diff --git a/.audit.metadata b/.audit.metadata
index 85ae7fa..1cbe0b8 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-58ea81cb6052fc3a1d1ec5e5accebc0aaf7c8d1a SOURCES/audit-2.3.3.tar.gz
+84ce70969f3be29e460d92d9cd026119bee9b1dc SOURCES/audit-2.4.1.tar.gz
diff --git a/.gitignore b/.gitignore
index 3879b87..ec48444 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-2.3.3.tar.gz
+SOURCES/audit-2.4.1.tar.gz
diff --git a/SOURCES/audit-2.3.3-login.patch b/SOURCES/audit-2.3.3-login.patch
deleted file mode 100644
index f8701dc..0000000
--- a/SOURCES/audit-2.3.3-login.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-diff -urp audit-2.3.3.orig/src/ausearch-parse.c audit-2.3.3/src/ausearch-parse.c
---- audit-2.3.3.orig/src/ausearch-parse.c 2014-03-18 12:18:17.376764161 -0400
-+++ audit-2.3.3/src/ausearch-parse.c 2014-03-18 12:21:10.924749548 -0400
-@@ -1106,14 +1106,41 @@ static int parse_login(const lnode *n, s
- s->uid = strtoul(ptr, NULL, 10);
- if (errno)
- return 6;
-- // get loginuid
- *term = ' ';
-+ // optionally get subj
-+ if (event_subject) {
-+ str = strstr(term, "subj=");
-+ if (str) {
-+ ptr = str + 5;
-+ term = strchr(ptr, ' ');
-+ if (term == NULL)
-+ return 12;
-+ *term = 0;
-+ if (audit_avc_init(s) == 0) {
-+ anode an;
-+
-+ anode_init(&an);
-+ an.scontext = strdup(str);
-+ alist_append(s->avc, &an);
-+ *term = ' ';
-+ } else
-+ return 13;
-+ *term = ' ';
-+ }
-+ }
-+ // get loginuid
- str = strstr(term, "new auid=");
- if (str == NULL) {
-- str = strstr(term, "new loginuid=");
-- if (str == NULL)
-- return 7;
-- ptr = str + 13;
-+ // 3.14 kernel changed it to the next line
-+ str = strstr(term, " auid=");
-+ if (str == NULL) {
-+ str = strstr(term, "new loginuid=");
-+ if (str == NULL)
-+ return 7;
-+ ptr = str + 13;
-+ }
-+ else
-+ ptr = str + 6;
- } else
- ptr = str + 9;
- term = strchr(ptr, ' ');
-@@ -1148,18 +1175,24 @@ static int parse_login(const lnode *n, s
- if (term == NULL)
- term = n->message;
- str = strstr(term, "new ses=");
-- if (str) {
-- ptr = str + 8;
-- term = strchr(ptr, ' ');
-- if (term)
-- *term = 0;
-- errno = 0;
-- s->session_id = strtoul(ptr, NULL, 10);
-- if (errno)
-- return 11;
-- if (term)
-- *term = ' ';
-+ if (str == NULL) {
-+ // The 3.14 kernel changed it to the next line
-+ str = strstr(term, " ses=");
-+ if (str == NULL)
-+ return 14;
-+ ptr = str + 5;
- }
-+ else
-+ ptr = str + 8;
-+ term = strchr(ptr, ' ');
-+ if (term)
-+ *term = 0;
-+ errno = 0;
-+ s->session_id = strtoul(ptr, NULL, 10);
-+ if (errno)
-+ return 11;
-+ if (term)
-+ *term = ' ';
- }
- return 0;
- }
diff --git a/SOURCES/audit-2.3.3-remote.patch b/SOURCES/audit-2.3.3-remote.patch
deleted file mode 100644
index fda01a9..0000000
--- a/SOURCES/audit-2.3.3-remote.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -urp audit-2.3.3.orig/audisp/plugins/remote/audisp-remote.c audit-2.3.3/audisp/plugins/remote/audisp-remote.c
---- audit-2.3.3.orig/audisp/plugins/remote/audisp-remote.c 2014-01-16 06:24:42.000000000 -0500
-+++ audit-2.3.3/audisp/plugins/remote/audisp-remote.c 2014-03-18 12:36:32.574671943 -0400
-@@ -1063,6 +1063,9 @@ static int init_transport(void)
- {
- case T_TCP:
- rc = init_sock();
-+ // We set this so that it will retry the connection
-+ if (rc == ET_TEMPORARY)
-+ remote_ended = 1;
- break;
- default:
- rc = ET_PERMANENT;
diff --git a/SOURCES/audit-2.3.3-uid-1000.patch b/SOURCES/audit-2.3.3-uid-1000.patch
deleted file mode 100644
index ad5fc34..0000000
--- a/SOURCES/audit-2.3.3-uid-1000.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-diff -urp audit-2.3.3.orig/contrib/stig.rules audit-2.3.3/contrib/stig.rules
---- audit-2.3.3.orig/contrib/stig.rules 2014-03-18 13:07:27.658515740 -0400
-+++ audit-2.3.3/contrib/stig.rules 2014-03-18 13:08:25.979510829 -0400
-@@ -16,7 +16,7 @@
- ## NOTE:
- ## 1) if this is being used on a 32 bit machine, comment out the b64 lines
- ## 2) These rules assume that login under the root account is not allowed.
