diff -urNp audit-3.0.orig/auparse/normalize.c audit-3.0/auparse/normalize.c
--- audit-3.0.orig/auparse/normalize.c 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/normalize.c 2018-07-01 10:22:28.772089011 -0400
@@ -910,6 +910,7 @@ static const char *normalize_determine_e
case AUDIT_NETFILTER_CFG:
case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE:
case AUDIT_USER_DEVICE:
+ case AUDIT_SOFTWARE_UPDATE:
kind = NORM_EVTYPE_CONFIG;
break;
case AUDIT_SECCOMP:
@@ -1187,6 +1188,11 @@ static value_t find_simple_object(aupars
f = auparse_find_field(au, "device");
D.thing.what = NORM_WHAT_KEYSTROKES;
break;
+ case AUDIT_SOFTWARE_UPDATE:
+ auparse_first_record(au);
+ f = auparse_find_field(au, "sw");
+ D.thing.what = NORM_WHAT_SOFTWARE;
+ break;
case AUDIT_VIRT_MACHINE_ID:
f = auparse_find_field(au, "vm");
D.thing.what = NORM_WHAT_VM;
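Review bot: The return value of `auparse_first_record(au)` is discarded in the new `AUDIT_SOFTWARE_UPDATE` case, so if the rewind fails, `auparse_find_field(au, "sw")` searches from wherever the cursor was left and the event may be normalized without its primary object. Guarding the lookup, e.g. `if (auparse_first_record(au) > 0) f = auparse_find_field(au, "sw");`, makes the failure path explicit, provided `f` is initialised above the switch, which is outside this hunk. The same unchecked call appears in the `NORM_OPT_ALL` branch added after the `map:` label. Since none of the neighbouring cases rewind, a short comment on why this one does would also help, for example `/* sw= is in the first record; rewind in case the cursor is already past it */`, if that is the reason.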
@@ -1286,6 +1292,9 @@ static value_t find_simple_obj_secondary
case AUDIT_CRYPTO_SESSION:
f = auparse_find_field(au, "rport");
break;
+ case AUDIT_SOFTWARE_UPDATE:
+ f = auparse_find_field(au, "sw_type");
+ break;
default:
break;
}
@@ -1311,6 +1320,9 @@ static value_t find_simple_obj_primary2(
case AUDIT_VIRT_RESOURCE:
f = auparse_find_field(au, "vm");
break;
+ case AUDIT_SOFTWARE_UPDATE:
+ f = auparse_find_field(au, "root_dir");
+ break;
default:
break;
}
@@ -1628,6 +1640,10 @@ map:
if (D.opt == NORM_OPT_ALL) {
if (type == AUDIT_USER_DEVICE) {
add_obj_attr(au, "uuid", 0);
+ } else if (type == AUDIT_SOFTWARE_UPDATE) {
+ auparse_first_record(au);
+ add_obj_attr(au, "key_enforce", 0);
+ add_obj_attr(au, "gpg_res", 0);
}
}
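Review bot: `key_enforce` and `gpg_res` are attached only inside the `D.opt == NORM_OPT_ALL` block, so a consumer normalizing with any other option gets a software-update event with no trace of these two fields. If they carry what their names suggest (whether signature enforcement was on and the result of the signature check), they are the part of the record a detection rule most needs. It is worth confirming that hiding them behind the optional path is intended. At minimum a comment such as `/* signature-check fields; only exported with NORM_OPT_ALL */` should state the dependency. The enclosing function starts and continues outside the hunk.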
diff -urNp audit-3.0.orig/auparse/normalize-internal.h audit-3.0/auparse/normalize-internal.h
--- audit-3.0.orig/auparse/normalize-internal.h 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/normalize-internal.h 2018-07-01 10:24:07.029078467 -0400
@@ -1,6 +1,6 @@
/*
* normalize-internal.h
- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -96,6 +96,7 @@
#define NORM_WHAT_MEMORY 20
#define NORM_WHAT_KEYSTROKES 21
#define NORM_WHAT_DEVICE 22
+#define NORM_WHAT_SOFTWARE 23
// This enum is used to map events to what kind they are
#define NORM_EVTYPE_UNKNOWN 0
diff -urNp audit-3.0.orig/auparse/normalize_obj_kind_map.h audit-3.0/auparse/normalize_obj_kind_map.h
--- audit-3.0.orig/auparse/normalize_obj_kind_map.h 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/normalize_obj_kind_map.h 2018-07-01 10:22:28.806089007 -0400
@@ -1,6 +1,6 @@
/*
* normalize_obj_kind_map.h
- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -45,4 +45,5 @@ _S(NORM_WHAT_MAC_CONFIG, "mac-config")
_S(NORM_WHAT_MEMORY, "memory")
_S(NORM_WHAT_KEYSTROKES, "keystrokes")
_S(NORM_WHAT_DEVICE, "device")
+_S(NORM_WHAT_SOFTWARE, "software")
//_S(, "")
diff -urNp audit-3.0.orig/auparse/normalize_record_map.h audit-3.0/auparse/normalize_record_map.h
--- audit-3.0.orig/auparse/normalize_record_map.h 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/normalize_record_map.h 2018-07-01 10:22:28.806089007 -0400
@@ -1,6 +1,6 @@
/*
* normalize_record_map.h
- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -63,6 +63,7 @@ _S(AUDIT_MAC_CHECK, "mac-permission")
_S(AUDIT_ACCT_LOCK, "locked-account")
_S(AUDIT_ACCT_UNLOCK, "unlocked-account")
_S(AUDIT_USER_DEVICE, "configured-device")
+_S(AUDIT_SOFTWARE_UPDATE, "installed-software")
_S(AUDIT_DAEMON_START, "started-audit")
_S(AUDIT_DAEMON_END, "shutdown-audit")
_S(AUDIT_DAEMON_ABORT, "aborted-auditd-startup")
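Review bot: The action label `"installed-software"` is fixed for every `AUDIT_SOFTWARE_UPDATE` record, which would be misleading if that record type is also emitted for upgrades or other package operations, as the type name suggests it may be. Anyone filtering on the normalized action would then see every such event reported as an install. If the record has no field that distinguishes the operation, a neutral label or a comment next to this entry stating the limitation would avoid the misreading.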
diff -urNp audit-3.0.orig/auparse/typetab.h audit-3.0/auparse/typetab.h
--- audit-3.0.orig/auparse/typetab.h 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/typetab.h 2018-07-01 10:22:28.807089007 -0400
@@ -1,5 +1,5 @@
/* typetab.h --
- * Copyright 2007-09,2011-12,2014-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2007-09,2011-12,2014-18 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -140,4 +140,5 @@ _S(AUPARSE_TYPE_MACPROTO, "macproto" )
_S(AUPARSE_TYPE_ESCAPED, "invalid_context")
_S(AUPARSE_TYPE_IOCTL_REQ, "ioctlcmd" )
_S(AUPARSE_TYPE_FANOTIFY, "resp" )
-
+_S(AUPARSE_TYPE_ESCAPED, "sw" )
+_S(AUPARSE_TYPE_ESCAPED, "root_dir" )
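Review bot: `sw_type`, which `find_simple_obj_secondary` now looks up, gets no entry here, while `sw` and `root_dir` are registered as `AUPARSE_TYPE_ESCAPED`. That is fine if the sender always writes `sw_type` as a fixed bare token. If it can ever be logged encoded, the normalized secondary object would presumably carry the raw encoding instead of the decoded value. A one-line comment beside the new entries saying which SOFTWARE_UPDATE fields are free-form strings and which are fixed tokens would settle the question for the next reader.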