIT
-				audit_logger (AUDIT_ADD_USER, Prog,
-				              "removing SELinux user mapping",
+				audit_logger (AUDIT_ROLE_REMOVE, Prog,
+				              "delete-selinux-user-mapping",
 				              user_name, user_id,
 				              SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
@@ -2388,8 +2399,8 @@ int main (int argc, char **argv)
 			 */
 #ifdef WITH_AUDIT
 			if (uflg || gflg) {
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-					      "changing home directory owner",
+				audit_logger (AUDIT_USER_MGMT, Prog,
+					      "updating-home-dir-owner",
 					      user_newname, user_newid, 1);
 			}
 #endif