.audit.metadata

@@ -1 +1 @@
-e58e9ecd90b54b04783e0a1f0c1cfd65880f42f8 SOURCES/audit-3.1.5.tar.gz
+5938533442194c78af30a56bffa6586a244ba7a4 SOURCES/audit-4.0.tar.gz

.gitignore

@@ -1 +1 @@
-SOURCES/audit-3.1.5.tar.gz
+SOURCES/audit-4.0.tar.gz

SOURCES/0001-Add-ausysrulevalidate.patch

@@ -1,217 +0,0 @@
-From 4011007b445e8f8da9b0cc45eccd793b94f6b5ce Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Thu, 29 Jul 2021 19:25:43 -0300
-Subject: [PATCH] Add ausysrulevalidate
-
----
- contrib/ausysrulevalidate | 198 ++++++++++++++++++++++++++++++++++++++
- 1 file changed, 198 insertions(+)
- create mode 100755 contrib/ausysrulevalidate
-
-diff --git a/contrib/ausysrulevalidate b/contrib/ausysrulevalidate
-new file mode 100755
-index 0000000..a251b2c
---- /dev/null
-+++ b/contrib/ausysrulevalidate
-@@ -0,0 +1,198 @@
-+#!/usr/bin/env python3
-+# -*- coding: utf-8 -*-
-+
-+# ausysrulevalidate - A program that lets you validate the syscalls
-+# in audit rules.
-+# Copyright (c) 2021 Red Hat Inc., Durham, North Carolina.
-+# All Rights Reserved.
-+#
-+# This software may be freely redistributed and/or modified under the
-+# terms of the GNU General Public License as published by the Free
-+# Software Foundation; either version 2, or (at your option) any
-+# later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program; see the file COPYING. If not, write to the
-+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+# Boston, MA 02110-1335, USA.
-+#
-+# Authors:
-+#   Sergio Correia <scorreia@redhat.com>
-+
-+""" This program lets you validate syscalls in audit rules. """
-+
-+import argparse
-+import os.path
-+import sys
-+
-+import audit
-+
-+
-+class AuSyscallRuleValidate:
-+    """AuSyscallRuleValidate validates syscalls in audit rules."""
-+
-+    def __init__(self):
-+        self.syscalls_table = {}
-+        self.invalid_syscalls = {}
-+        self.machines = {
-+            "b32": audit.audit_determine_machine("b32"),
-+            "b64": audit.audit_determine_machine("b64"),
-+        }
-+
-+        if self.machines["b32"] == -1 or self.machines["b64"] == -1:
-+            sys.stderr.write("ERROR: Unable to determine machine type\n")
-+            sys.exit(1)
-+
-+    def validate_syscall(self, arch, syscall):
-+        """Validates a single syscall."""
-+
-+        if syscall == "all":
-+            return True
-+
-+        lookup = "{0}:{1}".format(arch, syscall)
-+        if lookup in self.syscalls_table:
-+            return self.syscalls_table[lookup]
-+
-+        ret = audit.audit_name_to_syscall(syscall, self.machines[arch])
-+        self.syscalls_table[lookup] = ret != -1
-+        if not self.syscalls_table[lookup]:
-+            self.invalid_syscalls[lookup] = lookup
-+
-+        return self.syscalls_table[lookup]
-+
-+    def process_syscalls(self, arch, syscalls):
-+        """Processes a group of syscalls, validating them individually."""
-+
-+        scalls = syscalls.split(",")
-+        processed = []
-+        for syscall in scalls:
-+            if self.validate_syscall(arch, syscall):
-+                processed.append(syscall)
-+        return ",".join(processed)
-+
-+    def parse_line(self, line):
-+        """Processes a single line from the audit rules file, and returns the
-+        same line adjusted, if required, by removing invalid syscalls, or even
-+        removing the rule altogether, if no valid syscall remain after
-+        validation."""
-+
-+        if line.lstrip().startswith("#") or "-S" not in line:
-+            return line
-+
-+        # We do have a rule specifying syscalls, so let's validate them.
-+        tokens = line.split()
-+        processed = []
-+        is_syscall = False
-+        arch = None
-+
-+        for val in tokens:
-+            if not is_syscall:
-+                processed.append(val)
