From 8598412eb8dc0f505b409082d2c493808f80bca6 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 11 2014 02:51:07 +0000
Subject: import audit-2.4-1.el7
---
diff --git a/.audit.metadata b/.audit.metadata
new file mode 100644
index 0000000..4e88993
--- /dev/null
+++ b/.audit.metadata
@@ -0,0 +1 @@
+4cddd98eff5d6fc53dccaa845d87ba560b77cf82 SOURCES/audit-2.4.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5b79a52
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/audit-2.4.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/audit-2.3.3-augenrules.patch b/SOURCES/audit-2.3.3-augenrules.patch
new file mode 100644
index 0000000..f408308
--- /dev/null
+++ b/SOURCES/audit-2.3.3-augenrules.patch
@@ -0,0 +1,21 @@
+diff -urp audit-2.3.3.orig/init.d/auditd.service audit-2.3.3/init.d/auditd.service
+--- audit-2.3.3.orig/init.d/auditd.service 2014-01-16 06:24:42.000000000 -0500
++++ audit-2.3.3/init.d/auditd.service 2014-03-18 12:47:13.682617960 -0400
+@@ -8,12 +8,11 @@ RefuseManualStop=yes
+
+ [Service]
+ ExecStart=/sbin/auditd -n
+-## To use augenrules, copy this file to /etc/systemd/system/auditd.service
+-## and uncomment the next line and delete/comment out the auditctl line.
+-## Then copy existing rules to /etc/audit/rules.d/
+-## Not doing this last step can cause loss of existing rules
+-#ExecStartPost=-/sbin/augenrules --load
+-ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
++## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
++## and comment/delete the next line and uncomment the auditctl line.
++## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
++ExecStartPost=-/sbin/augenrules --load
++#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ ExecReload=/bin/kill -HUP $MAINPID
+
+ [Install]
diff --git a/SOURCES/audit-2.3.3-uid-1000.patch b/SOURCES/audit-2.3.3-uid-1000.patch
new file mode 100644
index 0000000..0f957f3
--- /dev/null
+++ b/SOURCES/audit-2.3.3-uid-1000.patch
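Review bot: In SOURCES/audit-2.3.3-augenrules.patch, the rewritten comment above `ExecStartPost=-/sbin/augenrules --load` drops the old warning that rules not copied to /etc/audit/rules.d/ can be lost, at the same moment augenrules becomes the default. Presumably augenrules regenerates /etc/audit/audit.rules from rules.d, so a host whose rules live only in audit.rules would start with less audit coverage than before, and the leading `-` means a failed load does not fail the unit either. The `%post` scriptlet in SPECS/audit.spec only covers the case where audit.rules does not exist, so nothing migrates existing rules. I would keep a line such as `## WARNING: rules present only in /etc/audit/audit.rules are not loaded; move them into /etc/audit/rules.d/`, and check with `auditctl -l` after the service starts.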
@@ -0,0 +1,90 @@
+diff -ur audit-2.4.orig/contrib/stig.rules audit-2.4/contrib/stig.rules
+--- audit-2.4.orig/contrib/stig.rules 2014-08-24 12:39:26.000000000 -0400
++++ audit-2.4/contrib/stig.rules 2014-09-18 08:36:39.301843819 -0400
+@@ -16,7 +16,7 @@
+ ## NOTE:
+ ## 1) if this is being used on a 32 bit machine, comment out the b64 lines
+ ## 2) These rules assume that login under the root account is not allowed.
+-## 3) It is also assumed that 500 represents the first usable user account. To
++## 3) It is also assumed that 1000 represents the first usable user account. To
+ ## be sure, look at UID_MIN in /etc/login.defs.
+ ## 4) If these rules generate too much spurious data for your tastes, limit the
+ ## the syscall file rules with a directory, like -F dir=/etc
+@@ -102,22 +102,22 @@
+
+ ##- Discretionary access control permission modification (unsuccessful
+ ## and successful use of chown/chmod)
+--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
+--a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+--a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
+--a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
+--a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
++-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
++-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
++-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
++-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
++-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
++-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
+
+ ##- Unauthorized access attempts to files (unsuccessful)
+--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+--a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
+--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
+--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
++-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
++-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
++-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
++-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
+
+ ##- Use of privileged commands (unsuccessful and successful)
+ ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
+--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
++-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
+
+ ##- Use of print command (unsuccessful and successful)
+
+@@ -125,14 +125,14 @@
+ ## You have to mount media before using it. You must disable all automounting
+ ## so that its done manually in order to get the correct user requesting the
+ ## export
+--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
+--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
++-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export
++-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export
+
+ ##- System startup and shutdown (unsuccessful and successful)
+
+ ##- Files and programs deleted by the user (successful and unsuccessful)
+--a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
+--a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
++-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
++-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
+
+ ##- All system administration actions
+ ##- All security personnel actions
+@@ -170,7 +170,7 @@
+ #-a always,exit -F arch=b64 -S delete_module -k module-unload
+
+ ## Optional - admin may be abusing power by looking in user's home dir
+-#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
++#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+ ## Optional - log container creation
+ #-a always,exit -F arch=b32 -S clone -F a0&2080505856 -k container-create
+diff -ur audit-2.4.orig/docs/audit.rules.7 audit-2.4/docs/audit.rules.7
+--- audit-2.4.orig/docs/audit.rules.7 2014-08-24 12:39:22.000000000 -0400
++++ audit-2.4/docs/audit.rules.7 2014-09-18 08:36:39.301843819 -0400
+@@ -76,10 +76,10 @@
+ .B \-F
+ options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things.
+
+-The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule:
++The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule:
+
+ .nf
+-\-F auid>=500 \-F auid!=4294967295
++\-F auid>=1000 \-F auid!=4294967295
+ .fi
+
+ These individual checks are "anded" and both have to be true.
diff --git a/SPECS/audit.spec b/SPECS/audit.spec
new file mode 100644
index 0000000..54a5ced
--- /dev/null
+++ b/SPECS/audit.spec
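Review bot: In SOURCES/audit-2.3.3-uid-1000.patch, the move from `auid>=500` to `auid>=1000` in contrib/stig.rules is only correct where UID_MIN in /etc/login.defs is 1000; on a host that still has login accounts in the 500–999 range, every changed rule silently stops recording those users. The NOTE at the top of the file only says to look at UID_MIN, so I would spell out the consequence there, e.g. `## If UID_MIN is lower than 1000, lower the auid>= value in every rule below, or activity by those accounts is not audited.` The other sample rule sets shipped as %doc in the spec (capp, nispom, lspp) are not touched by this patch, so it is worth confirming they do not still carry a different threshold. The patch file also keeps the 2.3.3 name although it is cut against audit-2.4.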
@@ -0,0 +1,435 @@
+%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+# Do we want systemd?
+%define WITH_SYSTEMD 1
+
+Summary: User space tools for 2.6 kernel auditing
+Name: audit
+Version: 2.4
+Release: 1%{?dist}
+License: GPLv2+
+Group: System Environment/Daemons
+URL: http://people.redhat.com/sgrubb/audit/
+Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+# Default to using augenrules to create audit.rules
+Patch1: audit-2.3.3-augenrules.patch
+# Adjust beginning user id's to 1000
+Patch2: audit-2.3.3-uid-1000.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: swig python-devel
+BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel
+BuildRequires: kernel-headers >= 2.6.29
+%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
+BuildRequires: golang
+%endif
+Requires: %{name}-libs = %{version}-%{release}
+%if %{WITH_SYSTEMD}
+BuildRequires: systemd-units
+Requires(post): systemd-units systemd-sysv chkconfig coreutils
+Requires(preun): systemd-units
+Requires(postun): systemd-units coreutils
+%else
+Requires: chkconfig
+%endif
+
+%description
+The audit package contains the user space utilities for
+storing and searching the audit records generate by
+the audit subsystem in the Linux 2.6 kernel.
+
+%package libs
+Summary: Dynamic library for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+
+%description libs
+The audit-libs package contains the dynamic libraries needed for
+applications to use the audit framework.
+
+%package libs-devel
+Summary: Header files for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+Requires: %{name}-libs = %{version}
+Requires: kernel-headers >= 2.6.29
+
+%description libs-devel
+The audit-libs-devel package contains the header files needed for
+developing applications that need to use the audit framework libraries.
+
+%package libs-static
+Summary: Static version of libaudit library
+License: LGPLv2+
+Group: Development/Libraries
+Requires: kernel-headers >= 2.6.29
+
+%description libs-static
+The audit-libs-static package contains the static libraries
+needed for developing applications that need to use static audit
+framework libraries
+
+%package libs-python
+Summary: Python bindings for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+Requires: %{name}-libs = %{version}-%{release}
+
+%description libs-python
+The audit-libs-python package contains the bindings so that libaudit
+and libauparse can be used by python.
+
+%package -n audispd-plugins
+Summary: Plugins for the audit event dispatcher
+License: GPLv2+
+Group: System Environment/Daemons
+BuildRequires: openldap-devel
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-libs = %{version}-%{release}
+Requires: openldap
+
+%description -n audispd-plugins
+The audispd-plugins package provides plugins for the real-time
+interface to the audit system, audispd. These plugins can do things
+like relay events to remote machines or analyze events for suspicious
+behavior.
+
+%prep
+%setup -q
+# augenrules
+%patch1 -p1
+# uid 1000
+%patch2 -p1
+
+%build
+%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-arm --with-aarch64 \
+%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
+ --with-golang \
+%endif
+%if %{WITH_SYSTEMD}
+ --enable-systemd
+%endif
+
+make %{?_smp_mflags}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audispd/plugins.d}
+%if !%{WITH_SYSTEMD}
+mkdir -p $RPM_BUILD_ROOT/{etc/{sysconfig,rc.d/init.d}}
+%endif
+mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
+mkdir -p $RPM_BUILD_ROOT/%{_lib}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
+mkdir -p $RPM_BUILD_ROOT/%{_var}/log/audit
+mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
+make DESTDIR=$RPM_BUILD_ROOT install
+
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+# This winds up in the wrong place when libtool is involved
+mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT%{_libdir}
+mv $RPM_BUILD_ROOT/%{_lib}/libauparse.a $RPM_BUILD_ROOT%{_libdir}
+curdir=`pwd`
+cd $RPM_BUILD_ROOT/%{_libdir}
+LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libaudit.so.1.*.*\``
+ln -s ../../%{_lib}/$LIBNAME libaudit.so
+LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libauparse.so.0.*.*\``
+ln -s ../../%{_lib}/$LIBNAME libauparse.so
+cd $curdir
+# Remove these items so they don't get picked up.
+rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.so
+rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.so
+rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.la
+rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.la
+rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_audit.a
+rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_audit.la
+rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_auparse.a
+rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_auparse.la
+rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.a
+rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.la
+
+# Move the pkgconfig file
+mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
+
+# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
+touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
+touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
+
+%ifnarch aarch64 ppc %{power64} s390 s390x
+%check
+make check
+%endif
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post libs -p /sbin/ldconfig
+
+%post
+# Copy default rules into place on new installation
+if [ ! -e /etc/audit/audit.rules ] ; then
+ cp /etc/audit/rules.d/audit.rules /etc/audit/audit.rules
+fi
+%if %{WITH_SYSTEMD}
+%systemd_post auditd.service
+%else
+/sbin/chkconfig --add auditd
+%endif
+
+%preun
+%if %{WITH_SYSTEMD}
+%systemd_preun auditd.service
+%else
+if [ $1 -eq 0 ]; then
+ /sbin/service auditd stop > /dev/null 2>&1
+ /sbin/chkconfig --del auditd
+fi
+%endif
+
+%postun libs -p /sbin/ldconfig
+
+%postun
+if [ $1 -ge 1 ]; then
+ /sbin/service auditd condrestart > /dev/null 2>&1 || :
+fi
+
+%files libs
+%defattr(-,root,root,-)
+/%{_lib}/libaudit.so.1*
+/%{_lib}/libauparse.*
+%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
+%{_mandir}/man5/libaudit.conf.5.gz
+
+%files libs-devel
+%defattr(-,root,root,-)
+%doc contrib/skeleton.c contrib/plugin
+%{_libdir}/libaudit.so
+%{_libdir}/libauparse.so
+%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
+%dir %{_prefix}/lib/golang/src/pkg/redhat.com/audit
+%{_prefix}/lib/golang/src/pkg/redhat.com/audit/audit.go
+%endif
+%{_includedir}/libaudit.h
+%{_includedir}/auparse.h
+%{_includedir}/auparse-defs.h
+%{_libdir}/pkgconfig/audit.pc
+%{_mandir}/man3/*
+
+%files libs-static
+%defattr(-,root,root,-)
+%{_libdir}/libaudit.a
+%{_libdir}/libauparse.a
+
+%files libs-python
+%defattr(-,root,root,-)
+%attr(755,root,root) %{python_sitearch}/_audit.so
+%attr(755,root,root) %{python_sitearch}/auparse.so
+%{python_sitearch}/audit.py*
+
+%files
+%defattr(-,root,root,-)
+%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/stig.rules init.d/auditd.cron
+%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
+%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
+%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
+%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
+%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
+%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
+%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
+%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
+%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
+%attr(750,root,root) /sbin/auditctl
+%attr(750,root,root) /sbin/auditd
+%attr(755,root,root) /sbin/ausearch
+%attr(755,root,root) /sbin/aureport
+%attr(750,root,root) /sbin/autrace
+%attr(750,root,root) /sbin/audispd
+%attr(750,root,root) /sbin/augenrules
+%attr(755,root,root) %{_bindir}/aulast
+%attr(755,root,root) %{_bindir}/aulastlog
+%attr(755,root,root) %{_bindir}/ausyscall
+%attr(755,root,root) %{_bindir}/auvirt
+%if %{WITH_SYSTEMD}
+%attr(640,root,root) %{_unitdir}/auditd.service
+%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
+%else
+%attr(755,root,root) /etc/rc.d/init.d/auditd
+%config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd
+%endif
+%attr(750,root,root) %dir %{_var}/log/audit
+%attr(750,root,root) %dir /etc/audit
+%attr(750,root,root) %dir /etc/audit/rules.d
+%attr(750,root,root) %dir /etc/audisp
+%attr(750,root,root) %dir /etc/audisp/plugins.d
+%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
+%config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
+%config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
+
+%files -n audispd-plugins
+%defattr(-,root,root,-)
+%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
+%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
+%attr(750,root,root) /sbin/audispd-zos-remote
+%config(noreplace) %attr(640,root,root) /etc/audisp/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-remote.conf
+%attr(750,root,root) /sbin/audisp-remote
+%attr(700,root,root) %dir %{_var}/spool/audit
+%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
+
+%changelog
+* Thu Sep 18 2014 Steve Grubb 2.4-1
+resolves: #1115196 - Add golang bindings for libaudit
+resolves: #1105150 - audispd config file parser fails on long input
+resolves: #1104973 - auparse truncating selinux context after first category
+resolves: #1088593 - auditctl man page examples use deprecated syscalls
+resolves: #1087849 - support for setting loginuid immutable
+resolves: #1073063 - AUDIT_SECCOMP events syscall field is not interpretted
+resolves: #975796 - confusing aulast records for bad logins
+
+* Tue Mar 18 2014 Steve Grubb 2.3.3-4
+resolves: #1077249 - Audit update, various issues
+
+* Fri Jan 24 2014 Daniel Mach - 2.3.3-3
+- Mass rebuild 2014-01-24
+
+* Mon Jan 20 2014 Steve Grubb 2.3.3-2
+- New upstream bugfix/enhancement release
+resolves: #1053804 - ausearch issues found by ausearch-test
+resolves: #1030409 - ausearch help typo for "-x" option
+
+* Fri Dec 27 2013 Daniel Mach - 2.3.2-4
+- Mass rebuild 2013-12-27
+
+* Thu Oct 03 2013 Steve Grubb 2.3.2-3
+resolves: #828495 - semanage port should generate an audit event
+
+* Thu Aug 29 2013 Steve Grubb 2.3.2-2
+resolves: #991056 - ausearch ignores USER events with -ua option
+
+* Mon Jul 29 2013 Steve Grubb 2.3.2-1
+- New upstream bugfix/enhancement release
+resolves: #982112 Add delay between stopping and starting auditd
+
+* Wed Jul 10 2013 Steve Grubb 2.3.1-4
+resolves: #982112 Add delay between stopping and starting auditd
+
+* Wed Jul 03 2013 Steve Grubb 2.3.1-3
+- Remove prelude support
+
+* Fri May 31 2013 Steve Grubb 2.3.1-2
+- Fix unknown lvalue in auditd.service (#969345)
+
+* Thu May 30 2013 Steve Grubb 2.3.1-1
+- New upstream bugfix/enhancement release
+
+* Fri May 03 2013 Steve Grubb 2.3-2
+- If no rules exist, copy shipped rules into place
+
+* Tue Apr 30 2013 Steve Grubb 2.3-1
+- New upstream bugfix release
+
+* Thu Mar 21 2013 Steve Grubb 2.2.3-2
+- Fix clone syscall interpretation
+
+* Tue Mar 19 2013 Steve Grubb 2.2.3-1
+- New upstream bugfix release
+
+* Wed Feb 13 2013 Fedora Release Engineering - 2.2.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 16 2013 Steve Grubb 2.2.2-4
+- Don't make auditd.service file executable (#896113)
+
+* Fri Jan 11 2013 Steve Grubb 2.2.2-3
+- Do not own /usr/lib64/audit
+
+* Wed Dec 12 2012 Steve Grubb 2.2.2-2
+- New upstream release
+
+* Wed Jul 18 2012 Fedora Release Engineering - 2.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Mar 23 2012 Steve Grubb 2.2.1-1
+- New upstream release
+
+* Thu Mar 1 2012 Steve Grubb 2.2-1
+- New upstream release
+
+* Thu Jan 12 2012 Fedora Release Engineering - 2.1.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Sep 15 2011 Adam Williamson 2.1.3-4
+- add in some systemd scriptlets that were missed, including one which
+ will cause auditd to be enabled on upgrade from pre-systemd builds
+
+* Wed Sep 14 2011 Steve Grubb 2.1.3-3
+- Enable by default (#737060)
+
+* Tue Aug 30 2011 Steve Grubb 2.1.3-2
+- Correct misplaced ifnarch (#734359)
+
+* Mon Aug 15 2011 Steve Grubb 2.1.3-1
+- New upstream release
+
+* Tue Jul 26 2011 Jóhann B. Guðmundsson - 2.1.2-2
+- Introduce systemd unit file, drop SysV support
+
+* Sat Jun 11 2011 Steve Grubb 2.1.2-1
+- New upstream release
+
+* Wed Apr 20 2011 Steve Grubb 2.1.1-1
+- New upstream release
+
+* Tue Mar 29 2011 Steve Grubb 2.1-1
+- New upstream release
+
+* Mon Feb 07 2011 Fedora Release Engineering - 2.0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Feb 04 2011 Steve Grubb 2.0.6-1
+- New upstream release
+
+* Thu Jan 20 2011 Karsten Hopp 2.0.5-2
+- bump and rebuild as 2.0.5-1 was erroneously linked with python-2.6 on ppc
+
+* Tue Nov 02 2010 Steve Grubb 2.0.5-1
+- New upstream release
+
+* Wed Jul 21 2010 David Malcolm - 2.0.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Feb 16 2010 Adam Jackson 2.0.4-3
+- audit-2.0.4-add-needed.patch: Fix FTBFS for --no-add-needed
+
+* Fri Jan 29 2010 Steve Grubb 2.0.4-2
+- Split out static libs (#556039)
+
+* Tue Dec 08 2009 Steve Grubb 2.0.4-1
+- New upstream release
+
+* Sat Oct 17 2009 Steve Grubb 2.0.3-1
+- New upstream release
+
+* Fri Oct 16 2009 Steve Grubb 2.0.2-1
+- New upstream release
+
+* Mon Sep 28 2009 Steve Grubb 2.0.1-1
+- New upstream release
+
+* Fri Aug 21 2009 Steve Grubb 2.0-3
+- New upstream release
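Review bot: In SPECS/audit.spec, `Source0` points at a plain `http://` URL and nothing visible in `%prep` verifies the tarball, so its integrity rests entirely on the digest recorded in .audit.metadata, which at 40 hex digits looks like SHA-1. I would switch the URL to https if the upstream host serves it and state next to it how the archive is verified, e.g. `# tarball digest is pinned in .audit.metadata; re-check it against upstream when rebasing`. A smaller point in the same file: `libs-devel` requires `%{name}-libs = %{version}` while the other subpackages pin `%{version}-%{release}`, so it can pair with a libs build from a different release.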