--## 3) It is also assumed that 500 represents the first usable user account. To
-+## 3) It is also assumed that 1000 represents the first usable user account. To
- ## be sure, look at UID_MIN in /etc/login.defs.
- ## 4) If these rules generate too much spurious data for your tastes, limit the
- ## the syscall file rules with a directory, like -F dir=/etc
-@@ -102,22 +102,22 @@
-
- ##- Discretionary access control permission modification (unsuccessful
- ## and successful use of chown/chmod)
---a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
---a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
---a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
---a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
---a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
---a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-
- ##- Unauthorized access attempts to files (unsuccessful)
---a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
---a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
---a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
---a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-
- ##- Use of privileged commands (unsuccessful and successful)
- ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
---a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-+-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-
- ##- Use of print command (unsuccessful and successful)
-
-@@ -125,14 +125,14 @@
- ## You have to mount media before using it. You must disable all automounting
- ## so that its done manually in order to get the correct user requesting the
- ## export
---a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
---a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
-+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export
-+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export
-
- ##- System startup and shutdown (unsuccessful and successful)
-
- ##- Files and programs deleted by the user (successful and unsuccessful)
---a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
---a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-
- ##- All system administration actions
- ##- All security personnel actions
-@@ -160,10 +160,6 @@
- #-a always,exit -F arch=b32 -S ptrace -F a0=6 -k register-injection
- #-a always,exit -F arch=b64 -S ptrace -F a0=6 -k register-injection
-
--## Optional - could be an attempt to bypass audit or simply legacy program
--#-a always,exit -F arch=b32 -S personality -F a0!=4294967295 -k bypass
--#-a always,exit -F arch=b64 -S personality -F a0!=4294967295 -k bypass
--
- ## Optional - might want to watch module insertion
- #-w /sbin/insmod -p x -k modules
- #-w /sbin/rmmod -p x -k modules
-@@ -174,7 +170,7 @@
- #-a always,exit -F arch=b64 -S delete_module -k module-unload
-
- ## Optional - admin may be abusing power by looking in user's home dir
--#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
- ## Optional - log container creation
- #-a always,exit -F arch=b32 -S clone -F a0&2080505856 -k container-create
-diff -urp audit-2.3.3.orig/docs/audit.rules.7 audit-2.3.3/docs/audit.rules.7
---- audit-2.3.3.orig/docs/audit.rules.7 2014-03-18 13:07:29.580515578 -0400
-+++ audit-2.3.3/docs/audit.rules.7 2014-03-18 13:07:58.584513136 -0400
-@@ -76,10 +76,10 @@ After the syscall is specified, you woul
- .B \-F
- options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things.