-+
-+            if val.startswith("arch="):
-+                archs = val.split("=")
-+                if len(archs) == 2:
-+                    arch = val.split("=")[1]
-+                    if arch not in self.machines:
-+                        sys.stderr.write("ERROR: unexpected arch '{0}'\n".format(arch))
-+                        continue
-+
-+            if val == "-S":
-+                is_syscall = True
-+                continue
-+
-+            if is_syscall:
-+                is_syscall = False
-+                scalls = self.process_syscalls(arch, val)
-+
-+                if len(scalls) == 0:
-+                    processed = processed[:-1]
-+                    continue
-+                processed.append(scalls)
-+
-+        if "-S" not in processed:
-+            # Removing rule altogether, as we have no valid syscalls remaining.
-+            return None
-+        return " ".join(processed)
-+
-+    def process_rules(self, rules_file):
-+        """Reads a file with audit rules and returns the rules after
-+        validation of syscalls/architecture. Invalid syscalls will be removed
-+        and, if there are no valid remaining syscalls, the rule itself is
-+        removed."""
-+
-+        if not os.path.isfile(rules_file):
-+            sys.stderr.write("ERROR: rules file '{0}' not found\n".format(rules_file))
-+            sys.exit(1)
-+
-+        with open(rules_file) as rules:
-+            content = rules.readlines()
-+
-+        processed = []
-+        changed = False
-+        for line in content:
-+            validated = self.parse_line(line)
-+            if validated is None:
-+                changed = True
-+                continue
-+
-+            if validated.rstrip("\r\n") != line.rstrip("\r\n"):
-+                changed = True
-+            processed.append(validated.rstrip("\r\n"))
-+
-+        invalid_syscalls = []
-+        for invalid in self.invalid_syscalls:
-+            invalid_syscalls.append(invalid)
-+
-+        return (processed, changed, invalid_syscalls)
-+
-+    def update_rules(self, rules_file):
-+        """Reads a file with audit rules and updates it after validation of
-+        syscalls/architecture. Invalid syscalls will be removed and, if
-+        there are no valid remaining syscalls, the rule itself is removed."""
-+
-+        new_rules, changed, invalid_syscalls = self.process_rules(rules_file)
-+        if changed:
-+            with open(rules_file, "w") as rules:
-+                for line in new_rules:
-+                    rules.write("{0}\n".format(line))
-+
-+        return (new_rules, changed, invalid_syscalls)
-+
-+
-+if __name__ == "__main__":
-+    parser = argparse.ArgumentParser(description="ausysrulevalidate")
-+    parser.add_argument(
-+        "-u", "--update", help="Update rules file if required", action="store_true"
-+    )
-+    parser.add_argument(
-+        "-v", "--verbose", help="Show the resulting rules file", action="store_true"
-+    )
-+    required_named = parser.add_argument_group("required named arguments")
-+    required_named.add_argument(
-+        "-r", "--rules-file", help="Rules file name", required=True
-+    )
-+    args = parser.parse_args()
-+
-+    validator = AuSyscallRuleValidate()
-+
-+    action = validator.process_rules
-+    if args.update:
-+        action = validator.update_rules
-+
-+    data, changed, invalid = action(args.rules_file)
-+    if changed:
-+        verb = "require"
-+        if args.update:
-+            verb += "d"
-+        sys.stderr.write("Rules in '{0}' {1} changes\n".format(args.rules_file, verb))
-+        if len(invalid) > 0:
-+            sys.stderr.write("Invalid syscalls: {0}\n".format(", ".join(invalid)))
-+
-+    if args.verbose:
-+        print(*data, sep="\n")
--- 
-2.31.1
-

