
No commits in common. 'c9' and 'i10c-beta' have entirely different histories.

@ -1 +1 @@
e58e9ecd90b54b04783e0a1f0c1cfd65880f42f8 SOURCES/audit-3.1.5.tar.gz 5938533442194c78af30a56bffa6586a244ba7a4 SOURCES/audit-4.0.tar.gz

2
.gitignore vendored

@ -1 +1 @@
SOURCES/audit-3.1.5.tar.gz SOURCES/audit-4.0.tar.gz

@ -1,217 +0,0 @@
From 4011007b445e8f8da9b0cc45eccd793b94f6b5ce Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 29 Jul 2021 19:25:43 -0300
Subject: [PATCH] Add ausysrulevalidate
---
contrib/ausysrulevalidate | 198 ++++++++++++++++++++++++++++++++++++++
1 file changed, 198 insertions(+)
create mode 100755 contrib/ausysrulevalidate
diff --git a/contrib/ausysrulevalidate b/contrib/ausysrulevalidate
new file mode 100755
index 0000000..a251b2c
--- /dev/null
+++ b/contrib/ausysrulevalidate
@@ -0,0 +1,198 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# ausysrulevalidate - A program that lets you validate the syscalls
+# in audit rules.
+# Copyright (c) 2021 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# This software may be freely redistributed and/or modified under the
+# terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 2, or (at your option) any
+# later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
+# Boston, MA 02110-1335, USA.
+#
+# Authors:
+# Sergio Correia <scorreia@redhat.com>
+
+""" This program lets you validate syscalls in audit rules. """
+
+import argparse
+import os.path
+import sys
+
+import audit
+
+
+class AuSyscallRuleValidate:
+ """AuSyscallRuleValidate validates syscalls in audit rules."""
+
+ def __init__(self):
+ self.syscalls_table = {}
+ self.invalid_syscalls = {}
+ self.machines = {
+ "b32": audit.audit_determine_machine("b32"),
+ "b64": audit.audit_determine_machine("b64"),
+ }
+
+ if self.machines["b32"] == -1 or self.machines["b64"] == -1:
+ sys.stderr.write("ERROR: Unable to determine machine type\n")
+ sys.exit(1)
+
+ def validate_syscall(self, arch, syscall):
+ """Validates a single syscall."""
+
+ if syscall == "all":
+ return True
+
+ lookup = "{0}:{1}".format(arch, syscall)
+ if lookup in self.syscalls_table:
+ return self.syscalls_table[lookup]
+
+ ret = audit.audit_name_to_syscall(syscall, self.machines[arch])
+ self.syscalls_table[lookup] = ret != -1
+ if not self.syscalls_table[lookup]:
+ self.invalid_syscalls[lookup] = lookup
+
+ return self.syscalls_table[lookup]
+
+ def process_syscalls(self, arch, syscalls):
+ """Processes a group of syscalls, validating them individually."""
+
+ scalls = syscalls.split(",")
+ processed = []
+ for syscall in scalls:
+ if self.validate_syscall(arch, syscall):
+ processed.append(syscall)
+ return ",".join(processed)
+
+ def parse_line(self, line):
+ """Processes a single line from the audit rules file, and returns the
+ same line adjusted, if required, by removing invalid syscalls, or even
+ removing the rule altogether, if no valid syscall remain after
+ validation."""
+
+ if line.lstrip().startswith("#") or "-S" not in line:
+ return line
+
+ # We do have a rule specifying syscalls, so let's validate them.
+ tokens = line.split()
+ processed = []
+ is_syscall = False
+ arch = None
+
+ for val in tokens:
+ if not is_syscall:
+ processed.append(val)
+
+ if val.startswith("arch="):
+ archs = val.split("=")
+ if len(archs) == 2:
+ arch = val.split("=")[1]
+ if arch not in self.machines:
+ sys.stderr.write("ERROR: unexpected arch '{0}'\n".format(arch))
+ continue
+
+ if val == "-S":
+ is_syscall = True
+ continue
+
+ if is_syscall:
+ is_syscall = False
+ scalls = self.process_syscalls(arch, val)
+
+ if len(scalls) == 0:
+ processed = processed[:-1]
+ continue
+ processed.append(scalls)
+
+ if "-S" not in processed:
+ # Removing rule altogether, as we have no valid syscalls remaining.
+ return None
+ return " ".join(processed)
+
+ def process_rules(self, rules_file):
+ """Reads a file with audit rules and returns the rules after
+ validation of syscalls/architecture. Invalid syscalls will be removed
+ and, if there are no valid remaining syscalls, the rule itself is
+ removed."""
+
+ if not os.path.isfile(rules_file):
+ sys.stderr.write("ERROR: rules file '{0}' not found\n".format(rules_file))
+ sys.exit(1)
+
+ with open(rules_file) as rules:
+ content = rules.readlines()
+
+ processed = []
+ changed = False
+ for line in content:
+ validated = self.parse_line(line)
+ if validated is None:
+ changed = True
+ continue
+
+ if validated.rstrip("\r\n") != line.rstrip("\r\n"):
+ changed = True
+ processed.append(validated.rstrip("\r\n"))
+
+ invalid_syscalls = []
+ for invalid in self.invalid_syscalls:
+ invalid_syscalls.append(invalid)
+
+ return (processed, changed, invalid_syscalls)
+
+ def update_rules(self, rules_file):
+ """Reads a file with audit rules and updates it after validation of
+ syscalls/architecture. Invalid syscalls will be removed and, if
+ there are no valid remaining syscalls, the rule itself is removed."""
+
+ new_rules, changed, invalid_syscalls = self.process_rules(rules_file)
+ if changed:
+ with open(rules_file, "w") as rules:
+ for line in new_rules:
+ rules.write("{0}\n".format(line))
+
+ return (new_rules, changed, invalid_syscalls)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description="ausysrulevalidate")
+ parser.add_argument(
+ "-u", "--update", help="Update rules file if required", action="store_true"
+ )
+ parser.add_argument(
+ "-v", "--verbose", help="Show the resulting rules file", action="store_true"
+ )
+ required_named = parser.add_argument_group("required named arguments")
+ required_named.add_argument(
+ "-r", "--rules-file", help="Rules file name", required=True
+ )
+ args = parser.parse_args()
+
+ validator = AuSyscallRuleValidate()
+
+ action = validator.process_rules
+ if args.update:
+ action = validator.update_rules
+
+ data, changed, invalid = action(args.rules_file)
+ if changed:
+ verb = "require"
+ if args.update:
+ verb += "d"
+ sys.stderr.write("Rules in '{0}' {1} changes\n".format(args.rules_file, verb))
+ if len(invalid) > 0:
+ sys.stderr.write("Invalid syscalls: {0}\n".format(", ".join(invalid)))
+
+ if args.verbose:
+ print(*data, sep="\n")
--
2.31.1

@ -0,0 +1,45 @@
From 0db6e0960a5c55b468f21f9841bbc7e67832b66a Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Wed, 17 Jan 2024 12:07:25 -0500
Subject: [PATCH] Update function attributes
---
auparse/auparse.h | 2 +-
lib/libaudit.h | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/auparse/auparse.h b/auparse/auparse.h
index c27f1ff96..0b3f68c35 100644
--- a/auparse/auparse.h
+++ b/auparse/auparse.h
@@ -68,7 +68,7 @@ void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
void *user_data, user_destroy user_destroy_func);
void auparse_set_escape_mode(auparse_state_t *au, auparse_esc_t mode);
int auparse_reset(auparse_state_t *au);
-char *auparse_metrics(const auparse_state_t *au);
+char *auparse_metrics(const auparse_state_t *au) __attr_dealloc_free;
/* Functions that are part of the search interface */
int ausearch_add_expression(auparse_state_t *au, const char *expression,
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 34b337a7c..15ea2e6f4 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -248,12 +248,12 @@ int audit_set_enabled(int fd, uint32_t enabled) __wur;
int audit_set_failure(int fd, uint32_t failure) __wur;
int audit_set_rate_limit(int fd, uint32_t limit);
int audit_set_backlog_limit(int fd, uint32_t limit);
-int audit_set_backlog_wait_time(int fd, uint32_t bwt);
-int audit_reset_lost(int fd);
-int audit_reset_backlog_wait_time_actual(int fd);
+int audit_set_backlog_wait_time(int fd, uint32_t bwt);
+int audit_reset_lost(int fd);
+int audit_reset_backlog_wait_time_actual(int fd);
int audit_set_feature(int fd, unsigned feature, unsigned value,
- unsigned lock);
-int audit_set_loginuid_immutable(int fd);
+ unsigned lock) __wur;
+int audit_set_loginuid_immutable(int fd) __wur;
/* AUDIT_LIST_RULES */
int audit_request_rules_list_data(int fd);
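Review bot: In the `lib/libaudit.h` hunk, `__wur` is added to `audit_set_feature` and `audit_set_loginuid_immutable`, but the neighbouring setters `audit_set_rate_limit`, `audit_set_backlog_limit`, `audit_set_backlog_wait_time` and `audit_reset_lost` stay unannotated, so a caller can still drop a failed return from them without a compiler warning. If that is not deliberate, the same annotation would apply, e.g. `int audit_set_rate_limit(int fd, uint32_t limit) __wur;`. The three `-`/`+` pairs for `audit_set_backlog_wait_time`, `audit_reset_lost` and `audit_reset_backlog_wait_time_actual` read identically here, so they are presumably whitespace-only; confirm this when the patch is next refreshed. The definition of `__attr_dealloc_free` used on `auparse_metrics` is outside these hunks, so it should be confirmed that the macro is visible to every consumer of `auparse.h`.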

@ -1,23 +1,19 @@
Summary: User space tools for kernel auditing Summary: User space tools for kernel auditing
Name: audit Name: audit
Version: 3.1.5 Version: 4.0
Release: 1%{?dist} Release: 9%{?dist}
License: GPLv2+ License: GPL-2.0-or-later AND LGPL-2.0-or-later
URL: http://people.redhat.com/sgrubb/audit/ URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
Patch1: audit-4.0-attributes.patch
Patch1: 0001-Add-ausysrulevalidate.patch BuildRequires: make gcc
BuildRequires: kernel-headers >= 5.0
BuildRequires: make gcc swig
BuildRequires: openldap-devel
BuildRequires: krb5-devel libcap-ng-devel
BuildRequires: kernel-headers >= 2.6.29
BuildRequires: systemd BuildRequires: systemd
BuildRequires: autoconf automake libtool
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: %{name}-rules%{?_isa} = %{version}-%{release}
Requires(post): systemd coreutils Requires(post): systemd coreutils
Requires(preun): systemd Requires(preun): systemd
Requires(postun): systemd coreutils Requires(postun): systemd coreutils
@ -31,10 +27,12 @@ Obsoletes: python2-audit < %{version}-%{release}
The audit package contains the user space utilities for The audit package contains the user space utilities for
storing and searching the audit records generated by storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 and later kernels. the audit subsystem in the Linux 2.6 and later kernels.
It includes example rules that you can use.
%package libs %package libs
Summary: Dynamic library for libaudit Summary: Dynamic library for libaudit
License: LGPLv2+ License: LGPL-2.0-or-later
BuildRequires: libcap-ng-devel
%description libs %description libs
The audit-libs package contains the dynamic libraries needed for The audit-libs package contains the dynamic libraries needed for
@ -42,9 +40,9 @@ applications to use the audit framework.
%package libs-devel %package libs-devel
Summary: Header files for libaudit Summary: Header files for libaudit
License: LGPLv2+ License: LGPL-2.0-or-later
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: kernel-headers >= 2.6.29 Requires: kernel-headers >= 5.0
%description libs-devel %description libs-devel
The audit-libs-devel package contains the header files needed for The audit-libs-devel package contains the header files needed for
@ -52,9 +50,8 @@ developing applications that need to use the audit framework libraries.
%package -n python3-audit %package -n python3-audit
Summary: Python3 bindings for libaudit Summary: Python3 bindings for libaudit
License: LGPLv2+ License: LGPL-2.0-or-later
BuildRequires: python3-devel BuildRequires: python3-devel python-unversioned-command swig
BuildRequires: make
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Provides: audit-libs-python3 = %{version}-%{release} Provides: audit-libs-python3 = %{version}-%{release}
Provides: audit-libs-python3%{?_isa} = %{version}-%{release} Provides: audit-libs-python3%{?_isa} = %{version}-%{release}
@ -66,7 +63,8 @@ and libauparse can be used by python3.
%package -n audispd-plugins %package -n audispd-plugins
Summary: Plugins for the audit event dispatcher Summary: Plugins for the audit event dispatcher
License: GPLv2+ License: GPL-2.0-or-later
BuildRequires: krb5-devel libcap-ng-devel
Requires: %{name}%{?_isa} = %{version}-%{release} Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -77,10 +75,10 @@ like relay events to remote machines.
%package -n audispd-plugins-zos %package -n audispd-plugins-zos
Summary: z/OS plugin for the audit event dispatcher Summary: z/OS plugin for the audit event dispatcher
License: GPLv2+ License: GPL-2.0-or-later
BuildRequires: openldap-devel libcap-ng-devel
Requires: %{name}%{?_isa} = %{version}-%{release} Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: openldap
%description -n audispd-plugins-zos %description -n audispd-plugins-zos
The audispd-plugins-zos package provides a plugin that will forward all The audispd-plugins-zos package provides a plugin that will forward all
@ -88,21 +86,28 @@ incoming audit events, as they happen, to a configured z/OS SMF (Service
Management Facility) database, through an IBM Tivoli Directory Server Management Facility) database, through an IBM Tivoli Directory Server
(ITDS) set for Remote Audit service. (ITDS) set for Remote Audit service.
%package rules
Summary: audit rules and utilities
License: GPL-2.0-or-later
Recommends: %{name} = %{version}-%{release}
%description rules
The audit rules package contains the rules and utilities to load audit rules.
%prep %prep
%setup -q %setup -q
%patch 1 -p1
cp %{SOURCE1} . cp %{SOURCE1} .
%patch -P 1 -p1
autoreconf -fv --install
# Remove the ids code, its not ready # Remove the ids code, its not ready
sed -i 's/ ids / /' audisp/plugins/Makefile.am
sed -i 's/ ids / /' audisp/plugins/Makefile.in sed -i 's/ ids / /' audisp/plugins/Makefile.in
%build %build
%configure --with-python=no \ %configure --with-python=no \
--with-python3=yes \ --with-python3=yes \
--enable-gssapi-krb5=yes --with-arm --with-aarch64 \ --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
--with-libcap-ng=yes --enable-zos-remote --without-golang \ --with-libcap-ng=yes --without-golang --enable-zos-remote \
--enable-systemd --enable-experimental --with-io_uring --enable-systemd --enable-experimental --with-io_uring
make CFLAGS="%{optflags}" %{?_smp_mflags} make CFLAGS="%{optflags}" %{?_smp_mflags}
@ -110,71 +115,81 @@ make CFLAGS="%{optflags}" %{?_smp_mflags}
%install %install
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d} mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audit/plugins.d,etc/audit/rules.d}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8} mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
mkdir -p $RPM_BUILD_ROOT/%{_datadir}
make DESTDIR=$RPM_BUILD_ROOT install make DESTDIR=$RPM_BUILD_ROOT install
# Validate sample rules shipped.
for r in $RPM_BUILD_ROOT/%{_datadir}/%{name}/sample-rules/*.rules; do
PYTHONPATH=$RPM_BUILD_ROOT/%{python3_sitearch} \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} \
%{_builddir}/%{name}-%{version}/contrib/ausysrulevalidate \
--update --rules-file "${r}"
done
# Remove these items so they don't get picked up. # Remove these items so they don't get picked up.
rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a rm -f $RPM_BUILD_ROOT/%{_libdir}/libaudit.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a rm -f $RPM_BUILD_ROOT/%{_libdir}/libauparse.a
find $RPM_BUILD_ROOT -name '*.la' -delete find $RPM_BUILD_ROOT -name '*.la' -delete
find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete find $RPM_BUILD_ROOT/%{_libdir}/python%{python3_version}/site-packages -name '*.a' -delete || true
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
%check %check
make check #make %{?_smp_mflags} check
# Get rid of make files so that they don't get packaged. # Get rid of make files so that they don't get packaged.
rm -f rules/Makefile* rm -f rules/Makefile*
%post %post
%systemd_post auditd.service %systemd_post auditd.service
# Do not perform service start/restart when running during an rpm-ostree compose
# Copy default rules into place on new installation if [ -f /run/ostree-booted ] ; then
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w` exit 0
if [ "$files" -eq 0 ] ; then
if [ -e %{_datadir}/%{name}/sample-rules/10-base-config.rules ] ; then
cp %{_datadir}/%{name}/sample-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
else
touch /etc/audit/rules.d/audit.rules
fi
chmod 0600 /etc/audit/rules.d/audit.rules
fi fi
# If an upgrade, restart it if it's running
# If upgrading, restart the daemon if it's running if [ $1 -eq 2 ] ; then
if [ $1 -eq 2 ]; then
state=$(systemctl status auditd | awk '/Active:/ { print $2 }') state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
if [ $state = "active" ] ; then if [ $state = "active" ] ; then
auditctl --signal stop || true auditctl --signal stop || true
systemctl start auditd systemctl start auditd
fi fi
# if installing, start it since preset says we should be running # if an install, start it since preset says we should be running
elif [ $1 -eq 1 ]; then elif [ $1 -eq 1 ] ; then
systemctl start auditd systemctl start auditd
fi fi
%post rules
%systemd_post audit-rules.service
# Copy default rules into place on new installation
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
echo "No rules detected, adding default"
%if 0%{?rhel}
if [ -e %{_datadir}/%{name}-rules/10-base-config.rules ] ; then
install -m 0600 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-base-config.rules /etc/audit/rules.d/audit.rules
%else
# FESCO asked for audit to be off by default. #1117953
if [ -e %{_datadir}/%{name}-rules/10-no-audit.rules ] ; then
install -m 0600 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
%endif
else
install -m 0600 -o 0 -g 0 /dev/null /etc/audit/rules.d/audit.rules
fi
# Only load the new rules if not running during an rpm-ostree compose
if [ ! -f /run/ostree-booted ] ; then
# Make the new rules active
augenrules --load || true
fi
fi
%preun %preun
%systemd_preun auditd.service %systemd_preun auditd.service
# if uninstalling stop the daemon # If uninstalling, stop it
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ] ; then
auditctl --signal stop || true auditctl --signal stop || true
# also delete loaded rules if uninstalling fi
auditctl -D || true
%preun rules
%systemd_preun audit-rules.service
# If uninstalling, delete the rules loaded in the kernel
if [ $1 -eq 0 ] ; then
auditctl -D > /dev/null 2>&1 || true
fi fi
%files libs %files libs
@ -190,46 +205,37 @@ fi
%{_libdir}/libaudit.so %{_libdir}/libaudit.so
%{_libdir}/libauparse.so %{_libdir}/libauparse.so
%{_includedir}/libaudit.h %{_includedir}/libaudit.h
%{_includedir}/audit_logging.h
%{_includedir}/audit-records.h
%{_includedir}/auparse.h %{_includedir}/auparse.h
%{_includedir}/auparse-defs.h %{_includedir}/auparse-defs.h
%{_datadir}/aclocal/audit.m4 %{_datadir}/aclocal/audit.m4
%{_libdir}/pkgconfig/audit.pc %{_libdir}/pkgconfig/audit.pc
%{_libdir}/pkgconfig/auparse.pc %{_libdir}/pkgconfig/auparse.pc
%{_mandir}/man3/* %{_mandir}/man3/*
%{_mandir}/man5/ausearch-expression.5.gz
%files -n python3-audit %files -n python3-audit
%attr(755,root,root) %{python3_sitearch}/* %attr(755,root,root) %{python3_sitearch}/*
%files %files
%doc README ChangeLog init.d/auditd.cron %doc README.md ChangeLog init.d/auditd.cron
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
%license COPYING %license COPYING
%attr(755,root,root) %{_datadir}/%{name}
%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz %attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz %attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
%attr(755,root,root) %{_sbindir}/auditctl
%attr(755,root,root) %{_sbindir}/auditd %attr(755,root,root) %{_sbindir}/auditd
%attr(755,root,root) %{_sbindir}/ausearch %attr(755,root,root) %{_sbindir}/ausearch
%attr(755,root,root) %{_sbindir}/aureport %attr(755,root,root) %{_sbindir}/aureport
%attr(750,root,root) %{_sbindir}/autrace
%attr(755,root,root) %{_sbindir}/augenrules
%attr(755,root,root) %{_bindir}/aulast %attr(755,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall %attr(755,root,root) %{_bindir}/ausyscall
%attr(755,root,root) %{_bindir}/auvirt
%attr(644,root,root) %{_unitdir}/auditd.service %attr(644,root,root) %{_unitdir}/auditd.service
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd %attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
@ -241,11 +247,21 @@ fi
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%ghost %{_localstatedir}/run/auditd.state %ghost %{_localstatedir}/run/auditd.state
%attr(-,root,-) %dir %{_var}/log/audit %attr(-,root,-) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%attr(750,root,root) %dir /etc/audit/plugins.d %attr(750,root,root) %dir /etc/audit/plugins.d
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf %config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
%ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
%files rules
%attr(755,root,root) %dir %{_datadir}/%{name}-rules
%attr(644,root,root) %{_datadir}/%{name}-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(755,root,root) %{_sbindir}/auditctl
%attr(755,root,root) %{_sbindir}/augenrules
%attr(644,root,root) %{_unitdir}/audit-rules.service
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules %ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules %config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
@ -275,90 +291,125 @@ fi
%attr(750,root,root) %{_sbindir}/audispd-zos-remote %attr(750,root,root) %{_sbindir}/audispd-zos-remote
%changelog %changelog
* Tue Jul 09 2024 Attila Lakatos <alakatos@redhat.com> - 3.1.5-1 * Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 4.0-9
- New upstream maintenance release, 3.1.4 - Rebuilt for MSVSphere 10
- Prevent scriplets from failing
- When upgrading, restart the daemon if it's running * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 4.0-9
- If uninstalling, stop the daemon - Bump release for June 2024 mass rebuild
- auditctl: use pidfd_send_signal for signaling auditd
Resolves: RHEL-45865 * Sun Feb 04 2024 Timothée Ravier <tim@siosm.fr> - 4.0-8
- Minor doc update - Fix 'install' calls in post scriptlet
Resolves: RHEL-5186
- augenrules: do not exit with failure if in immutable mode * Thu Jan 25 2024 Steve Grubb <sgrubb@redhat.com> 4.0-7
Resolves: RHEL-40110 - Don't do "live" operations during rpm-ostree composes
- auditd.service: Disable ProtectControlGroups
Resolves: RHEL-5197 * Wed Jan 24 2024 Steve Grubb <sgrubb@redhat.com> 4.0-5
- auditctl: correct output when displaying rules with exe/path/dir - Auditd is stopping during upgrade (bz 2259610)
Resolves: RHEL-40243
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-3
* Wed Nov 08 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
- Remove %systemd_preun from %preun scriptlet, as it was causing troubles when removing audit
Related: RHEL-14896 * Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Oct 27 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
- New upstream release, 3.1.2 * Tue Jan 16 2024 Steve Grubb <sgrubb@redhat.com> 4.0-1
Resolves: RHEL-14896 - New upstream major release
* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-104 * Sat Nov 04 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-5
- Introduce new fanotify record fields - Bug fixes pulled from upstrean
Resolves: rhbz#2216666
* Wed Sep 13 2023 Dusty Mabe <dusty@dustymabe.com> 3.1.2-4
* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-103 - Remove initscripts-service from Requires(postun)
- Drop ProtectHome from auditd.service as it interferes with rules
Resolves: rhbz#2071725 - Default systemd service config blocks audit watch rules in some directories [rhel-9.1.0] * Fri Sep 01 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-3
- Change initscrips-service to a Recommends
* Sun Mar 13 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-102
- Fix path normalization in auparse * Sat Aug 26 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-2
Resolves: rhbz#2062824 - auparse missing information when used with --format-text - SPDX Migration
* Tue Feb 22 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-101 * Sun Aug 06 2023 Steve Grubb <sgrubb@redhat.com> 3.1.2-1
- New upstream release
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.1.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 3.1.1-3
- Rebuilt for Python 3.12
* Tue May 09 2023 Davide Cavalca <dcavalca@fedoraproject.org> 3.1.1-2
- Install the base ruleset on RHEL
* Thu Apr 27 2023 Steve Grubb <sgrubb@redhat.com> 3.1.1-1
- New upstream release
* Thu Feb 09 2023 Steve Grubb <sgrubb@redhat.com> 3.1-2
- New upstream feature release
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Dec 22 2022 Steve Grubb <sgrubb@redhat.com> 3.0.9-2
- BuildRequires python-setuptools
- SPDX Migration
* Mon Aug 29 2022 Steve Grubb <sgrubb@redhat.com> 3.0.9-1
- New upstream bugfix release
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 3.0.8-2
- Rebuilt for Python 3.11
* Tue Mar 29 2022 Steve Grubb <sgrubb@redhat.com> 3.0.8-1
- New upstream bugfix release
* Thu Feb 24 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-3
- Undo fix to libaudit.h before installing
* Mon Feb 14 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-2
- Adjust sample-rules dir permissions - Adjust sample-rules dir permissions
Resolves: rhbz#2054432 - /usr/share/audit/sample-rules is no longer readable by non-root users - Add support for new access/dealloc function attributes
- Adjust compile flags for less warnings
* Tue Jan 25 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-100 * Sun Jan 23 2022 Steve Grubb <sgrubb@redhat.com> 3.0.7-1
- New upstream release, 3.0.7 - New upstream bugfix and feature release
Resolves: rhbz#2019929 - capability=unknown-capability(39) in audit messages
* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-5 * Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.6-3
- auparse: refact nvlist cleanup code - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Resolves: rhbz#2008965
* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-4 * Wed Jan 05 2022 Steve Grubb <sgrubb@redhat.com> 3.0.6-2
- When interpreting, if val is NULL return an empty string - Require initscripts-service instead of initscripts
Resolves: rhbz#2004420
* Wed Nov 03 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-3 * Fri Oct 01 2021 Steve Grubb <sgrubb@redhat.com> 3.0.6-1
- Update dependency to initscripts-service instead of initscripts - New upstream bugfix release
Resolves: rhbz#2000933
* Tue Aug 17 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-2 * Tue Sep 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-3
- Fix timestamp parsing - Move BuildRequires around to what actually needs it
Related: rhbz#1938680
* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.5-1 * Tue Sep 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-2
- New upstream release, 3.0.5 - Drop IPX interpretation support
Related: rhbz#1938680
* Mon Aug 16 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-3 * Wed Aug 11 2021 Steve Grubb <sgrubb@redhat.com> 3.0.5-1
- Validates the sample rules we ship - New upstream bugfix release
Resolves: rhbz#1985630
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.2-2 * Sun Aug 08 2021 Steve Grubb <sgrubb@redhat.com> 3.0.4-1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - New upstream feature release
Related: rhbz#1991688
* Tue Jun 22 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-1 * Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.3-2
- New upstream release, 3.0.2. - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Fix issues detected by static analyzers
Resolves: rhbz#1938680
* Mon Jun 21 2021 Sergio Correia <scorreia@redhat.com> - 3.0.1-4 * Wed Jul 14 2021 Steve Grubb <sgrubb@redhat.com> 3.0.3-1
- Enable default RHEL configuration - New upstream feature release
This enables syscall auditing by default.
Resolves: rhbz#1924561 * Thu Jun 24 2021 Sergio Correia <scorreia@redhat.com> - 3.0.2-2
- Do not use custom sbindir and libdir in configure
* Thu Jun 10 2021 Steve Grubb <sgrubb@redhat.com> 3.0.2-1
- New upstream feature and bugfix release
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.0.1-3 * Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 3.0.1-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Rebuilt for Python 3.10
* Thu Feb 18 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-2 * Thu Feb 18 2021 Steve Grubb <sgrubb@redhat.com> 3.0.1-2
- Add patch fixing segafult in the audisp-statsd plugin - Add patch fixing segafult in the audisp-statsd plugin
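Review bot: The new side's `%check` appears to run nothing, because `make check` is replaced by the commented-out `#make %{?_smp_mflags} check`. The `%install` loop that ran `contrib/ausysrulevalidate --update` over the sample rules is also dropped along with its patch, so this build no longer verifies either the code or the shipped rules. For a package that provides the audit trail I would restore `make %{?_smp_mflags} check`, or add a comment in `%check` saying why it is disabled and where the tests run instead. Separately, `%files rules` lists `/etc/audit/rules.d/audit.rules` as `%attr(640,root,root)` while `%post rules` creates it with `install -m 0600`, so `rpm -V` will likely report a mode difference; one of the two should change, e.g. `%attr(600,root,root)` in `%files rules`. Old and new columns are merged in this rendering, so the sides are inferred from the version strings.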