-
--The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule:
-+The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule:
-
- .nf
--\-F auid>=500 \-F auid!=4294967295
-+\-F auid>=1000 \-F auid!=4294967295
- .fi
-
- These individual checks are "anded" and both have to be true.
diff --git a/SOURCES/audit-2.3.5-debug.patch b/SOURCES/audit-2.3.5-debug.patch
deleted file mode 100644
index 4b42b34..0000000
--- a/SOURCES/audit-2.3.5-debug.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff -urp audit-2.3.5.orig/docs/ausearch.8 audit-2.3.5/docs/ausearch.8
---- audit-2.3.5.orig/docs/ausearch.8 2014-03-10 13:31:14.000000000 -0400
-+++ audit-2.3.5/docs/ausearch.8 2014-03-11 10:51:13.385867279 -0400
-@@ -21,6 +21,9 @@ Search for an event based on the given \
- .BR \-c ,\ \-\-comm \ \fIcomm-name\fP
- Search for an event based on the given \fIcomm name\fP. The comm name is the executable's name from the task structure.
- .TP
-+.BR \-\-debug
-+Write malformed events that are skipped to stderr.
-+.TP
- .BR \-e,\ \-\-exit \ \fIexit-code-or-errno\fP
- Search for an event based on the given syscall \fIexit code or errno\fP.
- .TP
-diff -urp audit-2.3.5.orig/src/aureport-options.c audit-2.3.5/src/aureport-options.c
---- audit-2.3.5.orig/src/aureport-options.c 2014-03-10 13:31:14.000000000 -0400
-+++ audit-2.3.5/src/aureport-options.c 2014-03-11 10:41:08.604806542 -0400
-@@ -56,6 +56,7 @@ const char *event_uuid = NULL;
- const char *event_vmname = NULL;
- int event_exit = 0, event_exit_is_set = 0;
- int event_ppid = -1, event_session_id = -2;
-+int event_debug = 0;
-
- /* These are used by aureport */
- const char *dummy = "dummy";
-diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c
---- audit-2.3.5.orig/src/ausearch-options.c 2014-03-10 13:31:14.000000000 -0400
-+++ audit-2.3.5/src/ausearch-options.c 2014-03-11 10:26:49.577720272 -0400
-@@ -55,6 +55,7 @@ int just_one = 0;
- int event_session_id = -2;
- int event_exit = 0, event_exit_is_set = 0;
- int line_buffered = 0;
-+int event_debug = 0;
- const char *event_key = NULL;
- const char *event_filename = NULL;
- const char *event_exe = NULL;
-@@ -81,13 +82,14 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG
- S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
- S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
- S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
--S_LINEBUFFERED, S_UUID, S_VMNAME};
-+S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG };
-
- static struct nv_pair optiontab[] = {
- { S_EVENT, "-a" },
- { S_EVENT, "--event" },
- { S_COMM, "-c" },
- { S_COMM, "--comm" },
-+ { S_DEBUG, "--debug" },
- { S_EXIT, "-e" },
- { S_EXIT, "--exit" },
- { S_FILENAME, "-f" },
-@@ -176,6 +178,7 @@ static void usage(void)
- printf("usage: ausearch [options]\n"
- "\t-a,--event <Audit event id>\tsearch based on audit event id\n"
- "\t-c,--comm <Comm name>\t\tsearch based on command line name\n"
-+ "\t --debug\t\t\tWrite malformed events that are skipped to stderr\n"
- "\t-e,--exit <Exit code or errno>\tsearch based on syscall exit code\n"
- "\t-f,--file <File name>\t\tsearch based on file name\n"
- "\t-ga,--gid-all <all Group id>\tsearch based on All group ids\n"
-@@ -1099,6 +1102,9 @@ int check_params(int count, char *vars[]
- case S_LINEBUFFERED:
- line_buffered = 1;
- break;
-+ case S_DEBUG:
-+ event_debug = 1;
-+ break;
- default:
- fprintf(stderr, "%s is an unsupported option\n",
- vars[c]);
-diff -urp audit-2.3.5.orig/src/ausearch-options.h audit-2.3.5/src/ausearch-options.h
---- audit-2.3.5.orig/src/ausearch-options.h 2014-03-10 13:31:14.000000000 -0400
-+++ audit-2.3.5/src/ausearch-options.h 2014-03-11 10:07:12.631602075 -0400
-@@ -36,6 +36,7 @@ extern const char *event_object;
- extern int event_se;
- extern int just_one;
- extern int line_buffered;
-+extern int event_debug;
- extern pid_t event_ppid;
- extern int event_session_id;
- extern ilist *event_type;
-diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c
---- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-10 13:31:14.000000000 -0400
-+++ audit-2.3.5/src/ausearch-parse.c 2014-03-11 10:31:00.205745442 -0400
-@@ -168,11 +168,17 @@ int extract_search_items(llist *l)
- ret = parse_tty(n, s);
- break;
- default:
-- // printf("unparsed type:%d\n", n->type);
-+ if (event_debug)
-+ fprintf(stderr,
-+ "Unparsed type:%d\n - skipped",
-+ n->type);
- break;
- }
-- // if (ret) printf("type:%d ret:%d\n", n->type, ret);
-- } while ((n=list_next(l)) && ret==0);
-+ if (event_debug && ret)
-+ fprintf(stderr,
-+ "Malformed event skipped, rc=%d. %s\n",
-+ ret, n->message);
-+ } while ((n=list_next(l)) && ret == 0);
- }
- return ret;
- }
diff --git a/SOURCES/audit-2.3.5-fp.patch b/SOURCES/audit-2.3.5-fp.patch
deleted file mode 100644
index 25ab793..0000000
--- a/SOURCES/audit-2.3.5-fp.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -urp audit-2.3.5.orig/auparse/interpret.c audit-2.3.5/auparse/interpret.c
---- audit-2.3.5.orig/auparse/interpret.c 2014-02-27 09:06:10.000000000 -0500
-+++ audit-2.3.5/auparse/interpret.c 2014-03-07 12:09:40.896400420 -0500
-@@ -2276,6 +2276,8 @@ int auparse_interp_adjust_type(int rtype
- type = AUPARSE_TYPE_FLAGS;
- else if (rtype == AUDIT_MQ_OPEN && strcmp(name, "mode") == 0)
- type = AUPARSE_TYPE_MODE_SHORT;
-+ else if (rtype == AUDIT_CRYPTO_KEY_USER && strcmp(name, "fp") == 0)
-+ type = AUPARSE_TYPE_UNCLASSIFIED;
- else
- type = lookup_type(name);
-
diff --git a/SOURCES/audit-2.3.5-rotate.patch b/SOURCES/audit-2.3.5-rotate.patch
deleted file mode 100644
index 90b0b73..0000000
--- a/SOURCES/audit-2.3.5-rotate.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -urp audit-2.3.5.orig/src/auditd-event.c audit-2.3.5/src/auditd-event.c
---- audit-2.3.5.orig/src/auditd-event.c 2014-03-11 13:45:06.000000000 -0400
-+++ audit-2.3.5/src/auditd-event.c 2014-03-11 15:23:10.971506011 -0400
-@@ -705,7 +705,8 @@ static void rotate_logs(struct auditd_co
- unsigned int len, i;
- char *oldname, *newname;
-
-- if (data->config->num_logs < 2)
-+ if (data->config->max_log_size_action == SZ_ROTATE &&
-+ data->config->num_logs < 2)
- return;
-
- /* Close audit file. fchmod and fchown errors are not fatal because we
diff --git a/SOURCES/audit-2.3.5-seccomp.patch b/SOURCES/audit-2.3.5-seccomp.patch
deleted file mode 100644
index 98974f5..0000000
--- a/SOURCES/audit-2.3.5-seccomp.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-diff -urp audit-2.3.5.orig/src/ausearch-common.h audit-2.3.5/src/ausearch-common.h
---- audit-2.3.5.orig/src/ausearch-common.h 2014-03-12 12:30:31.000000000 -0400
-+++ audit-2.3.5/src/ausearch-common.h 2014-03-17 17:08:27.200016460 -0400
-@@ -1,5 +1,5 @@
- /* ausearch-common.h --
-- * Copyright 2006-08,2010 Red Hat Inc., Durham, North Carolina.
-+ * Copyright 2006-08,2010,2014 Red Hat Inc., Durham, North Carolina.
- * Copyright (c) 2011 IBM Corp.
- * All Rights Reserved.