SOURCES/audit-4.0-attributes.patch

@@ -0,0 +1,45 @@
+From 0db6e0960a5c55b468f21f9841bbc7e67832b66a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <ausearch.1@gmail.com>
+Date: Wed, 17 Jan 2024 12:07:25 -0500
+Subject: [PATCH] Update function attributes
+
+---
+ auparse/auparse.h |  2 +-
+ lib/libaudit.h    | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/auparse/auparse.h b/auparse/auparse.h
+index c27f1ff96..0b3f68c35 100644
+--- a/auparse/auparse.h
++++ b/auparse/auparse.h
+@@ -68,7 +68,7 @@ void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
+ 			void *user_data, user_destroy user_destroy_func);
+ void auparse_set_escape_mode(auparse_state_t *au, auparse_esc_t mode);
+ int auparse_reset(auparse_state_t *au);
+-char *auparse_metrics(const auparse_state_t *au);
++char *auparse_metrics(const auparse_state_t *au) __attr_dealloc_free;
+ 
+ /* Functions that are part of the search interface */
+ int ausearch_add_expression(auparse_state_t *au, const char *expression,
+diff --git a/lib/libaudit.h b/lib/libaudit.h
+index 34b337a7c..15ea2e6f4 100644
+--- a/lib/libaudit.h
++++ b/lib/libaudit.h
+@@ -248,12 +248,12 @@ int  audit_set_enabled(int fd, uint32_t enabled) __wur;
+ int  audit_set_failure(int fd, uint32_t failure) __wur;
+ int  audit_set_rate_limit(int fd, uint32_t limit);
+ int  audit_set_backlog_limit(int fd, uint32_t limit);
+-int audit_set_backlog_wait_time(int fd, uint32_t bwt);
+-int audit_reset_lost(int fd);
+-int audit_reset_backlog_wait_time_actual(int fd);
++int  audit_set_backlog_wait_time(int fd, uint32_t bwt);
++int  audit_reset_lost(int fd);
++int  audit_reset_backlog_wait_time_actual(int fd);
+ int  audit_set_feature(int fd, unsigned feature, unsigned value,
+-		      unsigned lock);
+-int  audit_set_loginuid_immutable(int fd);
++		      unsigned lock) __wur;
++int  audit_set_loginuid_immutable(int fd) __wur;
+ 
+ /* AUDIT_LIST_RULES */
+ int  audit_request_rules_list_data(int fd);

SPECS/audit.spec

@@ -1,23 +1,19 @@
 
 Summary: User space tools for kernel auditing
 Name: audit
-Version: 3.1.5
+Version: 4.0
-Release: 1%{?dist}
+Release: 10%{?dist}
-License: GPLv2+
+License: GPL-2.0-or-later AND LGPL-2.0-or-later
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
-
+Patch1: audit-4.0-attributes.patch
-Patch1: 0001-Add-ausysrulevalidate.patch
+BuildRequires: make gcc
-
+BuildRequires: kernel-headers >= 5.0
-BuildRequires: make gcc swig
-BuildRequires: openldap-devel
-BuildRequires: krb5-devel libcap-ng-devel
-BuildRequires: kernel-headers >= 2.6.29
 BuildRequires: systemd
-BuildRequires: autoconf automake libtool
 
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: %{name}-rules%{?_isa} = %{version}-%{release}
 Requires(post): systemd coreutils
 Requires(preun): systemd
 Requires(postun): systemd coreutils
@@ -31,20 +27,22 @@ Obsoletes: python2-audit < %{version}-%{release}
 The audit package contains the user space utilities for
 storing and searching the audit records generated by
 the audit subsystem in the Linux 2.6 and later kernels.
+It includes example rules that you can use.
 
 %package libs
 Summary: Dynamic library for libaudit
-License: LGPLv2+
+License: LGPL-2.0-or-later
+BuildRequires: libcap-ng-devel
 
 %description libs
-The audit-libs package contains the dynamic libraries needed for
+The audit-libs package contains the dynamic libraries needed for 
 applications to use the audit framework.
 
 %package libs-devel
 Summary: Header files for libaudit
-License: LGPLv2+
+License: LGPL-2.0-or-later
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Requires: kernel-headers >= 2.6.29
+Requires: kernel-headers >= 5.0
 
 %description libs-devel
 The audit-libs-devel package contains the header files needed for
@@ -52,9 +50,8 @@ developing applications that need to use the audit framework libraries.
 
 %package -n python3-audit
 Summary: Python3 bindings for libaudit
-License: LGPLv2+
+License: LGPL-2.0-or-later
-BuildRequires: python3-devel
+BuildRequires: python3-devel python-unversioned-command swig
-BuildRequires: make
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 Provides: audit-libs-python3 = %{version}-%{release}
 Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
@@ -66,7 +63,8 @@ and libauparse can be used by python3.
 
 %package -n audispd-plugins
 Summary: Plugins for the audit event dispatcher
-License: GPLv2+
+License: GPL-2.0-or-later
+BuildRequires: krb5-devel libcap-ng-devel
 Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 
@@ -77,10 +75,10 @@ like relay events to remote machines.
 
 %package -n audispd-plugins-zos
 Summary: z/OS plugin for the audit event dispatcher
-License: GPLv2+
+License: GPL-2.0-or-later
+BuildRequires: openldap-devel libcap-ng-devel
 Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
-Requires: openldap
 
 %description -n audispd-plugins-zos
 The audispd-plugins-zos package provides a plugin that will forward all
@@ -88,93 +86,110 @@ incoming audit events, as they happen, to a configured z/OS SMF (Service
 Management Facility) database, through an IBM Tivoli Directory Server
 (ITDS) set for Remote Audit service.
 
+%package rules
+Summary: audit rules and utilities
+License: GPL-2.0-or-later
+Recommends: %{name} = %{version}-%{release}
+
+%description rules
+The audit rules package contains the rules and utilities to load audit rules.
+
 %prep
 %setup -q
+%patch 1 -p1
 cp %{SOURCE1} .
-%patch -P 1 -p1
-
-autoreconf -fv --install
 
 # Remove the ids code, its not ready
+sed -i 's/ ids / /' audisp/plugins/Makefile.am
 sed -i 's/ ids / /' audisp/plugins/Makefile.in
 
 %build
 %configure --with-python=no \
-	   --with-python3=yes \
+           --with-python3=yes \
-	   --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
+           --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
-	   --with-libcap-ng=yes --enable-zos-remote --without-golang \
+           --with-libcap-ng=yes --without-golang --enable-zos-remote \
-	   --enable-systemd --enable-experimental --with-io_uring
+           --enable-systemd --enable-experimental --with-io_uring
 
 make CFLAGS="%{optflags}" %{?_smp_mflags}
 
 %install
 mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
 mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
-mkdir -p $RPM_BUILD_ROOT/%{_lib}
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
 mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
 mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
-mkdir -p $RPM_BUILD_ROOT/%{_datadir}
 make DESTDIR=$RPM_BUILD_ROOT install
 
-# Validate sample rules shipped.
-for r in $RPM_BUILD_ROOT/%{_datadir}/%{name}/sample-rules/*.rules; do
-    PYTHONPATH=$RPM_BUILD_ROOT/%{python3_sitearch} \
-    LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} \
-        %{_builddir}/%{name}-%{version}/contrib/ausysrulevalidate \
-        --update --rules-file "${r}"
-done
-
 # Remove these items so they don't get picked up.
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
 rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
 
 find $RPM_BUILD_ROOT -name '*.la' -delete
-find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete
+find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete || true
 
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
 touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
 touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
 
 %check
-make check
+#make %{?_smp_mflags} check
 # Get rid of make files so that they don't get packaged.
 rm -f rules/Makefile*
 