- *
-@@ -41,6 +41,7 @@ extern const char *event_filename;
- extern const char *event_hostname;
- extern const char *event_terminal;
- extern int event_syscall;
-+extern int event_machine;
- extern const char *event_exe;
- extern int event_ua, event_ga;
- extern int event_exit, event_exit_is_set;
-diff -urp audit-2.3.5.orig/src/ausearch-match.c audit-2.3.5/src/ausearch-match.c
---- audit-2.3.5.orig/src/ausearch-match.c 2014-03-12 12:30:31.000000000 -0400
-+++ audit-2.3.5/src/ausearch-match.c 2014-03-17 17:08:27.200016460 -0400
-@@ -84,9 +84,14 @@ int match(llist *l)
- if ((event_pid != -1) &&
- (event_pid != l->s.pid))
- return 0;
-- if ((event_syscall != -1) &&
-- (event_syscall != l->s.syscall))
-- return 0;
-+ if (event_syscall != -1) {
-+ if (event_syscall != l->s.syscall)
-+ return 0;
-+ if (event_machine != -1 &&
-+ (event_machine !=
-+ audit_elf_to_machine(l->s.arch)))
-+ return 0;
-+ }
- if ((event_session_id != -2) &&
- (event_session_id != l->s.session_id))
- return 0;
-diff -urp audit-2.3.5.orig/src/ausearch-options.c audit-2.3.5/src/ausearch-options.c
---- audit-2.3.5.orig/src/ausearch-options.c 2014-03-12 12:30:31.000000000 -0400
-+++ audit-2.3.5/src/ausearch-options.c 2014-03-17 17:08:27.200016460 -0400
-@@ -49,7 +49,7 @@ pid_t event_pid = -1, event_ppid = -1;
- success_t event_success = S_UNSET;
- int event_exact_match = 0;
- uid_t event_uid = -1, event_euid = -1, event_loginuid = -2;
--int event_syscall = -1;
-+int event_syscall = -1, event_machine = -1;
- int event_ua = 0, event_ga = 0, event_se = 0;
- int just_one = 0;
- int event_session_id = -2;
-@@ -661,6 +661,7 @@ int check_params(int count, char *vars[]
- optarg);
- retval = -1;
- }
-+ event_machine = machine;
- }
- c++;
- break;
-diff -urp audit-2.3.5.orig/src/ausearch-parse.c audit-2.3.5/src/ausearch-parse.c
---- audit-2.3.5.orig/src/ausearch-parse.c 2014-03-12 12:30:31.000000000 -0400
-+++ audit-2.3.5/src/ausearch-parse.c 2014-03-17 17:09:33.344014612 -0400
-@@ -1883,6 +1883,37 @@ static int parse_kernel_anom(const lnode
- }
- }
-
-+ if (n->type == AUDIT_SECCOMP) {
-+ // get arch
-+ str = strstr(term, "arch=");
-+ if (str == NULL)
-+ return 0; // A few kernel versions don't have it
-+ ptr = str + 5;
-+ term = strchr(ptr, ' ');
-+ if (term == NULL)
-+ return 12;
-+ *term = 0;
-+ errno = 0;
-+ s->arch = (int)strtoul(ptr, NULL, 16);
-+ if (errno)
-+ return 13;
-+ *term = ' ';
-+ // get syscall
-+ str = strstr(term, "syscall=");
-+ if (str == NULL)
-+ return 14;
-+ ptr = str + 8;
-+ term = strchr(ptr, ' ');
-+ if (term == NULL)
-+ return 15;
-+ *term = 0;
-+ errno = 0;
-+ s->syscall = (int)strtoul(ptr, NULL, 10);
-+ if (errno)
-+ return 16;
-+ *term = ' ';
-+ }
-+
- return 0;
- }
-
-diff -urp audit-2.3.5.orig/src/ausearch-report.c audit-2.3.5/src/ausearch-report.c
---- audit-2.3.5.orig/src/ausearch-report.c 2014-03-12 12:30:31.000000000 -0400
-+++ audit-2.3.5/src/ausearch-report.c 2014-03-17 17:08:27.201016460 -0400
-@@ -335,7 +335,7 @@ static void interpret(char *name, char *
- }
- type = auparse_interp_adjust_type(rtype, name, val);
-
-- if (rtype == AUDIT_SYSCALL) {
-+ if (rtype == AUDIT_SYSCALL || rtype == AUDIT_SECCOMP) {
- if (machine == (unsigned long)-1)
- machine = audit_detect_machine();
- if (*name == 'a' && strcmp(name, "arch") == 0) {
diff --git a/SOURCES/audit-2.4.1-uid-1000.patch b/SOURCES/audit-2.4.1-uid-1000.patch
new file mode 100644
index 0000000..dd2af0f
--- /dev/null
+++ b/SOURCES/audit-2.4.1-uid-1000.patch
@@ -0,0 +1,90 @@
+diff -ur audit-2.4.1.orig/contrib/stig.rules audit-2.4.1/contrib/stig.rules
+--- audit-2.4.1.orig/contrib/stig.rules 2014-10-27 16:54:03.000000000 -0400
++++ audit-2.4.1/contrib/stig.rules 2014-10-28 14:21:39.896827577 -0400
+@@ -19,7 +19,7 @@
+ ## NOTE:
+ ## 1) if this is being used on a 32 bit machine, comment out the b64 lines
+ ## 2) These rules assume that login under the root account is not allowed.
+-## 3) It is also assumed that 500 represents the first usable user account. To
++## 3) It is also assumed that 1000 represents the first usable user account. To
+ ## be sure, look at UID_MIN in /etc/login.defs.
+ ## 4) If these rules generate too much spurious data for your tastes, limit the
+ ## the syscall file rules with a directory, like -F dir=/etc
+@@ -106,22 +106,22 @@
+
+ ##- Discretionary access control permission modification (unsuccessful
+ ## and successful use of chown/chmod)
+--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
+--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
++-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
++-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
++-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
++-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
++-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
++-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
+
+ ##- Unauthorized access attempts to files (unsuccessful)
+--a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
+--a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
+--a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
+--a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
++-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
++-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
++-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
++-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+
+ ##- Use of privileged commands (unsuccessful and successful)
+ ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
+--a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged
++-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
+
+ ##- Use of print command (unsuccessful and successful)
+
+@@ -129,14 +129,14 @@
+ ## You have to mount media before using it. You must disable all automounting
+ ## so that its done manually in order to get the correct user requesting the
+ ## export
+--a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
+--a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
++-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
++-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
+
+ ##- System startup and shutdown (unsuccessful and successful)
+
+ ##- Files and programs deleted by the user (successful and unsuccessful)
+--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
+--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
++-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
++-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
+
+ ##- All system administration actions
+ ##- All security personnel actions
+@@ -175,7 +175,7 @@
+ #-a always,exit -F arch=b64 -S delete_module -F key=module-unload
+
+ ## Optional - admin may be abusing power by looking in user's home dir
+-#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
++#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+ ## Optional - log container creation
+ #-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create
+diff -ur audit-2.4.1.orig/docs/audit.rules.7 audit-2.4.1/docs/audit.rules.7
+--- audit-2.4.1.orig/docs/audit.rules.7 2014-10-27 16:54:03.000000000 -0400
++++ audit-2.4.1/docs/audit.rules.7 2014-10-28 14:23:00.014833616 -0400
+@@ -76,10 +76,10 @@
+ .B \-F
+ options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things.
+
+-The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule:
++The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule:
+
+ .nf
+-\-F auid>=500 \-F auid!=4294967295
++\-F auid>=1000 \-F auid!=4294967295
+ .fi
+
+ These individual checks are "anded" and both have to be true.
diff --git a/SOURCES/audit-2.4.2-ipsec.patch b/SOURCES/audit-2.4.2-ipsec.patch
new file mode 100644
index 0000000..f77316b
--- /dev/null
+++ b/SOURCES/audit-2.4.2-ipsec.patch
@@ -0,0 +1,26 @@
+diff -urp audit-2.4.1.orig/lib/libaudit.h audit-2.4.1/lib/libaudit.h
+--- audit-2.4.1.orig/lib/libaudit.h 2014-10-27 16:54:03.000000000 -0400
++++ audit-2.4.1/lib/libaudit.h 2014-12-16 13:37:12.798853979 -0500
+@@ -200,6 +200,10 @@ extern "C" {
+ #define AUDIT_CRYPTO_REPLAY_USER 2406 /* Crypto replay detected */
+ #define AUDIT_CRYPTO_SESSION 2407 /* Record parameters set during
+ TLS session establishment */
++#define AUDIT_CRYPTO_IKE_SA 2408 /* Record parameters related to
++ IKE SA */
++#define AUDIT_CRYPTO_IPSEC_SA 2409 /* Record parameters related to
++ IPSEC SA */
+
+ #define AUDIT_LAST_CRYPTO_MSG 2499
+
+diff -urp audit-2.4.1.orig/lib/msg_typetab.h audit-2.4.1/lib/msg_typetab.h
+--- audit-2.4.1.orig/lib/msg_typetab.h 2014-10-27 16:54:03.000000000 -0400
++++ audit-2.4.1/lib/msg_typetab.h 2014-12-16 13:37:12.798853979 -0500
+@@ -205,6 +205,8 @@ _S(AUDIT_CRYPTO_KEY_USER, "CR
+ _S(AUDIT_CRYPTO_FAILURE_USER, "CRYPTO_FAILURE_USER" )
+ _S(AUDIT_CRYPTO_REPLAY_USER, "CRYPTO_REPLAY_USER" )
+ _S(AUDIT_CRYPTO_SESSION, "CRYPTO_SESSION" )
++_S(AUDIT_CRYPTO_IKE_SA, "CRYPTO_IKE_SA" )
++_S(AUDIT_CRYPTO_IPSEC_SA, "CRYPTO_IPSEC_SA" )
+ _S(AUDIT_VIRT_CONTROL, "VIRT_CONTROL" )
+ _S(AUDIT_VIRT_RESOURCE, "VIRT_RESOURCE" )
+ _S(AUDIT_VIRT_MACHINE_ID, "VIRT_MACHINE_ID" )
diff --git a/SOURCES/audit-2.4.2-ppc-machine.patch b/SOURCES/audit-2.4.2-ppc-machine.patch
new file mode 100644
index 0000000..b431900
--- /dev/null
+++ b/SOURCES/audit-2.4.2-ppc-machine.patch
@@ -0,0 +1,21 @@
+Index: /trunk/lib/libaudit.c
+===================================================================
+--- /trunk/lib/libaudit.c (revision 1065)
++++ /trunk/lib/libaudit.c (revision 1066)
+@@ -1214,12 +1214,8 @@
+ break;
+ #endif
+- case MACH_PPC64LE:
+- if (bits != __AUDIT_ARCH_64BIT)
+- return -6;
+- break;
+-
+- case MACH_86_64: /* fallthrough */
+- case MACH_PPC64: /* fallthrough */
+- case MACH_S390X: /* fallthrough */
++ case MACH_86_64: /* fallthrough */
++ case MACH_PPC64: /* fallthrough */
++ case MACH_PPC64LE: /* fallthrough */
++ case MACH_S390X: /* fallthrough */
+ break;
+ default:
diff --git a/SPECS/audit.spec b/SPECS/audit.spec
index 54f16cc..229bee2 100644
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
@@ -5,28 +5,20 @@
Summary: User space tools for 2.6 kernel auditing
Name: audit
-Version: 2.3.3
-Release: 4%{?dist}
+Version: 2.4.1
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
-# CRYPTO_KEY_USER fp field interpretation collision
-Patch1: audit-2.3.5-fp.patch
-# Add --debug option to ausearch
-Patch2: audit-2.3.5-debug.patch
-# Correct parsing of AUDIT_LOGIN events due to kernel changes
-Patch3: audit-2.3.3-login.patch
-# When shifting logs, ignore num_logs (#950158)
-Patch4: audit-2.3.5-rotate.patch
-# Interpret syscall in AUDIT_SECCOMP events
-Patch5: audit-2.3.5-seccomp.patch
-# Fix retry logic when temporary network failure during remote logging #1028635
-Patch6: audit-2.3.3-remote.patch
# Default to using augenrules to create audit.rules
-Patch7: audit-2.3.3-augenrules.patch
+Patch1: audit-2.3.3-augenrules.patch
# Adjust beginning user id's to 1000
-Patch8: audit-2.3.3-uid-1000.patch
+Patch2: audit-2.4.1-uid-1000.patch
+# Add 2 ipsec related events
+Patch3: audit-2.4.2-ipsec.patch
+# Fix detection of audit elf type when ppc64le is specified in a rule
+Patch4: audit-2.4.2-ppc-machine.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: swig python-devel
BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel
@@ -59,7 +51,7 @@ applications to use the audit framework.
Summary: Header files for libaudit
License: LGPLv2+
Group: Development/Libraries
-Requires: %{name}-libs = %{version}
+Requires: %{name}-libs = %{version}-%{release}
Requires: kernel-headers >= 2.6.29
%description libs-devel
@@ -104,25 +96,18 @@ behavior.
%prep
%setup -q
-# CRYPTO_KEY_USER
+# augenrules
%patch1 -p1
-# --debug
+# uid 1000
%patch2 -p1
-# AUDIT_LOGIN
+# Add ipsec audit events
%patch3 -p1
-# ignore num_logs
-%patch4 -p1
-# AUDIT_SECCOMP
-%patch5 -p1
-# Remote logging
-%patch6 -p1
-# augenrules
-%patch7 -p1
-# uid 1000
-%patch8 -p1
+# Fix ppc64le elf type translation
+%patch4 -p2
%build
-%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-armeb --with-aarch64 \
+%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-arm --with-aarch64 \
+--without-golang \
%if %{WITH_SYSTEMD}
--enable-systemd
%endif
@@ -165,11 +150,14 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_auparse.la
rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.la
+# Move the pkgconfig file
+mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
+
# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
-%ifnarch ppc ppc64
+%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
%check
make check
%endif
@@ -209,8 +197,8 @@ fi
%files libs
%defattr(-,root,root,-)
-%attr(755,root,root) /%{_lib}/libaudit.so.1*
-%attr(755,root,root) /%{_lib}/libauparse.*
+/%{_lib}/libaudit.so.1*
+/%{_lib}/libauparse.*
%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
%{_mandir}/man5/libaudit.conf.5.gz
@@ -222,6 +210,7 @@ fi
%{_includedir}/libaudit.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
+%{_libdir}/pkgconfig/audit.pc
%{_mandir}/man3/*
%files libs-static
@@ -302,7 +291,32 @@ fi
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%changelog
-* Tue Mar 17 2014 Steve Grubb <sgrubb@redhat.com> 2.3.3-4
+* Wed Jan 14 2015 Steve Grubb <sgrubb@redhat.com> 2.4.1-5
+resolves: #1180675 - rules with "-F arch=ppc64le" fail to load
+
+* Tue Jan 13 2015 Steve Grubb <sgrubb@redhat.com> 2.4.1-4
+- Remove golang bindings added under the following bz
+resolves: #1115196 - Add golang bindings for libaudit
+
+* Wed Dec 17 2014 Steve Grubb <sgrubb@redhat.com> 2.4.1-2
+resolves: #1173160 - Audit package needs update for new VPN crypto events
+
+* Tue Oct 28 2014 Steve Grubb <sgrubb@redhat.com> 2.4.1-1
+resolves: #963353 - aarch64 userspace auditing needs to be written
+resolves: #1150202 - perf trace sleep 1 does not list any syscall information
+resolves: #1142989 - Update audit package to 2.4.1
+resolves: #1155221 - adjust fstatat naming to match kernel uapi
+
+* Thu Sep 18 2014 Steve Grubb <sgrubb@redhat.com> 2.4-1
+resolves: #1115196 - Add golang bindings for libaudit
+resolves: #1105150 - audispd config file parser fails on long input
+resolves: #1104973 - auparse truncating selinux context after first category
+resolves: #1088593 - auditctl man page examples use deprecated syscalls
+resolves: #1087849 - support for setting loginuid immutable
+resolves: #1073063 - AUDIT_SECCOMP events syscall field is not interpretted
+resolves: #975796 - confusing aulast records for bad logins
+
+* Tue Mar 18 2014 Steve Grubb <sgrubb@redhat.com> 2.3.3-4
resolves: #1077249 - Audit update, various issues
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.3.3-3