 %post
 %systemd_post auditd.service
+# Do not perform service start/restart when running during an rpm-ostree compose
+if [ -f /run/ostree-booted ] ; then
+    exit 0
+fi
+# If an upgrade, restart it if it's running
+if [ $1 -eq 2 ] ; then
+    state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
+    if [ $state = "active" ] ; then
+        auditctl --signal stop || true
+        systemctl start auditd
+    fi
+# if an install, start it since preset says we should be running
+elif [ $1 -eq 1 ] ; then
+        systemctl start auditd
+fi
 
+%post rules
+%systemd_post audit-rules.service
 # Copy default rules into place on new installation
 files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
 if [ "$files" -eq 0 ] ; then
-	if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
+    echo "No rules detected, adding default"
-		cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
+%if 0%{?rhel}
-	else
+    if [ -e %{_datadir}/%{name}-rules/10-base-config.rules ] ; then
-		touch /etc/audit/rules.d/audit.rules
+        install -m 0600 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
-	fi
+%else
-	chmod 0600 /etc/audit/rules.d/audit.rules
+    # FESCO asked for audit to be off by default. #1117953
-fi
+    if [ -e %{_datadir}/%{name}-rules/10-no-audit.rules ] ; then
-
+        install -m 0600 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
-# If upgrading, restart the daemon if it's running
+%endif
-if [ $1 -eq 2 ]; then
+    else
-	state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
+        install -m 0600 -o 0 -g 0 /dev/null /etc/audit/rules.d/audit.rules
-
+    fi
-	if [ $state = "active" ] ; then
+    # Only load the new rules if not running during an rpm-ostree compose
-		auditctl --signal stop || true
+    if [ ! -f /run/ostree-booted ] ; then
-		systemctl start auditd
+        # Make the new rules active
-	fi
+        augenrules --load || true
-# if installing, start it since preset says we should be running
+    fi
-elif [ $1 -eq 1 ]; then
-	systemctl start auditd
 fi
 
 %preun
 %systemd_preun auditd.service
-# if uninstalling stop the daemon
+# If uninstalling, stop it
-if [ $1 -eq 0 ]; then
+if [ $1 -eq 0 ] ; then
-	auditctl --signal stop || true
+    auditctl --signal stop || true
-	# also delete loaded rules if uninstalling
+fi
-	auditctl -D || true
+
+%preun rules
+%systemd_preun audit-rules.service
+# If uninstalling, delete the rules loaded in the kernel
+if [ $1 -eq 0 ] ; then
+    auditctl -D > /dev/null 2>&1 || true
 fi
 
 %files libs
@@ -190,46 +205,37 @@ fi
 %{_libdir}/libaudit.so
 %{_libdir}/libauparse.so
 %{_includedir}/libaudit.h
+%{_includedir}/audit_logging.h
+%{_includedir}/audit-records.h
 %{_includedir}/auparse.h
 %{_includedir}/auparse-defs.h
 %{_datadir}/aclocal/audit.m4
 %{_libdir}/pkgconfig/audit.pc
 %{_libdir}/pkgconfig/auparse.pc
 %{_mandir}/man3/*
+%{_mandir}/man5/ausearch-expression.5.gz
 
 %files -n python3-audit
 %attr(755,root,root) %{python3_sitearch}/*
 
 %files
-%doc README ChangeLog init.d/auditd.cron
+%doc README.md ChangeLog init.d/auditd.cron
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%attr(755,root,root) %{_datadir}/%{name}
-%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
-%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
 %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
 %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
-%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
 %attr(644,root,root) %{_mandir}/man8/aulast.8.gz
 %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
-%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
-%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
 %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
-%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
-%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
-%attr(755,root,root) %{_sbindir}/auditctl
 %attr(755,root,root) %{_sbindir}/auditd
 %attr(755,root,root) %{_sbindir}/ausearch
 %attr(755,root,root) %{_sbindir}/aureport
-%attr(750,root,root) %{_sbindir}/autrace
-%attr(755,root,root) %{_sbindir}/augenrules
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
-%attr(755,root,root) %{_bindir}/auvirt
 %attr(644,root,root) %{_unitdir}/auditd.service
 %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
@@ -241,11 +247,21 @@ fi
 %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
 %ghost %{_localstatedir}/run/auditd.state
 %attr(-,root,-) %dir %{_var}/log/audit
-%attr(750,root,root) %dir /etc/audit
-%attr(750,root,root) %dir /etc/audit/rules.d
 %attr(750,root,root) %dir /etc/audit/plugins.d
 %config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
-%ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
+
+%files rules
+%attr(755,root,root) %dir %{_datadir}/%{name}-rules
+%attr(644,root,root) %{_datadir}/%{name}-rules/*
+%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
+%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
+%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
+%attr(755,root,root) %{_sbindir}/auditctl
+%attr(755,root,root) %{_sbindir}/augenrules
+%attr(644,root,root) %{_unitdir}/audit-rules.service
+%attr(750,root,root) %dir /etc/audit
+%attr(750,root,root) %dir /etc/audit/rules.d
+%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
 %ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
 %config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
 
@@ -275,90 +291,126 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
 
 %changelog
-* Tue Jul 09 2024 Attila Lakatos <alakatos@redhat.com> - 3.1.5-1
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 4.0-10
-- New upstream maintenance release, 3.1.4
+- Bump release for October 2024 mass rebuild:
-- Prevent scriplets from failing
+  Resolves: RHEL-64018
-- When upgrading, restart the daemon if it's running
+
-- If uninstalling, stop the daemon
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 4.0-9
-- auditctl: use pidfd_send_signal for signaling auditd
+- Bump release for June 2024 mass rebuild
-  Resolves: RHEL-45865
+
-- Minor doc update
+* Sun Feb 04 2024 Timothée Ravier <tim@siosm.fr> - 4.0-8
-  Resolves: RHEL-5186
+- Fix 'install' calls in post scriptlet
-- augenrules: do not exit with failure if in immutable mode
+
-  Resolves: RHEL-40110
+* Thu Jan 25 2024 Steve Grubb <sgrubb@redhat.com> 4.0-7
-- auditd.service: Disable ProtectControlGroups
+- Don't do "live" operations during rpm-ostree composes
-  Resolves: RHEL-5197
+
-- auditctl: correct output when displaying rules with exe/path/dir
+* Wed Jan 24 2024 Steve Grubb <sgrubb@redhat.com> 4.0-5
-  Resolves: RHEL-40243
+- Auditd is stopping during upgrade (bz 2259610)
-
+
-* Wed Nov 08 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-2
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-3
-- Remove %systemd_preun from %preun scriptlet, as it was causing troubles when removing audit
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-  Related: RHEL-14896
+
-
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-2
-* Fri Oct 27 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-- New upstream release, 3.1.2
+
-  Resolves: RHEL-14896
+* Tue Jan 16 2024 Steve Grubb <sgrubb@redhat.com> 4.0-1
-
+- New upstream major release
-* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-104
+
-- Introduce new fanotify record fields
+* Sat Nov 04 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-5
-  Resolves: rhbz#2216666
+- Bug fixes pulled from upstrean
-
+
-* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-103
+* Wed Sep 13 2023 Dusty Mabe <dusty@dustymabe.com> 3.1.2-4
-- Drop ProtectHome from auditd.service as it interferes with rules
+- Remove initscripts-service from Requires(postun)
-  Resolves: rhbz#2071725 - Default systemd service config blocks audit watch rules in some directories [rhel-9.1.0]
+
-
+* Fri Sep 01 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-3
-* Sun Mar 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-102
+- Change initscrips-service to a Recommends
-- Fix path normalization in auparse
+
-  Resolves: rhbz#2062824 - auparse missing information when used with --format-text
+* Sat Aug 26 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-2
-
+- SPDX Migration
-* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-101
+
+* Sun Aug 06 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-1
+- New upstream release
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.1.1-3
+- Rebuilt for Python 3.12
+
+* Tue May 09 2023 Davide Cavalca <dcavalca@fedoraproject.org> 3.1.1-2
+- Install the base ruleset on RHEL
+
+* Thu Apr 27 2023 Steve Grubb <sgrubb@redhat.com> 3.1.1-1
+- New upstream release
+
+* Thu Feb 09 2023 Steve Grubb <sgrubb@redhat.com> 3.1-2
+- New upstream feature release
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Dec 22 2022 Steve Grubb <sgrubb@redhat.com> 3.0.9-2
+- BuildRequires python-setuptools
+- SPDX Migration
+
+* Mon Aug 29 2022 Steve Grubb <sgrubb@redhat.com> 3.0.9-1
+- New upstream bugfix release
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.0.8-2
+- Rebuilt for Python 3.11
+
+* Tue Mar 29 2022 Steve Grubb <sgrubb@redhat.com> 3.0.8-1
+- New upstream bugfix release
+
+* Thu Feb 24 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-3
+- Undo fix to libaudit.h before installing
+
+* Mon Feb 14 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-2
 - Adjust sample-rules dir permissions
-  Resolves: rhbz#2054432 - /usr/share/audit/sample-rules is no longer readable by non-root users
+- Add support for new access/dealloc function attributes
+- Adjust compile flags for less warnings
+
+* Sun Jan 23 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-1
+- New upstream bugfix and feature release
 
-* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-100
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.6-3
-- New upstream release, 3.0.7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-  Resolves: rhbz#2019929 - capability=unknown-capability(39) in audit messages
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-5
+* Wed Jan 05 2022 Steve Grubb <sgrubb@redhat.com> 3.0.6-2
-- auparse: refact nvlist cleanup code
+- Require initscripts-service instead of initscripts
-  Resolves: rhbz#2008965
+
+* Fri Oct 01 2021 Steve Grubb <sgrubb@redhat.com> 3.0.6-1
+- New upstream bugfix release
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-4
+* Tue Sep 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-3
-- When interpreting, if val is NULL return an empty string
+- Move BuildRequires around to what actually needs it
-  Resolves: rhbz#2004420
 
-* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-3
+* Tue Sep 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-2
-- Update dependency to initscripts-service instead of initscripts
+- Drop IPX interpretation support
-  Resolves: rhbz#2000933
 
-* Tue Aug 17 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-2
+* Wed Aug 11 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-1
-- Fix timestamp parsing
+- New upstream bugfix release
-  Related: rhbz#1938680
 
-* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-1
+* Sun Aug 08 2021 Steve Grubb <sgrubb@redhat.com> 3.0.4-1
-- New upstream release, 3.0.5
+- New upstream feature release
-  Related: rhbz#1938680
 
-* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-3
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
-- Validates the sample rules we ship
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-  Resolves: rhbz#1985630
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.2-2
+* Wed Jul 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.3-1
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- New upstream feature release
-  Related: rhbz#1991688
 
-* Tue Jun 22 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-1
+* Thu Jun 24 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-2
-- New upstream release, 3.0.2.
+- Do not use custom sbindir and libdir in configure
-  Fix issues detected by static analyzers
-  Resolves: rhbz#1938680
 
-* Mon Jun 21 2021 Sergio Correia <scorreia@redhat.com> - 3.0.1-4
+* Thu Jun 10 2021 Steve Grubb <sgrubb@redhat.com> 3.0.2-1
-- Enable default RHEL configuration
+- New upstream feature and bugfix release
-  This enables syscall auditing by default.
-  Resolves: rhbz#1924561
 
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.1-3
+* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 3.0.1-3
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Rebuilt for Python 3.10
 
 * Thu Feb 18 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-2
 - Add patch fixing segafult in the audisp-statsd plugin
@@ -401,7 +453,7 @@ fi
 - Rebuilt for Python 3.8
 
 * Wed Jul 31 2019 Steve Grubb <sgrubb@redhat.com> 3.0-0.12.20190507gitf58ec40
-- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31
+- Fix 1734953 - audit: FTBFS in Fedora rawhide/f31 
 
 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-0.11.20190507gitf58ec40
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild